{"id":7160,"date":"2026-04-10T14:18:11","date_gmt":"2026-04-10T12:18:11","guid":{"rendered":"https:\/\/logmanager.com\/?post_type=learning_hub&#038;p=7160"},"modified":"2026-05-27T10:52:56","modified_gmt":"2026-05-27T08:52:56","slug":"siem-vs-soar","status":"publish","type":"learning_hub","link":"https:\/\/logmanager.com\/cs\/learn\/siem-vs-soar\/","title":{"rendered":"SIEM vs. SOAR: What is the difference between them and when should you use which?"},"content":{"rendered":"\n<p>If you work in cybersecurity, you have probably already come across the acronyms <strong>SIEM<\/strong> and <strong>SOAR<\/strong>. In this article we explain what these terms mean, how the two tools differ and why combining them can significantly strengthen an organization's cybersecurity.<\/p>\n\n\n\n<p><strong>SIEM<\/strong> (Security Information and Event Management) and <strong>SOAR<\/strong> (Security Orchestration, Automation and Response) are established cybersecurity technologies. Both count as advanced solutions, and both deliver real value.<\/p>\n\n\n\n<p>However, telling their roles apart in an organization's security architecture is not always easy at first glance, so let us look at their functions more closely. 
Because we cover <a href=\"https:\/\/logmanager.com\/cs\/blog\/siem\/co-je-to-siem\/\">what SIEM is<\/a> in a separate blog post, let us start by explaining what SOAR is.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What is SOAR?<\/h2>\n\n\n\n<p><strong>SOAR (Security Orchestration, Automation and Response) <\/strong>is a category of digital solutions that, within cybersecurity, takes care of automating the response to incidents.<\/p>\n\n\n\n<p>Gartner, which coined the term SOAR, defines these solutions as platforms that combine incident response, orchestration and automation of processes, and threat intelligence management.<\/p>\n\n\n\n<p>SOAR systems routinely <strong>integrate with a whole range of tools<\/strong>: on one side with the sources of alerts and information, on the other with the tools that make it possible to \u201cact\u201d. These are typically SIEM systems, firewalls, IAM systems, communication channels or endpoint protection tools.<\/p>\n\n\n\n<p>SOAR enables centralized processing of alerts, enrichment of data with context and prioritization of threats. Its main benefit is the automation of routine tasks, a lower manual workload and a faster response to security events.<\/p>\n\n\n\n<p>SOAR solutions usually work on the basis of so-called playbooks, i.e. predefined procedures that determine the automated or semi-automated steps taken in response to specific types of alerts. 
These may include, for example, isolating a compromised device, blocking a malicious IP address or notifying the relevant teams.<\/p>\n\n\n\n<p>Through tool orchestration and automated responses, SOAR increases the efficiency and scalability of security operations and lets analysts focus on the threats that really matter and on strategic development.<\/p>\n\n\n\n<p>In corporate environments, SIEM and SOAR tools often work in tandem. Typically, the SIEM detects a threat and generates an alert, which is then handed over to the SOAR system, which launches the corresponding response.<\/p>\n\n\n\n<p>This hand-over can take place either through a direct integration or via an API. For example, when the SIEM generates an alert, it can be passed to the SOAR platform through a webhook or a queue, or the SOAR can actively poll the SIEM for new alerts. The goal is to ensure that alerts from the SIEM reach the SOAR system automatically, so that no critical incident escapes attention.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">SIEM vs. SOAR: What is the difference between them?<\/h2>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"683\" src=\"https:\/\/logmanager.com\/wp-content\/uploads\/2025\/07\/lock-img-1024x683.png\" alt=\"lock img\" class=\"wp-image-4101\" srcset=\"https:\/\/logmanager.com\/wp-content\/uploads\/2025\/07\/lock-img-1024x683.png 1024w, https:\/\/logmanager.com\/wp-content\/uploads\/2025\/07\/lock-img-300x200.png 300w, https:\/\/logmanager.com\/wp-content\/uploads\/2025\/07\/lock-img-768x512.png 768w, https:\/\/logmanager.com\/wp-content\/uploads\/2025\/07\/lock-img.png 1436w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"has-xs-font-size\"><a href=\"https:\/\/www.canva.com\/\" data-type=\"link\" data-id=\"https:\/\/www.canva.com\/\" target=\"_blank\" rel=\"noopener\">source<\/a><\/p>\n\n\n\n<p><strong>SIEM<\/strong> and <strong>SOAR<\/strong> are modern cybersecurity tools that are often used together. Each of them, however, plays a different role.<\/p>\n\n\n\n<p><strong>SIEM<\/strong> (Security Information and Event Management) is a security solution designed to collect, analyze and correlate logs and events across practically the entire IT environment of an organization, from servers, operating systems and network devices to applications, endpoints and cloud services.<\/p>\n\n\n\n<p>This allows security teams to analyze activity records (<a href=\"https:\/\/logmanager.com\/cs\/blog\/log-management\/jak-na-logovani-typy-logu-zdroje-co-logovat\/\">logs<\/a>) and spot suspicious activity in time. 
When configured correctly, the SIEM system generates notifications (alerts) based on recognized patterns and triggers, which significantly speeds up the response to incidents and their subsequent resolution.<\/p>\n\n\n\n<p>Last but not least, SIEM is an important tool for ensuring compliance with legislative requirements and standards (<a href=\"https:\/\/logmanager.com\/cs\/?p=3680\">IT compliance<\/a>), because it makes it possible to retain historical data for audit purposes and usually also offers built-in reporting functions for regulations such as GDPR, HIPAA, <a href=\"https:\/\/logmanager.com\/cs\/?p=4034\">DORA<\/a> and others.<\/p>\n\n\n\n<p><strong>SOAR<\/strong> (Security Orchestration, Automation and Response), by contrast, is not designed to detect threats. Its job is to streamline and automate the response to security incidents based on alerts and detections from other sources, typically the SIEM systems themselves.<\/p>\n\n\n\n<p>How do SIEM and SOAR typically cooperate? As soon as the SOAR receives an alert from the SIEM, for example via a webhook or a queue, it takes over the role of incident response coordinator. 
It enriches the alert with additional context, for example by checking whether the IP address is known to be malicious, sets a priority and then automatically performs a set of predefined steps to deal with the threat, such as<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>blocking IP addresses and ports,<\/li>\n\n\n\n<li>deactivating accounts and resetting passwords,<\/li>\n\n\n\n<li>isolating devices and quarantining files,<\/li>\n\n\n\n<li>deleting or blocking phishing messages,<\/li>\n\n\n\n<li>creating an incident in a ticketing system (e.g. Jira, ServiceNow, Zendesk),<\/li>\n\n\n\n<li>notifying the team (e.g. Slack, MS Teams, e-mail).<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-table is-style-regular\"><table class=\"has-light-grey-background-color has-background has-fixed-layout\"><tbody><tr><td><strong>What are workflows and playbooks?<br><\/strong>This article mentions the terms <em>workflow<\/em> and <em>playbook<\/em> several times. Both serve to automate processes within SOAR platforms, but there are certain nuances between them.<br><br><strong>Workflow<\/strong><br>A workflow is a sequence of automated steps or actions that the system performs in order to accomplish a specific task. 
<em>Example:<\/em> If an alert is received \u2192 hand it to an analyst \u2192 check known indicators of compromise (IOC) \u2192 isolate the endpoint \u2192 notify the team.<br><br><strong>Playbook<\/strong><br>A playbook is a predefined and structured guide to how to proceed for a certain type of security incident. It contains both automated steps (workflows) and manual decisions, documentation, escalation scenarios and templates for internal communication. <em>Example:<\/em> \u201cHow to respond to a phishing e-mail\u201d may include automated actions (e.g. isolating the inbox, pulling similar messages) as well as handing the alert to the security team for manual review.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p><strong>In simple terms, the main difference between SIEM and SOAR can be described as follows:<\/strong><\/p>\n\n\n\n<p><strong>SIEM<\/strong> tells you what is happening in your environment.<br><strong>SOAR<\/strong> helps you do something about it.<\/p>\n\n\n\n<p>SOAR is often mistakenly regarded as a replacement for SIEM. In reality, the two systems perform different tasks, even though some of their functions partially overlap.<\/p>\n\n\n\n<p>In most cases, however, they complement each other. 
Together they strengthen the organization's defensive capability and shorten the time needed to deal with a threat.<\/p>\n\n\n\n<p>Whether your organization needs SIEM, SOAR or, ideally, both is explained in more detail later in this article.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Functions and benefits of SIEM and SOAR<\/h2>\n\n\n\n<p>Let us now take a closer look at the key features and advantages of both tools, including concrete examples from practice.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">SIEM<\/h3>\n\n\n\n<p><strong>Data collection and analysis<\/strong><strong><br><\/strong><a href=\"https:\/\/logmanager.com\/cs\/reseni\/siem\/\">SIEM platforms<\/a> such as Logmanager centralize the collection of logs and events, providing a single view of what is happening in the organization's IT environment. Thanks to its ability to recognize behavioral patterns typical of cyberattacks, a SIEM can detect even complex attacks that individual tools would overlook on their own.<\/p>\n\n\n\n<figure class=\"wp-block-table is-style-regular\"><table class=\"has-light-grey-background-color has-background has-fixed-layout\"><tbody><tr><td><strong>SIEM is not the same as log management<\/strong><br>SIEM is sometimes confused with log management tools. 
They are, however, two different categories of tools.<br><br><a href=\"https:\/\/logmanager.com\/cs\/blog\/log-management\/log-management-best-practices\/\">Log management<\/a> is primarily intended for collecting, searching, analyzing and storing logs long term.<br>SIEM has a broader scope: it focuses on security, uses correlation of logs and events to identify suspicious activity, generates alerts and helps with compliance with legislation and industry standards.<br><br>We cover this topic in more detail in our article <a href=\"https:\/\/logmanager.com\/cs\/blog\/log-management\/siem-vs-log-management-srovnani-smb\/\">SIEM vs. log management<\/a>.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p><strong>Real-time alerting<\/strong><\/p>\n\n\n\n<p>As soon as the SIEM recognizes a suspicious behavioral pattern, it immediately generates an alert. This very feature, however, usually comes with a pitfall: if the SIEM is misconfigured, security teams are flooded with notifications, many of which turn out to be irrelevant.<\/p>\n\n\n\n<p><strong>Advanced reporting capabilities<\/strong><\/p>\n\n\n\n<p>SIEM tools are often also used as supporting systems for regulatory compliance (IT compliance). They offer detailed reports on access, user behavior or violations of compliance policies. 
Many platforms also include ready-made templates for regulations such as GDPR, HIPAA or PCI-DSS, which makes proving compliance during audits and inspections considerably easier.<\/p>\n\n\n\n<p><strong>Automation and prioritization of incidents<\/strong><\/p>\n\n\n\n<p>In some areas, modern SIEM solutions make it possible to replace manual work with automation. For example, they assign risk scores to alerts according to known threat patterns, which helps teams prioritize and focus on serious incidents.<\/p>\n\n\n\n<p><strong>Integration with other security tools<\/strong><\/p>\n\n\n\n<p>You get the most out of a SIEM when it is connected to other systems, such as tools for <a href=\"https:\/\/logmanager.com\/cs\/reseni\/log-management\/\">centralized log management<\/a>, firewalls, EDR (endpoint detection and response), identity management (IAM) tools or, of course, SOAR platforms.<\/p>\n\n\n\n<p>Through these integrations the SIEM gains more context about each event, which lets analysts understand the situation better and then respond more effectively.<\/p>\n\n\n\n<figure class=\"wp-block-table is-style-regular\"><table class=\"has-light-grey-background-color has-background has-fixed-layout\"><tbody><tr><td><strong>Example from practice: SIEM vs. ransomware<br><\/strong>A healthcare provider faced a ransomware attack in which malicious code began to spread through its network.<br><br>The attack started when one of the employees unintentionally opened a malicious e-mail attachment. Within a few minutes the ransomware began encrypting files on their device and gradually spread to shared folders on the network.<br><br>The healthcare provider's SIEM was continuously monitoring logs and file activity and recorded a sharp spike in \u201cfile rename\u201d operations. In this case it was a mass renaming of files to suspicious extensions such as .locked or .enc.<br><br>The SIEM recognized that this pattern matched ransomware behavior and immediately generated an alert. The alert was then handed to the incident response tools, which automatically isolated the infected devices from the network. This stopped the ransomware from spreading.<br><br>This example illustrates one of the key advantages of SIEM solutions: they do not rely on recognizing a specific piece of malware but watch for the typical patterns and behavior of cyberattacks. 
This allows them to respond quickly, even in the case of a previously unknown threat. As a result, the healthcare provider avoided wholesale encryption of its data, system outages and the loss of sensitive information.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">SOAR<\/h3>\n\n\n\n<p><strong>Automation of incident response<\/strong><strong><br><\/strong>The main function of SOAR platforms is automating the response to security incidents. Repetitive and time-consuming tasks, such as triaging alerts, gathering threat information or isolating compromised accounts, are handled by the SOAR at machine speed.<\/p>\n\n\n\n<p>This increases the efficiency of security operations, shortens response times and lets analysts devote themselves to more strategic work.<\/p>\n\n\n\n<p><strong>Scalability<\/strong><strong><br><\/strong>SOAR systems can run dozens to hundreds of playbooks in parallel. Whether it is a phishing campaign or a ransomware attack, SOAR helps coordinate the response across tools and teams in real time.<\/p>\n\n\n\n<p>This property is key especially for larger or more exposed organizations facing a greater number of threats.<\/p>\n\n\n\n<p><strong>Centralization of alerts from various sources<\/strong><strong><br><\/strong>SOAR platforms collect alerts from tools such as firewalls, EDR systems or antivirus products and display them in a single interface. 
This gives analysts a complete overview of malicious activity across the environment.<\/p>\n\n\n\n<p>While a SIEM generally offers deeper analytics and long-term data retention, a SOAR makes it easier to quickly evaluate, triage and immediately respond to incoming alerts.<\/p>\n\n\n\n<p><strong>Case management<\/strong><strong><br><\/strong>Case management allows different team members to collaborate on a single incident. Notes on incidents, decisions and other information are kept in one place, which improves clarity and makes it easier to share findings.<\/p>\n\n\n\n<p><strong>Fewer errors<\/strong><strong><br><\/strong>With high volumes of data and events, human error is a common risk. SOAR systems analyze alerts consistently and precisely, reducing the risk that suspicious activity is overlooked or that a key step in the procedure for eliminating it is skipped.<\/p>\n\n\n\n<p><strong>Integration of threat intelligence feeds<\/strong><strong><br><\/strong>SOAR tools connect to external threat intelligence sources that provide context, for example known indicators of compromise (IOC), attacker tactics or malware signatures. 
This helps analysts assess more quickly whether a threat is real and how to respond to it.<\/p>\n\n\n\n<p>Many SOAR platforms also let you build custom alert enrichment logic tailored to the organization's specific environment.<\/p>\n\n\n\n<figure class=\"wp-block-table is-style-regular\"><table class=\"has-light-grey-background-color has-background has-fixed-layout\"><tbody><tr><td><strong>Example from practice: SOAR and faster incident response<\/strong><br>A global <a href=\"https:\/\/www.subrosacyber.com\/en\/blog\/soar-security-examples\" target=\"_blank\" rel=\"noopener\">telecommunications company<\/a> was flooded with security alerts every day. Most of them were low-severity events, such as repeated failed user logins. Even so, security analysts had to check them manually.<br><br>To speed up its response and reduce the load on the team, the company deployed a <strong>SOAR platform<\/strong>. 
It was connected to their SIEM and other detection systems so that alerts could be processed automatically. For example, on an alert for a suspicious login, i.e. several failed attempts followed by a successful login from a foreign IP address, the SOAR automatically:<br>\u2013 checked the IP address against threat intelligence feeds<br>\u2013 blocked the user account if the IP was risky<br>\u2013 created a ticket in the incident management system<br>\u2013 notified the security team<br><br>This whole workflow ran without human intervention. As a result, routine threats were resolved within seconds instead of hours, and analysts could devote themselves to more complex cases.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Comparison of SIEM vs. SOAR<\/h2>\n\n\n\n<figure class=\"wp-block-table is-style-stripes\"><table class=\"has-fixed-layout\"><tbody><tr><td><\/td><td><strong>SIEM<\/strong><\/td><td><strong>SOAR<\/strong><\/td><\/tr><tr><td><strong>Main purpose<\/strong><\/td><td>Threat detection, analysis, data retention<\/td><td>Coordinates and automates incident response<\/td><\/tr><tr><td><strong>Integration<\/strong><\/td><td>Integrates with data sources such as security devices, endpoints, firewalls, operating systems, cloud services, etc.<\/td><td>Connects to action-oriented tools such as firewalls, EDR and ticketing systems, as well as to data sources such as SIEM, threat intelligence feeds, IDS\/IPS, etc.<\/td><\/tr><tr><td><strong>Incident response<\/strong><\/td><td>Detects threats and generates alerts; the response itself usually requires manual intervention<\/td><td>Standardizes and automates response workflows based on alerts from other systems<\/td><\/tr><tr><td><strong>Data collection<\/strong><\/td><td>Collects and stores large volumes of data (logs, events)<\/td><td>Does not collect logs itself; works with alerts from other systems (e.g. SIEM)<\/td><\/tr><tr><td><strong>Output<\/strong><\/td><td>Provides an overview of what is happening in the infrastructure from an operational and security perspective; used for analysis and reporting<\/td><td>Enables a fast, repeatable and consistent response to security threats with minimal manual intervention<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p class=\"has-xs-font-size\"><em>Table 1: Comparison of SIEM and SOAR characteristics<\/em><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">SIEM, SOAR or both? How to decide<\/h2>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"685\" src=\"https:\/\/logmanager.com\/wp-content\/uploads\/2025\/07\/cybersec-img-1024x685.png\" alt=\"cybersec man img\" class=\"wp-image-4107\" srcset=\"https:\/\/logmanager.com\/wp-content\/uploads\/2025\/07\/cybersec-img-1024x685.png 1024w, https:\/\/logmanager.com\/wp-content\/uploads\/2025\/07\/cybersec-img-300x201.png 300w, https:\/\/logmanager.com\/wp-content\/uploads\/2025\/07\/cybersec-img-768x514.png 768w, https:\/\/logmanager.com\/wp-content\/uploads\/2025\/07\/cybersec-img.png 1432w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"has-xs-font-size\"><a href=\"https:\/\/www.canva.com\/\" data-type=\"link\" data-id=\"https:\/\/www.canva.com\/\" target=\"_blank\" rel=\"noopener\">source<\/a><\/p>\n\n\n\n<p>Not every organization needs a combination of SIEM and SOAR right from the start.<\/p>\n\n\n\n<p>If the main goal is threat detection, activity monitoring or meeting compliance requirements, a SIEM is a solid first step. 
It will give you an overview of what is happening in your infrastructure and help you prioritize security incidents better.<\/p>\n\n\n\n<p>When visibility alone is no longer enough, when threats arrive quickly or your team is overloaded, SOAR comes into play.<\/p>\n\n\n\n<p>If you already have a steady stream of alerts and want to make your response more efficient, SOAR lets you act faster while freeing up team capacity for more important work.<\/p>\n\n\n\n<p>Many companies, especially larger ones, use a combination of both solutions.<\/p>\n\n\n\n<p>SIEM systems collect data across the entire IT stack in real time, correlate it and identify suspicious patterns. Their main task is to turn raw logs into meaningful security alerts. 
Once the SIEM has identified and scored an alert, it hands it over to the SOAR, which takes care of the response.<\/p>\n\n\n\n<p>Together, SIEM and SOAR thus close the entire cycle from detection to response, without overwhelming analysts or introducing unnecessary delays.<\/p>\n\n\n\n<p>Whether you start with one tool or deploy both, the right solution depends on your environment, your alert volume and the maturity of your security team. If you would like to learn more about a lightweight SIEM platform that can also be easily integrated with SOAR-type systems, book a <a href=\"https:\/\/logmanager.com\/cs\/demo\/\">Logmanager demo<\/a> with our product specialist or walk through the <a href=\"https:\/\/logmanager.com\/cs\/prohlednout-produkt\/\">interactive product demo<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Find out what the difference is between SIEM and SOAR tools.<\/p>\n","protected":false},"author":4,"featured_media":4084,"parent":0,"template":"","learning_hub_tag":[],"class_list":["post-7160","learning_hub","type-learning_hub","status-publish","has-post-thumbnail","hentry"],"acf":[],"_links":{"self":[{"href":"https:\/\/logmanager.com\/cs\/wp-json\/wp\/v2\/learning_hub\/7160","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/logmanager.com\/cs\/wp-json\/wp\/v2\/learning_hub"}],"about":[{"href":"https:\/\/logmanager.com\/cs\/wp-json\/wp\/v2\/types\/learning_hub"}],"author":[{"embeddable":true,"href":"https:\/\/logmanager.com\/cs\/wp-json\/wp\/v2\/users\/4"}],"version-history":[{"count":1,"href":"https:\/\/logmanager.com\/cs\/wp-json\/wp\/v2\/learning_hub\/7160\/revisions"}],"predecessor-version":[{"id":7162,"href":"https:\/\/logmanager.com\/cs\/wp-json\/wp\/v2\/learning_hub\/7160\/revisions\/7162"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/logmanager.com\/cs\/wp-json\/wp\/v2\/media\/4084"}],"wp:attachment":[{"href":"https:\/\/logmanager.com\/cs\/wp-json\/wp\/v2\/media?parent=7160"}],"wp:term":[{"taxonomy":"learning_hub_tag","embeddable":true,"href":"https:\/\/logmanager.com\/cs\/wp-json\/wp\/v2\/learning_hub_tag?post=7160"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}