

Dear Community, please can anyone share how Siemplify is being leveraged in proactive threat hunting?


Isn't a SOAR inherently reactive?



@ShakedTal, do we have any insight on this use case?



Siemplify will always be in response to something but that doesn't mean we can't get proactive in some interesting ways. Just playing with the idea:




Looks like the MISP - Triage and Investigation use case also has some threat hunting concepts in there as well.



Indeed! If one could document a procedure they generally follow with threat hunting, one could for sure use a SOAR tool to complete it.





You could set up a job to do whatever at some time interval or designated time.





Or, like Andrew said, you could have the automation kick off based on some newly received intel.





For instance, say a notification comes in that APT28, known to target your sector, has been seen abusing CVE-x-x. A playbook could kick off that pulls your vulnerability data for that CVE.


Then another action runs to check abnormal communications for affected devices.


Another action creates tickets for the SOC to investigate and for the patch team to patch.





Very basic example
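The chain sketched in this post (intel arrives for an actor relevant to your sector, pull vulnerability data for the CVE, check the affected devices for abnormal communications, raise SOC and patch tickets) written out as an added example in plain Python, not as a Siemplify action or any code from the thread. The intel notification, vulnerability export, connection log, sector name and the "abnormal" thresholds are all constructed, and the CVE id is a placeholder.

```python
# Intel-driven hunt playbook from the thread, sketched as plain Python. All data is constructed.
INTEL = {"actor": "APT28", "cve": "CVE-0000-0000", "sectors": ["finance"]}  # placeholder CVE id
OUR_SECTOR = "finance"
# Constructed vulnerability-scanner export: which host carries which CVE.
VULN_DATA = [
    {"host": "web01", "cve": "CVE-0000-0000"},
    {"host": "db02", "cve": "CVE-0000-0000"},
    {"host": "fs03", "cve": "CVE-1111-1111"},
]
# Constructed outbound-connection log: (host, destination, bytes, hour of day).
CONN_LOG = [
    ("web01", "10.0.0.5", 1_200, 10),
    ("web01", "203.0.113.7", 80_000_000, 3),   # large transfer at 03:00 from an affected host
    ("db02", "10.0.0.5", 900, 11),
    ("fs03", "203.0.113.9", 50_000_000, 2),    # noisy, but fs03 does not carry the CVE
]

def affected_hosts(intel, vuln_data):
    """Step 1: hosts whose vulnerability data lists the CVE named in the intel."""
    return sorted({v["host"] for v in vuln_data if v["cve"] == intel["cve"]})

def abnormal_comms(hosts, conn_log, byte_threshold=10_000_000, work_hours=(7, 19)):
    """Step 2: flag external connections from affected hosts that are large or off-hours (constructed heuristics)."""
    flagged = {}
    for host, dst, nbytes, hour in conn_log:
        if host not in hosts or dst.startswith("10."):   # only affected hosts, only external destinations
            continue
        reasons = []
        if nbytes >= byte_threshold: reasons.append("large transfer")
        if not work_hours[0] <= hour < work_hours[1]: reasons.append("off-hours")
        if reasons:
            flagged.setdefault(host, []).append((dst, ", ".join(reasons)))
    return flagged

def build_tickets(intel, hosts, flagged):
    """Step 3: one SOC ticket per flagged connection, one patch ticket covering every affected host."""
    label = f"{intel['actor']} / {intel['cve']}"
    tickets = [{"queue": "soc", "host": h, "summary": f"{label}: {dst} ({why})"}
               for h, events in flagged.items() for dst, why in events]
    if hosts:
        tickets.append({"queue": "patching", "hosts": hosts, "summary": f"{label}: patch"})
    return tickets

def run_playbook(intel=INTEL, vuln_data=VULN_DATA, conn_log=CONN_LOG, sector=OUR_SECTOR):
    """Trigger only when the intel names our sector, then chain the three steps."""
    if sector not in intel["sectors"]:
        return []
    hosts = affected_hosts(intel, vuln_data)
    return build_tickets(intel, hosts, abnormal_comms(hosts, conn_log))
```

With the sample data, `run_playbook()` yields one SOC ticket for web01's off-hours 80 MB transfer and one patch ticket listing both hosts carrying the CVE; intel for another sector yields nothing.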



Thanks guys!

