01 SOAR Fundamentals · Reference
The three pillars of modern SOC automation
The Three Pillars
Orchestration: connect tools so they can talk to each other
Automation: run repeatable tasks without analyst intervention
Response: execute containment at machine speed
Alert Fatigue
A typical enterprise SOC receives 1,100+ alerts per day. Analyst bandwidth handles ~35%. The other 65% go uninvestigated.
Key Concept
SOAR does not replace analysts. It handles repeatable, time-sensitive, low-judgment tasks — freeing analysts for investigations that require human context.
Ficsit Inc. · Alert Velocity (Live): 184 alerts in the last 4 hours
Alert Breakdown by Source (chart)
Discussion
If each of these 184 alerts takes 4 minutes to manually triage, how many analyst-hours does that represent? Answer: ~12 hours — more than one analyst's full shift, before doing anything else.
SOAR Fundamentals — Instructor Notes
Stress that SOAR is a process multiplier, not a headcount replacement. The three pillars have different skill implications: Orchestration requires understanding tool APIs; Automation requires playbook logic and testing discipline; Response requires security judgment to design safe automated actions. Many orgs buy SOAR and only use the Notification layer because "what if automation makes a mistake?" The Ficsit incident is the worked example of scoping containment safely — isolate endpoint: yes, delete user account: no.
Discussion Exercise
At what point in an incident should a human take over from automation? The answer depends on blast radius: automated session revocation (reversible) is safe even at low confidence. Automated endpoint isolation (business-impacting) should require higher confidence. Ask students to propose confidence thresholds for each of the 8 containment actions run during IRON CHIMNEY.
02 Alert Enrichment Pipeline · Foyl SOAR
From raw alert to investigation-ready in seconds
Raw Alert — ALT-2024-9821
{
  "alert_id": "ALT-2024-9821",
  "source": "Foyl SIEM",
  "type": "AiTM Phishing Detected",
  "severity": "CRITICAL",
  "timestamp": "2024-11-14T09:48:33Z",
  "src_ip": "185.220.101.47",
  "user": "marcus.chen",
  "host": "RESEARCH-STATION-01"
}
Enrichment Output
Alert Enrichment — Instructor Notes
A human analyst gathers this same context in 8–12 minutes. SOAR does it in 3.2 seconds, every time, with no fatigue. Teaching point: enrichment quality depends on intel quality. If TIP has no data on the attacker IP, the risk score drops and the playbook routes to "low confidence review" — not auto-contain. SOAR enrichment exposes gaps in your intel program: consistent "no TIP data" responses tell you your feeds aren't covering relevant threat actors.
Critical Thinking
Which enrichment step is most critical for the Ficsit incident? The IP reputation check. If VirusTotal returned "benign," the playbook routes to manual review — marcus.chen's sessions are NOT revoked automatically, and the attacker has more time. Ask: what does this mean for organizations that only use free VirusTotal tier (rate-limited lookups)?
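The enrichment pipeline and the 85% gate discussed above, sketched as an added Python example (this is not Foyl SOAR's code). The TIP, identity and asset lookups and the score weights are constructed stand-ins; only the raw alert comes from the slide.

```python
# Added example, not Foyl SOAR code: enrich ALT-2024-9821 and route on confidence.

# Raw alert exactly as shown on the slide.
RAW_ALERT = {
    "alert_id": "ALT-2024-9821", "source": "Foyl SIEM",
    "type": "AiTM Phishing Detected", "severity": "CRITICAL",
    "timestamp": "2024-11-14T09:48:33Z", "src_ip": "185.220.101.47",
    "user": "marcus.chen", "host": "RESEARCH-STATION-01",
}

# Constructed stand-ins for the TIP, the identity directory and the asset inventory.
SAMPLE_TIP = {"185.220.101.47": {"verdict": "malicious", "tags": ["aitm-infra"]}}
SAMPLE_IDENTITY = {"marcus.chen": {"department": "Research", "privileged": False}}
SAMPLE_ASSETS = {"RESEARCH-STATION-01": {"criticality": "high", "edr_enrolled": True}}

AUTO_CONTAIN_THRESHOLD = 85  # the PB-001 Step 4 gate

# Constructed weights: SIEM severity is only a baseline; enrichment decides whether
# the evidence is reliable enough to contain without a human review.
SEVERITY_WEIGHT = {"CRITICAL": 50, "HIGH": 35, "MEDIUM": 20}


def enrich(alert, tip=SAMPLE_TIP, identity=SAMPLE_IDENTITY, assets=SAMPLE_ASSETS):
    """Attach context to a raw alert and derive a confidence score plus a route."""
    score = SEVERITY_WEIGHT.get(alert["severity"], 10)
    ip_intel = tip.get(alert["src_ip"])
    if ip_intel is None:
        # Intel gap: no TIP coverage keeps the score below the gate on purpose,
        # so the run lands in low-confidence review instead of auto-contain.
        ip_verdict = "no TIP data"
    else:
        ip_verdict = ip_intel["verdict"]
        score += 35 if ip_verdict == "malicious" else 5
    host_ctx = assets.get(alert["host"], {})
    if host_ctx.get("criticality") == "high":
        score += 5
    if host_ctx.get("edr_enrolled"):
        score += 5  # EDR can corroborate later, so the evidence is more trustworthy
    route = "auto_contain" if score >= AUTO_CONTAIN_THRESHOLD else "low_confidence_review"
    return {
        "alert_id": alert["alert_id"], "type": alert["type"],
        "src_ip": alert["src_ip"], "ip_verdict": ip_verdict,
        "user_context": identity.get(alert["user"], {}), "host_context": host_ctx,
        "confidence": score, "route": route,
    }


if __name__ == "__main__":
    print(enrich(RAW_ALERT))
    print(enrich(RAW_ALERT, tip={})["route"])  # intel gap -> low_confidence_review
```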
03 Playbook Anatomy · Foyl SOAR
Triggers, conditions, actions, and notifications
Node Types
Trigger: starts the playbook
Condition: YES/NO branch gate
Action: calls an integration
Notification: alerts without acting
Delay: pauses execution
End: closes the run
Playbook Anatomy — Instructor Notes
The most common beginner mistake: over-automating the Response layer before Orchestration and Automation are reliable. Build confidence progressively — start with Notification-only playbooks, then add enrichment Actions, then soft containment (force MFA step-up), then hard containment (isolate endpoint). The Delay node is underused but important: it enables semi-automated approval flows where a human must confirm before a high-blast-radius action executes.
Design Exercise
Design a playbook for BEC-001 (CEO wire fraud). What's the trigger? What enrichment steps? At what point should human judgment be required? Hint: every Response action in BEC-001 (notifying the bank, reversing the wire) requires human authority SOAR cannot have. This playbook should end with a Notification, not an Action.
04 Phishing Response Playbook · Foyl SOAR · PB-001
Step through IRON CHIMNEY — AiTM Phishing Response
Phishing Playbook — Instructor Notes
The key teaching moment is Step 4 — the 85% confidence threshold. This branch is not about whether the alert is real (SIEM already fired CRITICAL). It's about whether enrichment data is reliable enough to trigger automated containment without a human review. Step 9 (EDR corroboration before endpoint isolation) is equally important: by requiring an EDR corroboration, the playbook avoids isolating hosts based on email evidence alone, which has a much higher false positive rate.
Pause Point — Step 10
At Step 10 (Isolate Endpoint), pause and ask: "Who should be notified BEFORE this action runs in production?" Expected answers: the endpoint owner's manager, the SOC shift lead, IT on-call. What does PB-001 currently do? Notify #soc-critical AFTER the fact. Is that order correct? This surfaces the "notify before vs. after action" design pattern debate — a real governance question in enterprise SOAR deployments.
05 Automated Containment Actions · Foyl SOAR · PB-001
What SOAR did automatically in 142 seconds — IRON CHIMNEY
8 actions executed · 4 tools called · 142s total duration · P1 case created
Isolation Delay
Actions 7–8 ran 100+ seconds after actions 1–6. This reflects the EDR corroboration condition in PB-001: the playbook waited for a correlated EDR alert before authorizing endpoint isolation. Without corroboration, actions 7–8 would have been skipped entirely.
What SOAR Did Not Automate
Interview the user · decide whether to re-enable the account · notify legal/compliance · approve wire transfer reversal · determine data exfiltration scope. These require human judgment and organizational authority.
Automated Containment — Instructor Notes
142 seconds vs. 20–40 minutes of manual response represents a 10–15x reduction in attacker dwell time. At 3am when an on-call analyst is woken from sleep, that estimate doubles. Ask: what single action has the highest risk of causing a business outage? Endpoint isolation — if RESEARCH-STATION-01 were running a time-sensitive financial process, isolation would interrupt it. This is why the EDR corroboration gate exists.
Class Exercise
Would you add any additional gates before endpoint isolation? Suggested: check whether the host is inside a critical business-hours window, and check whether a critical business process is running on it. How would you implement that check using the SOAR integration catalog?
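An added Python example (not Foyl SOAR's code) of the gating logic this slide describes: reversible actions run at a lower confidence, endpoint isolation waits for EDR corroboration and is skipped without it, actions SOAR lacks authority for end in a notification, and the two extra gates from the class exercise are included. The action list and thresholds are a constructed policy, not PB-001's production configuration.

```python
# Added example, not Foyl SOAR code: per-action containment policy for a PB-001-style run.
from dataclasses import dataclass


@dataclass(frozen=True)
class ContainmentAction:
    name: str
    min_confidence: int        # confidence the enrichment must reach before automation runs it
    reversible: bool           # blast radius: can the action be rolled back cheaply?
    needs_edr: bool = False    # PB-001 Step 9: a corroborating EDR alert is required
    human_only: bool = False   # SOAR has no authority here; Notification, not Action


# Constructed policy; names and thresholds are illustrative, not Ficsit's values.
PB001_POLICY = [
    ContainmentAction("quarantine_email", 70, reversible=True),
    ContainmentAction("block_ip_at_firewall", 70, reversible=True),
    ContainmentAction("revoke_user_sessions", 70, reversible=True),
    ContainmentAction("force_mfa_step_up", 70, reversible=True),
    ContainmentAction("disable_user_account", 85, reversible=True),
    ContainmentAction("isolate_endpoint", 85, reversible=False, needs_edr=True),
    ContainmentAction("reverse_wire_transfer", 100, reversible=False, human_only=True),
    ContainmentAction("delete_user_account", 100, reversible=False, human_only=True),
]


def decide(confidence, edr_corroborated, in_business_hours=False,
           critical_process_running=False, policy=PB001_POLICY):
    """Return (run, skipped, notify) action-name lists for one playbook execution."""
    run, skipped, notify = [], [], []
    for a in policy:
        if a.human_only:
            notify.append(a.name)          # hand to a human; never automated
        elif confidence < a.min_confidence:
            skipped.append(a.name)         # below this action's own gate
        elif a.needs_edr and not edr_corroborated:
            skipped.append(a.name)         # no corroboration: skip, as PB-001 did for 7-8
        elif not a.reversible and (in_business_hours or critical_process_running):
            notify.append(a.name)          # extra gate from the exercise: ask before acting
        else:
            run.append(a.name)
    return run, skipped, notify


if __name__ == "__main__":
    print(decide(95, edr_corroborated=True))    # full containment, wire/delete notified
    print(decide(95, edr_corroborated=False))   # isolation skipped
    print(decide(72, edr_corroborated=True))    # only the reversible actions run
```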
06 Case Creation & Handoff · Foyl SOAR · SIEM
INV-2024-0087 created in 142 seconds — analyst picks up pre-enriched
INV-2024-0087 · IRON CHIMNEY
CRITICAL · OPEN · P1 · 4h SLA
Created: 2024-11-14 09:50:57
Created by: SOAR · PB-001
Assigned: pioneer
Playbook: PB-001
Key Entities: USER marcus.chen · HOST RESEARCH-STATION-01 · IP 185.220.101.47 · DOMAIN invoices-ficsit.io
Automated Case Timeline
Analyst Handoff
SOAR creates the case with full enrichment context and the playbook execution log already attached. The analyst who picks it up at 09:51 doesn't re-gather context — it's already there. They go straight to investigation: what data left the network?
Case Creation & Handoff — Instructor Notes
The handoff moment (09:51:10 — pioneer assigned) is a critical design point. A poorly designed SOAR case arrives with only raw alert data, forcing the analyst to repeat the first 3 minutes of context-gathering. A well-designed case arrives pre-enriched. This is the difference between SOAR as a force multiplier vs. SOAR as just a ticketing system. Emphasize what the analyst can do IMMEDIATELY upon assignment that they couldn't have done without SOAR: the attacker IP is already blocked, the endpoint is already isolated. They can focus entirely on the investigation question.
Class Exercise
What should manual investigation focus on after SOAR's containment? Expected: verify isolation is complete, check lateral movement to other hosts, identify data accessed on RESEARCH-STATION-01 during the 17-minute dwell window (09:31–09:48), determine if marcus.chen credentials accessed any other system.
07 Integration Architecture · Foyl SOAR
12 connected tools — the nervous system of automated response
Ficsit Inc. Integrations
Integration Architecture
Each integration registers its actions (what SOAR can tell it to do) and triggers (what events it sends to SOAR). Playbooks wire triggers to action sequences. Any event in any tool can automatically trigger any action in any other tool — without custom code.
Integration Architecture — Instructor Notes
Twelve integrations is a mature deployment; most orgs start with 3–4 (SIEM, endpoint, Slack) and expand over time. The principle of least privilege applies to SOAR: it should hold only the specific permissions it needs, not admin access to each tool. Ask why the VM (vulnerability management) integration has only 6 actions: it is write-constrained by design. SOAR creates tickets and updates status, but scanner credentials and scan schedules should not be reachable from the SOAR platform.
Extension Question
Which integration would you add to Ficsit's SOAR next? Good answers: CMDB (richer asset context), HR system (check if user is on leave before account actions), AWS/Azure (the 10.0.1.x cloud workloads have no SOAR integration today — a gap if an attacker reaches the cloud segment).
08 SOAR Metrics & ROI · Foyl SOAR · Analytics
Measuring the automation dividend — Ficsit 30-day view
Automation Rate: 71% of alerts handled without human triage (industry avg: 48%)
MTTR Reduction: −68% mean time to respond vs. pre-SOAR baseline (43 min → 14 min average)
Playbook Runs: 1,247 total this month (47 avg/day · 3 currently failing)
Alert Volume: 34,122 ingested alerts this month (↑ 12% vs. last month)
Analyst Hours Saved: 847h estimated time reclaimed (~5.4 FTE-weeks this month)
False Positive Rate: 8.3% of auto-contained alerts required rollback (below 10% threshold: pass)
Playbook Performance
Playbook | Runs | Success | Avg Duration | Last Run
PB-001 · AiTM Phishing Response | 47 | 94% | 142s | 2024-11-14
PB-002 · MFA Fatigue Lockdown | 23 | 96% | 89s | 2024-11-13
PB-003 · Endpoint Isolation | 31 | 100% | 34s | 2024-11-14
PB-004 · BEC Wire Fraud Alert | 8 | 88% | 71s | 2024-11-10
PB-005 · Vuln Critical Ticket | 156 | 98% | 12s | 2024-11-14
What to Automate
Automate when: the action is deterministic, the blast radius of a mistake is recoverable, volume is too high for humans, and speed matters more than nuance. Automate: email quarantine, IP blocks, session revocation. Do not automate: wire transfer reversal, account deletion, public communications.
Automation Debt
Every playbook is a liability as well as an asset. Detection rules change, tools get updated, APIs deprecate. The 3 failing playbook runs this month represent unacknowledged automation debt. Budget 15–20% of initial build time per quarter for playbook maintenance.
ROI Exercise
If SOAR saves 847 analyst-hours/month and a SOC analyst costs $85/hour fully loaded, what is the monthly ROI? ($71,995/month) If the SOAR platform costs $120,000/year, what is the payback period? (Under 3 weeks of monthly savings.) But — is "847 hours saved" a direct headcount cost or an opportunity cost? How does the answer change your budget conversation with the CFO?
SOAR Metrics & ROI — Instructor Notes
Push students on the ROI assumptions. "847 hours saved" as a direct cost implies headcount would decrease — which it won't if the SOC is already staffed. Honest framing: "SOAR lets our 4-analyst team handle alert volume that would otherwise require 7 analysts, while reducing MTTR 68%." The 8.3% false positive rate is acceptable for session revocation (reversible) but would be catastrophic for endpoint isolation (dozens of incorrectly isolated hosts per month). Per-action false positive budgets are a mature SOAR governance concept worth introducing here.
Discussion
What would happen to the false positive rate if Ficsit reduced PB-001's confidence threshold from 85% to 70%? Expected: automation rate increases, MTTR decreases, false positive rate increases — likely past the acceptable threshold. This is the core SOAR tuning tradeoff: more automation = more mistakes. The right balance depends on the reversibility of each action and the business's risk tolerance.
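The tuning trade-off in this discussion, worked through as an added Python example (not Foyl SOAR's analytics): sweep the PB-001 gate from 85 to 70 over a set of scored alerts and watch the automation rate rise while the rollback rate crosses the 10% budget from the metrics slide. The scored alerts are constructed sample data; the 10% budget is the only figure taken from the page.

```python
# Added example, not Foyl SOAR code: automation rate vs. false positive rate per threshold.
from collections import namedtuple

Alert = namedtuple("Alert", "alert_id confidence true_positive")

# Constructed 30-day sample: (enrichment confidence, was it a real incident?).
_SAMPLE_SCORES = [
    (97, True), (95, True), (93, True), (91, True), (90, True), (89, True),
    (88, True), (87, True), (86, True), (85, True), (85, False),
    (82, True), (80, True), (79, False), (78, True), (76, True), (75, False),
    (74, True), (72, True), (71, True), (70, False),
    (65, True), (60, False), (55, False), (40, False),
]
SAMPLE_ALERTS = [Alert(f"ALT-SAMPLE-{i:03d}", c, tp)
                 for i, (c, tp) in enumerate(_SAMPLE_SCORES)]

FP_BUDGET = 0.10  # "below 10% threshold" on the metrics slide


def evaluate_threshold(alerts, threshold):
    """Outcome if every alert at or above `threshold` is auto-contained."""
    auto = [a for a in alerts if a.confidence >= threshold]
    # A false positive that was auto-contained is a rollback (metrics slide definition).
    rollbacks = sum(1 for a in auto if not a.true_positive)
    fp_rate = rollbacks / len(auto) if auto else 0.0
    return {
        "threshold": threshold,
        "automation_rate": round(len(auto) / len(alerts), 3),
        "rollbacks": rollbacks,
        "fp_rate": round(fp_rate, 3),
        "within_budget": fp_rate < FP_BUDGET,
    }


def compare(alerts, thresholds=(85, 70)):
    """Evaluate each candidate gate so the trade-off can be read side by side."""
    return [evaluate_threshold(alerts, t) for t in thresholds]


if __name__ == "__main__":
    for result in compare(SAMPLE_ALERTS):
        print(result)
```

Lowering the gate buys automation coverage at the price of rollbacks; whether that price is acceptable depends on which actions sit behind the gate, which is why the instructor notes argue for per-action false positive budgets.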