Playbook-Centric Scalable SOAR System Architecture

Conference: ICETIS 2022 - 7th International Conference on Electronic Technology and Information Science
21.01.2022 - 23.01.2022 in Harbin, China

Proceedings: ICETIS 2022

Pages: 5
Language: English
Type: PDF

Authors:
Zhao, Yan; Guo, Yuanbo (School of Cryptography Engineering, Information Engineering University, Zhengzhou, China)

Abstract:
SOAR systems in use today face several problems: the workflow cannot be iterated quickly, playbooks are duplicated, heterogeneous data has to be reformatted before the system can consume it, and the diverse needs of security experts cannot be met. To address these problems, this paper proposes a playbook-centric, scalable SOAR system architecture. By introducing the concept of a "workspace", users can define their own customary security incident handling process in a workspace playbook, and that playbook drives the system workflow. The paper also analyses the key technologies of the proposed architecture; finally, three workspace playbooks are used to analyse the architecture and demonstrate its advantages. When the SOAR system's workflow needs to be iterated, it can be updated by modifying the workspace playbook without a new version release; at the same time, the system remains compatible with an organisation's existing security incident handling process, so introducing the SOAR system does not require data formatting or similar operations; in addition, the system can adapt to the way different security experts handle security incidents, meeting their diversified needs.
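To make the playbook-driven idea concrete, the following is an added illustration and not code from the paper: a minimal engine in which the incident handling process lives entirely in per-workspace playbooks expressed as plain data, while the engine only dispatches to registered actions. The playbook schema (`steps`, `when`, `args`, `input_map`), the action names, the workspace names and the threat-intel table are all assumptions made for this example; the paper does not specify its playbook format. It shows the three properties the abstract claims: two workspaces handle the same incident type differently, a workflow is changed by editing playbook data rather than releasing a new engine, and a source tool's own field names are adapted in the playbook instead of by reformatting the data up front.

```python
"""Added example: minimal playbook-driven SOAR workflow engine (not the paper's code)."""
from typing import Any, Callable, Dict, List, Tuple

# Registry of reusable actions referenced by name from playbooks. A real SOAR
# backs these with connectors (SIEM, EDR, IdP, ticketing); these are in-memory
# stand-ins so the example runs offline. Each action gets the incident context
# plus its playbook arguments and returns fields to merge into the context.
ACTIONS: Dict[str, Callable[..., Dict[str, Any]]] = {}


def action(name: str):
    def register(fn):
        ACTIONS[name] = fn
        return fn
    return register


# Constructed threat-intel lookup table (hypothetical addresses, not real data).
KNOWN_BAD = {"203.0.113.45": "scanner", "198.51.100.7": "c2"}


@action("enrich_ip")
def enrich_ip(ctx: Dict[str, Any], field: str) -> Dict[str, Any]:
    return {"ip_verdict": KNOWN_BAD.get(ctx[field], "unknown")}


@action("block_ip")
def block_ip(ctx: Dict[str, Any], field: str) -> Dict[str, Any]:
    return {"blocked": ctx[field]}


@action("require_mfa")
def require_mfa(ctx: Dict[str, Any], user_field: str) -> Dict[str, Any]:
    return {"mfa_challenged": ctx[user_field]}


@action("open_ticket")
def open_ticket(ctx: Dict[str, Any], queue: str) -> Dict[str, Any]:
    return {"ticket": f"{queue}:{ctx['id']}"}


def run_playbook(playbook: Dict[str, Any], incident: Dict[str, Any]) -> Tuple[Dict[str, Any], List[str]]:
    """Run one playbook against one incident; return the final context and a trace."""
    # input_map renames a source tool's field names into the names the actions
    # expect, so heterogeneous inputs are adapted per playbook, not by the engine.
    rename = playbook.get("input_map", {})
    ctx = {rename.get(k, k): v for k, v in incident.items()}
    trace: List[str] = []
    for step in playbook["steps"]:
        cond = step.get("when")
        if cond is not None and ctx.get(cond["field"]) != cond["equals"]:
            trace.append(f"skip {step['action']}")
            continue
        if step["action"] not in ACTIONS:
            raise ValueError(f"playbook references unknown action {step['action']!r}")
        ctx.update(ACTIONS[step["action"]](ctx, **step.get("args", {})))
        trace.append(f"run {step['action']}")
    return ctx, trace


# Two hypothetical workspaces with different playbooks for the same incident type:
# one analyst blocks confirmed C2 sources, the other challenges unknown ones with MFA.
SHARED_MAP = {"sourceAddress": "src_ip", "userName": "user"}
WORKSPACES: Dict[str, Dict[str, Dict[str, Any]]] = {
    "blocker": {"suspicious_login": {"input_map": SHARED_MAP, "steps": [
        {"action": "enrich_ip", "args": {"field": "src_ip"}},
        {"action": "block_ip", "args": {"field": "src_ip"},
         "when": {"field": "ip_verdict", "equals": "c2"}},
        {"action": "open_ticket", "args": {"queue": "tier2"}},
    ]}},
    "verifier": {"suspicious_login": {"input_map": SHARED_MAP, "steps": [
        {"action": "enrich_ip", "args": {"field": "src_ip"}},
        {"action": "require_mfa", "args": {"user_field": "user"},
         "when": {"field": "ip_verdict", "equals": "unknown"}},
        {"action": "open_ticket", "args": {"queue": "tier1"}},
    ]}},
}


def handle(workspace: str, incident: Dict[str, Any]) -> Tuple[Dict[str, Any], List[str]]:
    """Dispatch an incident to the playbook of the given workspace."""
    return run_playbook(WORKSPACES[workspace][incident["type"]], incident)


def add_step(workspace: str, incident_type: str, index: int, step: Dict[str, Any]) -> None:
    """Iterate a workflow by editing playbook data; no engine change or restart."""
    WORKSPACES[workspace][incident_type]["steps"].insert(index, step)


# Constructed incident, expressed in a source tool's own field names.
INCIDENT = {"id": "INC-1", "type": "suspicious_login",
            "sourceAddress": "198.51.100.7", "userName": "alice"}

if __name__ == "__main__":
    for ws in WORKSPACES:
        print(ws, handle(ws, INCIDENT)[1])
    add_step("verifier", "suspicious_login", 1, {"action": "block_ip", "args": {"field": "src_ip"},
                                                "when": {"field": "ip_verdict", "equals": "c2"}})
    print("verifier after edit", handle("verifier", INCIDENT)[1])
```

The engine contains no incident-specific logic: everything an analyst would tune (which enrichment to run, when to block versus challenge, which queue receives the ticket, how to read a given tool's field names) is data in the workspace playbook. Unknown action names are rejected at execution time rather than silently skipped, which is the check a practitioner wants when playbooks are edited by hand.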