Security Orchestration, Automation and Response - SOAR

Before talking about SOAR directly, it is necessary to understand the context in which this type of tool is inserted.

Security Operations Center (SOC)

The SOC (Security Operations Center) is a team dedicated to defending the company, monitoring and responding to security threats in real time.

SOC = Blue Team in practice.

The Blue Team is who defends; the SOC is the structure (team + processes + tools) where this defense happens. It is the Blue Team's headquarters.

Term	What is it?
Blue Team	The team that defends and protects (can exist outside or inside a SOC)
SOC	The place (physical or logical) where the Blue Team operates, with processes, playbooks and tools

SOC Team Responsibilities:

• Continuous monitoring (24x7): Tracking firewall, SIEM, EDR, cloud, network logs.
• Incident detection: Malware, ransomware, brute-force, phishing attempt alerts.
• Alert investigation and analysis: Determine if it is a false positive or real threat.
• Incident response: Isolate machine, block IP, reset password, etc.
• Report creation: For compliance, audit, risk management.
• Continuous improvement of security processes: Adjustment of rules in SIEM, detection tuning, SOAR automations.

---

SOAR is a category of tool used in a SOC to:

• Orchestrate: Integrate various data sources and security tools (SIEM, EDR, Firewalls, Threat Intelligence, etc).
• Automate: Execute automatic responses based on rules or intelligence (e.g., isolate machine, block IP, open incident ticket).
• Respond: Allow security incidents to be handled with minimal human intervention, faster, more accurate and with traceable history.

---

Main SOAR Functions

Function	What does it do?	Real example
Alert Ingestion	Receives alerts from SIEM, EDR, IDS, etc.	CrowdStrike alert arrives in SOAR.
Playbook Automation	Runs automatic flows to handle incidents.	If it's malware → isolates endpoint, creates incident in Jira.
Intelligence Query (Threat Intel)	Performs lookup in sources like VirusTotal, MISP, AlienVault.	Checks if IP is malicious.
Incident Response (IR)	Executes automatic defensive actions.	Blocks IP on firewall via API.
Audit / Compliance	Generates complete incident response logs.	Report of how incident X was handled.

Let's detail with some examples of what is expected from a SOAR:

1. Automatic Alert Enrichment: When an alert arrives from SIEM (like Splunk or QRadar), SOAR:

   • Queries IPs/domains in services like VirusTotal, AbuseIPDB, IBM X-Force.
   • Gets user details in AD or AzureAD.
   • Performs whois of suspicious domain.
   • Real example: "Suspicious login alert?"
     • SOAR already searches if the IP is known for botnets or brute-force attacks.

2. Automatic Blocking of Malicious Activities

   • Isolates the machine on the network via EDR (Crowdstrike, SentinelOne).
   • Blocks IP or domain on firewall (Palo Alto, Fortigate).
   • Removes user from critical AD groups automatically.
   • Real example: "Detected ransomware on endpoint?"
     • SOAR triggers EDR to cut off the machine's network by itself.

3. Automatic Notification to Team: Sends nice alert on Slack, Teams or email to SOC (Security Operations Center) analyst.

   • Creates incident ticket in Jira, ServiceNow or PagerDuty.
   • Real example: "Critical malware alert on production server?"
     • Infrastructure team receives a Teams notification in seconds.

4. Investigation Playbook Generation: SOAR assembles an automatic action checklist:

   • Check suspicious processes.
   • Validate if the machine is updated.
   • Check strange network connections.
   • Real example: "New executable running on server"
     • SOAR lists the hashes and compares with malware databases.

5. Complete Response without Human Intervention: If the event is low criticality or false positive, it closes the incident by itself.

   • "User trying to open a blocked link repeatedly?" → SOAR resolves and closes the case automatically.

SOAR vs SIEM

SIEM = Security Information and Event Management. It is a platform that collects, centralizes and analyzes logs from everything in the environment: firewall, AD, servers, cloud, endpoints... everything.

Function	SIEM	SOAR
What does it do?	Detects threats and generates alerts	Responds automatically to threats
Key function	Event correlation + alert generation	Incident response automation
Example	"Detected suspicious login from Iran"	"Blocked Iran IP automatically"
Helps who?	SOC analysts see the problem	SOC respond quickly and without manual effort
Without what?	Does not respond by itself, only alerts	Does not detect by itself, depends on alerts (e.g., from SIEM)
Tools	Splunk, QRadar, Elastic SIEM, Sentinel	Palo Alto XSOAR, Splunk Phantom, Tines, Shuffle

SIEM detects (Eye 👁️), SOAR responds (Hand ✋), simple as that. They don't compete, they complement each other.

[Firewall / EDR / Cloud Logs] → SIEM → SOAR → Automatic actions (blocking, isolate machine, alert team).

Top SOAR Platforms on the Market

The first 3 are preferred by banks, telecom companies and government.

Tool	Manufacturer	Observation
Palo Alto Cortex XSOAR	Palo Alto Networks	The most complete and famous. Used by giant SOCs. Lots of ready features.
Splunk SOAR (ex-Phantom)	Splunk	Strong integration with Splunk SIEM. High customization. Complex, but powerful.
IBM Security QRadar SOAR	IBM	Integrated with QRadar SIEM. Strong in companies already using IBM stack.
Swimlane	Swimlane	Flexible platform, allows use beyond security. Popular in the USA.
Tines	Tines Security	Simple, 100% low-code. Gaining space quickly for being simple SaaS for smaller/medium teams.
DFLabs IncMan SOAR	DFLabs	Strong in Europe. Focus on critical incident response.
Siemplify (by Google Cloud)	Google Cloud	Gained strength after acquisition. Integration with Google Chronicle. (Note: in transition to Google SecOps Suite)
FortiSOAR	Fortinet	Focused on companies already using Fortinet (Firewall, EDR, etc). Strong native integration.
ServiceNow Security Operations (SecOps)	ServiceNow	Ideal for companies already using ServiceNow. IR process well integrated.

Tines has gained a lot of space in the DevSecOps world:

• It's real low-code (not that misleading marketing).
• Simple interface (really drag-and-drop, without hidden workarounds).
• Fully SaaS, no infrastructure pain.
• Affordable price for medium companies (well below Cortex/Splunk), but still expensive.
• Stack agnostic — does not force specific SIEM/EDR.
• Easy contract growth (scalable license model).

We could mention some Open Source projects (Shuffle, TheHive, StackStorm), but NO Open Source project delivers the experience of a paid platform:

• Without a truly modern UX.
• Without ready and validated playbooks by real SOCs.
• Without easy native integrations with SIEM/EDR.
• Fragile or non-existent auditability and compliance.
• Requires coding, customization and constant manual maintenance.

n8n as SOAR?

When an open source tool is needed, there are cases of teams using n8n, but does this really make sense?

n8n looks very similar to Tines in visual orchestration proposal (low-code), even with more flow freedom, but it does not bring out of the box the facilities that define a real SOAR.

1. The truth about n8n use in security:

   • It is not a native SOAR — it is a generic orchestrator (DevOps, BizOps, ETL).
   • No natural focus on SIEM, EDR, IR or Threat Intelligence.
   • No playbooks or ready response frameworks for SOC.

2. Why does the market still use it?

   • Zero cost in Community version.
   • Flexible: any REST API can be plugged.
   • You can do integrations with SIEM (e.g., Wazuh, Splunk) or EDR (CrowdStrike, SentinelOne) manually — the same effort needed in any open source project, but with the advantage of a decent workflow UX/UI.
   • Works well for:
     • Simple enrichment (e.g., VirusTotal, AbuseIPDB).
     • Notifications (Slack, Teams).
     • Ticket opening (Jira, ServiceNow).
     • Automatic reports.

3. The real limitations (that cannot be ignored):

   • No native focus on automated Incident Response.
   • No native audit/compliance support — needs to be built manually.
   • SIEM/EDR integration 100% manual (via raw APIs).
   • No direct support for Threat Intel feeds, IOC parsing or complete incident handling.
   • Not recommended for mature SOCs that need ready and certified IR playbooks.

We can use n8n to build an artisanal "SOAR-like", taking advantage of its workflow interface similar to Tines, but it requires heavy manual effort: integrations, incident handling, enrichments, audit. Everything will need to be built by the security team.

In summary: n8n is great for general automation, but does not yet replace a real SOAR in a SOC that requires audit, compliance and validated response.