// industry vertical

SOAR / incident orchestration forensics

Cortex XSOAR war room · Splunk SOAR playbook runs · Swimlane cases · Torq workflows · ServiceNow SecOps · PagerDuty bridges · indicator ledger · playbook deviation · enrichment actions · multi-platform correlation.

tools 12 · priority H · processing local · in browser

start here · primary tools

ordered. work top-down. the first tool is the suggested entry point for this vertical.

  1. cortex xsoar incident war room forensic analyzer · drop xsoar incident json export · parse war room entries + task timeline + owner · runs locally
  2. splunk soar playbook run forensic analyzer · drop splunk soar container/run export · parse playbook blocks + action results · runs locally
  3. incident response playbook deviation detector · drop soar playbook run export · detect skipped steps + manual overrides · runs locally
  4. multi soar playbook correlation tool · drop 2+ soar run exports · correlate incident id + shared indicators · runs locally
  5. case report generator · fill in case number · examiner · dates · findings · drop evidence files for auto hash · generates structured forensic report PDF · runs locally
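added example, not one of the tools above and not vendor code: a minimal run-export parser that does what tools 3 and 4 describe, flagging skipped steps and manual overrides in one playbook run and correlating two runs on incident id and shared indicators. the export layout (`platform`, `incident_id`, `indicators`, `tasks[]` with `state` / `executed_by`) and the automation account names are constructed assumptions; real Cortex XSOAR and Splunk SOAR exports use their own schemas and would need a per-platform adapter in front of `parse_run`.

```python
"""Playbook deviation + cross-platform correlation over constructed SOAR run exports.
The field names below are an assumption for illustration, not a vendor schema."""
import json
from collections import defaultdict

# Constructed sample exports: two platforms handling the same incident.
RUN_A = json.dumps({
    "platform": "xsoar", "incident_id": "INC-1042",
    "indicators": ["203.0.113.7", "evil.example"],
    "tasks": [
        {"id": "1", "name": "Enrich IP", "state": "Completed", "executed_by": "DBot"},
        {"id": "2", "name": "Block IP", "state": "Skipped", "executed_by": None},
        {"id": "3", "name": "Isolate host", "state": "Completed", "executed_by": "jdoe"},
        {"id": "4", "name": "Close incident", "state": "Completed", "executed_by": "DBot"},
    ],
})
RUN_B = json.dumps({
    "platform": "splunk_soar", "incident_id": "INC-1042",
    "indicators": ["evil.example", "d41d8cd98f00b204e9800998ecf8427e"],
    "tasks": [
        {"id": "a", "name": "geolocate ip", "state": "Completed", "executed_by": "automation"},
        {"id": "b", "name": "block ip", "state": "Completed", "executed_by": "automation"},
    ],
})

# Assumption: identities that represent the orchestrator itself. Anything else
# completing a task is treated as a human stepping into the playbook.
AUTOMATION_ACCOUNTS = {"dbot", "automation"}


def parse_run(raw):
    """Normalise one export into the shape the checks below expect."""
    data = json.loads(raw)
    return {
        "platform": data["platform"],
        "incident_id": data["incident_id"],
        "indicators": set(data.get("indicators", [])),
        "tasks": data.get("tasks", []),
    }


def detect_deviations(run):
    """Return [(task_id, reason)] for skipped tasks and manual overrides."""
    findings = []
    for t in run["tasks"]:
        if t["state"].lower() == "skipped":
            findings.append((t["id"], "skipped"))
        elif t["executed_by"] and t["executed_by"].lower() not in AUTOMATION_ACCOUNTS:
            findings.append((t["id"], f"manual override by {t['executed_by']}"))
    return findings


def correlate(runs):
    """Group runs by incident id; report indicators seen on more than one platform."""
    by_incident = defaultdict(list)
    for r in runs:
        by_incident[r["incident_id"]].append(r)
    result = {}
    for inc, rs in by_incident.items():
        seen = defaultdict(set)
        for r in rs:
            for ind in r["indicators"]:
                seen[ind].add(r["platform"])
        shared = {i: sorted(p) for i, p in seen.items() if len(p) > 1}
        result[inc] = {
            "platforms": sorted(r["platform"] for r in rs),
            "shared_indicators": shared,
        }
    return result


if __name__ == "__main__":
    runs = [parse_run(RUN_A), parse_run(RUN_B)]
    for r in runs:
        print(r["platform"], detect_deviations(r))
    print(correlate(runs))
```

the override check is deliberately strict: a completed task is a deviation unless the executor is a known service identity, because an analyst finishing a step by hand is exactly what a timeline reviewer wants surfaced, even when the outcome matched the playbook.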

also useful · secondary tools

cross-cutting tools that surface depending on the specific investigation.

  1. swimlane case timeline forensic analyzer · drop swimlane case export · parse record events + automation + assignee · runs locally
  2. torq automation run log forensic analyzer · drop torq workflow run export · parse step status + integration calls · runs locally
  3. servicenow security incident response forensic analyzer · drop servicenow secops incident export · parse tasks + cmdb links + state · runs locally
  4. pagerduty incident bridge forensic analyzer · drop pagerduty incident + bridge export · parse responder timeline + conference events · runs locally
  5. xsoar indicator ledger forensic extractor · drop xsoar indicator export · parse reputation + relationships + expiration · runs locally
  6. soar enrichment action forensic analyzer · drop soar enrichment task export · parse vendor queries + hit counts · runs locally
  7. evidence manifest generator · drop evidence files · compute md5 sha1 sha256 · chain of custody manifest · case number · analyst · export pdf and csv · runs locally
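added example, not the site's evidence manifest generator: the hashing and manifest logic tool 7 describes, done in one pass per file (md5, sha1 and sha256 updated from the same chunk so a multi-gigabyte image is read once), written out as csv, and re-verified afterwards so a tampered file shows up. the case number, analyst name and sample files are constructed placeholders; pdf export is left out since it needs a third-party library.

```python
"""Chain-of-custody evidence manifest: md5 / sha1 / sha256 per file, csv export,
and a re-verification pass. Sample files are constructed in a temp directory."""
import csv
import hashlib
import io
import os
import tempfile
from datetime import datetime, timezone

ALGORITHMS = ("md5", "sha1", "sha256")


def hash_file(path, chunk_size=1 << 20):
    """Hash one file with all algorithms in a single read pass."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def build_manifest(paths, case_number, analyst, acquired_at=None):
    """One row per evidence file with custody fields and all three digests."""
    acquired_at = acquired_at or datetime.now(timezone.utc).isoformat(timespec="seconds")
    rows = []
    for p in paths:
        row = {
            "case_number": case_number,
            "analyst": analyst,
            "acquired_at": acquired_at,
            "filename": os.path.basename(p),
            "size_bytes": os.path.getsize(p),
        }
        row.update(hash_file(p))
        rows.append(row)
    return rows


def manifest_to_csv(rows):
    """Serialise the manifest; column order is fixed so diffs between exports are stable."""
    fields = ["case_number", "analyst", "acquired_at", "filename", "size_bytes", *ALGORITHMS]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def verify_manifest(rows, directory):
    """Re-hash each listed file in `directory`; return filenames whose digests changed."""
    bad = []
    for row in rows:
        current = hash_file(os.path.join(directory, row["filename"]))
        if any(current[a] != row[a] for a in ALGORITHMS):
            bad.append(row["filename"])
    return bad


def make_demo_manifest():
    """Constructed evidence set: a small export and an empty file (placeholder case data)."""
    directory = tempfile.mkdtemp(prefix="evidence_")
    samples = {"war_room.json": b"hello world", "empty.bin": b""}
    paths = []
    for name, content in samples.items():
        p = os.path.join(directory, name)
        with open(p, "wb") as fh:
            fh.write(content)
        paths.append(p)
    rows = build_manifest(paths, case_number="CASE-0001", analyst="examiner (placeholder)")
    return directory, rows


if __name__ == "__main__":
    directory, rows = make_demo_manifest()
    print(manifest_to_csv(rows))
    print("mismatches before tamper:", verify_manifest(rows, directory))
    with open(os.path.join(directory, "war_room.json"), "ab") as fh:
        fh.write(b"!")
    print("mismatches after tamper:", verify_manifest(rows, directory))
```

keeping three digests costs nothing extra on the read side and keeps the manifest usable against older tooling that only records md5 or sha1, while sha256 is the value a reviewer should actually rely on.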

want deeper SOAR coverage?

this vertical is intentionally sparse — deep-moat coverage grows over time. tracked in the forensics rollout.
