Skip to main content

Splunk Training + Certification

Investigating Incidents with Splunk SOAR

Course Description

This 3 hour course prepares security practitioners to use SOAR to respond to security incidents, investigate vulnerabilities, and take action to mitigate and prevent security problems.

Instructor-led Training Schedule

Prerequisite Knowledge

To be successful, students should have a solid understanding of the following:

  • Security operations experience

Course Topics

  • SOAR concepts
  • Investigations
  • Running actions and playbooks
  • Case management & workflows

Course Objectives

Topic 1 – Starting Investigations
  • SOAR investigation concepts
  • ROI view
  • Using the Analyst Queue
  • Using indicators
  • Using search


Topic 2 – Working on Events
  • Use the Investigation page to work on events
  • Use the heads-up display
  • Set event status and other fields
  • Use notes and comments
  • How SLA affects event workflow
  • Using artifacts and files
  • Exporting events
  • Executing actions and playbooks
  • Managing approvals


Topic 3 – Cases: Complex Events
  • Use case management for complex investigations
  • Use case workflows
  • Mark evidence
  • Running reports