
Overview

UTMStack’s Security Orchestration, Automation, and Response (SOAR) capabilities enable security teams to automate repetitive tasks, accelerate incident response, and orchestrate complex workflows across security tools. The SOAR platform is accessible at /soar and integrates with alerts, incidents, and external systems via /integrations.

  • Automated Playbooks - Pre-built and custom workflows for common security scenarios
  • Alert Orchestration - Automatically enrich and respond to alerts from /iframe
  • Incident Response - Streamline response to incidents from /incident
  • Integration Hub - Connect security tools via /integrations

SOAR Components

Core Elements

  • Playbooks - Automated workflows that execute a series of actions
  • Actions - Individual tasks performed by playbooks (query, block, notify)
  • Triggers - Events that initiate playbook execution (alerts, schedules)
  • Variables - Dynamic values used in playbooks from /variables
  • Conditions - Logic that controls playbook flow and decision-making
  • Integrations - Connected tools and systems from /integrations

Playbook Structure

Playbooks consist of:
  1. Trigger - What initiates the playbook
  2. Inputs - Data provided to the playbook (IOCs, incident details)
  3. Actions - Steps executed by the playbook
  4. Conditions - Decision points and branching logic
  5. Outputs - Results returned by the playbook
  6. Error Handling - What happens if actions fail

Common Use Cases

Alert Enrichment

Automatically enhance alerts from /iframe with additional context:
  1. Alert Trigger - New alert created in alert management system
  2. Extract IOCs - Parse alert to extract IPs, domains, hashes, and other indicators
  3. Threat Intel Lookup - Query /threat-intelligence feeds for IOC reputation
  4. WHOIS/DNS Lookup - Gather domain registration and DNS information
  5. Asset Context - Retrieve asset details from /data-sources (owner, criticality, location)
  6. Historical Search - Query /discover for previous occurrences of IOCs
  7. Update Alert - Add enrichment data to alert for analyst review

Phishing Response

Automate response to phishing emails:
  1. Phishing Alert - Alert triggered for suspicious email
  2. Extract Indicators - Parse email for:
     • Sender address and headers
     • URLs and domains
     • Attachments and file hashes
  3. Analyze Attachments
     • Submit files to sandbox for analysis
     • Extract file hashes and scan with antivirus
  4. Check URLs
     • Scan URLs with threat intelligence feeds
     • Take screenshots of landing pages
  5. Search for Similar - Query email logs for similar phishing emails sent to other users
  6. Containment Actions
     • Delete phishing emails from all mailboxes
     • Block sender at email gateway
     • Add URLs to web proxy blocklist
  7. Notify Users - Send security awareness notification to affected users
  8. Create Incident - If malicious, create incident at /incident with all findings

Malware Response

Automate malware incident response:
  1. Malware Detection - Alert from endpoint security or file analysis
  2. Isolate Endpoint - Automatically quarantine infected system via EDR integration
  3. Collect Forensics
     • Capture memory dump
     • Collect process list and network connections
     • Gather file artifacts
  4. Extract IOCs - Identify malware hashes, C2 IPs, and related indicators
  5. Threat Intelligence
     • Query /threat-intelligence for known malware family
     • Submit samples to malware analysis platforms
  6. Hunt for Spread - Search other endpoints at /discover for same indicators
  7. Block IOCs - Add indicators to blocklists:
     • Firewall rules for C2 IPs
     • Proxy blocks for C2 domains
     • Endpoint blocklists for file hashes
  8. Notify and Document
     • Alert security team
     • Create detailed incident at /incident
     • Update threat intelligence

Account Compromise

Automate response to compromised user accounts:
  1. Compromise Detection - Alert for suspicious login or account activity
  2. Verify Legitimacy
     • Check login location against user baseline
     • Compare with user’s normal login times
     • Review recent user activity in /discover
  3. Immediate Containment - If confirmed malicious:
     • Force password reset
     • Revoke all active sessions
     • Disable account temporarily
  4. Investigate Activity
     • Review all account activity during compromise window
     • Check for data access or exfiltration
     • Identify other affected accounts
  5. Reset Access
     • Reset password via /active-directory
     • Revoke API tokens and service credentials
     • Require MFA re-enrollment
  6. Monitor - Enable enhanced monitoring for the account
  7. Notify User - Contact user about compromise and new security requirements
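The "Verify Legitimacy" and "Immediate Containment" steps of this workflow, as an added Python example that is not UTMStack's own code: the per-user baseline (countries, networks, active hours) is a constructed stand-in for what a /discover search of login history would provide, and the rule that two or more independent deviations count as malicious is an assumption of this example.

```python
from datetime import datetime, timezone

# Constructed baseline standing in for a /discover search of the user's login
# history; active_hours are UTC hours during which this user normally logs in.
BASELINE = {
    "alice": {"countries": ["US"], "asns": ["AS64496"], "active_hours": range(7, 20)},
}
# Containment actions from step 3, applied only on a malicious verdict.
CONTAINMENT = ["force_password_reset", "revoke_active_sessions", "disable_account_temporarily"]

def assess_login(event, baseline=BASELINE):
    """Compare one login event with the user's baseline and list every deviation."""
    profile = baseline.get(event["user"])
    if profile is None:
        # No history to compare against: route to an analyst rather than auto-contain.
        return {"verdict": "review", "reasons": ["no baseline for user"]}
    reasons = []
    if event.get("country") not in profile["countries"]:
        reasons.append(f"login from unusual country {event.get('country')}")
    if event.get("asn") not in profile["asns"]:
        reasons.append(f"login from unusual network {event.get('asn')}")
    hour = datetime.fromisoformat(event["timestamp"]).astimezone(timezone.utc).hour
    if hour not in profile["active_hours"]:
        reasons.append(f"login at {hour:02d}:00 UTC, outside normal hours")
    if event.get("mfa") is False:
        reasons.append("MFA not completed")
    # Assumed threshold: several independent deviations confirm compromise,
    # a single one is sent to an analyst, none means the login is consistent.
    if len(reasons) >= 2:
        verdict = "likely_malicious"
    elif reasons:
        verdict = "review"
    else:
        verdict = "consistent"
    return {"verdict": verdict, "reasons": reasons}

def containment_actions(assessment):
    """Return the step 3 actions only when the assessment confirms compromise."""
    return list(CONTAINMENT) if assessment["verdict"] == "likely_malicious" else []

if __name__ == "__main__":
    suspicious = {"user": "alice", "country": "BR", "asn": "AS64500",
                  "timestamp": "2024-03-04T03:15:00+00:00", "mfa": False}
    result = assess_login(suspicious)
    print(result["verdict"], result["reasons"], containment_actions(result))
```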

Building Playbooks

Playbook Design

  1. Define Objective - Clearly state what the playbook should accomplish (e.g., “Respond to phishing emails”)
  2. Map Manual Process - Document current manual steps analysts perform
  3. Identify Integrations - Determine which tools from /integrations are needed
  4. Design Workflow - Create flowchart of:
     • Actions to perform
     • Decision points
     • Error handling
     • Output requirements
  5. Define Variables - Create automation variables at /variables for configurable values
  6. Build in SOAR - Navigate to /soar and construct the playbook
  7. Test Thoroughly - Test with various inputs including edge cases
  8. Document - Document playbook purpose, inputs, outputs, and dependencies

Action Types

Enrichment Actions

  • Threat intelligence lookups
  • WHOIS/DNS queries
  • Asset database searches
  • User directory queries

Investigation Actions

  • Log searches via /discover
  • File analysis and sandboxing
  • Network traffic analysis
  • Endpoint queries

Containment Actions

  • Network isolation
  • Account disablement
  • Firewall rule updates
  • Endpoint quarantine

Notification Actions

  • Email notifications
  • Slack/Teams messages
  • SMS alerts
  • Ticket creation

Remediation Actions

  • File deletion
  • Registry key cleanup
  • Service termination
  • Patch deployment

Documentation Actions

  • Create incidents at /incident
  • Update alerts at /iframe
  • Generate reports
  • Update knowledge base

Conditional Logic

Playbooks can include decision-making:
IF alert.severity = "Critical" AND asset.criticality = "High"
  THEN
    - Isolate asset immediately
    - Notify CISO
    - Create P1 incident
  ELSE IF alert.severity = "High"
  THEN
    - Alert SOC team
    - Create P2 incident
  ELSE
    - Add to analyst queue
    - Create alert for review
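The branching above, as an added Python example that is not UTMStack's playbook engine: the rules are plain data (field, operator, value) so they could be stored as automation variables, they are evaluated in order with first-match semantics, and a missing field (for example, when the asset lookup failed) never satisfies a condition, so an alert with unknown asset context falls through to the default branch instead of crashing. Field and action names are assumptions of this example.

```python
# Each condition is (field, operator, value); fields are "alert.<key>" or "asset.<key>".
# A rule fires only when all of its conditions hold; rules are checked in order and the
# first match wins, mirroring the IF / ELSE IF / ELSE structure above.
TRIAGE_RULES = [
    {"when": [("alert.severity", "==", "Critical"), ("asset.criticality", "==", "High")],
     "then": ["isolate_asset", "notify_ciso", "create_incident:P1"]},
    {"when": [("alert.severity", "==", "High")],
     "then": ["alert_soc", "create_incident:P2"]},
]
DEFAULT_ACTIONS = ["add_to_analyst_queue", "create_alert_for_review"]
OPS = {
    "==": lambda actual, expected: actual == expected,
    "!=": lambda actual, expected: actual != expected,
    "in": lambda actual, expected: actual in expected,
}

def lookup(field, context):
    """Resolve "alert.severity" style field names; returns None when data is missing."""
    obj, _, key = field.partition(".")
    return context.get(obj, {}).get(key)

def holds(condition, context):
    field, op, expected = condition
    actual = lookup(field, context)
    if actual is None:          # missing data never satisfies a condition
        return False
    return OPS[op](actual, expected)

def triage(alert, asset, rules=TRIAGE_RULES):
    """Return the action list of the first matching rule, or the default branch."""
    context = {"alert": alert, "asset": asset or {}}
    for rule in rules:
        if all(holds(c, context) for c in rule["when"]):
            return list(rule["then"])
    return list(DEFAULT_ACTIONS)

if __name__ == "__main__":
    print(triage({"severity": "Critical"}, {"criticality": "High"}))
    print(triage({"severity": "Critical"}, None))   # asset lookup failed
```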

Error Handling

Implement robust error handling:

  • Retry Logic - Retry failed actions with exponential backoff
  • Fallback Actions - Alternative actions if primary fails
  • Notifications - Alert on playbook failures
  • Logging - Detailed logging of all actions and errors
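The four error-handling elements combined in one action wrapper, as an added Python example that is not UTMStack's own code: retries with capped exponential backoff, a fallback action once retries are exhausted, a notification when even the fallback fails, and a record of every attempt. The sleep and notify callables are injected so the logic can be exercised without waiting or paging anyone; ActionError and the flaky integration are constructed for the example.

```python
import logging
import time

log = logging.getLogger("playbook")

class ActionError(Exception):
    """Raised by an action when its integration call fails (assumed convention)."""

def run_with_recovery(action, fallback=None, retries=3, base_delay=1.0, max_delay=30.0,
                      sleep=time.sleep, notify=lambda msg: log.error(msg)):
    """Run action with exponential backoff, then the fallback, then notify on failure."""
    record = {"status": "failed", "result": None, "attempts": 0, "delays": [], "errors": []}
    delay = base_delay
    for attempt in range(1, retries + 1):
        record["attempts"] = attempt
        try:
            record["result"] = action()
            record["status"] = "ok"
            log.info("action succeeded on attempt %d", attempt)
            return record
        except ActionError as exc:
            record["errors"].append(str(exc))
            log.warning("attempt %d failed: %s", attempt, exc)
            if attempt < retries:              # no sleep after the final attempt
                sleep(delay)
                record["delays"].append(delay)
                delay = min(delay * 2, max_delay)
    if fallback is not None:
        try:
            record["result"] = fallback()
            record["status"] = "fallback"
            log.info("fallback action succeeded after %d failed attempts", retries)
            return record
        except ActionError as exc:
            record["errors"].append("fallback: " + str(exc))
    notify(f"playbook action failed after {record['attempts']} attempts: {record['errors']}")
    return record

def make_flaky(failures):
    """Constructed stand-in for an integration call that fails `failures` times, then succeeds."""
    calls = {"n": 0}
    def action():
        calls["n"] += 1
        if calls["n"] <= failures:
            raise ActionError(f"timeout on call {calls['n']}")
        return "blocked"
    return action

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(run_with_recovery(make_flaky(2), sleep=lambda s: None))
```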

Integration Management

Available Integrations

Connect SOAR to tools via /integrations:

Security Tools

  • Firewalls and IPS/IDS
  • EDR/XDR platforms
  • Email security gateways
  • SIEM systems

Threat Intelligence

  • Commercial TI feeds
  • OSINT sources
  • MISP and TI platforms
  • Sandbox services

IT Systems

  • Active Directory (via /active-directory)
  • Asset management (via /data-sources)
  • Ticketing systems
  • CMDB platforms

Communication

  • Email (SMTP)
  • Slack
  • Microsoft Teams
  • SMS/paging systems

Configuring Integrations

  1. Navigate to Integrations - Go to /integrations to view available integrations
  2. Select Integration - Choose the tool or service to integrate
  3. Provide Credentials - Enter API keys, usernames, passwords, or tokens
  4. Configure Settings - Set endpoints, regions, and integration-specific options
  5. Test Connection - Verify connectivity and authentication
  6. Set Permissions - Configure which playbooks can use the integration

Automation Variables

Variable Management

Manage automation variables at /variables:

Configuration Values

  • API endpoints
  • Timeout values
  • Retry counts
  • Thresholds

Credentials

  • API keys (encrypted)
  • Passwords (encrypted)
  • Tokens
  • Certificates

Lists

  • Whitelisted IPs
  • Approved domains
  • Critical assets
  • VIP users

Dynamic Data

  • Playbook outputs
  • Shared state
  • Temporary data
  • Cache values

Variable Best Practices

  1. Use Variables for Configurability - Avoid hardcoding values in playbooks
  2. Encrypt Sensitive Data - Always encrypt credentials and secrets
  3. Descriptive Names - Use clear, consistent naming conventions
  4. Document Purpose - Add descriptions for all variables
  5. Version Control - Track variable changes over time
  6. Regular Audits - Review and remove unused variables

Playbook Triggers

Trigger Types

  • Alert Triggers - Execute when specific alerts fire from /iframe
  • Incident Triggers - Launch when incidents are created at /incident
  • Schedule Triggers - Run on a schedule (daily, weekly, hourly)
  • Manual Triggers - Analyst-initiated playbook execution
  • Webhook Triggers - External system calls trigger playbook
  • Event Triggers - Specific log events from /discover trigger execution

Trigger Configuration

  1. Select Trigger Type - Choose appropriate trigger for the playbook use case
  2. Define Conditions - Specify conditions that must be met:
     • Alert severity level
     • Incident category
     • Time of day
     • Asset criticality
  3. Set Throttling - Configure rate limits to prevent excessive executions
  4. Test Trigger - Validate trigger fires correctly

Playbook Execution

Execution Modes

  • Fully Automated - Playbook runs without human intervention
  • Semi-Automated - Analyst approval required at key decision points
  • Advisory Only - Playbook provides recommendations, analyst executes
  • Simulation - Test mode that doesn’t execute actual actions

Monitoring Execution

  1. View Execution Log - Navigate to /soar to see playbook execution history
  2. Review Status - Check if playbook completed successfully or failed
  3. Examine Actions - Review each action performed and its result
  4. Check Outputs - Verify playbook produced expected outputs
  5. Investigate Failures - Review error logs for failed playbooks

Pre-built Playbooks

Alert Response Playbooks

  • Extract IOCs from alert
  • Query threat intelligence at /threat-intelligence
  • Lookup asset information from /data-sources
  • Search for related alerts
  • Calculate priority score
  • Assign to appropriate queue
  • Identify recurring false positive patterns
  • Update allow lists
  • Modify alert rules at /alerting-rules
  • Document in knowledge base

Threat Response Playbooks

  • Receive IOC (IP, domain, hash, URL)
  • Validate IOC via threat intelligence
  • Block at multiple control points:
    • Firewall rules
    • Proxy/web filter
    • EDR/endpoint protection
    • Email gateway
  • Document block action
  • Create alert rule at /alerting-rules for detection
  • Detect suspicious lateral movement activity
  • Map affected systems
  • Check for additional compromised accounts
  • Contain spread by isolating affected systems
  • Collect forensic evidence
  • Create incident at /incident

Compliance Playbooks

  • Extract user access lists
  • Identify excessive permissions
  • Flag dormant accounts
  • Generate review reports
  • Track via compliance at /compliance
  • Detect policy violation
  • Gather evidence from /discover
  • Notify responsible party
  • Create compliance incident
  • Track remediation

Performance and Optimization

Playbook Metrics

Track playbook effectiveness:

  • Execution Time - Average time for playbook to complete
  • Success Rate - Percentage of successful executions
  • Resource Usage - CPU, memory, and API call consumption
  • Time Saved - Manual effort eliminated by automation
  • Error Rate - Frequency of playbook failures
  • ROI - Value delivered vs development cost

Optimization Strategies

  1. Profile Performance - Identify slow actions and bottlenecks in playbooks
  2. Optimize Queries - Improve searches in /discover to reduce execution time
  3. Implement Caching - Cache frequently queried data using /variables
  4. Parallelize Actions - Run independent actions concurrently instead of sequentially
  5. Reduce API Calls - Batch operations to minimize integration overhead
  6. Set Timeouts - Prevent playbooks from hanging on slow actions

Governance and Control

Playbook Approval Workflow

High-risk playbooks (destructive actions, production changes) should require approval before deployment.
  1. Develop Playbook - Create and test playbook in development environment
  2. Document Risk - Assess potential impact of playbook actions
  3. Peer Review - Have another analyst review playbook logic
  4. Security Review - Security team approves high-risk playbooks
  5. Test in Staging - Validate in non-production environment
  6. Gradual Rollout - Start in advisory mode, then semi-automated, then fully automated

Access Controls

Implement SOAR access controls via /management:
  • Playbook Execution - Who can run playbooks manually
  • Playbook Creation - Who can create new playbooks
  • Playbook Editing - Who can modify existing playbooks
  • Integration Access - Which playbooks can use which integrations
  • Approval Rights - Who can approve high-risk playbooks

Best Practices

Development

  1. Start Simple - Begin with basic workflows and add complexity gradually
  2. Reuse Components - Build libraries of common actions
  3. Version Control - Track all playbook changes
  4. Test Thoroughly - Test with various inputs and edge cases
  5. Document Everything - Clear documentation of purpose and usage
  6. Error Handling - Always include proper error handling
  7. Idempotency - Ensure playbooks can safely run multiple times

Operations

  1. Monitor Performance - Track execution metrics regularly
  2. Review Logs - Regularly review playbook execution logs
  3. Update Regularly - Keep playbooks current with evolving threats
  4. Gradual Automation - Move from manual to semi-automated to fully automated
  5. Maintain Integrations - Keep integration credentials and configs current
  6. Regular Audits - Quarterly review of all active playbooks

Security

  • Least Privilege - Grant minimum permissions necessary for playbooks
  • Credential Security - Encrypt all credentials in /variables
  • Audit Logging - Log all playbook executions and actions
  • Change Control - Require approval for playbook changes

Measuring SOAR Success

Key Metrics

Metric                     Target         Description
Alert MTTR                 -50%           Reduce mean time to respond to alerts
Analyst Time Saved         20+ hrs/week   Hours freed from manual tasks
Playbook Success Rate      >95%           Percentage of successful executions
Incident MTTR              -40%           Faster incident response with automation
Coverage                   80%            Percentage of common scenarios automated
False Positive Reduction   -30%           Automated enrichment reduces FPs

ROI Calculation

  1. Baseline Manual Effort - Document time spent on manual processes
  2. Implement Automation - Deploy playbooks for common scenarios
  3. Measure Time Saved - Track reduction in manual effort
  4. Calculate Value - (Hours Saved × Hourly Rate) - (Development + Maintenance Costs)

Related pages:
  • Integrations - Connect tools for playbook orchestration
  • Automation Variables - Manage playbook variables and secrets
  • Alert Management - Source of alert-triggered playbooks
  • Incident Response - Automate incident response workflows
