SOAR: Implementing Security Orchestration, Automation and Response
Security Orchestration, Automation, and Response (SOAR) automates repetitive SOC tasks and reduces the Mean Time to Respond (MTTR) from hours to minutes. This guide explains SOAR architecture and platforms (Splunk SOAR, Microsoft Sentinel, Palo Alto XSOAR, TheHive), how to create playbooks for common incidents (phishing, malware, credential compromise), and how to integrate SOAR with SIEM, EDR, and ticketing systems.
A well-functioning SOC team is inundated with alerts every day—phishing reports, EDR alerts, SIEM correlations. SOAR (Security Orchestration, Automation, and Response) automates the repetitive tasks: analyzing email headers, checking reputation, creating tickets, and notifying users. What used to take 45 minutes now takes 45 seconds with SOAR. The SOC team can focus on real threats.
SOAR Architecture
SOAR System Components:
Orchestration (connection layer):
→ Connects all security tools via APIs
→ Normalization: various formats → unified data model
→ Bidirectional: SOAR can control tools (not just read them)
Integrations: SIEM, EDR, firewall, email gateway, TI feeds, CMDB, ITSM
Automation (Playbooks):
→ Predefined workflows for common incidents
→ Triggers: SIEM alert, incoming email, manual start
→ Actions: Analyze files, block IP, deactivate user, create ticket
Response:
→ Automated Response: automatic actions without an analyst
→ Analyst-in-the-Loop: System makes a recommendation → Analyst approves
→ Case Management: all incident data collected in a single case
Typical SOAR data flow:
Alert (SIEM/EDR) → SOAR trigger
→ Enrichment (TI, WHOIS, GeoIP, CMDB)
→ Triage (severity, asset criticality)
→ Auto-response OR analyst task
→ Ticket (ServiceNow/Jira) + Documentation
→ Closure + Lessons-Learned Feed
SOAR Platforms
Microsoft Sentinel (Azure Playbooks):
Basis: Azure Logic Apps (Low-Code/No-Code Workflows)
Strengths: Native M365 integration, affordable for Azure customers
Price: Pay-per-execution (cost-effective for low to medium usage)
Playbook example (JSON Logic App):
{
  "triggers": {
    "When_a_response_to_an_Azure_Sentinel_alert_is_triggered": {}
  },
  "actions": {
    "Get_account_info": {
      "type": "ApiConnection",
      "inputs": {
        "host": {"connection": {"name": "@parameters('$connections')['azuread']"}},
        "method": "get",
        "path": "/v1.0/users/@{triggerBody()?['Entities']?[0]?['Name']}"
      }
    },
    "Condition_high_severity": {
      "type": "If",
      "expression": {
        "equals": ["@triggerBody()?['Severity']", "High"]
      },
      "actions": {
        "Disable_user": {...},
        "Create_incident": {...},
        "Notify_security_team": {...}
      }
    }
  }
}
Ready-made playbooks (Community):
→ Azure Sentinel GitHub: 400+ ready-made playbooks
→ Phishing: Automatically delete email from inbox
→ MDE: Isolate endpoint on critical alert
→ Entra ID: Disable user on credential compromise
---
Splunk SOAR (formerly Phantom):
Strengths: Market leader, code-first playbooks with Python-based custom apps, most comprehensive integration (500+ connector apps)
Cost: Expensive (Enterprise), but free Community Edition
Python playbook example:
import phantom.rules as phantom


def phishing_triage(action=None, success=None, container=None,
                    results=None, handle=None, **kwargs):
    """Automatic phishing triage playbook"""
    # 1. Retrieve email headers from alert
    data = container.get('data', {})
    sender = data.get('from_address')
    sender_ip = data.get('sender_ip')  # originating IP taken from the Received headers
    subject = data.get('email_subject')
    urls = data.get('urls', [])
    # 2. Check IP reputation
    phantom.act('ip reputation', parameters=[{'ip': sender_ip}],
                assets=['virustotal'],
                callback=check_reputation)
    # 3. Check URL reputation
    for url in urls:
        phantom.act('url reputation', parameters=[{'url': url}],
                    assets=['urlvoid'],
                    callback=check_url_rep)
    # 4. Header analysis
    phantom.act('analyze email headers', parameters=[{...}],
                assets=['mail_listener'],
                callback=header_analysis_callback)
    # check_url_rep and header_analysis_callback are defined elsewhere in the playbook


def check_reputation(action=None, success=None, container=None,
                     results=None, handle=None, **kwargs):
    # The callback receives the same container, so the severity can be updated here
    score = results[0].get('data', {}).get('positives', 0)
    if score > 5:  # VirusTotal: > 5 engines flag IP
        # Critical: Auto-Block + High-Priority Alert
        phantom.act('block ip', parameters=[{'ip': results[0]['ip']}],
                    assets=['fortigate_firewall'])
        phantom.severity(container=container, severity='high')
---
Palo Alto XSOAR (Cortex XSOAR):
Strengths: Most comprehensive out-of-the-box playbooks, powerful visualization
Special feature: War Room – collaborative incident response interface
Integrations: 1000+ pre-built integrations
YAML Playbook Structure:
id: phishing-investigation
name: Phishing Investigation
starttaskid: "0"
tasks:
  "0":
    id: "0"
    taskid: start
    type: start
    nexttasks:
      '#none#': ["1"]
  "1":
    id: "1"
    task:
      id: get-indicators
      name: Extract Indicators from Email
      type: playbook
      playbookId: Extract Indicators - Generic v2
    nexttasks:
      '#none#': ["2"]
  "2":
    id: "2"
    task:
      id: check-reputation
      name: Check Reputation
      script: VirusTotal|||file
      scriptarguments:
        file: ${ExtractedIndicators.File}
    nexttasks:
      malicious: ["3"]
      clean: ["4"]
---
TheHive + Cortex (Open Source Stack):
Cost: Free (Community), Enterprise support optional
Strengths: FOSS, fully customizable, GDPR-compliant (on-premise)
Stack: TheHive (Case Management) + Cortex (Automation) + MISP (TI)
Python Cortex Analyzer:
from cortexutils.analyzer import Analyzer
# 'VirusTotal' is the file-report client assumed here; provide it from the VT client library you use


class VirusTotalAnalyzer(Analyzer):
    def run(self):
        data = self.get_data()  # the observable (file hash) handed over by TheHive
        vt = VirusTotal(api_key=self.get_param('config.key'))
        result = vt.get_file_report(data)
        if result['positives'] > 5:
            self.report({
                'summary': f"{result['positives']}/{result['total']} detected",
                'level': 'malicious',
                'taxonomies': [
                    self.build_taxonomy('malicious', 'VirusTotal',
                                        'Score', str(result['positives']))
                ]
            })
        else:
            self.report({'level': 'safe'})


if __name__ == '__main__':
    VirusTotalAnalyzer().run()
Playbook Design for Common Incidents
Playbook 1: Phishing Response
Trigger: User reports suspicious email
(via "Report Phishing" button in Outlook → O365 API → SOAR)
Step 1 - Automatic Analysis (0-30 seconds):
→ Extract email headers (From, Reply-To, Received)
→ Check SPF/DKIM/DMARC → Fail = +Risk
→ Extract URLs → URLVoid/VirusTotal Reputation
→ Hash attachments → VirusTotal File Hash Check
→ Sender IP → AbuseIPDB + GeoIP
→ Domain age (whois) → New domain < 30 days = +Risk
Step 2 - Triage decision:
Risk Score < 30: Benign → Notify user + Close
Risk Score 30-70: Analyst review required (Ticket + Queue)
Risk Score > 70: Malicious → Automated Response!
Step 3 - Automated Response (for Score > 70):
□ Delete email from ALL mailboxes (O365: Remove-MailboxMessage)
□ Block sender domain (Email Gateway API)
□ Block URLs (proxy/DNS filter via API)
□ Create ticket (ServiceNow/Jira) with all findings
□ Notify analyst (Teams/email)
□ SIEM correlation: other recipients of this email?
□ Update TI feed: IOCs (domain, URL, hash) in MISP
Step 4 - Analyst Actions (for scores 30-70):
□ War Room / Case: all data in a single view
□ One-Click Actions: "Confirm Malicious" → Execute Step 3
□ "Mark as Benign" → Close + Update training data
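The triage decision in Step 2 is the heart of this playbook, so here is a worked scoring function as an added example (not code from the article or from any of the platforms above). The thresholds (< 30 benign, 30-70 analyst review, > 70 automated response) and the 30-day domain-age rule come from the playbook; the per-signal weights, the engine cut-off for reputation hits and the AbuseIPDB confidence cut-off are assumed values, and the three sample emails are constructed inputs.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Thresholds follow the playbook above. The per-signal weights and the two
# cut-offs below are assumed values for illustration; tune them against your
# own alert history before relying on them.
WEIGHTS = {
    "spf_fail": 15,
    "dkim_fail": 10,
    "dmarc_fail": 15,
    "reply_to_mismatch": 10,   # Reply-To points somewhere other than From
    "url_flagged": 25,         # at least one URL flagged by reputation services
    "attachment_flagged": 30,  # at least one attachment hash flagged
    "sender_ip_abusive": 15,   # AbuseIPDB confidence >= ABUSE_CONFIDENCE_MIN
    "young_domain": 20,        # sender domain registered < YOUNG_DOMAIN_DAYS ago
}
FLAG_MIN_ENGINES = 3       # assumed: ignore one- or two-engine reputation hits
ABUSE_CONFIDENCE_MIN = 50  # assumed AbuseIPDB confidence cut-off
YOUNG_DOMAIN_DAYS = 30     # from the playbook: new domain < 30 days = +Risk


@dataclass
class EmailFindings:
    """Results of the automatic analysis step (headers, reputation, WHOIS)."""
    spf_pass: bool
    dkim_pass: bool
    dmarc_pass: bool
    reply_to_mismatch: bool
    url_detections: dict                   # url -> engines flagging it
    attachment_detections: dict            # sha256 -> engines flagging it
    sender_ip_abuse_confidence: int        # AbuseIPDB confidence, 0..100
    sender_domain_created: Optional[date]  # None when WHOIS gave no answer
    observed_on: date


def risk_score(f: EmailFindings):
    """Return (score 0..100, list of the signals that fired)."""
    reasons = []
    if not f.spf_pass:
        reasons.append("spf_fail")
    if not f.dkim_pass:
        reasons.append("dkim_fail")
    if not f.dmarc_pass:
        reasons.append("dmarc_fail")
    if f.reply_to_mismatch:
        reasons.append("reply_to_mismatch")
    if any(n >= FLAG_MIN_ENGINES for n in f.url_detections.values()):
        reasons.append("url_flagged")
    if any(n >= FLAG_MIN_ENGINES for n in f.attachment_detections.values()):
        reasons.append("attachment_flagged")
    if f.sender_ip_abuse_confidence >= ABUSE_CONFIDENCE_MIN:
        reasons.append("sender_ip_abusive")
    # An unknown registration date adds no risk; only a confirmed young domain does.
    if (f.sender_domain_created is not None
            and (f.observed_on - f.sender_domain_created).days < YOUNG_DOMAIN_DAYS):
        reasons.append("young_domain")
    score = min(100, sum(WEIGHTS[r] for r in reasons))  # cap keeps the scale readable
    return score, reasons


def triage(score: int) -> str:
    """Map the score onto the playbook's three outcomes."""
    if score < 30:
        return "benign"             # notify user + close
    if score <= 70:
        return "analyst_review"     # ticket + queue
    return "automated_response"     # delete, block, ticket, notify, update TI


def sample_findings():
    """Constructed test inputs (not real emails)."""
    seen = date(2024, 3, 1)
    return {
        "newsletter": EmailFindings(True, True, True, False,
                                    {"https://news.example.com/march": 0}, {}, 0,
                                    date(2015, 6, 1), seen),
        "odd_reply_to": EmailFindings(True, True, True, True,
                                      {"http://example.net/login": 4}, {}, 20,
                                      date(2019, 1, 10), seen),
        "lure": EmailFindings(False, True, False, False,
                              {"http://example.org/invoice": 9},
                              {"0" * 64: 12}, 90,
                              date(2024, 2, 20), seen),
    }


if __name__ == "__main__":
    for name, f in sample_findings().items():
        score, reasons = risk_score(f)
        print(f"{name:12s} score={score:3d} -> {triage(score):18s} {reasons}")
```

The reasons list is what the analyst sees in the case (Step 4), so every weight change is visible in the evidence rather than hidden in a number; a WHOIS failure deliberately adds nothing, because an outage should not push emails into the automated-response branch.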
---
Playbook 2: Credential Compromise Response
Trigger: SIEM Alert: User login from an unknown country
OR: EDR Alert: mimikatz/credential dumping
Step 1 - Risk Assessment (automatic):
→ User Profile: normal login locations, normal working hours
→ Asset Criticality: regular user vs. admin vs. service account
→ Concurrent Sessions: is the user logged in elsewhere at the same time?
→ Recent Indicators: has this user appeared in other alerts?
Step 2 - Automatic Actions (high risk):
□ Entra ID: Revoke user session (Revoke-AzureADUserAllRefreshToken)
□ MFA: Forced MFA re-enrollment
□ Conditional Access: Temporary block until analyst approves
□ AD: Optional - Temporarily disable account
□ Teams notification: Security team + user’s manager
Step 3 - Analyst Approval:
□ "Confirm + Lock Account" → AD deactivation + reset
□ "Confirm + Normal Processes" → Session revocation alone is sufficient
□ "False Positive" → Add to allowlist for this IP/region
---
Playbook 3: Ransomware Detection
Trigger: EDR Alert: Mass File Encryption
OR: SIEM: Many file changes in a short period of time
Step 1 - Immediate Actions (AUTOMATED, < 60 seconds):
□ Isolate endpoint (EDR API: Network Isolation)
□ Disable user account (AD API)
□ Notify CISO + Management (Email + SMS)
□ Create incident ticket (P1 - highest priority)
□ Activate business continuity plan (document link in ticket)
Step 2 - Forensic Support:
□ Export EDR timeline (last 48 hours of activity)
□ Back up endpoint network flows (last 24 hours)
□ All other endpoints: Search for same indicators
□ Check backup status: Last good backup? (CMDB API)
Step 3 - Containment Assessment:
→ Has ransomware moved laterally? (Network flows)
→ Which file servers did the endpoint access?
→ Isolate other affected endpoints (bulk action)
SOAR Integration and Metrics
Technical Integration:
API Webhooks (SIEM → SOAR):
# Sentinel → Logic App Webhook:
POST https://prod-XX.eastus.logic.azure.com:443/workflows/.../triggers/manual/paths/invoke
{
  "AlertName": "Suspicious PowerShell",
  "Severity": "High",
  "Entities": [{
    "Type": "Account",
    "Name": "john.doe@firma.de"
  }],
  "Description": "Encoded Command detected"
}
SOAR → ITSM (ServiceNow):
# ServiceNow Table API:
POST https://instance.service-now.com/api/now/table/incident
Authorization: Basic base64(user:pass)
{
  "short_description": "Security Incident: Phishing Campaign",
  "priority": "1",
  "category": "security",
  "assignment_group": "Security Operations",
  "work_notes": "Automated triage: Score=85, URLs blocked, Email deleted"
}
Bidirectional SIEM integration:
→ Alert from SIEM → Launch SOAR playbook
→ SOAR actions → Write back to SIEM alert as notes
→ Closure in SOAR → Automatically close SIEM alert
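The two API exchanges above are what the "normalization" layer of the architecture section turns into one data model. As an added example (not code from the article, Sentinel or ServiceNow), the following shows the SOAR side of that hop: validate the incoming Sentinel webhook body, map its entities onto a unified alert, and build the ServiceNow incident payload with the Basic auth header shown above. The severity-to-priority mapping and the Host/Ip entity field names are assumptions; the sample body is constructed from the webhook example above.

```python
import base64
import json
from dataclasses import dataclass, field
from typing import List

# Assumed mapping of Sentinel severity onto ServiceNow priority (1 = highest).
SEVERITY_TO_PRIORITY = {"High": "1", "Medium": "2", "Low": "3", "Informational": "4"}


class InvalidAlert(ValueError):
    """Raised when the webhook body does not look like a Sentinel alert."""


@dataclass
class UnifiedAlert:
    """Normalized alert: one shape regardless of which tool raised it."""
    source: str
    name: str
    severity: str
    description: str
    accounts: List[str] = field(default_factory=list)
    hosts: List[str] = field(default_factory=list)
    ips: List[str] = field(default_factory=list)


def normalize_sentinel_alert(payload: dict) -> UnifiedAlert:
    """Validate the webhook payload, then map Sentinel entities onto the model."""
    for key in ("AlertName", "Severity"):
        if not isinstance(payload.get(key), str) or not payload[key]:
            raise InvalidAlert(f"missing or invalid field: {key}")
    if payload["Severity"] not in SEVERITY_TO_PRIORITY:
        raise InvalidAlert(f"unknown severity: {payload['Severity']}")
    alert = UnifiedAlert("sentinel", payload["AlertName"], payload["Severity"],
                         payload.get("Description", ""))
    for entity in payload.get("Entities", []):
        kind = entity.get("Type")
        if kind == "Account" and entity.get("Name"):
            alert.accounts.append(entity["Name"])
        elif kind == "Host" and entity.get("HostName"):     # assumed field name
            alert.hosts.append(entity["HostName"])
        elif kind == "Ip" and entity.get("Address"):        # assumed field name
            alert.ips.append(entity["Address"])
        # other entity kinds are ignored by this small model
    return alert


def basic_auth_header(user: str, password: str) -> str:
    """Build the 'Authorization: Basic base64(user:pass)' value shown above."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def build_servicenow_incident(alert: UnifiedAlert, work_notes: str) -> dict:
    """Field mapping for POST /api/now/table/incident."""
    affected = ", ".join(alert.accounts + alert.hosts + alert.ips) or "n/a"
    return {
        "short_description": f"Security Incident: {alert.name}",
        "description": f"{alert.description}\nAffected entities: {affected}",
        "priority": SEVERITY_TO_PRIORITY[alert.severity],
        "category": "security",
        "assignment_group": "Security Operations",
        "work_notes": work_notes,
    }


def handle_webhook(raw_body: str, work_notes: str = "Automated triage pending") -> dict:
    """What the SOAR trigger does end to end: parse, validate, normalize, map."""
    try:
        payload = json.loads(raw_body)
    except json.JSONDecodeError as exc:
        raise InvalidAlert(f"body is not JSON: {exc}") from exc
    if not isinstance(payload, dict):
        raise InvalidAlert("body must be a JSON object")
    return build_servicenow_incident(normalize_sentinel_alert(payload), work_notes)


# Constructed sample payload, matching the Sentinel webhook shown above.
SAMPLE_PAYLOAD = {
    "AlertName": "Suspicious PowerShell",
    "Severity": "High",
    "Entities": [{"Type": "Account", "Name": "john.doe@firma.de"},
                 {"Type": "Host", "HostName": "WS-0042"}],
    "Description": "Encoded Command detected",
}
SAMPLE_BODY = json.dumps(SAMPLE_PAYLOAD)

if __name__ == "__main__":
    print(json.dumps(handle_webhook(SAMPLE_BODY), indent=2))
    print(basic_auth_header("soar-bot", "example-password"))
```

Rejecting malformed bodies before any action runs matters because the webhook endpoint is reachable by anything that knows the URL; a playbook that disables users or creates P1 tickets should only fire on payloads that carry the fields it is going to act on.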
---
SOAR success metrics:
Before SOAR implementation:
MTTR (Phishing): 45 minutes (manual)
Alerts per day: 200 (50% of which are false positives)
Analyst time spent on triage: 30% of working hours
After SOAR implementation:
MTTR (phishing): < 2 minutes (automation)
Alert processing rate: +300% (more alerts processed in the same amount of time)
Analyst focus: critical incidents instead of routine triage
KPIs:
Automation rate: % of alerts fully automated
False positive rate: should decrease (SOAR learns from feedback)
MTTR per incident type: separate measurement per playbook
Playbook coverage: % of alert types with a playbook
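To make the KPIs above measurable rather than aspirational, here is an added example (not from the article) that computes them from a case export: MTTR per playbook, automation rate, false-positive rate and playbook coverage. The case records are constructed sample data, and the field names (`playbook`, `automated`, `false_positive`, `opened`, `closed`) are assumed; map them to whatever your SOAR's case export actually calls them.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed case export (not real SOC data). 'playbook' is None when the
# alert type has no playbook yet and the case was handled entirely by hand.
CASES = [
    {"id": 1, "alert_type": "phishing", "playbook": "phishing_response",
     "opened": "2024-03-01T09:00:00", "closed": "2024-03-01T09:01:30",
     "automated": True, "false_positive": False},
    {"id": 2, "alert_type": "phishing", "playbook": "phishing_response",
     "opened": "2024-03-01T10:00:00", "closed": "2024-03-01T10:02:00",
     "automated": True, "false_positive": False},
    {"id": 3, "alert_type": "phishing", "playbook": "phishing_response",
     "opened": "2024-03-01T11:00:00", "closed": "2024-03-01T11:40:00",
     "automated": False, "false_positive": True},
    {"id": 4, "alert_type": "credential_compromise",
     "playbook": "credential_compromise_response",
     "opened": "2024-03-01T12:00:00", "closed": "2024-03-01T12:15:00",
     "automated": False, "false_positive": False},
    {"id": 5, "alert_type": "ransomware", "playbook": "ransomware_detection",
     "opened": "2024-03-01T13:00:00", "closed": "2024-03-01T13:01:00",
     "automated": True, "false_positive": False},
    {"id": 6, "alert_type": "suspicious_powershell", "playbook": None,
     "opened": "2024-03-01T14:00:00", "closed": "2024-03-01T14:30:00",
     "automated": False, "false_positive": True},
]


def time_to_respond_minutes(case) -> float:
    """Minutes between the case being opened and closed."""
    opened = datetime.fromisoformat(case["opened"])
    closed = datetime.fromisoformat(case["closed"])
    return (closed - opened).total_seconds() / 60


def mttr_per_playbook(cases) -> dict:
    """Mean time to respond, in minutes, measured separately per playbook."""
    buckets = defaultdict(list)
    for c in cases:
        if c["playbook"]:  # cases without a playbook have no MTTR to attribute
            buckets[c["playbook"]].append(time_to_respond_minutes(c))
    return {pb: round(mean(v), 2) for pb, v in buckets.items()}


def automation_rate(cases) -> float:
    """Share of cases closed without an analyst touching them."""
    if not cases:
        return 0.0
    return round(sum(c["automated"] for c in cases) / len(cases), 3)


def false_positive_rate(cases) -> float:
    """Share of cases an analyst (or the playbook) marked benign after all."""
    if not cases:
        return 0.0
    return round(sum(c["false_positive"] for c in cases) / len(cases), 3)


def playbook_coverage(cases) -> float:
    """Share of distinct alert types seen that have a playbook at all."""
    seen = {c["alert_type"] for c in cases}
    covered = {c["alert_type"] for c in cases if c["playbook"]}
    return round(len(covered) / len(seen), 3) if seen else 0.0


def kpi_report(cases) -> dict:
    return {
        "mttr_minutes_per_playbook": mttr_per_playbook(cases),
        "automation_rate": automation_rate(cases),
        "false_positive_rate": false_positive_rate(cases),
        "playbook_coverage": playbook_coverage(cases),
    }


if __name__ == "__main__":
    for key, value in kpi_report(CASES).items():
        print(f"{key}: {value}")
```

Measuring MTTR per playbook rather than as one global number is what exposes the effect of a single slow manual case (case 3 above pulls the phishing mean from about 2 minutes to 14.5), which is exactly the kind of outlier the Phase 3 feedback loop should investigate.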
---
SOAR Implementation - Project Plan:
Phase 1 - Foundation (Months 1-2):
□ Select SOAR platform (Sentinel/XSOAR/Splunk SOAR)
□ Connect key integrations (SIEM, EDR, AD)
□ Implement phishing playbook (most common alert type)
□ Create runbook documentation for all playbooks
Phase 2 - Expansion (Months 3-4):
□ Cover the 5 most common alert types with playbooks
□ ITSM integration (ticket automation)
□ SOC team training (how to expand playbooks?)
□ Build metrics dashboard
Phase 3 - Optimization (Month 5+):
□ Feedback loop: Analyst feedback → Playbook improvement
□ ML integration: Anomaly scoring improves triage
□ New use cases: Cloud alerts, identity events
□ Quarterly SOAR playbook review (remove outdated logic)
About the Author
Managing partner of AWARE7 GmbH with many years of expertise in information security, penetration testing and IT risk management. Graduate of the Master's program in Internet Security at Westfälische Hochschule (if(is), Prof. Norbert Pohlmann). Bestselling author with Wiley-VCH and lecturer at the ASW-Akademie. His assessments of cybersecurity and digital sovereignty have appeared in Welt am Sonntag, WDR, Deutschlandfunk and Handelsblatt, among others.
10 Publications
- Einsatz von elektronischer Verschlüsselung - Hemmnisse für die Wirtschaft (2018)
- Kompass IT-Verschlüsselung - Orientierungshilfen für KMU (2018)
- IT Security Day 2025 - Live Hacking: KI in der Cybersicherheit (2025)
- Live Hacking - Credential Stuffing: Finanzrisiken jenseits Ransomware (2025)
- Keynote: Live Hacking Show - Ein Blick in die Welt der Cyberkriminalität (2025)
- Analyse von Angriffsflächen bei Shared-Hosting-Anbietern (2024)
- Gänsehaut garantiert: Die schaurigsten Funde aus dem Leben eines Pentesters (2022)
- IT Security Zertifizierungen — CISSP, T.I.S.P. & Co (Live-Webinar) (2023)
- Sicherheitsforum Online-Banking — Live Hacking (2021)
- Nipster im Netz und das Ende der Kreidezeit (2017)