🤖 SOAR Automation Examples
Security Orchestration, Automation, and Response (SOAR) platforms help security teams respond faster by automating routine tasks, orchestrating tools, and standardising incident handling.
This page lists realistic, high-impact SOAR playbook examples you can build using tools like:
- Splunk SOAR (Phantom)
- TheHive + Cortex
- Shuffle (open source)
- XSOAR (Palo Alto)
- DFLabs / IBM Resilient / Swimlane
🚨 1. Phishing Email Triage
| Step | Action |
|---|---|
| 1️⃣ | Parse email headers and body from suspicious message |
| 2️⃣ | Extract URLs, attachments, IPs, and sender domain |
| 3️⃣ | Enrich with VirusTotal, AbuseIPDB, or URLscan.io |
| 4️⃣ | Check sender domain reputation and the SPF/DKIM/DMARC verdicts in the Authentication-Results header |
| 5️⃣ | Auto-close only when every check is clean (authenticated sender on an allowlisted domain, no flagged indicators); escalate if any source reports malicious; otherwise route to an analyst |
| 6️⃣ | Auto-quarantine the message via the Microsoft 365 (Graph) or Gmail API |
| 7️⃣ | Create analyst ticket in Jira / ServiceNow |
🛠 Tools: Microsoft Graph API, VT, URLscan, Cortex analyzers
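Steps 1 to 5 above in code, as an added example that is not part of the original page: it parses a constructed raw message with the Python standard library, extracts URLs, hostnames, Received-chain IPs and the sender domain, reads the SPF/DKIM/DMARC verdicts from Authentication-Results, and applies a conservative decision rule. The TRUSTED_DOMAINS allowlist and the REPUTATION table are assumptions standing in for your own domain list and for the VirusTotal/URLscan/AbuseIPDB responses the enrichment step would return.

```python
"""Phishing triage: parse a suspicious message, pull out indicators, read the
SPF/DKIM/DMARC results and decide whether the playbook may auto-close.
Added example (not from the page); REPUTATION stands in for what the
VirusTotal / URLscan / AbuseIPDB enrichment step would return."""
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample messages: every header, address and URL here is invented.
PHISH_EMAIL = b"""\
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=corp-example.com; dkim=none; dmarc=fail
Received: from mail.corp-example.com (unknown [203.0.113.45]) by mx.example.net
From: "IT Helpdesk" <helpdesk@corp-example.com>
To: alice@example.net
Subject: Password expires today
Content-Type: text/plain; charset="utf-8"

Your password expires today. Verify at http://corp-example-login.xyz/reset?u=alice
or https://example.net/sso within 2 hours.
"""

BENIGN_EMAIL = b"""\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=example.net; dkim=pass; dmarc=pass
Received: from mail.example.net (mail.example.net [192.0.2.10]) by mx.example.net
From: "Payroll" <payroll@example.net>
To: alice@example.net
Subject: Payslip available
Content-Type: text/plain; charset="utf-8"

Your payslip is available at https://example.net/payroll
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
TRUSTED_DOMAINS = {"example.net"}          # assumed: the organisation's own domains
REPUTATION = {                             # constructed stand-in for enrichment verdicts
    "corp-example-login.xyz": "malicious",
    "203.0.113.45": "suspicious",
    "192.0.2.10": "clean",
}


def parse_auth_results(msg):
    """Return e.g. {'spf': 'fail', 'dkim': 'none', 'dmarc': 'fail'} from Authentication-Results."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(hdr), re.I):
            results[mech.lower()] = verdict.lower()
    return results


def extract_indicators(raw):
    """Steps 1-2: parse headers/body and extract URLs, domains, IPs and sender domain."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html")).get_content()
    urls = sorted(set(URL_RE.findall(body)))
    domains = sorted({urlparse(u).hostname for u in urls} - TRUSTED_DOMAINS)
    received = "\n".join(str(h) for h in msg.get_all("Received", []))
    ips = sorted(set(IPV4_RE.findall(received)))
    sender = email.utils.parseaddr(str(msg["From"]))[1]
    return {
        "sender": sender,
        "sender_domain": sender.rsplit("@", 1)[-1].lower(),
        "urls": urls,
        "domains": domains,
        "ips": ips,
        "auth": parse_auth_results(msg),
    }


def triage(raw):
    """Steps 3-5: enrich, then return 'escalate', 'auto_close' or 'analyst_review'."""
    ind = extract_indicators(raw)
    hits = {i: REPUTATION[i] for i in ind["domains"] + ind["ips"] if i in REPUTATION}
    auth = ind["auth"]
    authenticated = all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))
    if "malicious" in hits.values() or auth.get("dmarc") == "fail":
        verdict = "escalate"                      # quarantine + analyst ticket
    elif (authenticated and ind["sender_domain"] in TRUSTED_DOMAINS
          and not ind["domains"] and all(v == "clean" for v in hits.values())):
        verdict = "auto_close"                    # only when every check is clean
    else:
        verdict = "analyst_review"                # never auto-close on a partial picture
    return {"verdict": verdict, "hits": hits, **ind}
```

The decision deliberately has three outcomes rather than two: auto-close needs every signal to be clean, a DMARC fail or a malicious verdict escalates, and anything in between goes to an analyst. The quarantine and ticket calls (Graph API, Jira/ServiceNow) hang off the returned verdict.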
🔍 2. Suspicious Login Alert (Geo-Anomaly)
| Step | Action |
|---|---|
| 1️⃣ | Triggered by SIEM alert (e.g. logins from two countries within 5 mins) |
| 2️⃣ | Enrich with IP geolocation, ASN, reputation |
| 3️⃣ | Correlate with user activity and baseline (e.g. new device) |
| 4️⃣ | Auto-prompt the user for confirmation over an out-of-band channel (Slack/Teams DM or MFA push), not the mailbox or session under review |
| 5️⃣ | If confirmed unauthorised: revoke active sessions and refresh tokens, then suspend the user or force a password reset (a reset alone leaves existing sessions valid) |
| 6️⃣ | Notify SOC and update ticket status |
🛠 Tools: MaxMind GeoIP, AbuseIPDB, Azure AD, Slack API
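The geo-anomaly logic behind steps 1 to 5, as an added example rather than code from the page: it turns "two countries within 5 minutes" into an implied travel speed from the great-circle distance between the two login geolocations, combines that with a new-device signal, and returns the playbook actions to run. The Login records, coordinates, device IDs and the 900 km/h ceiling are constructed assumptions; in production the coordinates come from the GeoIP lookup in step 2.

```python
"""Impossible-travel scoring for the suspicious-login playbook (steps 2-5).
Added example, not from the page; the logins, coordinates and device IDs are
constructed, and the geolocation would normally come from MaxMind GeoIP."""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0   # assumed ceiling: roughly airliner cruising speed


@dataclass(frozen=True)
class Login:
    user: str
    ts: datetime
    ip: str
    lat: float
    lon: float
    device_id: str


# Constructed sample: London 09:00 UTC, Sydney four minutes later from an unknown
# device, and Paris five hours later from the usual device.
LONDON = Login("alice", datetime(2024, 5, 10, 9, 0, tzinfo=timezone.utc),
               "192.0.2.10", 51.5074, -0.1278, "dev-a")
SYDNEY = Login("alice", datetime(2024, 5, 10, 9, 4, tzinfo=timezone.utc),
               "198.51.100.7", -33.8688, 151.2093, "dev-z")
PARIS = Login("alice", datetime(2024, 5, 10, 14, 0, tzinfo=timezone.utc),
              "203.0.113.5", 48.8566, 2.3522, "dev-a")


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def assess(prev, cur, known_devices):
    """Score login `cur` against the user's previous login `prev`.

    Returns (risk, actions): risk is 'low', 'medium' or 'high'; actions is the
    ordered list of playbook steps to run."""
    if cur.ts <= prev.ts:
        raise ValueError("logins must be in chronological order")
    hours = (cur.ts - prev.ts).total_seconds() / 3600
    km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    impossible = km / hours > MAX_PLAUSIBLE_KMH
    new_device = cur.device_id not in known_devices

    if impossible and new_device:
        # Both signals: treat as compromise. A password reset alone leaves
        # existing sessions and refresh tokens valid, so revoke them first.
        return "high", ["revoke_sessions", "force_password_reset", "notify_soc", "update_ticket"]
    if impossible or new_device:
        # One signal: ask the user, but over a channel the attacker does not hold
        # (MFA push / registered phone), never via the mailbox under review.
        return "medium", ["prompt_user_out_of_band", "notify_soc", "update_ticket"]
    return "low", ["annotate_ticket"]
```

Tune MAX_PLAUSIBLE_KMH and the device baseline to your environment; VPN exits and mobile carrier NAT are the usual sources of false positives, which is why a single signal only prompts rather than suspends.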
🦠 3. Malware Detected on Endpoint
| Step | Action |
|---|---|
| 1️⃣ | Alert from CrowdStrike/SentinelOne/MDE |
| 2️⃣ | Enrich with hash lookup in VirusTotal, ReversingLabs |
| 3️⃣ | Query EDR for process tree, file origin, lateral activity |
| 4️⃣ | Isolate endpoint automatically if severity is high |
| 5️⃣ | Notify analyst and log in SIEM + IR tracker |
| 6️⃣ | Auto-generate timeline from EDR and Sysmon logs |
| 7️⃣ | Kick off playbook for evidence collection / DFIR handoff |
🛠 Tools: EDR API, Cortex, VirusTotal, Splunk, SOAR platform
🌐 4. Malicious Domain Alert from Threat Feed
| Step | Action |
|---|---|
| 1️⃣ | Daily IOC ingestion from threat intel source (TAXII/STIX/CSV/API) |
| 2️⃣ | Parse and normalise indicators |
| 3️⃣ | Match new IOC against current logs and DNS queries |
| 4️⃣ | Alert if match found in the past 7 days |
| 5️⃣ | Auto-add to blocklist in firewall, proxy, or DNS sinkhole |
| 6️⃣ | Notify TI/IR team and attach enrichment data to case |
🛠 Tools: MISP, STIX/TAXII, Sigma, Cortex, Firewall APIs
🧼 5. Credential Dumping Detection
| Step | Action |
|---|---|
| 1️⃣ | Detection from Sysmon Event ID 10 (ProcessAccess) targeting lsass.exe, or an EDR alert |
| 2️⃣ | Query system for parent process, user context, and lateral movement |
| 3️⃣ | Check SourceImage and GrantedAccess against an allowlist of legitimate LSASS readers (AV/EDR agents and some monitoring tools trigger false positives) |
| 4️⃣ | Isolate host and reset user credentials if malicious |
| 5️⃣ | Capture a memory dump before any reboot or reimage, add host to high-priority watchlist |
| 6️⃣ | Create case in IR system with timeline and evidence link |
🛠 Tools: Sysmon, Splunk, YARA, CrowdStrike API, PowerShell scripts
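Steps 1 to 5 of this playbook over Sysmon Event ID 10 (ProcessAccess) records, as an added example that is not from the page. The events, hostnames and allowlist paths are constructed; the access-mask constants are the Windows process rights Sysmon reports in GrantedAccess. The rule: a handle on lsass.exe that includes PROCESS_VM_READ, from a source not on the allowlist, is a hit, with severity raised when the call trace shows unbacked memory (UNKNOWN frames) or when a full-access handle comes from a user-writable path.

```python
"""Credential-dumping triage over Sysmon Event ID 10 (ProcessAccess) records.
Added example, not from the page. The events are constructed; the allowlist
paths are assumptions to be tuned per environment."""

# Windows process access rights; reading LSASS memory requires PROCESS_VM_READ.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_ALL_ACCESS = 0x1FFFFF

# Assumed allowlist of legitimate LSASS readers (hypothetical paths for this example).
ALLOWLIST = {
    r"c:\program files\windows defender\msmpeng.exe",
    r"c:\program files\edr-vendor\sensor.exe",
}

LSASS = r"C:\Windows\System32\lsass.exe"
NTDLL = r"C:\Windows\SYSTEM32\ntdll.dll+9d4e4"
# Constructed Sysmon Event ID 10 EventData fields (not real telemetry).
EVENTS = [
    {"host": "ws01", "SourceImage": r"C:\Windows\Temp\mm.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1010", "SourceUser": "CORP\\bob",
     "CallTrace": NTDLL + r"|C:\Windows\System32\KERNELBASE.dll+2c9ab|UNKNOWN(00000000021A2F3C)"},
    {"host": "ws01", "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1FFFFF", "SourceUser": "NT AUTHORITY\\SYSTEM", "CallTrace": NTDLL},
    {"host": "ws02", "SourceImage": r"C:\Windows\System32\Taskmgr.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1400", "SourceUser": "CORP\\carol", "CallTrace": NTDLL},
    {"host": "srv03", "SourceImage": r"C:\Users\bob\Downloads\procdump64.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1FFFFF", "SourceUser": "CORP\\bob",
     "CallTrace": NTDLL + r"|C:\Windows\System32\KERNELBASE.dll+2c9ab"},
    {"host": "ws04", "SourceImage": r"C:\Program Files\NetMonitor\agent.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1010", "SourceUser": "NT AUTHORITY\\SYSTEM", "CallTrace": NTDLL},
    {"host": "ws02", "SourceImage": r"C:\Windows\Temp\mm.exe", "TargetImage": r"C:\Windows\explorer.exe",
     "GrantedAccess": "0x1010", "SourceUser": "CORP\\bob", "CallTrace": "UNKNOWN(0000000000401000)"},
]


def classify(ev):
    """Return (severity, reason) for one ProcessAccess event; 'none' means ignore."""
    if not ev["TargetImage"].lower().endswith(r"\lsass.exe"):
        return "none", "target is not lsass"
    access = int(ev["GrantedAccess"], 16)
    if not access & PROCESS_VM_READ:
        return "none", "no PROCESS_VM_READ: handle cannot read LSASS memory"
    src = ev["SourceImage"].lower()
    if src in ALLOWLIST:
        return "none", "allowlisted LSASS reader"
    # Context from step 2: code calling from unbacked memory (UNKNOWN frames) or a
    # full-access handle opened from a user-writable path both point at dumping tools.
    if "UNKNOWN(" in ev["CallTrace"]:
        return "high", "VM_READ on lsass from unbacked memory (injected/reflective code)"
    if access == PROCESS_ALL_ACCESS and ("\\temp\\" in src or "\\users\\" in src):
        return "high", "PROCESS_ALL_ACCESS on lsass from a user-writable path"
    return "medium", f"VM_READ on lsass by non-allowlisted {ev['SourceImage']}"


def respond(ev, severity):
    """Steps 4-6: ordered playbook actions for one hit."""
    if severity == "high":
        # Isolate via EDR (keeps the sensor channel), capture memory before anything
        # reboots the host, then reset the user whose context opened the handle.
        return ["isolate_host", "memory_capture", f"reset_credentials:{ev['SourceUser']}",
                "watchlist_host", "open_ir_case"]
    return ["watchlist_host", "open_ir_case"]


def sweep(events):
    """Run classify() over a batch and return alerts with their response plans."""
    alerts = []
    for ev in events:
        severity, reason = classify(ev)
        if severity != "none":
            alerts.append({"host": ev["host"], "source": ev["SourceImage"], "severity": severity,
                           "reason": reason, "actions": respond(ev, severity)})
    return alerts
```

The GrantedAccess test is the important part: a 0x1400 handle (query rights only) cannot read LSASS memory and is common from Task Manager and inventory tools, so it is dropped before the allowlist is even consulted.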
📩 6. Automated Threat Intel Enrichment
| Step | Action |
|---|---|
| 1️⃣ | IOC or alert triggers from SIEM |
| 2️⃣ | Auto-query MISP / OpenCTI / VirusTotal |
| 3️⃣ | Add metadata like malware family, threat actor, first seen |
| 4️⃣ | Update detection case or dashboard with new context |
| 5️⃣ | Push high-severity IOCs into blocklist or firewall ruleset |
| 6️⃣ | Notify relevant teams and tag in threat feed repository |
🛠 Tools: MISP, CTI APIs, SIEM, SOAR
🔁 7. Periodic IOC Sweep
| Step | Action |
|---|---|
| 1️⃣ | Nightly/weekly task kicks off IOC search job |
| 2️⃣ | Run Sigma/KQL/SPL queries across SIEM logs |
| 3️⃣ | Check for matches in the last N days (IOC dwell time) |
| 4️⃣ | Tag and escalate any positive hits |
| 5️⃣ | Update case management and audit trail automatically |
🛠 Tools: Splunk, Sigma, Shuffle, Elasticsearch
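One block serving both the threat-feed playbook (section 4) and the periodic IOC sweep (section 7), as an added example rather than code from the page: it ingests a constructed STIX 2.1 bundle, normalises the indicators, sweeps constructed DNS and firewall log lines inside a dwell window of N days, and groups the indicators by enforcement point for the blocklist step. The bundle contents, indicator IDs, log format and the fixed NOW clock are assumptions; the pattern parser handles only simple `[type:value = '...']` comparisons, not the full STIX patterning language.

```python
"""IOC ingestion, normalisation and log sweep for the threat-feed playbook
(section 4) and the periodic IOC sweep (section 7). Added example, not from the
page; the STIX bundle and log lines are constructed test data and the IDs are
hypothetical."""
import json
import re
from datetime import datetime, timedelta, timezone

STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--5f3c9e2a-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--a1", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'Login-Update.Example.']"},
        {"type": "indicator", "id": "indicator--b2", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '198.51.100.7'] OR [ipv4-addr:value = '203.0.113.99']"},
        {"type": "malware", "id": "malware--c3", "name": "Loader X"},   # not an indicator: skipped
    ],
})

# Constructed DNS and firewall log lines in a simple "<ts> <source> k=v ..." format.
LOG_LINES = [
    "2024-05-10T08:12:03Z dns client=10.0.0.12 query=www.Login-Update.example. rcode=NOERROR",
    "2024-05-09T22:40:11Z fw src=10.0.0.31 dst=203.0.113.99 dport=443 action=allow",
    "2024-04-20T09:00:00Z dns client=10.0.0.5 query=login-update.example rcode=NOERROR",
    "2024-05-10T09:00:00Z dns client=10.0.0.7 query=example.net rcode=NOERROR",
]
NOW = datetime(2024, 5, 10, 12, 0, tzinfo=timezone.utc)   # fixed clock so the sweep is deterministic

# Only the simple comparisons this feed uses; AND / WITHIN / REPEATS are out of scope.
COMPARISON_RE = re.compile(r"\[(domain-name|ipv4-addr):value\s*=\s*'([^']+)'\]")
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<source>\S+) (?P<rest>.*)$")


def normalise(kind, value):
    """Canonical form so feed and log values compare equal: domains lowercase, no trailing dot."""
    value = value.strip()
    return value.lower().rstrip(".") if kind == "domain-name" else value


def ingest(bundle_json):
    """Steps 1-2: return {(kind, value): indicator_id} for every comparison in the bundle."""
    iocs = {}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        for kind, value in COMPARISON_RE.findall(obj["pattern"]):
            iocs[(kind, normalise(kind, value))] = obj["id"]
    return iocs


def parse_line(line):
    """Split a log line into (timestamp, source, {field: value})."""
    m = LINE_RE.match(line)
    fields = dict(kv.split("=", 1) for kv in m["rest"].split())
    return datetime.fromisoformat(m["ts"].replace("Z", "+00:00")), m["source"], fields


def domain_matches(ioc, observed):
    """Exact match or any subdomain of the indicator domain."""
    observed = normalise("domain-name", observed)
    return observed == ioc or observed.endswith("." + ioc)


def sweep(iocs, lines, now=NOW, days=7):
    """Steps 3-4: match IOCs against log lines newer than `days` (the dwell window)."""
    cutoff = now - timedelta(days=days)
    hits = []
    for line in lines:
        ts, source, f = parse_line(line)
        if ts < cutoff:
            continue
        for (kind, value), ind_id in iocs.items():
            if kind == "domain-name" and "query" in f and domain_matches(value, f["query"]):
                hits.append({"indicator": ind_id, "ioc": value, "source": source, "line": line})
            elif kind == "ipv4-addr" and value in (f.get("src"), f.get("dst")):
                hits.append({"indicator": ind_id, "ioc": value, "source": source, "line": line})
    return hits


def blocklist(iocs):
    """Step 5: group indicators by the enforcement point that can block them."""
    out = {"dns_sinkhole": [], "firewall": []}
    for kind, value in iocs:
        out["dns_sinkhole" if kind == "domain-name" else "firewall"].append(value)
    return {k: sorted(v) for k, v in out.items()}
```

The dwell window is the only difference between the two playbooks: the daily feed run sweeps the last 7 days for each new indicator, while the periodic sweep re-runs the whole IOC set with a larger `days` to catch activity that predates the indicator's publication. Normalising both sides (trailing dot, case) before comparing is what makes the subdomain match on `www.Login-Update.example.` work.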
🧠 Summary
SOAR automation isn’t just about speed—it’s about consistency, reliability, and scale. The best use cases eliminate repetitive analyst tasks while improving incident accuracy and traceability.
⚙️ “Automate the boring. Empower the analysts.”