Trustwave Rapid Response: CrowdStrike Falcon Outage Update. Learn More

Trustwave Rapid Response: CrowdStrike Falcon Outage Update. Learn More

Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Offensive Security
Solutions to maximize your security ROI
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Clockwork Blue: Automating Security Defenses with SOAR and AI

It’s impractical to operate security operations alone, using manual human processes. Finding opportunities to automate SecOps is an underlying foundation of Zero Trust and an essential architecture component for enterprise-scale SOCs. Let’s discuss what SOAR is, its common uses, and the future of SOAR with AI.


What is SOAR?

SOAR is the acronym for Security, Orchestration, Automation, and Response. Simply put, SOAR is a collection of automation methods focused on security-related workflows.

Since the early days of computers, IT administrators have been trying to automate processes. (Give a Unix administrator a shell prompt, and they’ll attempt to automate their entire life with scripts.)

Image 1 The definition of automation

Image 1: The definition of automation.


SOAR solutions typically support the processing of data flows in and out of third-party APIs, which allows for the enrichment of the incoming data through customized logic flows. An example of this is an SIEM security incident being sent to a SOAR process, which matches IP addresses in the incident with threat intelligence information and then appends the new information to the incident in the SIEM.



A playbook defines ‘the gameplan’ for a SOAR logical process flow. Playbooks have a start and a finish, just like a typical computer program. They don’t necessarily require any actual coding – playbooks are usually developed in a user interface using visual objects that are connected together to create a ‘logic app’.

Figure 2 SOAR ‘Logic App’ Playbook example. Courtesy Microsoft

Figure 2: SOAR ‘Logic App’ Playbook example. Courtesy Microsoft


The playbook’s data flows are often planned out on paper before building it out in the SOAR tool.

Figure 3 SOAR data flow example for Palo Alto’s XSOAR solution

Figure 3: SOAR data flow example for Palo Alto’s XSOAR solution


Common Uses of SOAR

SOAR’s main objective is to automate many of the important steps required for investigating a security incident presented by your SIEM. SOC operators may find it challenging to remember every step to perform, so SOAR can help with the more technical or boring steps to ensure consistency in the investigative process.

Some common examples of SOAR automation are:

SIEM Incident Actions

  • Disable a user account
  • Isolate a host
  • Applying additional ‘metadata’ to an incident, such as Threat Intelligence details and user account details.
  • Escalate (or de-escalate) an incident from a medium to high severity based on the results of the SOAR operation.


Background Task Automations

Here are some examples of using SOAR to perform “housekeeping tasks.”

  • Download and update local Threat Intelligence tables and remove expired TI entries.
  • Perform threat hunts – investigate all users involved in recent SIEM incidents and create a ‘suspicious users/hosts’ lookup table based on the results of the threat hunts. Use this list for additional SIEM correlations and reports.


The Future of SOAR and AI

SOAR can be very powerful for automating security workflows; however, using it effectively can involve a significant learning curve and development cycle. The recent AI explosion has provided SOAR new capabilities that may reduce that development process. This improvement comes at a monetary cost, but as AI evolves, that should change.



SOAR is a new spin on the old concept of automation, but it’s focused on security operations. The rise of AI is bringing exciting improvements to SOAR that will drop the development cycle and open opportunities for new security threat detection capabilities.



About This Blog Series

Follow the full series here: Building Defenses with Modern Security Solutions

This series discusses a list of key cybersecurity defense topics. The full collection of posts and labs can be used as an educational tool for implementing cybersecurity defenses.



For quick walkthrough labs on the topics in this blog series, check out the story of “ZPM Incorporated” and their steps to implementing all the solutions discussed here.



All topics mentioned in this series have been mapped to several compliance controls here.

David Broggy, Trustwave’s Senior Solutions Architect, Implementation Services, was selected last year for Microsoft's Most Valuable Professional (MVP) Award.

Operational Technology Security Maturity Diagnostic


Latest SpiderLabs Blogs

Cloudy with a Chance of Hackers: Protecting Critical Cloud Workloads

If you've been following along with David's posts, you'll have noticed a structure to the topics: Part I: The Plan, Part II: The Execution and now we move into Part III: Security Operations. Things...

Read More

Trustwave Rapid Response: CrowdStrike Falcon Outage Update

Trustwave is proactively assessing and monitoring our clients who may have been impacted by CrowdStrike’s recently rolled-out update for its Windows users. The critical issue identified with...

Read More

Using AWS Secrets Manager and Lambda Function to Store, Rotate and Secure Keys

When working with Amazon Web Services (AWS), we often find that various AWS services need to store and manage secrets. AWS Secrets Manager is the go-to solution for this. It's a centralized service...

Read More