Top 8 Security Orchestration Automation and Response (SOAR) Tools

  1. Critical Start: Their Zero Trust Analytics Platform (ZTAP) engine, which is kind of their correlation engine, is by far and away one of the best in the business. We can filter and utilize different lists to build out different alerts, such as what to alert on and when not to alert. This engine helps reduce our number of alerts and false positives.
  2. Splunk Phantom: I like the integration capabilities of Phantom. It has a lot of integrations with other products. Its searching methodologies are also good. It is also easy to understand and easy to create playbooks.
  3. Palo Alto Networks Cortex XSOAR: The pricing is very good. The automation part and the playbook creation part are awesome. The way it is responding to the customers and incidents is also very good. In the SOC environment, I guess it will carry out around 50% of the work.
  4. Exabeam: It's a very user-friendly product and it's a very comprehensive technology. Exabeam's easy to use.
  5. McAfee ePolicy Orchestrator: The security is a key feature and the console is very user friendly. The graphical interface of the solution is its most valuable aspect.
  6. ServiceNow Security Operations: My favorite feature is the application vulnerability scanner. The solution is available over the cloud and is easy to manage.
  7. IBM Resilient: The solution is very easy to use. It's really simple and has a flexible interface.
  8. ThreatConnect: ThreatConnect has a highly user-friendly interface. The most valuable features are ease of use and the ability to customize it.

Find out what your peers are saying about Critical Start, Splunk, Palo Alto Networks and others in Security Orchestration Automation and Response (SOAR). Updated: May 2021.
501,499 professionals have used our research since 2012.

Security Orchestration Automation and Response (SOAR) Articles

Matthew Shoffner
IT Central Station

Security Operations Centers (SOCs) are putting SOAR tools to work in a rich variety of use cases. By automating security incident response workflows, Security Orchestration Automation and Response (SOAR) solutions enable SOC teams to work faster and, in most cases, more effectively. SOAR machine learning is often part of the story, with algorithms helping SOAR solutions improve response processes over time. SOAR use cases for cybersecurity depend on many organizational factors, but some of the most common applications of SOAR include vulnerability management, phishing and malware mitigation, and responding to malicious network traffic—among many others.

SOAR and SIEM are often compared, but as the use cases below show, the two have a complementary relationship: the SIEM typically detects and raises the alert, and the SOAR platform enriches it and orchestrates the response.

Here are the common use cases of SOAR:

  1. Handling Alerts Related to Malicious Network Traffic. SOCs get inundated with alerts related to suspicious network traffic. Frequently, the SOAR solution has these alerts forwarded to it by a SIEM tool. The SOAR solution then typically enriches the alert data by automatically researching the suspected threat against a threat intelligence source. The analyst reviewing the alert then has more information to work with when deciding whether the alert warrants further response. In that case, the SOAR solution can orchestrate the process of detecting similar occurrences in the network, which may have been missed, and blocking IP addresses to prevent the threat from doing further damage.
  2. Protecting Endpoints. A SOAR solution can ingest high-volume threat feeds from EDR solutions, compare them with SIEM data, and cross-reference any relevant file hashes. In this way, SOAR can automatically spot potential problems while quickly moving past unimportant “noise” in the feeds. Upon identifying a serious threat, the SOAR tool can automate the EDR tool’s response processes across multiple endpoints. As the SOAR solution spots problems like unmanaged endpoints, it is able to add contextual data and automatically open a ticket in ITSM software like ServiceNow to resolve the issue.
  3. Managing Vulnerabilities. SOAR solutions can augment the data from vulnerability scanning tools by automatically correlating data from newly discovered vulnerabilities with information from other security tools—enriching the vulnerability data set. As incidents are traced to vulnerabilities, SOAR can add notations about context to the incident response workflow. Security analysts can be informed, automatically, about the severity of the vulnerability and how it might affect the way an incident is handled. This way, analysts can work more quickly, and with greater impact, to mitigate problems before they grow serious. SOAR can also trigger patching processes to remediate vulnerabilities.
  4. Stopping Phishing Attacks. As phishing attacks proliferate, SOAR tools can mitigate the risks they pose by automating the phishing triage process. This is a significant countermeasure, as phishing attacks are becoming more sophisticated and thus harder to detect. The SOAR solution can analyze suspected phishing messages and extract artifacts like words contained in the header and compare them to known phishing signatures. SOAR is also useful for speeding up the process of reviewing emails flagged by email filters. The SOAR solution can submit the suspected message to threat reputation services and so forth. If the message is determined to be a risk, SOAR can orchestrate the response processes of blocking the sender’s email address and related IP addresses.
  5. Managing SSL Certificates. A SOAR solution can be configured to query a certificate management tool to check endpoints for expired or about-to-expire SSL certificates. The solution can also extract user details for problematic certificates from directory stores like Microsoft Active Directory. It can then send the endpoint user, along with his or her manager, an automated email letting them know that the certificate has a problem and sharing information on how to fix the problem. The SOAR workflow may also be set up to re-check certificates that received this treatment, potentially escalating the matter if it is not handled.
  6. Investigating Failed User Logins. A series of failed login attempts may be a signal that an attack is underway. SOAR responds to this suspicious activity by automatically asking the user to confirm whether they have actually been attempting to log into their device. The SOAR solution is able to reset the password automatically and notify the user if the workflow requires it. The same process can unfold if the system detects login attempts from unusual locations (e.g., out of the country) or from unrecognized devices. The SOAR solution can automatically query the VPN service to determine the originating IP address and then perform a GeoIP lookup on that address, correlated with the timestamps of the attempts.
  7. Hunting Indicators of Compromise. Indicators of compromise (IoCs) include things like URLs, IP addresses and file hashes. A SOAR solution ingests a list of such indicators, often in the form of a CSV file. It is then capable of hunting for threats based on information from threat intelligence tools, updating watch lists as it discovers serious threats.
  8. Analyzing Malware. SOAR solutions can be set up to ingest data from threat intelligence feeds, SIEMs, malware analysis tools and mailboxes. In the process, they are able to extract files that need to be “detonated” (opened) in a safe area isolated from the network and other digital assets. SOAR can also automatically send suspicious files to malware analysis tools and forward the resulting report to relevant stakeholders. The solution can also automatically quarantine endpoints that may have been infected by malware.
  9. Managing Cases. Some SOCs use their SOAR tools for case management. It’s not an orchestration or automation use case, but it’s still a common use of the technology. SOAR can help streamline case management by providing case stakeholders with enriched information about security incidents and automating case management workflow steps. The solution can also aid users in tracking digital assets affected by security incidents.
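The enrichment-and-response loop shared by use cases 1, 2, 4 and 7 above is easiest to see in code. The following Python sketch is an added example, not code from the article or from any of the products listed on this page: it ingests a batch of SIEM alerts, extracts IP, URL and SHA-256 indicators from their free-text detail, enriches them against a CSV-shaped threat-intelligence list, hunts for other alerts carrying the same indicator, and emits the response actions a playbook would hand to firewall, proxy, EDR and ITSM integrations. Every alert, indicator, host name, confidence score and action string is constructed for the example; the RFC 1918 filter and the 90-point escalation threshold are assumptions, not anything the article specifies.

```python
"""Minimal SOAR-style playbook: ingest SIEM alerts, enrich indicators
against a threat-intelligence list, hunt for related alerts, and decide
response actions. All data below is constructed sample data."""
import csv
import io
import json
import re
from dataclasses import dataclass, field

# Constructed threat-intel list in the CSV shape SOAR tools commonly ingest
# (use case 7): indicator, type, analyst confidence 0-100, feed name.
IOC_CSV = """indicator,type,confidence,source
198.51.100.23,ip,90,constructed-feed
http://bad.example/login,url,85,constructed-feed
0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0,sha256,95,constructed-feed
"""

# Constructed SIEM alerts: network (use case 1), EDR hash (use case 2),
# user-reported phishing email (use case 4), and a benign-looking connection.
SIEM_ALERTS_JSON = """[
 {"id": "A-1", "kind": "network", "host": "ws-17",
  "detail": "Outbound connection to 198.51.100.23:443 from 10.0.0.5"},
 {"id": "A-2", "kind": "edr", "host": "ws-22",
  "detail": "Executable sha256 0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0 written to user temp dir"},
 {"id": "A-3", "kind": "email", "host": "mailgw",
  "detail": "User reported message from sender@example.net linking to http://bad.example/login"},
 {"id": "A-4", "kind": "network", "host": "ws-03",
  "detail": "Outbound connection to 203.0.113.8:80 from 10.0.0.9"}
]"""

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s\"']+")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")


def is_rfc1918(ip):
    """Assumed filter: skip internal addresses so we never 'enrich' our own hosts."""
    first, second = (int(x) for x in ip.split(".")[:2])
    return first == 10 or (first == 172 and 16 <= second <= 31) or (first == 192 and second == 168)


def load_iocs(csv_text):
    """Parse the IoC CSV into {indicator: (type, confidence)}."""
    return {row["indicator"]: (row["type"], int(row["confidence"]))
            for row in csv.DictReader(io.StringIO(csv_text))}


def extract_indicators(text):
    """Pull external IPs, URLs and SHA-256 hashes out of free-text alert detail."""
    found = set(URL_RE.findall(text)) | set(SHA256_RE.findall(text))
    found |= {ip for ip in IP_RE.findall(text) if not is_rfc1918(ip)}
    return found


@dataclass
class Verdict:
    alert_id: str
    matches: dict                       # indicator -> (type, confidence)
    actions: list = field(default_factory=list)


def triage(alert, iocs):
    """Enrich one alert against the IoC list and choose response actions."""
    matches = {i: iocs[i] for i in extract_indicators(alert["detail"]) if i in iocs}
    verdict = Verdict(alert["id"], matches)
    if not matches:
        verdict.actions.append("queue: no known-bad indicator, leave for analyst review")
        return verdict
    for indicator, (kind, _conf) in sorted(matches.items()):
        if kind == "ip":
            verdict.actions.append(f"firewall: block {indicator}")
        elif kind == "url":
            verdict.actions.append(f"proxy: block {indicator}; mailgw: quarantine messages linking to it")
        elif kind == "sha256":
            verdict.actions.append(f"edr: isolate {alert['host']}; hunt {indicator} fleet-wide")
    top = max(conf for _, conf in matches.values())
    # Assumed escalation rule: high-confidence hits page a human, others just get a ticket.
    verdict.actions.append("itsm: open ticket and page on-call analyst" if top >= 90
                           else "itsm: open ticket")
    return verdict


def hunt(alerts_json, indicator):
    """Use case 1: find every alert in the batch that carries an indicator already judged bad."""
    return [a["id"] for a in json.loads(alerts_json) if indicator in a["detail"]]


def run_playbook(alerts_json, ioc_csv):
    """Triage every alert in the batch; returns one Verdict per alert, in input order."""
    iocs = load_iocs(ioc_csv)
    return [triage(alert, iocs) for alert in json.loads(alerts_json)]


if __name__ == "__main__":
    for v in run_playbook(SIEM_ALERTS_JSON, IOC_CSV):
        print(v.alert_id, sorted(v.matches), v.actions)
```

In a real deployment the action strings become API calls into the firewall, proxy, EDR and ticketing integrations; the decision logic in `triage` is the part a playbook author actually writes, and it is also the part worth reviewing for unintended side effects, since a bad feed entry would propagate straight into a block rule.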