SOAR — Security Orchestration, Automation and Response — is how security teams act on what their SIEM detects, faster and more consistently than by hand. It connects tools, automates repetitive response steps into playbooks, and manages cases end to end. The hard part is not the automation; it is deciding what an agent or playbook may do on its own. This guide explains SOAR and where the human stays in control.
What is SOAR?
Security Orchestration, Automation and Response (SOAR) is a category of tooling that helps security operations respond to incidents by coordinating across systems, automating routine actions, and managing the response workflow. Where a SIEM detects, SOAR acts.
The three pillars
- Orchestration — connect the tools in your stack (firewall, identity, EDR, ticketing) so they can work together in one flow.
- Automation — turn repetitive response steps into automated sequences, so analysts do not do them by hand every time.
- Response — manage the incident end to end: case management, evidence, notes, and escalation.
What is a playbook?
A playbook is a defined sequence of response steps that runs when a trigger fires — for example: enrich the alert with threat intel, open a ticket, notify the on-call analyst, and (optionally) contain the threat by blocking an IP or disabling an account. Playbooks make response fast and consistent, and they document exactly what happened.
SOAR vs. SIEM
| | SIEM | SOAR |
|---|---|---|
| Primary job | Detect — collect, correlate, alert | Respond — orchestrate, automate, manage |
| Input | Logs and security telemetry | Alerts and incidents (often from the SIEM) |
| Output | Prioritised detections / notables | Executed response and managed cases |
The line has blurred: modern SIEMs increasingly embed SOAR-style response rather than requiring a separate product. See what is SIEM.
The governance question: how much to automate
The benefit of SOAR is speed; the risk is an automated action you did not intend. Notifying a human or opening a ticket is safe to fully automate. Destructive actions — disabling a user, blocking traffic, isolating a host — can disrupt the business if triggered on a false positive.
Automate enrichment, gate the consequences
A sound default: automate the low-risk, reversible steps (enrich, ticket, notify) and put a human approval gate in front of anything destructive. This is doubly important for regulated teams and when AI agents drive the response.
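The playbook shape described above (enrich, ticket, notify, then contain) and the approval gate in front of destructive steps can be expressed in a few dozen lines. The following is an added illustration, not LogPulse's or any vendor's code: every action is labelled with a risk class, low-risk reversible steps run unattended, and a destructive step is recorded as pending and halts the run unless a named human approver is supplied. A playbook also starts inactive, so a drafted one cannot run until someone enables it. The action functions, threat-intel table and alert are constructed stand-ins that call no real tools.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable


class Risk(Enum):
    LOW = "low"                  # reversible: enrich, ticket, notify
    DESTRUCTIVE = "destructive"  # disrupts the business if fired on a false positive


@dataclass
class Action:
    name: str
    risk: Risk
    run: Callable[[dict], str]   # takes the alert context, returns a short result string


@dataclass
class Playbook:
    name: str
    steps: list
    active: bool = False         # a drafted playbook stays inactive until a human enables it


@dataclass
class RunResult:
    executed: list = field(default_factory=list)
    pending_approval: list = field(default_factory=list)
    audit: list = field(default_factory=list)


# --- constructed stand-in actions: nothing below touches a real firewall or IdP ---
THREAT_INTEL = {"203.0.113.7": "known-scanner"}   # constructed sample intel (TEST-NET-3 address)


def enrich(alert):
    alert["intel"] = THREAT_INTEL.get(alert["src_ip"], "unknown")
    return f"intel={alert['intel']}"


def create_ticket(alert):
    alert["ticket"] = f"INC-{alert['id']}"          # deterministic stand-in ticket id
    return alert["ticket"]


def notify(alert):
    return f"paged on-call about {alert['id']}"


def block_ip(alert):
    return f"firewall deny {alert['src_ip']}"


def disable_user(alert):
    return f"disabled {alert['user']}"


def run_playbook(pb, alert, approved_by=None):
    """Run LOW steps unattended; run DESTRUCTIVE steps only with a named approver.

    Without an approver the first destructive step is recorded as pending and the
    run stops there, so nothing irreversible happens on a possible false positive.
    Every step, automatic or approved, is written to the audit trail."""
    if not pb.active:
        raise PermissionError(f"playbook {pb.name!r} is inactive; a human must enable it")
    result = RunResult()
    for step in pb.steps:
        if step.risk is Risk.DESTRUCTIVE and approved_by is None:
            result.pending_approval.append(step.name)
            result.audit.append(f"{step.name}: awaiting human approval")
            break
        out = step.run(alert)
        result.executed.append(step.name)
        who = "auto" if step.risk is Risk.LOW else f"approved by {approved_by}"
        result.audit.append(f"{step.name} ({who}): {out}")
    return result


# Constructed playbook for a suspicious-login alert: enrich, ticket, notify, then contain.
SUSPICIOUS_LOGIN = Playbook(
    name="suspicious-login",
    steps=[
        Action("enrich", Risk.LOW, enrich),
        Action("create_ticket", Risk.LOW, create_ticket),
        Action("notify", Risk.LOW, notify),
        Action("block_ip", Risk.DESTRUCTIVE, block_ip),
        Action("disable_user", Risk.DESTRUCTIVE, disable_user),
    ],
)


def sample_alert():
    # Constructed alert context; a real one would come from the SIEM.
    return {"id": "A-1001", "src_ip": "203.0.113.7", "user": "jdoe"}


if __name__ == "__main__":
    SUSPICIOUS_LOGIN.active = True                     # the human "enable" step
    unattended = run_playbook(SUSPICIOUS_LOGIN, sample_alert())
    print("\n".join(unattended.audit))                 # stops at block_ip, pending approval
    approved = run_playbook(SUSPICIOUS_LOGIN, sample_alert(), approved_by="alice")
    print("\n".join(approved.audit))                   # containment runs, attributed to alice
```

The gate is a property of the action, not of the playbook, so an agent that drafts a new playbook cannot reclassify `block_ip` as low risk by reordering steps; the approver's name lands in the audit line next to the destructive action, which is what an auditor or post-incident review will ask for.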
How LogPulse approaches response
LogPulse response actions — notify, create a ticket, block an IP, disable a user — run behind a human approval gate and can be composed into playbooks. AI agents (over the MCP server) can draft response playbooks, but they are created inactive until a human approves, and destructive actions need owner approval. That is the difference between an agentic SOC with a human in the loop and unattended automation. See Agentic SOC for how it fits.