Security Orchestration, Automation, and Response (SOAR) solutions play a critical role in security automation and an integral part in most major cybersecurity team's workflows.

Source: Gartner - SOAR, huh…yeah… What is it good for?

In Gartner’s blog SOAR, huh…yeah… What is it good for?, Pete Shoard points out that SOAR itself is not going to solve the automation challenge. Even though most SOAR have capabilities, it requires manual intervention to ensure that processes are streamlined and requires a competent development team to augment your SOAR strategy. These solutions work best when paired with custom playbooks that rely heavily on the automation component of SOAR, taking quick action whenever an incident or other security event occurs.

What are Playbooks?

Playbooks are your tasks and workflows that function according to rules, events, triggers you set. Think of them as the pre-game strategy by a sports team, outlining how every separate player (or in this case, app) should act, adapt, and respond to the events that take place.

Generally, playbooks contain lists of activation conditions, tasks, functions, and scripts. As security threats take on many forms and can exploit a variety of potential vulnerabilities, most teams have multiple custom playbooks that they can quickly access.

SOAR playbooks are essential to preventing your team from being overwhelmed with tasks and routines. By managing your custom playbook effectively, you can help empower your security operators to more consistently and efficiently respond to threats, resolve issues, and manage their alerts.

Where to get started with Playbooks

In this post, we will focus on three popular SOAR solutions (and with which we also have plenty of experience): QRadar SOAR (formerly Resilient), XSOAR (formerly Demisto), and Splunk SOAR (formerly Phantom).


IBM's QRadar SOAR solution puts a lot of power in the hands of your security team as well as your integration experts. Thanks to its Playbook Designer features, operators can quickly build the playbooks they need by relying on the canvas editor which also provides a graphical representation of the workflow.

QRadar SOAR also lets users manage their libraries through the Playbook Manager, where they can access custom and conditional logic to build new playbooks.

Key features of QRadar SOAR include its quick deployment as well as its versatility. With so many resources at the fingertips of your operators, as well as the flexibility in customising your workflows, your team can effectively manage a number of scenarios, including:

  • Monitoring and Event Escalation: QRadar SOAR integrates with multiple systems, including email and ticketing apps, allowing it to send important details of breaches (such as IP addresses) quickly to the right operator.
  • Threat Identification: QRadar SOAR playbooks can be set to automatically look up potential threats, leading to quicker identification and faster response.


Palo Alto Network’s SOAR solutions roots its playbooks in their XSOAR system. Like QRadar SOAR, its playbooks focus on automating your security processes and facilitating your investigation and ticket management.

XSOAR also offers users a graphical interface to better visual playbooks, and includes a vast list of integrations and contributors, consistently expanding the capabilities of this system.

Some of the key features of XSOAR are its emphasis one rapid response speed as well as its wide ranging connectivity with other apps. Some essential playbooks the app can follow revolve around:

  • Communications: XSOAR excels at setting conditional tasks that collect and route data (both internally and externally) to the right users, either on scheduled delivery or based on incident triggers.
  • Threat Containment: XSOAR has several out of the box playbooks that are designed specifically to contain threats, such as blocking users based on indicators such as their IP, account, or even URL.

Splunk SOAR

Splunk SOAR offers many of the benefits espoused by the other two systems we listed here, including wide ranging integrations, playbook automation, and its ability to automate repetitive tasks out of your team's workflows. In this regard, one of the main selling points is its ability to help free up the resources in your security teams, enabling them more room to make better decisions and rely less on micromanagement.

Some of the built-in playbooks for Splunk SOAR  include operations that focus on:

  • Creating Cases: When set conditions are triggered and your team needs to be alerted, Phantom can easily create and categorise cases for your operators to investigate.
  • Validating False Positives: One of the most used playbooks involves checking antivirus alerts and validating false positives and ensuring malware components have not in fact been installed when an event is triggered.

Considering building a new SOAR integration, upgrade an existing one, or design custom playbooks? Metron has experience integrating multiple SOAR platforms and building custom playbooks. Metron is a development partner to leading SOAR platforms including Palo Alto Networks XSOAR, Splunk SOAR, and IBM SOAR.

If you are considering any custom cybersecurity solution that focuses on the resources and needs of your organisation, please send a note to