Top 8 Security Orchestration Automation and Response (SOAR)

Microsoft SentinelPalo Alto Networks Cortex XSOARSplunk PhantomNetWitness XDRExabeam Fusion SIEMServiceNow Security OperationsMcAfee ePolicy OrchestratorSumo Logic Security
  1. leader badge
    We are able to deploy within half an hour and we only require one person to complete the implementation.Another area where it is helping us is in creating a single dashboard for our environment. We can collect all the logs into a log analytics workset and run queries on top of it. We get all the results in the dashboard. Even a layman can understand this stuff. The way Microsoft presents it is really incredible.
  2. Its agility and scalability are valuable.Many different playbooks are available and can be customized.
  3. Buyer's Guide
    Security Orchestration Automation and Response (SOAR)
    November 2022
    Find out what your peers are saying about Microsoft, Palo Alto Networks, Splunk and others in Security Orchestration Automation and Response (SOAR). Updated: November 2022.
    656,862 professionals have used our research since 2012.
  4. Technical support is helpful. The most valuable features of Splunk Phantom are the easy integration with other solutions, including other Splunk solutions. The most important playbooks we need on a market come already on the Frontend. However, nowadays, Splunk changed its name, it's not Frontend anymore, it's Splunk Store. This is a very strong point.
  5. Technical support is knowledgeable. It's a scalable solution. We have around five to eight customers using RSA NetWitness Endpoint, and we hope to increase the number of users.
  6. The most valuable feature of Exabeam Fusion SIEM is the easy-to-use user interface.It's a very user-friendly product and it's a very comprehensive technology.
  7. The ease of use is great.The product has a very simple UI.
  8. report
    Use our free recommendation engine to learn which Security Orchestration Automation and Response (SOAR) solutions are best for your needs.
    656,862 professionals have used our research since 2012.
  9. The most valuable feature of the McAfee ePolicy Orchestrator is agent communication.The policy auditing, policy management, and device auditing are all valuable features. Our customers appreciated the ability to get alerts to system-wide events from a single view.
  10. Sumo Logic is an easy solution to use. You can set it up very quickly, and it includes a lot of training videos.The solution is quite stable.

Advice From The Community

Read answers to top Security Orchestration Automation and Response (SOAR) questions. 656,862 professionals have gotten help from our community of experts.
Rony_Sklar - PeerSpot reviewer
PeerSpot (formerly IT Central Station)
SIEM and SOAR have a lot of components in common. How do they differ in the role they play in Cyber Security? If you've been working in cybersecurity, you've likely come across SOAR and SIEM technologies. There are differences between their capabilities, although they have a fair amount of commo...
Read More »
Ashraf Abbas - PeerSpot reviewer
Ashraf AbbasSIEM involves in collection, correlation and aggregation of security logs and… more »
8 Answers
Shibu Babuchandran - PeerSpot reviewer
Shibu Babuchandran
Regional Manager/ Service Delivery Manager at ASPL INFO Services

Hi community,

What are your top 5 (or less) cyber security trends in 2022?

Thanks in advance!

Pablo Cousino - PeerSpot reviewer
Pablo Cousino1) Security in endpoints (especially because of remote work), especially to… more »
10 Answers
Rony_Sklar - PeerSpot reviewer
PeerSpot (formerly IT Central Station)

Hi dear community,

Can you explain what an incident response playbook is and the role it plays in SOAR? How do you build an incident response playbook? 

Do SOAR solutions come with a pre-defined playbook as a starting point?

Maged Magdy - PeerSpot reviewer
Maged MagdyHi, what an incident response playbook?  Incident Response Playbook is the… more »
4 Answers

Security Orchestration Automation and Response (SOAR) Articles

Evgeny Belenky - PeerSpot reviewer
Evgeny Belenky
PeerSpot (formerly IT Central Station)
Jul 18 2022
Dear PeerSpot community members, Welcome to the latest PeerSpot Community Spotlight, where we sum up the most relevant recent postings by your peers in the community.  Check out the latest questions, articles and professional discussions contributed by PeerSpot community members!  Tren...
Read More »
Evgeny Belenky - PeerSpot reviewer
Evgeny Belenky
PeerSpot (formerly IT Central Station)
Hi peers, This is our new bi-weekly Community Spotlight that includes recent contributions (questions, articles and discussions) by the PeerSpot community members.  Articles Check the top products and solutions below (selected based on peer reviews) or contribute your own article! ...
Read More »
Janet Staver - PeerSpot reviewer
Janet Staver
Tech Blogger
PeerSpot’s crowdsourced user review platform helps technology decision-makers around the world to better connect with peers and other independent experts who provide advice without vendor bias. Our users have ranked these solutions according to their valuable features, and discuss which features...
Read More »

Security Orchestration Automation and Response (SOAR) Topics

How does a SOAR playbook work?

Here is an example of a playbook for the event of a malware threat:

  1. Data is gathered from security tools, SIEM, threat intelligence feed, etc.
  2. The suspected malware file is found and extracted.
  3. The file is sent to malware analysis to be detonated and reported.
  4. The detonation report is displayed.
  5. If the file is not determined to be a threat, the playbook is closed.
  6. If the file is determined to be malicious, the database is updated to include it and then the playbook is closed.

This process is standardized, so analysts know what to do at every step of the incident response.

Why is SOAR important?

One of the biggest challenges for companies today is the tech sprawl of security tools. As the number of threats keeps rising, companies add more security tools to their stack to keep all potential threats covered.

The problem is that in most cases, these security tools don’t talk to each other. A report of NASDAQ Information Services found the typical SOC (security operations center) uses on average 15 different security products. Because most of these products don’t offer automation, an increasing number of security teams become overwhelmed by manual tasks and having to deal with managing a sprawled tech stack. To add to this challenge, security teams usually have limited to no visibility across the entire tool stack, data, and environments.

Another challenge is the massive volume of threat intelligence (TI) data and alerts produced by security tools. This requires security teams to manually prioritize, investigate, and respond to each one. In addition, the talent shortage in the cybersecurity industry makes it difficult for companies to find enough security staff to deal with the increasing number of manual jobs.

Security Orchestration, Automation, and Response solutions (SOAR) help companies overcome these challenges. SOAR helps improve security operations by:

  • Using security automation to automate repetitive manual tasks and streamline the security incident lifecycle.
  • Coordinating their existing security tools. It centralizes data collection and analysis and provides visibility across the environment.
  • Standardizing incident analysis and response procedures by using security playbooks. This provides a consistent and documented way to respond to threats.
  • Identifying, prioritizing, and managing potential vulnerabilities, proactively and reactively.
What is SOAR vs SIEM?

Organizations use these tools to handle the overflow of security-related information and events generated by the typical organization today. Security Operations Center (SOC) staff often manually manage the identification and response to cyber threats. However, as data streams and threat alerts continue to grow, it becomes nearly impossible to manually handle all this data. Here is where Security Orchestration, Automation and Response (SOAR) and Security Information and Event Management (SIEM) come in.

What is SIEM?

SIEM solutions collect and aggregate log and event data from applications, security devices, and systems into a centralized platform, then analyze this data to identify indicators of compromise (IoC) that may point to a cyber attack. These solutions use machine learning to improve their detection capabilities.

A SIEM platform collects, processes, correlates, aggregates, and monitors for anomalies across data logs, then notifies users through alerts when it detects suspicious behavior.

How is SOAR different from SIEM?

SIEM focuses on finding suspicious behavior and triggering alerts, leaving the actual response and remediation to humans. Thus, while it improves threat detection, it actually creates more work for SOC teams. In addition, it can contribute to alert fatigue if there is a large number of false positives. That being said, SIEM excels at ingesting and parsing large datasets of internal logs, thus complementing SOAR’s capabilities.

SOAR solutions go several steps further than SIEM by increasing the pre-processing of detected threats before the system alerts a cybersecurity officer. SOAR can ingest data from external sources, like threat intelligence sources. In addition, as the main function of SOAR technologies is the ability to coordinate and leverage different security products, the system gives organizations the possibility of streamlining existing tools, using them in new ways.

So, which should you choose? You should use both. SIEM tools are better for processing large volumes of data, while SOAR can leverage SIEM’s capabilities, orchestrating SIEM together with other security tools.

Benefits of SOAR

Security operations teams need to coordinate the results and filter the noise of alerts resulting from disparate systems. This increasing volume of manual processes leads to errors and missing alerts. Security Orchestration and Automation Response (SOAR) solutions improve the security posture and minimize the incident response time. Here are some benefits of implementing a SOAR platform:

1. Reduces response time

    By using automation capabilities, security orchestration aggregates related alerts from different systems into a single incident. The system then can respond to low-level alerts without human intervention, elevating complex or high-severity alerts to the SOC (security operations center). This enables a faster response time.

    2. Standardizes communication for incident response

      SOC teams usually need to reach outside the SOC when responding to incidents, including external stakeholders like legal teams, law enforcement, human resources, and public relations. Having a standard communications process through the SOAR playbook ensures no stakeholder misses critical information during an incident response.

      3. Leverages threat intelligence

        In many cases, SOC teams fail to pay enough attention to threat intelligence data due to information overload. SOAR platforms ingest, process, and leverage threat intelligence information, correlating it with events in real-time. This reduces the manual workload of SOC teams while providing actionable information.

        4. Minimizes manual operations

          The “automation” part of SOAR saves SOC analysts from conducting repetitive tasks manually, instead integrating them into the general incident response. Automation can handle low-level alerts and incidents through automated playbooks, thus freeing SOC teams from manual event handling.

          5. Easy integration

            A key benefit of SOAR platforms is the ability to aggregate and correlate alerts from disparate tools and sources. A SOAR platform integrates with products across the spectrum of security tools, including:

            • Email security
            • Endpoint security
            • Malware analysis
            • Identity and Access Management
            • SIEM
            • Vulnerability management
            • Network security
            • Data security
            • Cloud security
            Features of SOAR

            There are various SOAR solutions available with an array of features. The four basic functions of a SOAR platform include:

            1. Flexible integrations

              The system should support common methods of data ingestion, such as Syslog, APIs, online forms, and database connections. A SOAR platform should support creating unidirectional integrations - such as ingesting data from a security product to the platform - and bidirectional integrations with new security products. The integration should be easy to implement and use.

              2. Easy to create and use process workflows

                One of the basic features of SOAR platforms is the drag-and-drop capability to create playbooks. Additionally, the solutions should support different methods for creating and controlling workflows, allowing for the analyst to make the decision before the workflow continues. It is important that analysts can create workflows without a high level of scripting or programming.

                3. Incident management

                  In addition to basic case management functionality, many SOAR solutions offer advanced features such as evidence and chain of custody management, detailed task tracking, asset management, and objective tracking.

                  4. Threat intelligence

                    SOAR solutions gather and correlate threat intelligence information, providing context to help with incident management. A SOAR platform can access all incident information from related sources, thus providing actionable threat intelligence.

                    Buyer's Guide
                    Security Orchestration Automation and Response (SOAR)
                    November 2022
                    Find out what your peers are saying about Microsoft, Palo Alto Networks, Splunk and others in Security Orchestration Automation and Response (SOAR). Updated: November 2022.
                    656,862 professionals have used our research since 2012.