SOAR and Playbook Automation
1. A platform that automates repetitive SOC tasks (alert enrichment, blocking IPs, creating tickets), orchestrates workflows, and enables analysts to manage incidents through automated playbooks is called:
2. A documented or automated procedure for responding to a specific type of security incident — defining decision logic and actions — is called:
3. The SOAR platform automatically enriches every P1 alert with IP reputation, creates a JIRA ticket, pages the on-call analyst, and blocks the offending IP in the firewall — all within 90 seconds of alert generation. What does this automation reduce?
4. A SOAR playbook checks: 'Is the IP reputation score below 30? If yes, auto-block. If no, page Tier 2 for manual review.' What element of the playbook is the 'If IP reputation < 30' condition?
5. The SOAR platform connects to the firewall, SIEM, ticketing system, and email to execute response actions. Each of these integrations is called: