SOAR: Security Orchestration, Automation and Response

SOAR: Security Orchestration, Automation and Response

If we were to guess, you’ve heard a lot of talk about automation. Your CISO or manager wants everything automated, especially repetitive incident response tasks like investigating phishing submissions or dynamic blocking.

Without a doubt, one of the newest and most exciting technologies to enter the cyber enterprise are Security Automation, Orchestration and Response tools.

Regardless of your professional cyber security experience, you will find takeaways from this article. Welcome to our SOAR tool guide.

What is a SOAR Tool?

Security Automation, Orchestration and Response (SOAR) solves two challenges: case management and automating incident response. A standard SOAR tool comes with hundreds of API integrations with other cyber security and software vendors that allow you to automate those vendor tools. A combination of these integrations allows cyber security engineers to build ‘playbooks’ to automate incident response with actions like containing endpoints, blocking indicators of compromise or even resetting employee passwords.

Having said that, the main cyber security enterprise tools that integrate into SOAR are endpoint detection and response (EDR), security information and event management (SIEM), and firewalls – however, other software like Microsoft Exchange, Slack, and ServiceNow can easily connect and integrate as well.

Now, these automated actions can be built in-house with a scripting language like Python, but enterprise-grade SOAR tools include re-usable and pre-built actions. These pre-built actions form playbooks and communicate with other vendor tools with API requests.

In conclusion, a SOAR tool and its components form a case management system that automatically responds to cyber security incidents.


Playbooks and their actions run on cases or incidents within the SOAR tool. Cases and incidents – depending on what the vendor names them – are treated as objects. These object contain relevant information such as malicious IP addresses or events generated from a different tool like your EDR.

To put it another way, cases contain all of the information relating to the original incident. An example could be an account lockout alert: the relevant information being the username, source IP address, and source host name.

What is the Difference Between a SOAR Tool and SIEM?

The only similarity between a security information and event management (SIEM) and a SOAR tool is incident management. Both tools help security teams manage and response to alerts. The main differences are below:

Collecting and Aggregating Logs

SIEM tools centrally collect and aggregate log and security event data from various security tools, servers, databases, and applications. Cyber security engineers build correlation rules using this data to alert on malicious activity. These SIEM generated alerts require constant manual tuning and response.

On the other hands, a SOAR tool doesn’t collect or aggregate log data. It lets the SIEM handle this. Instead, the SIEM forwards its alerts to the SOAR tool for automation.

Built-in Automation

soar technology

In short, a SIEM doesn’t have built-in playbooks that can automate tasks. For the most part, the closest a SIEM gets to automation are reusable saved search queries. On the other hand, a typical SOAR tool includes hundreds of pre-built customizable actions and playbooks.

SOAR Use Cases

Phishing Response

It’s common practice to have employees report suspected phishing emails. If we were to guess, it’s likely people aren’t jumping up and offering to review these emails. In fact, it is an often overlooked manual and tedious process – however, that isn’t to say reviewing reported phishing emails isn’t important.

Typically, reported emails arrive in a designated inbox for manual review. This tends to be a repetitive task of inspecting URLs, the sender’s domain, and any other indicators. After inspecting indicators and determining if the email is malicious an analyst will manually search and delete similar emails.

This is where a phishing playbook helps. SOAR tools like Phantom and XSOAR can monitor and poll email inboxes. Every time SOAR polls an email, it ingests and creates an incident for it. The best part is tools like Phantom and XSOAR will parse all domains, URLs, and IP addresses from the email for you. Before any significant automation has been done, you are already saving a lot of time.

Next, threat intelligence and reputation tools like Recorded Future or VirusTotal enrich the IOCs. If an IOC has a malicious or suspicious risk associated to it, you can be confident that it was a phishing attempt.

To finish off, simply run a search on emails throughout your Exchange server to find similar emails from the same sender. For each email, either delete it or move it to a designated inbox for further review.

To summarize a phishing response playbook:

  • Configure SOAR to monitor and poll a phishing inbox
  • Configure SOAR to ingest and create incident for each email
  • Extract IOCs from phishing email and add to incident
  • Build a playbook to run each IOC through an enrichment lookup
  • Identify sender email addresses for IOCs that return as malicious
  • Search Exchange for emails from the sender
  • Delete or move any found emails

Dynamic Blocking

Most SOAR tools can host external dynamic lists (EDL) via HTTP. A typical EDL contains single column entries of IP addresses or URLs. The popular method is to host three lists on your SOAR: URL, Domain, and IP lists. You can configure firewall policies to read and ingest entries on the EDL for blocking purposes. The firewall will constantly poll the lists to reflect changes.

Moreover, once you have created a list you can build a playbook to automatically add new IOCs from incidents to it. Think about all of the times where you manually identified malicious IOCs in incidents and added them to a block list. A playbook can do this for you.

Ultimately, dynamic blocking works well with the phishing use case. After all, the phishing email IOCs are already extracted. By automating blocking IOCs, engineers can spend their time tuning and building additional correlation rules.

In conclusion, there are dozens of SOAR use cases besides dynamic blocking and phishing; however, dynamic blocking and phishing should get you started. Here are several more ideas for SOAR automation:

  • Creating tickets
  • Resetting compromised account credentials
  • Vulnerability management scans
  • Malware analysis and sandboxing
  • Indicator hunting