Observability / SIEM / SOAR
FR EN

Observability

SIEM / SOAR

SIEM / SOAR: correlation of security signals and automated incident response.

Plane
Observability
Flow steps
9 · 10
Frameworks
NIST 800-53

Technology

Why use it

Aggregate and correlate logs and traces across the stack to detect, then orchestrate the response.

Why it matters to security

Turns scattered signals into detection and action: it is the brain of detection-and-response.

Implementations Microsoft SentinelSplunkElastic SecuritySOAR (Cortex XSOAR, Tines)

Detecting without responding is watching the attack unfold.

Recommendations by maturity tier

Hover a recommendation for its explanation · each one carries its control number

Foundation

Minimum viable baseline
  • Log centralization and correlation.
    NIST 800-53 AU-6
    Weak signals only emerge once correlated.
  • Baseline detection rules.
    NIST 800-53 SI-4
    Known attack patterns raise alerts.
  • Incident-response procedure.
    NIST 800-53 IR-4
    An alert must lead to a defined action.

Enterprise

Enterprise standard
  • AI-specific detections (injection, abuse, exfiltration).
    NIST 800-53 SI-4
    LLM-specific threats have their own rules.
  • Alert enrichment with context (PIP).
    NIST 800-53 AU-6
    Risk context speeds up alert triage.
  • Semi-automated response playbooks.
    NIST 800-53 IR-4(1)
    Common responses are scripted and accelerated.

Advanced

High-assurance / regulated
  • Automated response (revoke, block) wired to the PDP.
    NIST 800-53 IR-4 · AC-24
    A confirmed signal triggers an immediate revocation or block.
  • Multi-signal correlated detection (UEBA).
    NIST 800-53 SI-4
    Identity, data and agent behavior are cross-checked.
  • Continuous detection-improvement loop.
    NIST 800-53 IR-4NIST AI 600-1 MG-4.1-002
    Each incident refines rules and playbooks.

Architecture notes

  • Wire SOAR to the PDP for real response.details ▸
    An alert with no action protects no one.
    A confirmed risk signal must be able to trigger revocation or blocking via the control plane.

References

NIST SP 800-53 Rev5
AU-6 (Review/Analysis), SI-4 (Monitoring), IR-4 (Incident Handling), IR-4(1) (Automated Processes), AC-24.
NIST AI 600-1
MG-4.1 — continuous improvement through incident response.

Abbreviations

PDP
Policy Decision Point
PEP
Policy Enforcement Point
PIP
Policy Information Point
PAP
Policy Administration Point
IdP
Identity Provider
TSS
Token Service
NHI
Non-Human Identity
RBAC
Role-Based Access Control
ABAC
Attribute-Based Access Control
MFA
Multi-Factor Authentication
HITL
Human-in-the-loop
JIT
Just-In-Time
CAE
Continuous Access Evaluation
CAEP
Continuous Access Evaluation Profile
DPoP
Demonstrating Proof-of-Possession
mTLS
mutual TLS
PII
Personally Identifiable Information
KMS
Key Management Service
CI/CD
Continuous Integration / Continuous Delivery
SIEM
Security Information and Event Management
SOAR
Security Orchestration, Automation and Response
SCIM
System for Cross-domain Identity Management
XACML
eXtensible Access Control Markup Language
OPA
Open Policy Agent
OWASP
Open Worldwide Application Security Project
NIST
National Institute of Standards and Technology
ATLAS
Adversarial Threat Landscape for Artificial-Intelligence Systems
LLM
Large Language Model
WAF
Web Application Firewall
CDN
Content Delivery Network
DDoS
Distributed Denial of Service
DLP
Data Loss Prevention
JWT
JSON Web Token
API
Application Programming Interface
CRS
Core Rule Set (OWASP)
RAG
Retrieval-Augmented Generation
MCP
Model Context Protocol
PBAC
Permission-Based Access Control
HSM
Hardware Security Module
UEBA
User and Entity Behavior Analytics
SBOM
Software Bill of Materials
SLSA
Supply-chain Levels for Software Artifacts
WORM
Write Once, Read Many
SPIFFE
Secure Production Identity Framework For Everyone