Security Automation and Orchestration

RSA NetWitness® Orchestrator

RSA NetWitness Orchestrator is a comprehensive security automation and orchestration solution designed to improve the efficiency and effectiveness of your security operations center. Key differentiating features include:

  • Hundreds of preconfigured and customizable playbooks to streamline and automate incident management and response
  • Auto-documentation capabilities that record every action taken during an investigation
  • Chat-Ops powered "war room" that facilitates collaboration among SOC staff

What Is Security Automation and Orchestration?

Security automation and orchestration tools, also known as O&A or SOAR solutions, are designed to improve the productivity, efficiency and effectiveness of security operations centers and the analysts who work in them. As the term suggests, these tools automate routine, often time-consuming tasks, such as gathering and correlating data from disparate security systems, and they help orchestrate the incident management and incident response lifecycles. In the process, they help security teams address the staffing shortage; bring consistency, discipline and predictability to security operations; and help reduce the time it takes to detect and respond to incidents.

The Biggest Challenge for Security Operations Centers

Rethinking Endpoint Security

Featured ResourceS

Data Sheet

RSA NetWitness Orchestrator

RSA NetWitness Orchestrator empowers conversation-driven incident response with a powerful threat hunting platform.

Download the Data Sheet

Solution Brief

Leveraging Machine Learning to Orchestrate & Automate Your SOC

RSA NetWitness® Orchestrator goes beyond simple automation to help organizations truly enable and harmonize their SOCs. Check out 6 use cases to learn how machine learning can benefit your security team.

View the Solution Brief


Interactive Investigations

Interactive Investigations

RSA NetWitness Orchestrator facilitates collaborative, “conversation-driven” investigations—both among analysts and between analysts and an intelligent chat bot—in a virtual, ChatOps-powered war room (a key differentiator of the product). The ChatOps interface records entire investigations and indexes them for future learning and knowledge retention. It also features a rich tool kit for investigating related incidents.

Intelligent Chat Bot

Intelligent Chat Bot

The machine learning-powered chat bot learns from all the interactive commands, playbook executions and other incident actions to help analysts with their investigations. It learns and executes common commands, matches incidents to the appropriate analyst, offers to automate a wide variety of tasks, and recommends actions for incident owners to take.

Complete Incident Management

Complete Incident Management

RSA NetWitness Orchestrator manages all aspects of the incident lifecycle on a common platform, including documentation, evidence collection and journaling; SLA tracking; regulatory compliance activities and more. The incident management capabilities are highly customizable and allow you to bring much more data (including host data) into each case, both of which further set the product apart.

Real-Time Execution

Real-Time Execution

Another differentiating feature of RSA NetWitness Orchestrator is its command-line interface, which lets analysts run commands directly from the central console. Combined with the chat bot, the command-line interface facilitates quick investigational pivots and real-time, secured execution of actions right within the console, dramatically decreasing screen-switching and documentation times.



Auto-documentation of all investigation actions provides a comprehensive audit trail to support regulatory compliance. It also yields powerful knowledge management benefits: Because activities are automatically documented, a sudden personnel loss no longer leads to a permanent loss of expertise.

Extensible Integration Framework

Extensible Integration Framework

RSA NetWitness Orchestrator integrates with 100+ security products out of the box. It’s designed with a powerful SDK that makes it easy for developers to quickly build new integrations in Python or JavaScript—without the need for external tools or environments.


Meaningful, Prioritized Alerts

Meaningful, Prioritized Alerts

RSA NetWitness Orchestrator aggregates, standardizes and normalizes alerts from your entire stack of security technologies. It enriches these alerts with threat intelligence and other data about your business so that analysts at all levels can more quickly see the full scope of an attack and act decisively on the incidents that matter most.

Up-Level Analysts’ Skills

Up-Level Analysts’ Skills

Preconfigured playbooks transform ad-hoc incident management and response processes into consistent, repeatable and guided workflows that are easy for L1 analysts to execute, allowing them to function more like L3 analysts. The visual playbook editor makes it easy to build and customize your own workflows based on 500+ security actions.

More Efficient Security Operations Center

More Efficient Security Operations Center

Orchestration, automation and machine learning capabilities help your SOC run more efficiently and effectively. In addition, RSA NetWitness Orchestrator provides SOC managers and CISOs with insight into their organization’s cyber risk profile and posture, and includes capabilities for measuring SOC efficiency and ROI.

“Building a security operations center and centralizing all our security-related incidents has been huge for us. Having the tools in place to see exactly what’s happening and report on all activity in a timely manner is helping us shift the culture of the bank from being reactive about security to being proactive.”
Ryan Melle
Vice President, Information Security Officer

Berkshire Bank

RSA NetWitness Orchestrator acts as the “connective tissue” binding together the other solutions in the RSA NetWitness Platform and across your entire security infrastructure.

The RSA NetWitness Platform consists of RSA NetWitness Logs, RSA NetWitness Network, RSA NetWitness Endpoint, RSA NetWitness UEBA and RSA NetWitness Orchestrator. This complete and powerful platform combines risk intelligence and business context with advanced cybersecurity capabilities so that your organization can better detect known and unknown threats, minimize attacker dwell time and mean-time-to-respond, and lessen the impact of security incidents.



  • 3 Keys to Faster Threat Response Threats move fast. You have to move faster. See what capabilities your security operations center needs to quickly recognize the nature of a threat and implement a definitive response to it.
  • 5 Tools to Boost Your Security Team's Impact Download this short guide to find out how to equip analysts in your security operations center with the ability to see threats anytime, anywhere they’re hiding, to detect the full scope of attacks and respond to them faster.




  • Closing the Skills Gap Security teams need to leverage technology more than ever to close the skills gap and stay on top of attackers.

White Papers

  • It’s About Time Accelerating Threat Detection and Response Download this three-page brief to find out what obstacles you need to overcome and capabilities you’ll want to put in place to accelerate threat detection and response.
  • Managing the Security Skills Gap Get strategies for addressing the staffing shortage and taking pressure off your team. Learn how the RSA NetWitness Platform can improve the efficiency and effectiveness of your analysts and incident responders.

Want a Demo?

Sign up for a free demo today and watch our products in action.

Ready to Buy?

It's easy. Speak with an RSA expert anytime to request a quote.