Sorry, out on vacation recently so just catching up on things.
If there are specific automations you wish to measure, you could have the playbooks set values in a select field showing when they start/end, and then report on those times via time tracking as per;
Original Message:
Sent: Mon June 23, 2025 10:50 AM
From: Juan Cruz Del Col
Subject: SOAR - usage and value
Martin, thank you very much for the reply.
I understand the point.
But if I wanted to know, for example, when a malicious IP attack arrives (from different rules in QRadar):
How much time do we save as a SOC operator by using the "IP Blocking in FW" playbook? This playbook includes:
1. IP search in a whitelist.
2. Query the IP reputation in three external sources.
3. Query QRadar for source/destination IP events.
4. Based on rules based on the information obtained, the block is sent in the FW or simply the activity is reported.
5. Email is sent to management + FW admin about the tasks.
All of this, without SOAR, can take an operator as quickly as 30 to 40 minutes during business hours. During off-duty hours, on-call personnel often have to be called, which can be costly, and the timescale could be longer than an hour.
So, I'd like to be able to pull up a report that allows me to filter by incident type, severity, whether the incident is due to a radar violation, etc.
I can't find a way to view this information, and I think it's valuable when we're asked every year... what did I earn with SOAR? "Time, money," how much? That's where we always have to justify...
------------------------------
Juan Cruz Del Col
Original Message:
Sent: Fri June 20, 2025 09:14 AM
From: Martin Feeney
Subject: SOAR - usage and value
SOAR isn't just about playbooks.
How about some reports from the analytics dashboard showing incidents closed over time by type, etc.?
The playbook instances do show most used playbooks to highlight that side of SOAR.
------------------------------
Martin Feeney
Product Manager, IBM Security QRadar SOAR
martin.feeney@ie.ibm.com
Original Message:
Sent: Thu June 19, 2025 02:31 PM
From: Juan Cruz Del Col
Subject: SOAR - usage and value
Guys, I need to be able to get some report on SOAR usage.
I know I could get something from System Settings --> License Information. But what I need is to identify the playbooks used in specific incidents.
I know I could get information from Playbooks --> Playbooks Instances. But I can't see incident details or filter by incident type.
I tried using the API and couldn't!
Any suggestions?
Has anyone experienced the need to be able to show and justify the use of SOAR to the CISO?
------------------------------
Juan Cruz Del Col
------------------------------
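An added example, not part of any post in this thread and not IBM code: once playbooks record their start/end times as suggested in the latest reply, a time-saved report per incident type or severity can be computed offline from exported rows. The field names, the business-hours window and the sample rows are assumptions; the 30 and 60 minute manual baselines are the figures quoted in the thread.

```python
from collections import defaultdict
from datetime import datetime

# Manual baselines in minutes, taken from the figures quoted in the thread:
# 30 (lower bound of "30 to 40") in business hours, 60 off-hours.
MANUAL_MIN = {"business": 30, "off_hours": 60}

# Constructed sample rows: one per playbook run, with the start/end values a
# playbook would write to incident fields. Field names are hypothetical.
RUNS = [
    {"incident": 2101, "type": "Malicious IP", "severity": "High",
     "start": "2025-06-23T10:02:00", "end": "2025-06-23T10:05:30"},
    {"incident": 2102, "type": "Malicious IP", "severity": "Medium",
     "start": "2025-06-21T23:40:00", "end": "2025-06-21T23:44:00"},
    {"incident": 2103, "type": "Phishing", "severity": "Low",
     "start": "2025-06-24T14:00:00", "end": "2025-06-24T14:02:00"},
    {"incident": 2104, "type": "Malicious IP", "severity": "High",
     "start": "2025-06-24T08:10:00", "end": None},  # run never finished
]

def shift(ts):
    """Assumed business hours: Mon-Fri, 09:00-18:00 local time."""
    return "business" if ts.weekday() < 5 and 9 <= ts.hour < 18 else "off_hours"

def savings_report(runs, key="type"):
    """Group finished runs by `key`; return runs, automated and saved minutes."""
    report = defaultdict(lambda: {"runs": 0, "automated_min": 0.0, "saved_min": 0.0})
    skipped = []
    for r in runs:
        if not r["start"] or not r["end"]:
            skipped.append(r["incident"])  # incomplete timing: do not count
            continue
        start = datetime.fromisoformat(r["start"])
        end = datetime.fromisoformat(r["end"])
        took = (end - start).total_seconds() / 60
        if took < 0:  # end before start: bad data, keep it out of the totals
            skipped.append(r["incident"])
            continue
        row = report[r[key]]
        row["runs"] += 1
        row["automated_min"] += took
        row["saved_min"] += max(MANUAL_MIN[shift(start)] - took, 0)
    return dict(report), skipped

if __name__ == "__main__":
    by_type, skipped = savings_report(RUNS)
    print(by_type)
    print("skipped incidents:", skipped)
```

Passing `key="severity"` groups the same rows by severity; skipped incidents are listed separately so incomplete runs do not inflate the savings figure.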