SOAR & Friends (Security Orchestration and Automation)
Hey, Boys & Girls, I’m back again with another one.

This time I’d like to talk about the SOC, SOC maturity and where SOAR (like our friends at Demisto) comes into place, or rather, when it should come into place.
This post is divided into two parts: this first post, and the 2nd post, which will focus on how to design a SOAR project.

Don’t get me wrong, I really like Security Orchestration and highly believe it can automate tedious work and make it more efficient (and can help you get rid of the T1 analysts), but I also think everything should be done in due time. As the wise Anton Chuvakin said before me: maturity cannot be bought (last time I checked, at least).
So, let’s cover some basics.
For a SOC to be called a SOC, there are a few ground rules that should be met.
First and foremost:
- Use cases and SLAs are defined.
- An incident response process exists for every use case.
- Investigation is part of the IR, and the SOC knows how to do it.
- The personnel are well trained to handle the triggered cases.
- Tiers are known, and a SOC manager is in place.
- Roles and responsibilities are well known (teams, who does what).
Other Ground Rules (Not really)
- A big-screen TV with pew-pew dashboards.
Now, assuming you are a new SOC (less than 1–1.5 years old; although SOC maturity is not really measured in time, I am making an assumption), you are probably running around in toddler mode (building stuff from the ground up, getting to know the systems, getting to interact with other teams and building your way up).
So, a word of advice: if you’re in toddler mode, don’t get ahead of the curve. Don’t start a SOAR project, as you will probably fu*k things up and show no ROI.
The SOC-CMM model defines well what I call toddler mode as levels 0–1 (maybe even 2 in some cases).

Well, now that we are done with the intro, where can SOAR help?
I’m glad you asked, young Padawan. There are more than a few ways SOAR can reduce SOC fatigue and let the analysts do deep investigations instead of day-to-day tasks.
Reduce MTTR
Yeah, I know that’s the usual buzz (reduce mean time to respond), but if you automate, you get it by default.
So, no need to say much here other than that the SOC will be free for other tasks! YAY!
Automate Tedious sh*t
Since you are a mature SOC, you have defined your IR. Your IR has a lot of tedious tasks (which you might or might not have scripted); a well-written playbook with good pre-classification can reduce the number of tasks your SOC does manually to almost zero.
Again, these playbooks should be well defined before you even start writing them.
Double Assure (or Head shot)
One of the things I love doing is double assuring. In my first post (LINK) I said false positives (unfortunately) still exist, so the idea in double assuring is to confirm one thing we have with another thing we have.
Let’s say we have an alert regarding phishing email attempts (I don’t care if it was blocked or not, for now); a good SOAR can double assure for you:
- Check whether the link exists in several intelligence lists (+priority).
- Check whether the link was clicked, if we have proxy logs (+priority).
- No proxy logs? No problem: a good SOAR will be able (via playbook) to check on the suspected local host whether the URL exists in the browsing history or not (well, it’s more complicated than that, but you get the idea).
- Broader search: see who else got the email in our log repository (SIEM or similar).
- The link was not clicked? Cool, close the case and make sure the link is blocked on the other systems.
- The link was clicked? Remediate, let the user know and see what happened afterwards.
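To make the steps above concrete, here is a toy "double assure" playbook written for this post as an added illustration; it is not the post's own code and not Demisto's. Every data source it touches (intelligence lists, proxy logs, per-host browsing history, the mail log) is a constructed in-memory stand-in for the integration a real SOAR would query, and the URLs and usernames are made up. The point is the decision flow: intel hits and a confirmed click each raise priority, the host's browser history is only consulted when proxy logs are unavailable, the broader search lists other recipients, and the final disposition is either "close and block" or "remediate".

```python
"""Toy 'double assure' phishing playbook following the steps in the post.
Added illustration, not the post's or Demisto's own code: every data source
(intel lists, proxy logs, browser history, mail log) is a constructed
in-memory stand-in for the integration a real SOAR would query."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class PhishAlert:
    url: str        # link from the reported or blocked email
    recipient: str  # mailbox that received it
    host: str       # recipient's workstation, used only when no proxy logs exist


@dataclass
class Verdict:
    priority: int = 0
    clicked: bool = False
    evidence: List[str] = field(default_factory=list)
    other_recipients: List[str] = field(default_factory=list)
    disposition: str = "close_and_block"


def double_assure(alert: PhishAlert,
                  intel_lists: Dict[str, Set[str]],
                  proxy_logs: Optional[List[Dict[str, str]]],
                  browser_history: Dict[str, Set[str]],
                  mail_log: Dict[str, Set[str]]) -> Verdict:
    v = Verdict()
    # Step 1: is the link in any intelligence list? One priority point per list that has it.
    hits = [name for name, urls in intel_lists.items() if alert.url in urls]
    if hits:
        v.priority += len(hits)
        v.evidence.append("intel hits: " + ", ".join(sorted(hits)))
    # Step 2: proxy logs tell us whether the recipient actually fetched the URL.
    if proxy_logs is not None:
        v.clicked = any(e["user"] == alert.recipient and e["url"] == alert.url
                        for e in proxy_logs)
        source = "proxy logs"
    else:
        # Step 3: no proxy logs, so fall back to the host's browsing history
        # (a real playbook would pull this through an EDR or forensic agent).
        v.clicked = alert.url in browser_history.get(alert.host, set())
        source = "browser history on " + alert.host
    if v.clicked:
        v.priority += 1
        v.evidence.append("click confirmed via " + source)
    else:
        v.evidence.append("no click found in " + source)
    # Step 4: broader search, who else received the same link?
    v.other_recipients = sorted(r for r, urls in mail_log.items()
                                if alert.url in urls and r != alert.recipient)
    # Steps 5/6: not clicked -> close and block elsewhere; clicked -> remediate.
    v.disposition = "remediate" if v.clicked else "close_and_block"
    return v


# Constructed sample environment (made-up indicators and users, not real data).
INTEL = {"vendor_feed": {"http://login-example.invalid/verify"},
         "internal_blocklist": {"http://login-example.invalid/verify"}}
PROXY = [{"user": "alice", "url": "http://login-example.invalid/verify"},
         {"user": "bob", "url": "http://intranet.example/home"}]
HISTORY = {"ws-bob": {"http://intranet.example/home"},
           "ws-carol": {"http://login-example.invalid/verify"}}
MAIL = {"alice": {"http://login-example.invalid/verify"},
        "bob": {"http://login-example.invalid/verify"},
        "carol": {"http://login-example.invalid/verify"},
        "dave": {"http://other.example/newsletter"}}


def run_cases():
    """Three alerts: a click seen in proxy logs, no click in proxy logs,
    and a click found only in host history because proxy logs are missing."""
    url = "http://login-example.invalid/verify"
    a = double_assure(PhishAlert(url, "alice", "ws-alice"), INTEL, PROXY, HISTORY, MAIL)
    b = double_assure(PhishAlert(url, "bob", "ws-bob"), INTEL, PROXY, HISTORY, MAIL)
    c = double_assure(PhishAlert(url, "carol", "ws-carol"), INTEL, None, HISTORY, MAIL)
    return a, b, c


if __name__ == "__main__":
    for verdict in run_cases():
        print(verdict)
```

Note the asymmetry that matters in practice: "no click found" closes the case only because the link also gets blocked on the other systems; the broader search is what turns one user's report into the list of mailboxes to sweep.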
Kill Duplicates & Merge Bigger Things
Yes, I know this stage can be done at the SIEM level. However, it’s much simpler to do in a case management solution.
A good SOAR can merge cases and help you see the bigger picture (or dedup, if that’s your thing).
Hive mind for All
SOAR can tell you whether a similar case was handled before, by whom, and how the matter was resolved.
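The merge/dedup idea and the hive-mind lookup from the two sections above share one ingredient, a stable fingerprint for "the same thing", so here is a single added example covering both. It is written for this post and is not the post's own code or any SOAR vendor's implementation; the alert stream, the one-hour merge window and the closed-case history are all constructed inline, and the fingerprint of rule plus key indicator is my own simplification of what a real case management tool would key on.

```python
"""Toy case merge and 'hive mind' lookup for the two sections above.
Added illustration, not the post's or any SOAR vendor's code; the alert
stream, merge window and closed-case history are constructed inline."""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

Fingerprint = Tuple[str, str]


def fingerprint(alert: Dict) -> Fingerprint:
    """Two alerts are 'the same thing' when rule and key indicator match.
    Keying on rule + indicator rather than host lets one case absorb the same
    phish URL hitting many hosts, which is the bigger picture the post means."""
    return (alert["rule"], alert["indicator"])


def merge_alerts(alerts: List[Dict], window: timedelta = timedelta(hours=1)) -> List[Dict]:
    """Fold alerts into cases: an alert whose fingerprint matches an open case
    and arrives within `window` of that case's last alert joins it; otherwise
    a new case is opened (so a repeat three hours later is a fresh case)."""
    cases: List[Dict] = []
    open_by_fp: Dict[Fingerprint, Dict] = {}
    for a in sorted(alerts, key=lambda x: x["ts"]):
        fp = fingerprint(a)
        case = open_by_fp.get(fp)
        if case is not None and a["ts"] - case["last_seen"] <= window:
            case["alert_ids"].append(a["id"])
            case["hosts"].add(a["host"])
            case["last_seen"] = a["ts"]
        else:
            case = {"fingerprint": fp, "alert_ids": [a["id"]], "hosts": {a["host"]},
                    "first_seen": a["ts"], "last_seen": a["ts"]}
            cases.append(case)
            open_by_fp[fp] = case
    return cases


def similar_past_cases(case: Dict, history: List[Dict]) -> List[Dict]:
    """Hive mind: closed cases with the same fingerprint, so the analyst sees
    who handled them and how they were resolved before starting from scratch."""
    return [h for h in history if h["fingerprint"] == case["fingerprint"]]


# Constructed sample alert stream and closed-case history (made-up values).
T0 = datetime(2024, 1, 1, 9, 0)
ALERTS = [
    {"id": 1, "ts": T0, "rule": "phish_url", "indicator": "login-example.invalid", "host": "ws-01"},
    {"id": 2, "ts": T0 + timedelta(minutes=5), "rule": "phish_url", "indicator": "login-example.invalid", "host": "ws-02"},
    {"id": 3, "ts": T0 + timedelta(minutes=50), "rule": "phish_url", "indicator": "login-example.invalid", "host": "ws-01"},
    {"id": 4, "ts": T0 + timedelta(minutes=10), "rule": "port_scan", "indicator": "10.0.0.9", "host": "srv-01"},
    {"id": 5, "ts": T0 + timedelta(hours=3), "rule": "phish_url", "indicator": "login-example.invalid", "host": "ws-07"},
]
CASE_HISTORY = [
    {"case_id": "C-0042", "fingerprint": ("port_scan", "10.0.0.9"),
     "resolved_by": "analyst_a", "resolution": "false positive: authorised vulnerability scanner"},
]


def triage() -> List[Dict]:
    """Merge the stream into cases and attach what the hive mind knows about each."""
    cases = merge_alerts(ALERTS)
    for c in cases:
        c["seen_before"] = similar_past_cases(c, CASE_HISTORY)
    return cases


if __name__ == "__main__":
    for c in triage():
        print(c["fingerprint"], c["alert_ids"], sorted(c["hosts"]),
              [h["resolution"] for h in c["seen_before"]])
```

Running it gives three cases out of five alerts: the first three phishing alerts collapse into one case spanning two hosts, the port scan stands alone but comes with a prior resolution attached, and the phishing alert three hours later opens a new case because it falls outside the merge window. The window is the knob to argue about with your SIEM team; too wide and unrelated waves get glued together, too narrow and you are back to one ticket per host.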
To make a long story short
SOAR is the next evolution of a well-defined SOC; it can help you mitigate, remediate and respond faster.
Remember, you will need a mix and match of good people and good technologies in order to achieve a well-working SOC.
Just don’t get drawn into the hype; start a SOAR project after your SOC is well defined and ready to accept “the force”.
