Definition
Security Orchestration, Automation and Response (SOAR) automates security operations workflows. Playbooks define multi-step response sequences, e.g. on a phishing alert: check the user's recent behaviour in the SIEM → query EDR for signs of endpoint compromise → if compromised, isolate the host and reset the user's credentials → create a ticket → notify an analyst. SOAR integrates with dozens of security tools through their APIs. Major platforms: Splunk SOAR (formerly Phantom), Microsoft Sentinel automation rules and playbooks, Palo Alto Cortex XSOAR, Tines, Torq, Swimlane. SOAR is most valuable for repetitive, high-volume tasks (phishing triage, IOC enrichment, account-compromise response) where analyst time is the bottleneck. Because a playbook executes containment at machine speed, destructive steps such as host isolation or credential resets should be gated behind an analyst approval or a confidence threshold, and every step should be logged so the automated response can be audited.
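The phishing playbook described above, written out as plain Python so the branching logic is visible. This is an added example, not code from any of the platforms named on this page: the SIEM, EDR, IOC feed, ticketing and notification integrations are replaced by in-memory stubs holding constructed sample data, and the `approve` callback stands in for the analyst-approval gate a real platform would provide.

```python
"""Hypothetical phishing-response playbook (added example, not vendor code).

Every integration is an in-memory stub with constructed data so the playbook
runs offline; a SOAR platform would call the vendor APIs here instead.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# Constructed sample data standing in for SIEM, EDR and threat-intel state.
SIEM_LOGINS = {
    "alice": [{"src_ip": "203.0.113.9", "country": "RO", "new_device": True}],
    "bob":   [{"src_ip": "10.0.4.12", "country": "US", "new_device": False}],
}
EDR_HOSTS = {
    "alice": {"host": "wks-alice-01", "detections": ["Trojan.GenericKD", "CredDump"]},
    "bob":   {"host": "wks-bob-02", "detections": []},
}
IOC_FEED = {"attacker.example", "198.51.100.77"}
HOME_COUNTRY = "US"


@dataclass
class Alert:
    user: str
    sender_domain: str
    url_host: str


@dataclass
class PlaybookResult:
    verdict: str
    actions: List[str] = field(default_factory=list)
    ticket: Optional[dict] = None
    notified: bool = False


def enrich_iocs(alert: Alert) -> set:
    """Step 1: IOC enrichment. Return the alert's indicators that match the feed."""
    return {ioc for ioc in (alert.sender_domain, alert.url_host) if ioc in IOC_FEED}


def suspicious_logins(user: str) -> list:
    """Step 2: SIEM user-behaviour check. New devices or foreign logins count."""
    return [e for e in SIEM_LOGINS.get(user, [])
            if e["new_device"] or e["country"] != HOME_COUNTRY]


def edr_detections(user: str) -> list:
    """Step 3: EDR query for the user's endpoint. Unknown user -> no detections."""
    return EDR_HOSTS.get(user, {}).get("detections", [])


def contain(user: str, approve: Callable[[str], bool]) -> list:
    """Step 4: containment. Destructive actions only run when the gate approves;
    otherwise they are queued as pending so an analyst can decide."""
    host = EDR_HOSTS[user]["host"]
    actions = []
    for action in (f"isolate_host:{host}", f"reset_credentials:{user}"):
        actions.append(action if approve(action) else f"pending_approval:{action}")
    return actions


def run_playbook(alert: Alert, approve: Callable[[str], bool] = lambda a: False) -> PlaybookResult:
    """Run the full sequence and return everything the playbook decided and did."""
    hits = enrich_iocs(alert)
    logins = suspicious_logins(alert.user)
    detections = edr_detections(alert.user)

    result = PlaybookResult(verdict="benign")
    if detections:                       # endpoint shows compromise: contain
        result.verdict = "compromised"
        result.actions = contain(alert.user, approve)
    elif hits or logins:                 # indicators only: escalate, no containment
        result.verdict = "suspicious"

    severity = {"compromised": "high", "suspicious": "medium", "benign": "low"}[result.verdict]
    result.ticket = {                    # Step 5: ticket with the evidence gathered
        "title": f"Phishing alert for {alert.user}",
        "severity": severity,
        "evidence": {"iocs": sorted(hits), "logins": logins, "edr": detections},
    }
    result.notified = result.verdict != "benign"   # Step 6: page an analyst
    return result


if __name__ == "__main__":
    alert = Alert("alice", "attacker.example", "login.example.org")
    print(run_playbook(alert, approve=lambda a: True))
```

Calling `run_playbook(alert)` with the default gate never isolates or resets anything; it records the actions as pending, which is the behaviour you want for a playbook whose false-positive cost is locking a user out.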
Related terms
- SIEM (Security Information and Event Management) - Platform that aggregates security events from across the environment for correlation, search, and alerting.
- SOC (Security Operations Center) - Centralized team responsible for monitoring, detecting, investigating, and responding to security incidents.
- EDR (Endpoint Detection and Response) - Endpoint security capability focused on detection, investigation, and response to threats that have evaded prevention.