Most Common SOAR Use Cases: 7 Real life Examples ['25]

Historically, companies handled their security workload with manual security processes or within proprietary code, causing challenges such as likelihood of human error, and scalability issues.

SOAR software helps organizations define incident analysis and automation methods. This enables triage utilizing a combination of human and machine power and contributes to the prioritization of standardized incident response operations.  See the most common SOAR use cases to coordinate security operations:

1. Phishing detection and response

Phishing emails are the most common, easily executable security attacks. Phishing response is difficult due to the following: 

• High number of incidents: SOCs may have to deal with hundreds or thousands of security alerts. This causes alert fatigue, and analysts may miss vital indicators of threat behavior.
• Attacks coming from various sources: Phishing investigations demand the usage of several security platforms.
• Manual operations: Manual analysis of phishing attacks requires hours of labor.

SOAR helps identify phishing attacks through the following steps:

• Automated triage and prioritization: SOAR systems automatically triage phishing alerts, sorting potential threats based on severity and relevance, reducing the manual workload for security teams.
• Indicator extraction and analysis: SOAR tools extract key indicators of compromise (IOCs) like suspicious URLs, attachments, or email headers and cross-check them against known threat databases.
• False positive analysis: By leveraging machine learning and predefined rules, SOAR minimizes false positives by identifying legitimate emails that might trigger phishing alerts, improving detection accuracy.

Video: Real-life demonstration —phishing playbook demo

Source: Palo Alto Networks¹

Real-life example: Zensar’s Cybersecurity Team uses SOAR for faster email phishing attacks & incident response. The security team has automated the security investigation process by manually searching for threats. Technologies used by Zensar:

• Codeless playbooks 
• +200 integrations and thousands of automated actions integrated in SOAR
• Email threat intelligence²

For more: Incident response tools.

2. Endpoint detection and response (EDR)

Problem: Reconciling SIEM and endpoint security data is challenging for organizations due to:

• Rising security alerts
• Manual context collection
• Disparate security tools

Companies commonly combine SIEM data with threat intelligence tools to take action. Analysts spent hours with multiple windows open and manually explaining threat statuses. This left little time for responding, resulting in inefficient utilization of current technologies.

How SOAR helps endpoint detection and protection:

• Ingestion of endpoint data: SOAR systems ingest data from endpoint detection tools (like antivirus or EDR) to monitor real-time activity and identify potential threats.
• SIEM check: Check to see if any files were previously identified in SIEM.
• Notification to analysts: If a potential threat is detected, SOAR alerts security analysts, providing them with a detailed overview, including context and the severity of the threat.
• Automated response and endpoint cleaning: If no threat is confirmed (false positive), SOAR can automatically clean and restore the endpoint, removing any suspicious files.

3. Detecting suspicious user login from IP address locations

Problem: Suspicious user logins are difficult to identify due to the following reasons:

• User behavior is difficult to analyze
• Companies have multiple sources of geographical locations and cloud users to track.
• Monitoring suspicious logins is manual and repetitive

SOAR helps detect suspicious user logins through the following steps:

• Ingest behavioral anomaly: SOAR collects login data from external tools (e.g. SIEMs or authentication systems) to identify unusual login anomalies.
• Enrich user information: SOAR retrieves detailed user account information (e.g. past login history, role, permissions) to help assess whether the login behavior is legitimate.
• Enrich IP intelligence: SOAR cross-references IP addresses associated with the login attempt with threat intelligence databases to check for known malicious IP addresses.
• Determine threat status: Based on user behavior and IP intelligence, SOAR automatically decides whether the login attempt is likely malicious or safe.
• Automated response – close or act:
  • No threat: If no malicious activity is detected, SOAR can automatically close the security incidents.
  • Detected threat: If malicious activity is confirmed, SOAR takes automated actions, such as blocking the malicious IP address.

Video: IP address investigation with SOAR

Source: Palo Alto Networks³

4. SSL certificate expiration tracking

Problem: When a user attempts to access a site with an expired security certificate, modern web browsers will display warning messages. This can erode user trust and discourage visitors from returning to the site, potentially resulting in a loss of traffic and credibility for the organization.

How SOAR helps SSL certificate expiration tracking:

• Check certificate status: SOAR continuously monitors SSL certificates through integration with certificate management tools to check their expiration status.
• Inform user: When a certificate is approaching expiration, SOAR automatically sends notifications to relevant users, alerting them of the upcoming expiration date.
• Recheck certificate status:
  • If not expired: SOAR rechecks the status and automatically closes the incident if the certificate is still valid, ensuring that the alert is dismissed.
  • If expired: If the certificate has expired, SOAR escalates the incident, sending an alert to the user and other relevant stakeholders in the organization.
• Escalation and communication: SOAR automatically sends detailed emails to the user and includes other important team members, ensuring swift awareness and action.

5. Vulnerability management

Problem: Manual, time-consuming vulnerability tests that need to be performed regularly. This results in:

• Difficult data collection related to vulnerabilities 
• False positives on vulnerabilities.
• Lack of network visibility (e.g. unmanaged assets)

Organizations spend a significant amount of effort preparing reports for management and other teams on the vulnerabilities, how to fix them, and which teams are affected. It is a fairly manual effort, with a lot of emphasis frequently placed on generating and distributing these reports.

How SOAR helps vulnerability management:

• Collection of vulnerability data: SOAR transfers vulnerability data from external vulnerability management tools, such as CVE databases.
• Enrich entities: SOAR enriches the vulnerability data with additional information, including details on affected endpoints.
  • Add custom fields: SOAR can add custom fields to the vulnerability data to track organization-specific information, such as asset criticality or affected business units.

• Add vulnerability context: SOAR integrates vulnerability context into the incident data, such as exploitation history or known active threats
• Calculate Risks: SOAR calculates the overall risk of each vulnerability by combining the severity of the CVE with the context of the affected system.
• Remediation:
  • Analyst review
  • Automated remediation 

6. Cloud security orchestration

Cloud security orchestration limitations include:

• Separate security architectures (e.g. multi-cloud, on-premise)
• No specified cloud security response procedures, responses are manual
• Repetitive, high-volume tasks for post-event enrichment (e.g. retrieving details on affected endpoints)
• Team silos

Source: Palo Alto Networks⁴

Problems: Cloud policy misconfigurations such as:

• Disabled logging
• Excessive permissions
• Access control issues
• Lack of anomaly detection

How SOAR helps cloud security orchestration: With SOAR software system administrators can:

• Manage users and roles:
  • Configure local user accounts.
  • Create and manage workspaces.
  • Create and manage roles.
  • Configure notifications. 
• Configure inbound email
• Add IP whitelists to set who can connect to your organization’s SOAR platform.

7. Incident lifecycle case management

Problem: Lack of continuity across incident lifecycle due to the following:

• Siloed security products  focused on different security areas
• Lack of standardized processes that help continuity across incident lifecycle
• Slow MTTR due to silos and lack of network visibility

How SOAR helps end-to-end incident lifecycle case management:

SOAR platform leverages lifecycle process management with automated playbooks. These playbooks can streamline collecting threat feeds and blocking or alerting on identified risks.

• Retrieve alerts from data sources: SOAR continuously transfers alerts from various data sources such as SIEMs, firewalls, or threat detection tools, initiating the security incident lifecycle.
• Trigger SOAR Playbook: Upon receiving an alert, SOAR automatically triggers the appropriate playbook, outlining predefined steps to address the specific type of incident (e.g. malware detection or unauthorized access).
• Assign incidents to analysts: SOAR provides enriched data and context to analysts.
• Extract and check indicators with threat intelligence: SOAR extracts indicators of compromise (IOCs) such as file hashes, and IP addresses.
• Check for malicious activity: SOAR determines if the activity is malicious and blocks and isolates the file or IP. 

What is SOAR?

SOAR technology streamlines and automates processes across people and products on one platform, improving organizational security.

Key capabilities of SOAR

• Orchestration
  • Playbooks, workflows
  • Logically organized plan of action
  • Controlling, and activating security product stack from a central location

• Security automation
  • Automated scripts
  • Extensible product integrations
  • Machine execution of playbook tasks

• Response
  • Case management
  • Analysis and reporting collaboration

SOAR platforms also integrate with various security tools (such as SIEMs, firewalls, endpoint detection, and response systems) to automate repetitive tasks, orchestrate workflows, and improve incident management.

Benefits of SOAR

• Centralization: Integrating security orchestration, intelligent automation, incident management, and interactive investigations into a unified solution.
• Breaking down silos: SOAR increases team cooperation and allows security analysts to perform automated actions on tools throughout their security stack.
• Centralization: Providing security teams with a centralized console for managing and coordinating all company security areas.
• More consistent incident response plans: Optimizing case management, increasing efficiency in ticket opening and closing, and investigating incidents.
• Improved SOC decision-making: SOAR dashboards can help security operations teams make better decisions by providing visibility into their networks and threats. This information can assist SOCs in identifying:
  • false positives
  • prioritizing alerts
  • and selecting the appropriate reaction methods
• Handling more notifications in less time: SOARs can help manage alerts by centralizing security data, enhancing events, and automating replies. As a result, SOCs can handle more alerts.

SIEM vs SOAR vs XDR

• SIEM: SIEM tools gather and aggregate data from internal security tools, centralizing logs and flagging anomalies. 
• SOAR: SOAR systems emerged to enhance SIEMs by adding orchestration, automation, and incident response capabilities that standard SIEMs often lack. They focus on automating repetitive tasks, improving incident management, and coordinating security tools.
• XDR (extended detection and response): XDR is a newer and more powerful solution for end-to-end security event management, it is mainly used for addressing issues at internal endpoints. When preparing for an automatic response, XDR uses data captured by SIEM.

Large organizations often use all three tools, but vendors increasingly combine their features. 

• Some SIEMs now include response capabilities.
• XDRs are incorporating SIEM-like data logging.
• Vendors such as Microsoft Sentinel and ManageEngine Log360 offer SIEM and SOAR capabilities.
• Some experts predict that XDR may eventually consolidate all these tools.⁵

Key network security software to maintain a strong cybersecurity posture

• Microsegmentation tools: Segment a network into granular forms and implement security policies according to each network zone. Read more: Microsegmentation use cases.
• Network security audit tools: Identify vulnerabilities and malicious activity to help companies prevent cyber-attacks.
  NCCM software: Identify and document network device configurations; detect, audit, and notify of changes.
• DSPM vendors: Enable network insight into sensitive data locations, access levels, and use throughout the cloud. Read more: DSPM use cases.
• Network security policy management solutions (NSPM): Develop policies to protect your network and data from illegal access, use, disclosure, and interruption.
• SDP software: Secure internet-connected infrastructure (servers, routers, etc.) from external parties and attackers, whether housed on-premise or in the cloud.
• Firewall audit software: Provide visibility into your firewall’s current access and connections.

External Links

• 1. Palo Alto Networks: Resource Center Webcasts - Palo Alto Networks.
• 2. Combat phishing emails with SOAR | Zensar. Zensar
• 3. Palo Alto Networks: Resource Center Webcasts - Palo Alto Networks.
• 4. Palo Alto Networks: Resource Center Webcasts - Palo Alto Networks.
• 5. Adapt Or Die: XDR Is On A Collision Course With SIEM And SOAR.