1. What is SOAR?
SOAR (Security Orchestration, Automation and Response) is a
cybersecurity platform that allows you to:
- Orchestrate security tools (SIEM, antivirus, firewall…)
- Automate security responses
- Respond quickly to incidents
Example:
When a phishing alert appears → SOAR can automatically:
- block the URL
- isolate the infected machine
- create an incident ticket
- notify the SOC analyst
2. Objectives of a SOAR Lab
This lab helps you learn how to:
- Understand the automated incident response cycle
- Connect multiple security tools together
- Build automated playbooks
- Reduce response time (MTTR)
- Simulate a real SOC environment
3. Tools Used in a SOAR Lab
SOAR Platform (choose one)
- Splunk SOAR
or
- Shuffle SOAR
SIEM (alert source)
- Splunk Enterprise
Case Management
- TheHive Project
Automation tools
- Cortex (malware analysis, IP reputation, hash lookup)
4. Main SOAR Interface Tabs and Their Purpose
Dashboard
- Global overview:
- active alerts
- open incidents
- executed playbooks
Alerts / Ingestion
- Incoming alerts from SIEM:
- phishing
- brute force
- malware detection
Entry point of SOC operations
Incidents
- Converts alerts into structured cases:
- severity level
- source IP
- affected machine
- status (open/closed)
Playbooks (core of SOAR)
Automated workflows such as:
1. Receive phishing alert
2. Analyze URL
3. Check IP reputation
4. Block malicious domain
5. Create SOC ticket
This is the automation brain of the SOC
Integrations
- Connects with:
- SIEM systems
- firewall
- antivirus
- external APIs (VirusTotal, etc.)
Cases / Tickets
- Full incident management:
- analyst assignment
- action timeline
- evidence collection
Logs / Audit
- Tracks everything:
- who did what
- when
- results
5. SOAR Lab Installation (Step-by-Step)
Step 1: Prepare the environment
Install:
- VirtualBox or VMware
- Ubuntu Server VM
Step 2: Install Docker
```bash
sudo apt update
sudo apt install docker.io -y
sudo systemctl start docker
sudo systemctl enable docker
```
Step 3: Install SOAR (Shuffle)
```bash
git clone https://github.com/frikky/Shuffle
cd Shuffle
docker compose up -d
```
Access:
http://localhost:3001
Step 4: Install SIEM (Splunk)
- Install Splunk Enterprise
- Open:
http://localhost:8000
Login:
- admin / password
Step 5: Install TheHive
```bash
docker run -d -p 9000:9000 thehiveproject/thehive
```
Access:
http://localhost:9000
6. Full Practical Scenario (Click-by-Click)
Case: Phishing Attack Detected
Step 1: Alert in Splunk
- Go to Search & Reporting
- Run query:
```bash
index=security phishing
```
Result:
- suspicious URL detected
Step 2: Send to SOAR
In Splunk:
- Click Alert Action
- Select: “Send to Shuffle SOAR”
Step 3: SOAR receives alert
In Shuffle:
- Go to Workflows
- New alert appears
Step 4: Run Playbook
Click:
“Run Workflow”
Automatic actions:
- URL analysis
- IP reputation check
- malware scanning
Step 5: SOAR Result
- Safe URL → ignore
- Malicious URL → action required
Step 6: Automated Response
If malicious:
- firewall blocks domain
- ticket created in TheHive
- SOC notification sent
Step 7: Incident in TheHive
New case contains:
- source IP
- URL
- threat level
Step 8: Closure
SOC analyst:
- validates action
- closes incident
7. Final Result of the Lab
You now have a system that can:
- detect attacks
- analyze them automatically
- block threats
- create SOC tickets
- notify analysts
All with minimal human intervention
Simple Conclusion
A SOAR is:
The automated brain of a modern SOC
It transforms:
- raw alerts
into
- intelligent automated responses
Copyright © All rights reserved.