Capability 06 — Walkthrough

SOAR Pipeline

Synthetic federal financial-system logs flow end-to-end through a real, deployed Security Orchestration, Automation, and Response (SOAR) pipeline. This page replays a trace captured from a live AWS run, so you can step through every component without touching live infrastructure.

Architecture

The pipeline is built on AWS Lambda, S3 with Object Lock (write-once retention), KMS-encrypted storage, SNS for downstream fan-out, and an HTTP API webhook into ServiceNow ITSM. Each stage emits a structured JSON log event to CloudWatch and increments a CloudWatch metric, so a run can be traced stage by stage from its logs alone. Detection runs are scoped per FISMA boundary: one stack per agency, by design.

Live trace replay

The trace below is a JSON snapshot of a real run captured by record_soar_trace.py. The replay steps through each stage with the actual timestamps and CloudWatch payloads from the live run.

Captured run

The replay shows six stages, in this order:

1. S3 bucket: synthetic batch PutObject
2. Lambda, log parser: OCSF normalize
3. Scoring, IsolationForest: anomaly classify
4. SNS topic, MSSP fan-out: publish
5. Lambda, ServiceNow bridge: format payload
6. ServiceNow: incident created via HTTP POST

What this proves

The pipeline is real, deployed, and capable of taking a financial system log event from ingest to ITSM ticket without a human in the loop. The capture is replayable so audiences can examine each stage without re-running infrastructure. The same pipeline architecture is what runs in client deployments after FedRAMP and CMMC accreditation.

Synthetic data only

The captured trace is from a synthetic batch generated by the recording script. Every record carries the _synthetic: true flag through the pipeline. No real agency data is ever recorded or replayed here.
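The six-stage chain, its trace capture and the synthetic-flag guarantee, as an added offline Python example (not the project's record_soar_trace.py or its Lambda code): each stage emits one CloudWatch-style JSON event with a count metric, a replay check verifies stage order, monotonic timestamps and that every event still carries _synthetic: true, and the ticket stage refuses any record that lost the flag. Assumed, and not from the page: the raw line format, the OCSF-style field names, a median/MAD modified z-score standing in for IsolationForest so the example runs without scikit-learn, the simulated per-stage latency, and the ServiceNow field names.

```python
"""Offline stand-in for the captured stage chain (added example, not the
project's record_soar_trace.py or Lambda code).  Assumed, not from the page:
the raw line format, the OCSF-style field names, the MAD z-score that stands
in for IsolationForest, the simulated latency and the ServiceNow field names."""
import json
import statistics
from datetime import datetime, timedelta, timezone

# Stage order as shown in the captured run (one event per node).
STAGES = ["PutObject", "ParseNormalize", "AnomalyClassify",
          "SnsPublish", "FormatPayload", "IncidentCreated"]
STAGE_GAP = timedelta(milliseconds=120)  # simulated latency, an assumption

# Constructed synthetic batch (assumed pipe-delimited format); the last line
# has an amount far outside the others and should become the one incident.
SYNTHETIC_BATCH = [
    "2024-05-01T12:00:00Z|acct=1001|txn=wire|amount=120.00|src=10.0.0.5",
    "2024-05-01T12:00:01Z|acct=1002|txn=ach|amount=95.50|src=10.0.0.6",
    "2024-05-01T12:00:02Z|acct=1003|txn=wire|amount=130.25|src=10.0.0.7",
    "2024-05-01T12:00:03Z|acct=1004|txn=ach|amount=88.00|src=10.0.0.8",
    "2024-05-01T12:00:04Z|acct=1002|txn=wire|amount=250000.00|src=198.51.100.7",
]


class Trace:
    """One CloudWatch-style structured event plus a count metric per stage."""

    def __init__(self, start):
        self.clock = start
        self.events = []

    def emit(self, stage, payload):
        self.clock += STAGE_GAP
        event = {"ts": self.clock.isoformat(), "stage": stage, "_synthetic": True,
                 "metric": {"name": f"soar.{stage}.count", "value": 1},
                 "payload": payload}
        self.events.append(event)
        print(json.dumps(event))  # stands in for the CloudWatch log line
        return event


def parse_normalize(line):
    """Lambda stage: split the raw line, then map it onto OCSF-style fields.
    The synthetic flag is stamped here and must survive every later stage."""
    ts, *fields = line.split("|")
    raw = dict(item.split("=", 1) for item in fields)
    return {"class_name": "Financial Transaction", "time": ts,
            "actor": {"user": {"uid": raw["acct"]}}, "activity": raw["txn"],
            "src_endpoint": {"ip": raw["src"]}, "amount": float(raw["amount"]),
            "_synthetic": True}


def classify(events, threshold=3.5):
    """Scoring stage.  Stand-in for IsolationForest: modified z-score on amount
    (median/MAD, 0.6745 consistency constant), flagged when |score| > threshold."""
    amounts = [e["amount"] for e in events]
    med = statistics.median(amounts)
    mad = statistics.median(abs(a - med) for a in amounts) or 1.0
    for e in events:
        score = 0.6745 * (e["amount"] - med) / mad
        e["anomaly_score"] = round(score, 2)
        e["is_anomaly"] = abs(score) > threshold
    return events


def format_incident(event):
    """ServiceNow bridge stage.  Refuses any record that lost the synthetic
    flag, so nothing unflagged can reach the ticket stage in this replay."""
    if event.get("_synthetic") is not True:
        raise ValueError("record without _synthetic=true reached the ticket stage")
    uid = event["actor"]["user"]["uid"]
    return {"short_description": f"Anomalous {event['activity']} by uid {uid}",
            "description": json.dumps(event, sort_keys=True),
            "impact": "2", "urgency": "2",
            "u_synthetic": True}  # custom field name is an assumption


def run_pipeline(lines, start=datetime(2024, 5, 1, 12, 0, 5, tzinfo=timezone.utc)):
    """Drive the chain over one batch; returns (trace events, incident bodies)."""
    trace = Trace(start)
    trace.emit("PutObject", {"objects": 1, "lines": len(lines)})
    records = [parse_normalize(line) for line in lines]
    trace.emit("ParseNormalize", {"records": len(records)})
    anomalies = [e for e in classify(records) if e["is_anomaly"]]
    trace.emit("AnomalyClassify", {"anomalies": len(anomalies)})
    trace.emit("SnsPublish", {"messages": len(anomalies)})
    incidents = [format_incident(e) for e in anomalies]
    trace.emit("FormatPayload", {"payloads": len(incidents)})
    trace.emit("IncidentCreated", {"incidents": len(incidents)})
    return trace.events, incidents


def verify_trace(events):
    """Replay check: stage order, monotonic timestamps, synthetic flag on every
    event.  Returns the list of problems found; empty means the trace is clean."""
    problems = []
    stages = [e["stage"] for e in events]
    if stages != STAGES:
        problems.append(f"stage order {stages} != {STAGES}")
    stamps = [datetime.fromisoformat(e["ts"]) for e in events]
    if any(later < earlier for earlier, later in zip(stamps, stamps[1:])):
        problems.append("timestamps are not monotonic")
    problems += [f"stage {e['stage']} lost the _synthetic flag"
                 for e in events if e.get("_synthetic") is not True]
    return problems


if __name__ == "__main__":
    trace_events, tickets = run_pipeline(SYNTHETIC_BATCH)
    print("incidents:", len(tickets), "problems:", verify_trace(trace_events))
```

Running the module prints the six stage events as JSON lines and reports one incident with no trace problems. To exercise a real scorer, replace classify with sklearn.ensemble.IsolationForest fitted on the amount column; the rest of the chain, including the synthetic-flag guard in format_incident and the replay check in verify_trace, is independent of how the score is produced.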