The 10 Essential Capabilities of a Best-of-Breed SOAR

Ask a group of security analysts about the challenges of working in cybersecurity, and you’ll likely hear some common themes....

  • Published: 15-05-2022

  • Related Category: Security Operations

  • Type of Content: Articles

  • Owner: Splunk

Security Operations Must Evolve

Ask a group of security analysts about the challenges of working in cybersecurity, and you’ll likely hear some common themes:

  • A shortage of skilled cybersecurity talent
  • A high volume of security alerts
  • Too many security point products to manage
  • Lack of interoperability between those products
  • Inability to scale security operations over time
  • Increasing costs, shrinking budgets
  • Increasing sophistication of malware
  • Slow speed of threat detection and response

Considering these challenges, it’s no surprise that security teams feel perpetually overwhelmed.

Many teams have turned to security orchestration, automation and response (SOAR) tools as a remedy.

A SOAR tool can orchestrate security actions (like investigations, triage, and response) across various security products in a team’s arsenal, and automate otherwise manual repetitive security tasks.

But not all SOAR tools are created equal. A best-of-breed SOAR solution will provide a set of capabilities that can completely revolutionize how you do security operations. These capabilities will allow you to:

  • Work smarter by automating manual and repetitive tasks.
  • Respond faster and reduce dwell time with automated detection, investigation and response.
  • Strengthen defenses by integrating existing security infrastructure together so that each part is an active participant in your defense.

There are 10 essential capabilities of a best-of-breed SOAR tool that will allow you to achieve these outcomes.

Essential Capabilities of a Best-of-Breed SOAR

Orchestration The machine-based coordination of complex workflows across disparate security tools should increase the efficiency and speed of your security operations.
Automation The machine-based execution of otherwise manual, interdependent security actions using “playbooks” should allow you to execute in seconds versus hours.
Event and Alert Management An event and alert management capability in a SOAR tool should queue and prioritize inbound security events and alerts to help analysts perform triage more efficiently.
Case Management A case management component should drive a broader, cross-functional lifecycle (from creation to resolution) of a security case.
Collaboration Built-in chat and notes can facilitate communication across the security team, and thereby accelerate the resolution of security events.
Metrics and Reporting Metrics and reporting are critical to understanding the effectiveness of the SOAR tool and identifying where improvements can be made to increase ROI.
Mobility Control of the SOAR tool from the convenience of the analyst’s mobile device will allow for faster response times and easy alert triage — all on-the-go.
Scalability A SOAR tool should grow with you as your organization grows. As an organization adds more use cases over time, there will be additional processing load placed on the platform.
Open and Extensible A SOAR tool should easily support incorporating new security scenarios, new products, new actions and new playbooks.
Community Powered A SOAR tool must support a strong community model and make sharing of integrations and playbooks easy.

Let’s take a deeper look at each of these capabilities:


Orchestration is defined as the machine-based coordination of complex workflows across different security tools and is an essential capability for a SOAR tool.

When a security team responds to a security incident, they use a multitude of different security tools to respond. Each tool plays a different role within a defined workflow (depending on the type of security incident). For instance, tell VirusTotal to check a file’s reputation, use your firewall to block an IP, and then use your endpoint security tool to block an executable. Without orchestration from a SOAR tool, the security team would coordinate these workflows manually. But a SOAR tool will integrate across all of these deployed security tools via their API, and then coordinate workflows across these tools to detect, investigate or respond to particular security incidents. For comparison, if your security tools are instruments that comprise a symphony orchestra, your SOAR tool is the conductor, ensuring that every instrument is playing in sync and on time.

When evaluating a SOAR tool, the orchestration function should direct and oversee all activities relating to a given security scenario from beginning to end. It should be able to ingest security data from any data source and in any format. It should be able to receive data that is pushed to the platform, and it must have the ability to poll data sources and ingest data into the platform. Furthermore, an orchestrator should ensure that the output data from one action is properly parsed, normalized and structured so that future actions can make use of it.


Automation is defined as the machine-based execution of otherwise manual, interdependent security actions using “playbooks.” In other words, it’s the workhorse of most SOAR tools. While the orchestrator enables integrations and coordination across security tools, playbooks automatically execute the interdependent actions from each security tool in a particular sequence — without the need for human interaction.

For most security analysts, their day is filled with too many repetitive and mind-numbing security tasks or actions. These actions are manually executed by the team. Automation using playbooks should allow the security team to execute a collection of these actions in seconds, versus minutes or hours if performed manually. For instance, phishing investigations that may require the use of multiple actions across four to five different security tools, and take approximately 40 minutes to perform if done manually, should now take under a minute using an automated playbook. In this way, SOAR tools can drastically reduce the meantime to detect (MTTD) and mean time to respond (MTTR).

Playbooks should be easy to create and modify. The automation editor within a SOAR tool is where an analyst or manager codifies their processes into automation playbooks. The editor should allow for both source code editing and visual editing. This allows all security team members, regardless of preference or coding expertise, to construct comprehensive and sophisticated playbooks. While constructing the playbook in a visual editor, the resulting playbook source code should be generated in real-time and be accessible to the author — with seamless toggling and editing between the visual and source code editor.

The visual playbook editor should be intuitive and user-friendly, providing a canvas where visual playbooks can be constructed. Using blocks and other shapes to represent meaningful steps in the playbook, a user should be able to build a playbook that connects actions in a one-to-one, one-to-many or many-to-one fashion to dictate the order of execution. Each shape should represent different action executions, platform API calls, conditional statements (if/then), human interaction prompts and branching statements. By clicking each shape, you can manually enter the action or parameter, or select them from a list. Also, new information resulting from preceding action executions should be available as inputs, or parameters, to downstream actions or decision blocks.

>> Download Article to continue reading.

Related Articles: