Cloud SOAR Compared to the Automation Service
Cloud SOAR is a full-featured security orchestration, automation, and response (SOAR) application. The Automation Service is a subset of automation capabilities adapted from Cloud SOAR that is available to the entire Sumo Logic log analytics platform.
The Automation Service has only Cloud SOAR's playbook-related features, including App Central and the Automation Bridge. Like the Cloud SOAR action types, the Automation Service action types can perform automated responses to events, including running containment actions and manual user-interaction steps.
Main differences
Why use Cloud SOAR when the Automation Service already provides similar automation? Because Cloud SOAR does much more.
Case and incident management
The Automation Service does not include any of Cloud SOAR's case management or incident management functionality. Managing work at the incident level and grouping incidents into cases gives SecOps teams the flexibility to respond in a number of ways, and to run reports and analysis.
Daemon and trigger action types
The Automation Service does not support daemon and trigger action types. It can use only the triggers built into Cloud SIEM and the Log Analytics platform, so you cannot configure a playbook in the Automation Service to monitor an external process or file and fire a trigger in response, as you can with Cloud SOAR. A trigger fires in the Automation Service only for a limited set of events, such as the creation of an Insight in Cloud SIEM.
Additional features
Cloud SOAR also offers many features the Automation Service does not, including customizable dashboards, reports, widgets, data filtering, and entity analysis, to name a few.
Feature comparison
Feature | Automation Service | Cloud SOAR
---|---|---
App Central (integrations, playbooks) | ✓ | ✓
Automation (full features) | ✓ | ✓
Automation Bridge | ✓ | ✓
Integration with Cloud SIEM and Log Analytics | ✓ | ✓
Integrations management | ✓ | ✓
Open Integration Framework (OIF): custom Docker images for action execution, custom integration capabilities, Integration Builder (almost no-code) | ✓ | ✓
Playbooks: execution in the cloud (without an Automation Bridge), execution in a local network with an Automation Bridge, management, Slack integration for node activation | ✓ | ✓
Advanced automation capabilities: daemons, triggers | | ✓
Automation rule definition | | ✓
Average Phase Duration | | ✓
Cases: attachments, bulk actions, cloning, collaboration (notes, Slack, tasks), contextual hints while writing a search string, field customization, filters with advanced search bar, incident attachments (files), label configuration, manual creation, online/offline search, over time, overview, ownership and user group management, selection of case properties to display, statistics, templates, War Room | | ✓
Dashboards: cloning, multiple dashboards, preview while customizing a page, public/private | | ✓
Entities: harvesting, manual creation | | ✓
Data display options: filtering (with query, bookmarks, and via search bar), graphs, placeholders/tags, tables, text | | ✓
Flexible layout with drag and drop | | ✓
Logo configuration | | ✓
Metrics for usage and adoption | | ✓
Reports: create from a case list query, customize format, margins, orientation, pages and page header/footer, flexible layout with drag and drop, multiple reports, public/private, real-time preview while customizing a page, scheduled | | ✓
SecOps Dashboard | | ✓
Task Overview | | ✓
Triage: configuration, event management, graphical display of the playbooks executed | | ✓
User group management | | ✓
Widgets: custom, public/private, real-time preview, textual (with placeholder and image support) | | ✓