Cloud SOAR Compared to the Automation Service

Cloud SOAR is a full-featured security orchestration, automation, and response (SOAR) application. The Automation Service is a subset of automation capabilities adapted from Cloud SOAR that is available to the entire Sumo Logic log analytics platform.

The Automation Service includes only Cloud SOAR’s playbook-related features, including App Central and the Automation Bridge. Like the Cloud SOAR action types, the Automation Service action types can perform automated responses to events, including running containment actions and manual user-interaction steps.

Main differences

Why would you want to use Cloud SOAR when the Automation Service already does automation similar to Cloud SOAR? Because Cloud SOAR does much more.

Case and incident management

The Automation Service doesn't include any of Cloud SOAR’s case management or incident management functionality. Managing incidents and assigning them to cases gives SecOps teams the flexibility to respond in a number of ways, and to run reports and perform analysis.

Daemon and trigger action types

The Automation Service does not support daemon and trigger action types. It can only use the triggers built into Cloud SIEM and the Log Analytics platform, so you can’t configure a playbook in the Automation Service to monitor an external process or file and fire a trigger in response, as you can with Cloud SOAR. In the Automation Service a trigger can only fire for a limited set of events, such as when an Insight is created in Cloud SIEM.

Additional features

Cloud SOAR also offers many features that the Automation Service lacks, including customizable dashboards, reports, widgets, data filtering, and entity analysis.

Feature comparison

Feature                                           Automation Service  Cloud SOAR
Advanced automation capabilities                  No                  Yes
  - Daemons
  - Triggers
App Central                                       Yes                 Yes
  - Integrations
  - Playbooks
Automation (full features)                        Yes                 Yes
Automation Bridge                                 Yes                 Yes
Automation rule definition                        No                  Yes
Average Phase Duration                            No                  Yes
Cases                                             No                  Yes
  - Attachments
  - Bulk actions
  - Cloning
  - Collaboration (Notes, Slack, Task)
  - Contextual hints while writing a search string
  - Fields customization
  - Filters with advanced search bar
  - Incident attachments (files)
  - Label configuration
  - Manual creation
  - Online/offline search
  - Over time
  - Overview
  - Ownership and user group management
  - Selection of case properties to display
  - Statistics
  - Template
  - War Room
Dashboards                                        No                  Yes
  - Cloning
  - Multiple
  - Preview while customizing page
  - Public/private
Entities                                          No                  Yes
  - Harvesting
  - Manual creation
Data can be shown with:                           No                  Yes
  - Filtering (with query, bookmarks, and via search bar)
  - Graphs
  - Placeholders/tags
  - Tables
  - Text
Flexible layout with drag and drop                No                  Yes
Integration with Cloud SIEM and Log Analytics     Yes                 Yes
Integrations management                           Yes                 Yes
Logo configuration                                No                  Yes
Metrics for usage and adoption                    No                  Yes
Open Integration Framework (OIF)                  Yes                 Yes
  - Custom docker images for action execution
  - Custom integration capabilities
  - Integration Builder (almost no-code)
Playbooks                                         Yes                 Yes
  - Execution in the cloud (without using an Automation Bridge)
  - Execution in local network with an Automation Bridge
  - Management
  - Slack integration for node activation
Reports                                           No                  Yes
  - Create starting from a case list query
  - Customize format, margins, orientation, pages and page header/footer
  - Flexible layout with drag and drop
  - Multiple
  - Public/private
  - Realtime preview while customizing page
  - Scheduled
SecOps Dashboard                                  No                  Yes
Task Overview                                     No                  Yes
Triage                                            No                  Yes
  - Configuration
  - Event management
  - Graphical display of the playbooks executed
User group management                             No                  Yes
Widgets                                           No                  Yes
  - Custom
  - Public/private
  - Real time preview
  - Textual (with placeholder and images support)

Copyright © 2024 by Sumo Logic, Inc.