What You'll Learn
- Define SOAR (Security Orchestration, Automation, and Response) and distinguish between orchestration, automation, and response capabilities
- Explain why SOC workflow automation is essential for scaling detection and response beyond human capacity
- Identify which SOC tasks should be automated (enrichment, triage, containment, notification) and which should remain human-driven (complex decisions, novel threats)
- Compare major SOAR platforms (Shuffle, XSOAR, Phantom, Tines) and understand their architectural differences
- Calculate the ROI of automation using time-saved, consistency, and coverage metrics
- Navigate the Shuffle platform architecture — triggers, apps, and workflows — to prepare for Lab 14.1
The Scale Problem
You have spent 13 modules building analyst skills: reading SIEM alerts, enriching IOCs, investigating endpoints, triaging incidents, writing detection rules, and producing reports. Every one of those skills is essential. None of them scale.
A skilled analyst can triage 30-50 alerts per shift. A modern SOC generates 500-5,000 alerts per day. Even with perfect detection engineering that eliminates 80% of noise, that leaves 100-1,000 alerts requiring human attention. The math does not work.
This is not a staffing problem you can hire your way out of. The global cybersecurity workforce gap is over 3.4 million positions. Even organizations that can afford to hire struggle to find qualified analysts. The solution is not more humans — it is making each human more effective by automating the repeatable parts of their workflow.
Automation does not replace analysts. It replaces the repetitive, mechanical steps that consume analyst time without requiring analyst judgment. The goal is to automate the first 80% of a workflow (data collection, enrichment, context gathering) so the analyst can focus on the last 20% that requires human decision-making.
What Is SOAR?
SOAR stands for Security Orchestration, Automation, and Response. Each word describes a distinct capability:
Orchestration
Connecting multiple security tools so they can share data and trigger actions across the stack. Orchestration is the plumbing — it handles API calls, data format translation, authentication, and routing between tools.
Example: When Wazuh fires an alert, orchestration sends the IOCs to MISP for lookup, then sends the results to TheHive to create a case, then sends a notification to Slack.
Automation
Executing predefined actions without human intervention. Automation is the engine — it runs playbooks, evaluates conditions, and takes actions based on rules.
Example: If the MISP lookup returns a high-confidence match, automatically set the TheHive case severity to HIGH and assign it to the L2 queue.
Response
Taking containment and remediation actions to neutralize threats. Response is the muscle — it blocks IPs at the firewall, disables accounts, isolates endpoints, and quarantines emails.
Example: If the enriched alert matches a known ransomware campaign, automatically isolate the endpoint via Velociraptor and block the C2 IP at the firewall.
| Capability | What It Does | Example |
|---|---|---|
| Orchestration | Connects tools, routes data | Wazuh alert → MISP lookup → TheHive case → Slack notification |
| Automation | Executes logic without human input | If MISP match AND severity > 8: assign to L2 queue |
| Response | Takes defensive actions | Block IP at firewall, isolate endpoint, disable account |
Why Automate SOC Workflows?
The Case for Automation
| Problem | Manual Approach | Automated Approach |
|---|---|---|
| Alert enrichment | Analyst copies IP → opens MISP → searches → copies result → pastes into case (3-5 min per alert) | Workflow enriches every alert in <5 seconds |
| Case creation | Analyst creates TheHive case, fills in fields, attaches observables (5-10 min) | Case auto-created with pre-populated fields from alert data |
| IOC blocking | Analyst emails firewall team → waits for change window → manual rule update (hours-days) | Confirmed malicious IP blocked at firewall in <30 seconds |
| Phishing response | Analyst extracts URLs/attachments → checks reputation → determines verdict → notifies user (20-40 min) | Automated extraction, detonation, verdict, and user notification (2-5 min) |
| Shift handoff | Analyst writes summary of open cases, pending tasks (15-30 min) | Automated status report generated from case management data |
Automation ROI
Manual alert enrichment: 4 minutes × 200 alerts/day = 800 min (13.3 hours)
Automated alert enrichment: 5 seconds × 200 alerts/day = 17 min (0.3 hours)
Time saved per day: 13 hours of analyst time
Time saved per year: 4,745 hours (2.4 FTE equivalent)
Beyond time savings, automation provides:
- Consistency — Every alert is enriched the same way, every time. No steps skipped during busy shifts.
- Speed — Containment in seconds instead of hours. Dwell time measured in minutes instead of days.
- Coverage — Every alert gets attention, not just the ones an analyst has time to reach.
- Documentation — Every automated action is logged with timestamps, creating a complete audit trail.
- Scalability — Workflow handles 50 or 5,000 alerts with the same resource cost.
What to Automate (and What NOT to Automate)
This is the most critical decision in SOAR deployment. Automating the wrong things creates more problems than it solves.
Automate: Repeatable, Data-Driven Tasks
| Task | Why Automate It |
|---|---|
| IOC enrichment (IP, domain, hash lookups) | Pure data retrieval — no judgment needed |
| Alert triage (initial severity scoring) | Rule-based scoring based on known criteria |
| Case creation (from enriched alerts) | Template-driven, repetitive data entry |
| Notification (Slack, email, PagerDuty) | Time-sensitive, no decision needed |
| Containment (for confirmed, high-confidence threats) | Speed is critical; human delay costs money |
| Report generation (status updates, metrics) | Data aggregation, formatting |
| Deduplication (merging related alerts) | Pattern matching, no judgment needed |
Do NOT Automate: Complex, Judgment-Required Decisions
| Task | Why Keep It Human |
|---|---|
| Novel threat analysis | New attack patterns require creative investigation |
| Escalation decisions (ambiguous cases) | Context-dependent judgment that algorithms cannot replicate |
| Stakeholder communication (during major incidents) | Requires empathy, nuance, political awareness |
| Root cause analysis | Requires understanding of business context and systems |
| Legal/regulatory decisions | Notification obligations require legal interpretation |
| Containment of critical systems | Isolating a production database server has business impact that requires human approval |
The automation boundary is not fixed. As you gain confidence in your playbooks and your data quality improves, you can push the boundary further. Start by automating enrichment and notification. Once those are reliable, add automated triage scoring. Once scoring is validated, add automated containment for high-confidence, low-impact scenarios. Never jump to automated containment on day one.
The Automation Decision Matrix
Use this matrix to evaluate whether a task should be automated:
| | Low Risk of Error | High Risk of Error |
|---|---|---|
| High Repeatability | AUTOMATE NOW — IOC enrichment, case creation, notifications | AUTOMATE WITH APPROVAL — Containment actions, account disablement |
| Low Repeatability | CONSIDER AUTOMATING — Monthly report generation, compliance checks | KEEP HUMAN — Novel threat investigation, escalation decisions, legal notification |
SOAR Platform Overview
Shuffle (Open Source — Used in CyberBlueSOC)
Shuffle is the open-source SOAR platform in your CyberBlueSOC environment. It provides a visual workflow builder with drag-and-drop playbook creation.
| Feature | Details |
|---|---|
| License | Open source (Apache 2.0) |
| Deployment | Docker containers (self-hosted) |
| Workflow builder | Visual drag-and-drop |
| App ecosystem | 200+ pre-built integrations (Wazuh, TheHive, MISP, VirusTotal, Slack) |
| Triggers | Webhook, schedule, manual, email |
| Learning curve | Moderate — visual builder lowers the barrier, but complex workflows require understanding API patterns |
Other Major Platforms (For Awareness)
| Platform | Vendor | Key Differentiator | Typical Customer |
|---|---|---|---|
| Cortex XSOAR | Palo Alto Networks | Largest marketplace of integrations (700+); strong war room collaboration | Enterprise SOCs with Palo Alto stack |
| Splunk SOAR (Phantom) | Cisco/Splunk | Deep Splunk integration; visual playbook editor | Splunk-centric environments |
| Tines | Tines (independent) | No-code builder; story-based workflow design | Organizations wanting simplicity without vendor lock-in |
| Google SecOps (Chronicle SOAR) | Google Cloud | Integrated with Google threat intel; cloud-native | Google Cloud customers |
| Microsoft Sentinel SOAR | Microsoft | Native Azure/M365 integration via Logic Apps | Microsoft-centric enterprises |
The concepts transfer across platforms. Triggers, conditions, actions, loops, and error handling work the same way in every SOAR platform. If you learn playbook design on Shuffle, you can build playbooks on XSOAR or Tines with minimal ramp-up. The workflow logic is universal; only the UI and API syntax change.
Shuffle Platform Architecture
Understanding Shuffle's architecture prepares you for Lab 14.1, where you set up and configure the platform.
Core Components
Triggers start a workflow. They listen for events and kick off the playbook when conditions are met:
| Trigger Type | How It Works | Example |
|---|---|---|
| Webhook | Receives HTTP POST from external tool | Wazuh sends alert via webhook → workflow starts |
| Schedule | Runs at defined intervals | Every 15 minutes → check for new MISP events |
| Manual | Analyst clicks "Run" in Shuffle UI | Ad hoc investigation playbook |
| Email | Monitors mailbox for new messages | Phishing report inbox → triage workflow |
Apps are the building blocks that perform actions. Each app connects to one tool or service:
| App Name | What It Does |
|---|---|
| Wazuh | Query alerts, manage agents, run commands |
| TheHive | Create cases, add observables, update tasks |
| MISP | Search events, add attributes, create events |
| VirusTotal | Look up IPs, domains, hashes, URLs |
| Shuffle Tools | Built-in utilities (parse JSON, regex, HTTP) |
| Email | Send notifications, parse incoming messages |
| Slack | Post messages, create channels, mention users |
| Velociraptor | Run VQL queries, collect artifacts, isolate |
Workflows chain triggers and apps together with conditions and loops:
```text
[Trigger: Wazuh Webhook]
            ↓
[App: Extract IOCs from alert JSON]
            ↓
[App: MISP — search each IOC]
            ↓
[Condition: Any match found?]
         ↙       ↘
       Yes        No
        ↓          ↓
[App: TheHive     [App: TheHive
 Create case       Create case
 Severity: HIGH]   Severity: LOW]
        ↓          ↓
[App: Slack       [End]
 Notify L2 channel]
```
Shuffle Data Flow
Every step in a Shuffle workflow passes data to the next step as JSON. Understanding this data flow is essential for building effective playbooks:
```json
{
  "execution_id": "abc123",
  "workflow_id": "def456",
  "results": {
    "trigger": { "alert_id": "92101", "agent": "WIN-SERVER-01", "src_ip": "185.220.101.42" },
    "misp_search": { "found": true, "event_id": "1234", "threat_level": "high" },
    "thehive_case": { "case_id": "~847291", "severity": 3, "status": "Open" }
  }
}
```
Each app's output becomes available to all subsequent apps in the workflow. You reference previous results using Shuffle's variable syntax: $trigger.alert_id, $misp_search.found, etc.
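The branching workflow from the diagram and the step-to-step JSON data flow described above, as an added illustration that is not Shuffle's own code or the lab's: each node is a plain function that reads earlier results through the page's `$step.field` reference syntax and appends its own JSON output. The webhook payload, the local MISP indicator set, the node names and the placeholder IDs are all constructed assumptions, not real Shuffle, Wazuh or MISP schemas.

```python
import re

# Constructed sample webhook payload; field names are an assumption, not Wazuh's exact schema.
WEBHOOK_PAYLOAD = {
    "alert_id": "92101",
    "agent": "WIN-SERVER-01",
    "full_log": "Outbound connection from WIN-SERVER-01 to 185.220.101.42:443 and 10.0.0.5:445",
}
# Constructed stand-in for the MISP app: a local indicator set instead of a live API call.
MISP_EVENTS = {"185.220.101.42": {"event_id": "1234", "threat_level": "high"}}
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def resolve(ref, results):
    """Resolve a '$step.field' reference (the page's variable syntax) against prior step output."""
    step, _, field = ref.lstrip("$").partition(".")
    value = results[step]
    return value[field] if field else value

def extract_iocs(results):
    """App node: pull IPv4 addresses out of the trigger's log line."""
    return {"ips": sorted(set(IPV4.findall(resolve("$trigger.full_log", results))))}

def misp_search(results):
    """App node: look each IOC up in the (constructed) MISP event set."""
    hits = {ip: MISP_EVENTS[ip] for ip in resolve("$extract_iocs.ips", results) if ip in MISP_EVENTS}
    return {"found": bool(hits), "matches": hits}

def thehive_case(results):
    """Condition + app node: HIGH (3) on any MISP match, otherwise LOW (1)."""
    severity = 3 if resolve("$misp_search.found", results) else 1
    return {"case_id": "~CASE-ID-PLACEHOLDER", "severity": severity, "status": "Open"}

def slack_notify(results):
    """App node: only reached on the 'Yes' branch; returns the message it would post."""
    case = resolve("$thehive_case", results)
    return {"text": f"Case {case['case_id']} (severity {case['severity']}) queued for L2"}

def run_workflow(payload):
    """Execute the nodes in order, accumulating each app's JSON output under its node name."""
    results = {"trigger": payload}
    for name, app in [("extract_iocs", extract_iocs), ("misp_search", misp_search), ("thehive_case", thehive_case)]:
        results[name] = app(results)
    if resolve("$misp_search.found", results):   # the Yes/No branch in the diagram
        results["slack_notify"] = slack_notify(results)
    return {"execution_id": "EXEC-ID-PLACEHOLDER", "results": results}

if __name__ == "__main__":
    import json
    print(json.dumps(run_workflow(WEBHOOK_PAYLOAD), indent=2))
```

Running it with the constructed payload produces a HIGH case plus a Slack step; a payload whose IPs miss the indicator set ends at a LOW case with no notification, matching the diagram's two branches.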
Getting Started with Shuffle
In Lab 14.1, you will:
- Access the Shuffle interface in your CyberBlueSOC environment
- Explore the app ecosystem and authenticate Shuffle to Wazuh, TheHive, and MISP
- Create your first workflow: a simple webhook trigger → Slack notification
- Test the workflow with a sample payload
- Verify the notification arrives in the configured channel
This first workflow is deliberately simple. It establishes the fundamental pattern — trigger → action — that every subsequent playbook builds upon. By the end of Lab 14.1, you will understand how data flows through Shuffle and how to connect it to your SOC tools.
Shuffle runs alongside your other CyberBlueSOC tools. It does not replace Wazuh, TheHive, or MISP — it connects them. Think of Shuffle as the conductor of an orchestra: the individual instruments (tools) produce the sound, but the conductor ensures they play together in coordination.
Key Takeaways
- SOAR provides three capabilities — orchestration (connecting tools), automation (executing logic), and response (taking defensive actions) — that together enable SOC workflows to scale beyond human capacity
- The global analyst shortage (3.4M+ open positions) makes automation not optional but essential — you cannot hire your way out of the alert volume problem
- Automate repeatable, data-driven tasks (enrichment, case creation, notification, high-confidence containment) and keep complex, judgment-dependent tasks human (novel threats, escalation decisions, legal matters)
- Use the automation decision matrix (repeatability vs. risk of error) to evaluate what to automate; start with low-risk, high-repeatability tasks and expand gradually
- Shuffle is an open-source SOAR with a visual workflow builder, 200+ app integrations, and webhook/schedule/manual triggers that connect your entire SOC stack
- SOAR concepts transfer across platforms — triggers, conditions, actions, and data flow work the same way in Shuffle, XSOAR, Phantom, and Tines
- Every automated action is logged with timestamps, providing consistency, speed, coverage, and audit trails that manual processes cannot match
What's Next
You understand what SOAR is, why it matters, and what belongs in automated workflows versus human decision-making. In Lesson 14.2 — Building Automated Playbooks, you will design and build your first real playbook: a phishing response workflow that receives an alert, extracts IOCs, enriches them through VirusTotal and MISP, creates a TheHive case, and notifies the analyst — all without human intervention.
Knowledge Check: SOAR Fundamentals
10 questions · 70% to pass
What does SOAR stand for, and what are its three distinct capabilities?
An analyst manually enriches each alert by copying an IP, searching it in MISP, and pasting the result into a case. This takes 4 minutes per alert across 200 daily alerts. What is the primary benefit of automating this task?
Which of the following tasks should NOT be automated according to the automation decision matrix?
In the automation decision matrix, which quadrant describes 'high repeatability, high risk of error' tasks?
In Shuffle, what component starts a workflow when an external tool sends an HTTP POST request?
In Lab 14.1, you set up Shuffle and create your first workflow. What is the purpose of starting with a simple webhook → Slack notification workflow?
How does Shuffle pass data between steps in a workflow?
What is the recommended approach for expanding automation scope over time?
Which open-source SOAR platform is used in the CyberBlueSOC environment and provides a visual drag-and-drop workflow builder?
Beyond time savings, what are the other key benefits of SOC workflow automation?