Security Automation & SOAR Fundamentals

The Scale Problem

You have spent 13 modules building analyst skills: reading SIEM alerts, enriching IOCs, investigating endpoints, triaging incidents, writing detection rules, and producing reports. Every one of those skills is essential. None of them scale.

A skilled analyst can triage 30-50 alerts per shift. A modern SOC generates 500-5,000 alerts per day. Even with perfect detection engineering that eliminates 80% of noise, that leaves 100-1,000 alerts requiring human attention. The math does not work.

This is not a staffing problem you can hire your way out of. The global cybersecurity workforce gap is over 3.4 million positions. Even organizations that can afford to hire struggle to find qualified analysts. The solution is not more humans — it is making each human more effective by automating the repeatable parts of their workflow.

What Is SOAR?

SOAR stands for Security Orchestration, Automation, and Response. Each word describes a distinct capability:

Orchestration

Connecting multiple security tools so they can share data and trigger actions across the stack. Orchestration is the plumbing — it handles API calls, data format translation, authentication, and routing between tools.

Example: When Wazuh fires an alert, orchestration sends the IOCs to MISP for lookup, then sends the results to TheHive to create a case, then sends a notification to Slack.

Automation

Executing predefined actions without human intervention. Automation is the engine — it runs playbooks, evaluates conditions, and takes actions based on rules.

Example: If the MISP lookup returns a high-confidence match, automatically set the TheHive case severity to HIGH and assign it to the L2 queue.

Response

Taking containment and remediation actions to neutralize threats. Response is the muscle — it blocks IPs at the firewall, disables accounts, isolates endpoints, and quarantines emails.

Example: If the enriched alert matches a known ransomware campaign, automatically isolate the endpoint via Velociraptor and block the C2 IP at the firewall.

Why Automate SOC Workflows?

The Case for Automation

Automation ROI

Manual alert enrichment:    4 minutes × 200 alerts/day = 800 min (13.3 hours)
Automated alert enrichment: 5 seconds × 200 alerts/day = 17 min (0.3 hours)
Time saved per day:         13 hours of analyst time
Time saved per year:        4,745 hours (2.4 FTE equivalent)

Beyond time savings, automation provides:

• Consistency — Every alert is enriched the same way, every time. No steps skipped during busy shifts.
• Speed — Containment in seconds instead of hours. Dwell time measured in minutes instead of days.
• Coverage — Every alert gets attention, not just the ones an analyst has time to reach.
• Documentation — Every automated action is logged with timestamps, creating a complete audit trail.
• Scalability — Workflow handles 50 or 5,000 alerts with the same resource cost.

Click to enlarge

What to Automate (and What NOT to Automate)

This is the most critical decision in SOAR deployment. Automating the wrong things creates more problems than it solves.

Automate: Repeatable, Data-Driven Tasks

Do NOT Automate: Complex, Judgment-Required Decisions

The Automation Decision Matrix

Use this matrix to evaluate whether a task should be automated:

Click to enlarge

SOAR Platform Overview

Shuffle (Open Source — Used in CyberBlueSOC)

Shuffle is the open-source SOAR platform in your CyberBlueSOC environment. It provides a visual workflow builder with drag-and-drop playbook creation.

Other Major Platforms (For Awareness)

Shuffle Platform Architecture

Understanding Shuffle's architecture prepares you for Lab 14.1 where you set up and configure the platform.

Core Components

Triggers start a workflow. They listen for events and kick off the playbook when conditions are met:

Apps are the building blocks that perform actions. Each app connects to one tool or service:

App Name         | What It Does
-----------------|------------------------------------------
Wazuh            | Query alerts, manage agents, run commands
TheHive          | Create cases, add observables, update tasks
MISP             | Search events, add attributes, create events
VirusTotal       | Look up IPs, domains, hashes, URLs
Shuffle Tools    | Built-in utilities (parse JSON, regex, HTTP)
Email            | Send notifications, parse incoming messages
Slack            | Post messages, create channels, mention users
Velociraptor     | Run VQL queries, collect artifacts, isolate

Workflows chain triggers and apps together with conditions and loops:

[Trigger: Wazuh Webhook]
       ↓
[App: Extract IOCs from alert JSON]
       ↓
[App: MISP — search each IOC]
       ↓
[Condition: Any match found?]
      ↙          ↘
   Yes             No
    ↓               ↓
[App: TheHive    [App: TheHive
 Create case      Create case
 Severity: HIGH]  Severity: LOW]
    ↓               ↓
[App: Slack      [End]
 Notify L2 channel]

Shuffle Data Flow

Every step in a Shuffle workflow passes data to the next step as JSON. Understanding this data flow is essential for building effective playbooks:

{
  "execution_id": "abc123",
  "workflow_id": "def456",
  "results": {
    "trigger": { "alert_id": "92101", "agent": "WIN-SERVER-01", "src_ip": "185.220.101.42" },
    "misp_search": { "found": true, "event_id": "1234", "threat_level": "high" },
    "thehive_case": { "case_id": "~847291", "severity": 3, "status": "Open" }
  }
}

Each app's output becomes available to all subsequent apps in the workflow. You reference previous results using Shuffle's variable syntax: $trigger.alert_id, $misp_search.found, etc.

Getting Started with Shuffle

In Lab 14.1, you will:

1. Access the Shuffle interface in your CyberBlueSOC environment
2. Explore the app ecosystem and authenticate Shuffle to Wazuh, TheHive, and MISP
3. Create your first workflow: a simple webhook trigger → Slack notification
4. Test the workflow with a sample payload
5. Verify the notification arrives in the configured channel

This first workflow is deliberately simple. It establishes the fundamental pattern — trigger → action — that every subsequent playbook builds upon. By the end of Lab 14.1, you will understand how data flows through Shuffle and how to connect it to your SOC tools.

Key Takeaways

• SOAR provides three capabilities — orchestration (connecting tools), automation (executing logic), and response (taking defensive actions) — that together enable SOC workflows to scale beyond human capacity
• The global analyst shortage (3.4M+ open positions) makes automation not optional but essential — you cannot hire your way out of the alert volume problem
• Automate repeatable, data-driven tasks (enrichment, case creation, notification, high-confidence containment) and keep complex, judgment-dependent tasks human (novel threats, escalation decisions, legal matters)
• Use the automation decision matrix (repeatability vs. risk of error) to evaluate what to automate; start with low-risk, high-repeatability tasks and expand gradually
• Shuffle is an open-source SOAR with a visual workflow builder, 200+ app integrations, and webhook/schedule/manual triggers that connect your entire SOC stack
• SOAR concepts transfer across platforms — triggers, conditions, actions, and data flow work the same way in Shuffle, XSOAR, Phantom, and Tines
• Every automated action is logged with timestamps, providing consistency, speed, coverage, and audit trails that manual processes cannot match

What's Next

You understand what SOAR is, why it matters, and what belongs in automated workflows versus human decision-making. In Lesson 14.2 — Building Automated Playbooks, you will design and build your first real playbook: a phishing response workflow that receives an alert, extracts IOCs, enriches them through VirusTotal and MISP, creates a TheHive case, and notifies the analyst — all without human intervention.