SOAR (Security Orchestration, Automation and Response)

SOAR combines three functions that reduce the workload on SOC teams: orchestration (integration of all security tools), automation (manual routine tasks are automated via scripts), and response (structured incident response workflows).

The problem SOAR solves

Without SOAR – typical phishing alert process:

Step	Time
Analyst receives SIEM alert	2 min
Analyst manually opens suspicious email	3 min
Analyst extracts URLs, hashes	5 min
Analyst checks URLs in VirusTotal	5 min
Analyst checks sender IP in threat feeds	5 min
Analyst decides: real threat?	5 min
Analyst locks user account	5 min
Analyst deletes email from all inboxes	10 min
Analyst documents incident	15 min
Total	55 minutes - often 10+ simultaneous alerts

With SOAR - automated phishing playbook:

Step	Time
SIEM alert → SOAR trigger	0 min
URL/hash extraction via API	Seconds
VirusTotal + threat intelligence check	Seconds
Decision logic: Score > Threshold?	Seconds
Automatic: Lock account, delete email	Seconds
Analyst receives notification + context	2 min
Analyst validates/escalates if necessary	5 min
Total	~7 minutes - fully automated up to validation

SOAR Components

Playbooks (Automated Workflows)

# Example: Phishing Response Playbook (simplified)
name: phishing_response
trigger:
  source: siem
  condition: alert_type == &quot;phishing_email&quot;

steps:
  1_extract_indicators:
    action: parse_email
    extract: [urls, attachments, sender_ip, sender_domain]

  2_enrich_iocs:
    parallel:
      - virustotal.check_url(urls)
      - threatintel.check_ip(sender_ip)
      - whois.lookup(sender_domain)

  3_decision:
    if: virustotal_score &gt; 5 OR threatintel_hit == true
    then: escalate_to_confirmed_phishing
    else: mark_as_benign_and_close

  4_response_confirmed:
    parallel:
      - o365.block_sender(sender_domain)
      - o365.quarantine_similar_emails(sender, subject)
      - ad.lock_user(recipient) if clicked_link
      - ticketing.create_incident(severity=HIGH)

  5_notify:
    email: soc_team@firma.de
    content: &quot;Phishing confirmed - automatic measures initiated&quot;
    include: [ioc_report, affected_users, actions_taken]

Integrations (Connectors)

SOAR integrates all security tools:

SIEM: Splunk, Microsoft Sentinel, Elastic
EDR: CrowdStrike Falcon, SentinelOne, Microsoft Defender
Threat Intel: VirusTotal, Recorded Future, MISP
Ticketing: ServiceNow, Jira, PagerDuty
Identity: Active Directory, Azure AD (Entra ID)
Email: Microsoft 365, Google Workspace
Network: Palo Alto, Fortinet, Cisco
Cloud: AWS Security Hub, Azure Defender

Case Management

SOAR offers structured incident management:

Automatic ticket creation from alerts
Timeline of all events and actions
Analyst comments and decisions
SLA tracking
Post-incident reports

SOAR Solutions on the Market

Provider	Key Feature
Palo Alto XSOAR	Market leader, most comprehensive playbook marketplace
Splunk SOAR (formerly Phantom)	Strong in Splunk environments
Microsoft Sentinel	Integrated into Azure, "Logic Apps" as SOAR
IBM Security QRadar SOAR	Enterprise, good DACH support
TheHive + Cortex	Open source, for teams with budget constraints
Shuffle	Open source, simpler playbooks

When is SOAR worth it?

SOAR is valuable when:

SOC receives > 100 alerts/day
Analysts spend > 30% of their time on routine enrichment
Incident response processes are well documented
Budget for integration is available
Tools are API-enabled

SOAR is not yet necessary if:

Team has < 3 SOC analysts
Alert volume is manageable
Playbooks are not defined (processes first, then automation)

SOAR vs. SIEM

SIEM: Collects logs → correlates → alerts
SOAR: Receives alert → analyzes → responds

Interaction: SIEM detects a brute-force attack → alerts SOAR → SOAR checks the real IP, number of attempts, and account status → SOAR decides: temporary account lock + analyst notification.

SOAR and SIEM are complementary, not competing. Most modern platforms (Microsoft Sentinel, Splunk) integrate both.