Vol. 1 · Ed. 2026
CyberGlossary
Entry № 1182

SOAR

Reviewed by Cybersecurity entrepreneur & security researcher

What is SOAR?

SOAR: A platform that automates and orchestrates SOC workflows by chaining detections, enrichments and response actions into playbooks executed across security tools.

Security Orchestration, Automation and Response (SOAR) sits alongside the SIEM and EDR/XDR to operationalize incident response. Through connectors and APIs it queries threat intelligence, IAM, endpoint, network and ticketing systems, and runs codified playbooks that triage alerts, enrich indicators, contain hosts, disable accounts and document the case. SOAR reduces analyst toil, enforces a consistent process and lowers mean time to respond (MTTR) by automating the repeatable steps while keeping a human in the loop for high-risk actions such as password resets or host isolation. Because the platform holds API credentials for every system it drives, it is itself a high-value target: its service accounts should carry only the permissions each playbook needs, and destructive actions should be gated behind analyst approval. Common platforms include Splunk SOAR, Palo Alto Cortex XSOAR, Microsoft Sentinel automation rules and Tines.

Examples

  1. A phishing-triage playbook that detonates URLs in a sandbox, queries VirusTotal and quarantines the email.

  2. An XSOAR playbook that isolates a host in EDR and resets the user's password when ransomware behaviour is detected.
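The two playbooks above, reduced to a runnable skeleton. This is an added example written for this entry, not code from Splunk SOAR, XSOAR or any other vendor: the threat-intel verdicts, the alert fields and the EDR, IAM and mail-gateway connectors are constructed in-memory stand-ins for real API calls, and the sandbox-detonation step is left out. It shows the parts of the definition that matter in practice: an enrichment step whose verdict decides whether a response runs, and a high-risk step (the password reset) that stays pending until a human approver signs off.

```python
"""Minimal SOAR-style playbook runner: enrich -> decide -> respond, with a
human-approval gate for high-risk actions. Constructed example; the
connectors below are in-memory stand-ins for tool APIs, not a vendor SDK."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed threat-intel verdicts keyed by indicator (hypothetical URLs).
THREAT_INTEL = {
    "http://login-example.invalid/reset": "malicious",
    "http://intranet.example.invalid/wiki": "benign",
}
# In-memory state mutated by the response connectors, so a test can inspect it.
EDR_ISOLATED_HOSTS: set = set()
IAM_RESET_USERS: set = set()
QUARANTINED_MESSAGES: set = set()
TICKETS: List[Dict] = []


def ti_lookup(url: str) -> str:
    """Enrichment connector: 'malicious', 'benign' or 'unknown' for a URL."""
    return THREAT_INTEL.get(url, "unknown")


@dataclass
class Alert:
    alert_id: str
    kind: str                       # "phishing" or "ransomware"
    indicators: Dict[str, str]      # url / message_id / host / user
    enrichment: Dict[str, str] = field(default_factory=dict)


@dataclass
class Step:
    name: str
    action: Callable[[Alert], Optional[str]]   # returns a case note, or None if skipped
    high_risk: bool = False         # high-risk steps need an approver


def enrich_url(alert: Alert) -> Optional[str]:
    url = alert.indicators.get("url")
    if not url:
        return None
    alert.enrichment["url_verdict"] = ti_lookup(url)
    return f"ti verdict for {url}: {alert.enrichment['url_verdict']}"


def quarantine_email(alert: Alert) -> Optional[str]:
    # Only act on a confirmed-malicious URL; benign/unknown stays with the analyst.
    if alert.enrichment.get("url_verdict") != "malicious":
        return None
    QUARANTINED_MESSAGES.add(alert.indicators["message_id"])
    return f"quarantined message {alert.indicators['message_id']}"


def isolate_host(alert: Alert) -> Optional[str]:
    EDR_ISOLATED_HOSTS.add(alert.indicators["host"])
    return f"isolated host {alert.indicators['host']}"


def reset_password(alert: Alert) -> Optional[str]:
    IAM_RESET_USERS.add(alert.indicators["user"])
    return f"reset password for {alert.indicators['user']}"


PLAYBOOKS: Dict[str, List[Step]] = {
    "phishing": [Step("enrich_url", enrich_url),
                 Step("quarantine_email", quarantine_email)],
    "ransomware": [Step("isolate_host", isolate_host),
                   Step("reset_password", reset_password, high_risk=True)],
}


def run_playbook(alert: Alert,
                 approver: Optional[Callable[[Step, Alert], bool]] = None) -> Dict:
    """Run the playbook for alert.kind. A high-risk step executes only if the
    approver callback (the human in the loop) returns True; otherwise it is
    recorded as pending. Every outcome is written to the case ticket."""
    case = {"alert_id": alert.alert_id, "actions": [], "pending_approval": []}
    for step in PLAYBOOKS[alert.kind]:
        if step.high_risk and not (approver and approver(step, alert)):
            case["pending_approval"].append(step.name)
            continue
        note = step.action(alert)
        if note is not None:
            case["actions"].append(note)
    TICKETS.append(case)
    return case


def demo() -> Dict[str, Dict]:
    """Push one constructed alert through each playbook and return the cases."""
    phish = Alert("A-1", "phishing", {"url": "http://login-example.invalid/reset",
                                      "message_id": "msg-42"})
    ransom = Alert("A-2", "ransomware", {"host": "ws-17", "user": "jdoe"})
    return {"phishing": run_playbook(phish),
            "ransomware_unapproved": run_playbook(ransom),
            "ransomware_approved": run_playbook(ransom, approver=lambda s, a: True)}


if __name__ == "__main__":
    for name, case in demo().items():
        print(name, case)
```

Two design points carry over to a real deployment: the quarantine step reads the enrichment verdict rather than the raw alert, so a benign or unknown URL never triggers containment; and the approval gate is a property of the step, not of the caller, so no playbook can reset a password without an approver being wired in.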

Frequently asked questions

What is SOAR?

A platform that automates and orchestrates SOC workflows by chaining detections, enrichments and response actions into playbooks executed across security tools. It belongs to the Defense & Operations category of cybersecurity.

What does SOAR mean?

A platform that automates and orchestrates SOC workflows by chaining detections, enrichments and response actions into playbooks executed across security tools.

Does SOAR need defending?

SOAR is a defensive technology, not a threat, so the question is how to secure the platform itself. It holds credentials for the EDR, IAM, email and ticketing systems it automates, so those service accounts should be scoped to the least privilege each playbook requires, playbook changes should be reviewed like code, and high-risk actions should remain behind human approval, as described in the definition above.

What are other names for SOAR?

Common alternative names include: Security Orchestration, Automation and Response.
