What is SOAR

Security Orchestration, Automation, and Response (SOAR) platforms allow organizations to analyze threat intelligence efficiently, automate response workflows and triage incidents using human and machine power.
Orchestration chains together individual security tools, tasks and processes to work together towards the same tune.

SOAR Capabilities

Three software functions are combined in SOAR: automating security operations, responding to security incidents, and managing threats and vulnerabilities. Thus, SOAR security offers a comprehensive threat management solution from top to bottom. Following the identification of threats, a response plan is put into action. Next, the system is automated as much as possible to improve its efficiency. One useful solution for reducing the burden on IT personnel is an efficient SOAR system.


Both SOAR and SIEM identify security flaws and gather information about the nature of the issue. They also handle notifications that can be used by security staff to address issues. They do, however, differ greatly from one another.

Similar to SIEM, which solely notifies security analysts, SOAR gathers data and notifies security personnel via a centralized platform. However, by automating the responses, SOAR security goes one step farther. It learns pattern behaviors through artificial intelligence (AI), allowing it to anticipate similar dangers before they materialize. IT security personnel can identify and handle attacks more easily as a result.

SOAR Use Cases

Handling security alerts: phishing attacks for example can be effectively handled by SOAR. SOAR solutions can automatically analyze attachments and URLs in the background while other investigations are ongoing. Additionally, remediation can be performed when a positive phishing email is identified.

Managing security operations

Hunting for threats and responding to incidents

Automating data enrichment

Definition of SOC

SOC center is the first line of defense and should be based on the below strategies

  • Single management and reporting structure
  • Complete awareness of both the business objectives and the IT environment
  • Enough budget to invest in people and technology.
  • Training and supporting SOC analysts
  • Establishing area of operation which could be any Information security standard along with the corporate policy.
  • Creating the SOC charter and mission

What does the SOC do?

  • Security monitoring of the environment and responding to the alarms and threats.
  • Performing incident response and patch management.
  • Vulnerability analysis and management.
  • Forensics whether performed in-house or with a third-party.
  • Reporting
  • Malware analysis
  • Intrusion detection and prevention.
  • Threat Hunting
  • Cyber Threat Intelligence
  • Internal Training

Blue Team Study Notes

Cyber Security Study Notes

Overview of SOC Generations

  • First-Generation: Initial SOC functions were handled by the IT operations teams; thus, tasks were more blended. The main functions included device monitoring, managing antivirus security and log collection, which was limited and often referred to in the event an incident was reported.
  • Second-Generation: SIEM tools emerged here and were meant to add to the previous SOC functions. The added operational aspects included events correlation, network and Syslog log collection and case management. This meant that security threat management was the main focus and aimed at correlating events to establish links and provide analysts with visuals that would assist them in investigating incidents.
  • Third-Generation: Expanded the use of SIEMs by adding vulnerability management and incident response capabilities.
  • Fourth-Generation: Advance security capabilities are introduced here, including big data security and data enrichment. With this generation, SOCs can analyse large amounts of data to uncover threats in real-time. As an example, threat intelligence feeds have become valuable to SOC teams, expanding the horizons of security investigations.

Task Scenario | TryHackMe SOAR

You are a SOC Lead who has recently faced a large breach investigation that took ages to complete due to a lack of automation. Your friend, McSkidy, recently advised you to adopt a SOAR and set up automation workflows to help your security investigations. McSkidy sent you a checklist for a Threat Intelligence integration workflow, and your task is to figure out how it works. Click the View site button at the top of the task to launch the site in split view. To automate the process, use the different screens to activate the elements required for the SOAR workflow. Run and test the workflow until you obtain a smooth transition on the flowchart to complete the task.

Room Answers | TryHackMe SOAR

Under which SOC generation did SIEM tools emerge?


How would you describe the experience of having an overload of security events being triggered within a SOC?

Alert fatigue

AThe act of connecting and integrating security tools and systems into seamless workflows is known as?

security orchestration

What do we call a predefined list of actions to handle an incident?

Are manual analyses vital within a SOAR workflow? yay or nay?


What is the flag received?


Video Walkthrough | TryHackMe SOC Level 2 Playlist

About the Author

I create cybersecurity notes, digital marketing notes and online courses. I also provide digital marketing consulting including but not limited to SEO, Google & Meta ads and CRM administration.

View Articles