The dirty secret of security operations is that the alert is cheap and the investigation is expensive. A SIEM can fire a thousand alerts; the cost is in the human hours spent triaging, pivoting, and documenting each one. Workflow automation is the attempt to make that human labor scale.
Splunk Inc.'s US11132111B2, “Assigning workflow network security investigation actions to investigation timelines” (issued September 28, 2021; CPC H04L 63/1416 — network intrusion detection, and H04L 63/1425 — anomaly monitoring), describes structuring investigation actions onto timelines so the workflow itself is organized and trackable. Read it at US11132111B2.
Mechanically, the system represents an investigation as a timeline of assignable actions — each step in working an incident becomes a tracked task, ordered and attributable. This is the bones of security orchestration, automation, and response (SOAR): turning the analyst's ad-hoc process into a repeatable, measurable workflow.
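As an added illustration of that model (constructed here, not Splunk's code or the patent's claim language), a minimal Python representation of an investigation as an ordered timeline of assignable, timed actions; the class and field names are assumptions, and the two metrics show what "measurable" buys a SOC:

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional
# Constructed illustration of the patent's model: an investigation is an
# ordered timeline of actions, each assignable to an analyst and timed so
# the workflow can be measured. Names and fields are not Splunk's schema.

@dataclass
class Action:
    step: int                        # position on the investigation timeline
    description: str
    assignee: Optional[str] = None   # who owns this step (attribution)
    opened: Optional[datetime] = None
    closed: Optional[datetime] = None

@dataclass
class Investigation:
    incident_id: str
    actions: list = field(default_factory=list)

    def add_action(self, description, assignee=None, opened=None) -> Action:
        action = Action(len(self.actions) + 1, description, assignee, opened)
        self.actions.append(action)
        return action

    def close_step(self, step: int, when: datetime) -> None:
        self.actions[step - 1].closed = when

    def unassigned_steps(self) -> list:
        # Steps with no owner are where investigations stall.
        return [a.step for a in self.actions if a.assignee is None]

    def analyst_time(self) -> dict:
        # Time spent per analyst across the timeline: the expensive half.
        totals: dict = {}
        for a in self.actions:
            if a.assignee and a.opened and a.closed:
                totals[a.assignee] = totals.get(a.assignee, timedelta()) + (a.closed - a.opened)
        return totals

def sample_investigation() -> Investigation:
    # Constructed sample: a three-step response to one alert.
    t0 = datetime(2024, 1, 15, 9, 0)
    inv = Investigation("INC-0001")
    inv.add_action("Triage alert", "alice", t0)
    inv.close_step(1, t0 + timedelta(minutes=20))
    inv.add_action("Pivot on source host", "bob", t0 + timedelta(minutes=20))
    inv.close_step(2, t0 + timedelta(minutes=65))
    inv.add_action("Document findings")  # queued, not yet assigned
    return inv
```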
Why this is a business story: this is the SOAR layer that made Splunk's security business more than a log store — and it is a major reason Cisco paid $28 billion to acquire Splunk in a deal that closed in 2024. The strategic logic was that observability plus security workflow is a platform, not a feature, and the investigation-automation IP is part of what justified that price. Workflow tooling is also stickier than raw search — once a SOC runs its playbooks in your product, switching costs soar.
The grounded read: investigation workflow automation industrializes the expensive half of security operations — the human response. Splunk's 2021 grant names the timeline-based action-assignment model behind SOAR, the capability that helped justify Cisco's $28 billion acquisition.