Day 17 – SOAR Basics (Automation in SOC) + Simple Splunk Automation Concepts

Today students will learn how SOC teams automate repetitive work using SOAR tools.
SOAR = Security Orchestration, Automation & Response.

This is the future of SOC — less manual work, faster investigations.


🧠 1. What Is SOAR? (Very Simple Explanation)

SOAR tools combine:

✔ Automation
✔ Playbooks
✔ Threat intelligence
✔ API integrations
✔ Response actions

SOAR helps SOC analysts handle alerts faster and more accurately.


⚙️ 2. Common SOAR Platforms

  • Splunk Phantom (very popular)
  • Palo Alto Cortex XSOAR
  • Microsoft Sentinel Automation
  • IBM Resilient
  • Swimlane
  • FortiSOAR
  • Rapid7 SOAR

🔥 3. Why SOC Needs SOAR

SOAR automates:

✔ Repetitive tasks

  • IP lookup
  • URL reputation check
  • Extracting IOCs
  • User disabling
  • Blocking IP on firewall
  • Sending email notifications

✔ Alert enrichment

✔ Report generation

✔ Incident response

SOAR can reduce workload by 60–70%.


🧩 4. How SOAR Works (Step-by-Step Flow)

  1. Alert comes from Splunk
  2. SOAR receives it
  3. SOAR runs automated playbook
  4. Playbook collects extra info
  5. Playbook decides: malicious or not
  6. SOAR takes actions (block IP, disable user)
  7. Analyst reviews and closes ticket

🔧 5. What Are Playbooks? (Very Easy)

Playbook = a set of automatic steps SOAR performs.

Example Playbook:

  1. Receive brute-force alert
  2. Check IP reputation
  3. Search logs for similar behavior
  4. If malicious → block IP in firewall
  5. Notify SOC team

This saves HOURS.


🛠 6. Splunk Automation Basics (Mini SOAR Concepts)

Even without full SOAR, Splunk can do automation using:

✔ Alerts + Actions

✔ Adaptive response actions

✔ Scripts

✔ Saved searches

✔ Webhooks

✔ Integrations


🚀 7. Simple Splunk Automation Examples

Example 1 – Auto-Email on High Brute Force

index=* EventCode=4625
| stats count by IpAddress
| where count > 10

Action:

  • Send email to SOC team
  • Attach search results

Example 2 – Auto Block IP (Using Script / SOAR)

When alert fires → run script:

block-ip.sh <ip>
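As an added example (not part of the original lesson), here is the section 5 playbook written the way a SOAR playbook is, in Python: it takes the JSON body that Splunk's webhook alert action POSTs when the Example 1 search fires, enriches the source IP against a threat-intel list, decides, and names the response actions. The sample payload, the intel feed and the never-block ranges are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample of the JSON body Splunk's webhook alert action POSTs;
# "result" carries one row of the alert search (IpAddress, count).
SAMPLE_WEBHOOK = json.dumps({
    "search_name": "High Brute Force",
    "sid": "scheduler__example_sid",  # placeholder, not a real search id
    "result": {"IpAddress": "198.51.100.23", "count": "47"},
})

# Constructed threat-intel feed and internal ranges (hypothetical values).
KNOWN_BAD = {"198.51.100.23", "203.0.113.9"}
NEVER_BLOCK = [ipaddress.ip_network("10.0.0.0/8"),
               ipaddress.ip_network("192.0.2.0/24")]

def reputation(ip: str) -> str:
    """Enrichment step: look the IP up in the local intel feed."""
    return "malicious" if ip in KNOWN_BAD else "unknown"

def decide(ip: str, count: int, rep: str) -> list:
    """Decision step: return the ordered list of response actions."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in NEVER_BLOCK):
        # Internal ranges are never blocked automatically; an analyst decides.
        return ["notify_soc", "open_ticket"]
    if rep == "malicious" or count >= 50:
        return ["block_ip", "notify_soc", "open_ticket"]
    # Low-volume, unknown source: enrich and notify only, no blocking.
    return ["notify_soc"]

def run_playbook(webhook_body: str) -> dict:
    """Full flow: trigger -> enrichment -> decision -> named response actions."""
    alert = json.loads(webhook_body)
    ip = alert["result"]["IpAddress"]
    count = int(alert["result"]["count"])
    rep = reputation(ip)
    return {"alert": alert["search_name"], "ip": ip, "count": count,
            "reputation": rep, "actions": decide(ip, count, rep)}

if __name__ == "__main__":
    print(json.dumps(run_playbook(SAMPLE_WEBHOOK), indent=2))
```

The actions are only named here; in a real deployment each one maps to a connector call (firewall block, email, ticketing), and the analyst review in step 7 of section 4 still closes the ticket.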


Example 3 – Auto Upload to VirusTotal

SOAR Playbook:

  • Extract hash
  • Check on VirusTotal
  • Return reputation

Example 4 – Auto Disable User Account

Triggered when:

  • Login success after 20 failures
  • Suspicious RDP login

SOAR action:

  • Disable Active Directory user

🧪 8. Hands-On Day 17 Activities (Simple)

Task 1 – Create an Alert in Splunk

Alert query:

index=* "Failed password"
| stats count by src_ip
| where count > 5

Set action:

  • Email
  • Webhook
  • Script

Task 2 – Explain a Playbook Flow

Choose:

  • Brute force
  • Malware detection
  • Suspicious PowerShell

Students should write:

  1. Trigger
  2. Data enrichment
  3. Decision
  4. Response action

Task 3 – Create a Flow Diagram

Example:

Alert → SOAR → Check reputation → Block IP → Notify SOC


🎤 Trainer Script

“SOAR is the future of SOC work.
With automation, analysts reduce manual effort by 70% and focus on real attacks.
Day 17 teaches how automated response works.”


📝 Homework (Day 17)

Students submit:

  1. One SOAR playbook example
  2. One Splunk alert with automated action
  3. One flow diagram (any tool: draw.io, paper photo)
