RESEARCH ON SOAR PLATFORMS AND JUSTIFICATION FOR CHOOSING SPLUNK PHANTOM

Abstract

The article examines the features of SOAR platforms in the context of improving the efficiency of security operations centers (SOCs) amid growing complexity of corporate infrastructures, increasing number of cyber incidents, and expanding use of cloud services. It analyzes the key problems faced by SOC analysts, including the large volume of events, the high level of false positives, and the limitations of traditional monitoring systems that do not provide automated response. The architecture of modern SOAR platforms is considered, covering the integration, orchestration and analytics, and operational layers, as well as the principles of their interaction with SIEM, EDR, IDS/IPS, vulnerability management systems, and threat intelligence platforms. The paper explores models of incident automation and orchestration, in particular rule-based, state-based, and context- aware approaches, which form the basis of modern playbooks and reduce the workload on analysts, increase response speed, and standardize processes. Special attention is paid to metrics for evaluating the effectiveness of SOAR solutions, such as MTTD, MTTR, Automation Coverage, and False Positive Ratio, as well as methods for testing scalability and integration reliability. A comparative analysis of leading solutions: Splunk Phantom, Cortex XSOAR, IBM Resilient, and Chronicle SOAR, is presented, identifying their key advantages and limitations. It is shown that Splunk Phantom stands out with its balanced architecture, flexible containers–artifacts model, extensive integration capabilities, support for Python scripts, and ability to build complex response scenarios. The results obtained allow us to define the place of SOAR platforms as a key element of modern cybersecurity infrastructure and emphasize their role in creating reproducible, controllable, and standardized response processes.