SOC Automation Playbook

Your security team's practical guide to implementing automation.


What is SOC Automation?

Whether your security team consists of a pair of IT managers sharing a corner office or a distributed Security Operations Center (SOC) spanning the globe, efficiency is the key to a successful threat detection and response program. SOC automation—the process of automating and optimizing your security programs—is the ultimate efficiency.

The best solution to industry-wide struggles with threat detection and response is to increase efficiency using Security information & Event Management (SIEM) and Security Orchestration and Automation & Response (SOAR) platforms.

  • SIEM platforms - Centralize, correlate, and analyze data across the IT network to detect security issues. Core functionality of a SIEM includes log management and centralization, security event detection and reporting, and search capabilities. This combination helps companies meet compliance needs and identify and contain attackers faster.
  • SOAR platforms - Streamline security operations in three key areas: threat and vulnerability management, incident response, and security operations automation. Automation allows for automatic handling of processes such as scanning for vulnerabilities, or searching for logs. Security orchestration refers to a method of connecting security tools and integrating disparate security systems.

Why Do SOCs Need Automation?

Not only does SOC automation improve your security posture, it improves the job of a security analyst. It enables security analysts to achieve more, in less time, while still allowing for human decision-making when it’s most critical. Rather than relying on point-to-point integrations for your technology stack, SOC automation empowers you to build out your various processes, as well as connects you with the right people and technology to achieve your security goals. SOC automation is a thoroughly comprehensive solution that offers a reprieve from pain points that plague modern security teams.

For example, the IT ecosystem that security professionals must monitor and respond to grows more complex and sophisticated each day. Today’s security teams are monitoring hundreds of applications, multiple clouds, on-premises assets, and remote endpoints. That’s a lot of data. And with more data comes more alerts. Analysts are drowning in unmanageable–often false positive–alerts. DarkReading has found that 40% of organizations can’t act on at least a quarter of their security alerts. 

And for most organizations, the solution isn’t as simple as hiring another analyst–just look at the 3.5 million unfilled cybersecurity positions around the world. The cyber world is a buyer’s market, and that’s not changing anytime soon. So it’s no surprise that investigations are taking way too long. A recent Ponemon study found that it takes 206 days on average to identify a data breach post-attack and another 73 days to remediate the incident. While attacks happen in minutes, a typical response will take your team months. 

In short, security teams are under-resourced and over-leveraged, while threats continue to grow exponentially and become more sophisticated every day. With a SOAR platform you are more easily able to learn from the idiosyncrasies of your organization’s environment, continuously amassing knowledge about how to best detect and respond to future cyber threats.

What are the Market Drivers Behind SOC Automation?

More and more security teams are leveraging automation solutions to eliminate redundant and manual processes, expedite response, and accelerate operations.  Gartner predicted in 2019 that by year-end 2022, 30% of organizations with a security team larger than five people will leverage SOAR tools in their security operations (up from less than 5% today). In 2020 they fleshed out this forecast, predicting that such an appetite will result in the overall SOAR market hitting $550 Million USD by 2023—a compound annual growth rate of 14.9%.

This may have something to do with the ROI of automation—which is significant. Rapid7 has found that automation, when compared to manual processes, can reduce the time and cost of security analysis & response by 83%. This number might shift based on a specific organization’s needs, but that calculation illustrates how a SOC can offload a good chunk of their workload, enabling analysts to be much more efficient, freeing them up to do what they are actually paid for.

How Should Teams Leverage SOC Automation?

Security teams can automate tasks as simple as looking up an internal hostname or IP address, just to assign it a name or other classification. Alternatively, teams who are farther along their automation journey can orchestrate massively complex workflows, involving multiple teams and decision points. In between, most teams find it helpful to focus on automating, integrating, and simplifying the tasks, tools, and processes they use every day. Below, you can find some workflows that can help you get up and running with automation, as well as examples of some more complex use cases that you might consider when your security team has established itself as automation aficionados.

Alert Enrichment


Today’s security teams are receiving an average of 12,000 security alerts per day. Bouncing between tools when SIEM alerts roll in every day is mind-numbing work that disguises the value of Tier 1 cyber analysts. Orchestration and automation solutions can help you accelerate detection by enriching the quality of the security alerts you receive and automatically weeding out many false positives. 

Automatically enrich your security alerts with important information, such as geo-IP lookups, domain analysis, malware detonation, and more. Orchestrate your favorite threat intelligence platforms, or use a variety of free and open source tools to ensure your team is equipped with the context they need to take action. This will give your team more time and greater context to tackle actual threats. 

Key outcomes of alert enrichment include:

  • Enrich alerts with intel on threat indicators such as hashes, IPs, domains, and more
  • Several threat intel sources can be “daisy-chained” without needing to copy and paste indicators into multiple websites or the command line
  • You can save time and enjoy enriched context by automating end-to-end analysis & remediation

Technologies: WhoIs, VirusTotal, Recorded Future, Anomali, Cisco Umbrella, Team Cymru, Threat Quotient

Existing Workflows: OSINT & Recorded Future

Distributed Alerting and Custom Escalation Pathways

When it comes to KPIs, time is paramount. Teams are always striving to reduce the time between security alert generation and resolution down to a theoretical null. A Distributed Alerting strategy avoids alert fatigue and staffing issues in the SOC by immediately bringing up alerts into the Slack instance of the person who generated it. Augmented with multi-factor authentication (MFA), analysts spend less time dealing with multiple alerts and more time triaging true positives due to a better signal-to-noise ratio.

Distributed alerting streamlines business operations, resulting in more collaboration and efficiency. For example, you can trigger actions to push alerts, incident notifications, comments, and other data  to solutions like JIRA or Slack. Automation can also deliver alerts that come in from your security tools straight into your chat applications, as well as delegate tasks back to other connected tools. Such integrations allow your team to maintain maximum uptime without having to be physically present in the SOC to keep your organization safe. In short, distributed alerting allows you to:

  • Work out of your ChatOps solutions and prevent the need to jump into dozens of tools
  • Sync your automated activities with your organization’s ITSM or Case Management tools
  • Build custom alert pathways and notifications with your comms stack

Technologies: MS Teams, Slack, Jira, SNOW, PagerDuty, SMTP, Duo Auth, Okta Auth

Existing Workflows: Malicious Hash Remediation with CB Response, Suspicious User Login with IDR and Slack Chatops

User Containment

Compromised user credentials are a common thread among security incidents and breaches—across both organizations and threat actors. User containment workflows help you disrupt the attacker’s kill chain by preventing them from using compromised user credentials for infiltration and lateral movement. Some highlights of such a use case include:

  • Organizations can take low-risk actions immediately such as password reset to drop mean-time-to-response (MTTR)
  • Analysts can enjoy direct access to a “kill switch” to block all access points from a compromised user
  • Users & their managers can be directly lopped into security processes, so that all employees share responsibility for remediation and recovery

Technologies: Active Directory/LDAP, Azure AD, AWS IAM, Okta, Duo, Office 365
Existing Workflows: User Containment

Endpoint Containment

Endpoint containment is a key strategy for endpoint threat detection and response. With automation, you can quickly quarantine a threat by disconnecting a vulnerable endpoint from your network—as soon as a critical alert is generated. Endpoint containment empowers your team to:

  • Query endpoint logs and identify suspicious process start/stop times and parents
  • Run AV scans to remediate by removing malware and malicious artifacts
  • Ban hashes to locally and globally prevent running malware

Technologies: Cylance, Symantec, Crowdstrike, SentinelOne, VMWare, Cb EDR, Trend Micro

Existing Workflows: Asset Quarantine and Blacklist Hash

Firewall Containment

Firewall technologies are essential to an organization’s security posture, but are often a pain to manually manipulate. Automatic configuration changes, as well as ChatOps workflows that allows teams to protect against threats without leaving Slack or Microsoft Teams, are a game-changer. 

Firewall Containment can empower your security operations team to:

  • Check the block status of a specific host or IP
  • Pull down existing firewall policies and modify them at will to block malicious IPs and hosts
  • Leverage next-gen firewall technologies to block malicious URLs identified through phishing investigations

Technologies: Fortinet Fortigate, Palo Alto Panorama, Checkpoint NGFW, Sonicwall, Cisco ASA [Coming Soon], Cisco Sourcefire [Coming Soon]

Existing Workflows: Firewall Blocks

Threat Hunting

Threat hunting is time consuming and demands a highly technical skill set that most organizations, for better or worse, have to consider a luxury. According to a recent SANS Institute study, only 31% of organizations have staff dedicated to hunting threats. But being proactive in this area can enable your analysts to better uncover and defend against complex advanced persistent threats (APTs)—which are almost guaranteed to succeed and can allow hackers to wreak widespread havoc. Automation lowers the barrier to threat-hunting as well as bolsters your team’s ability to compete with today’s most-capable adversaries. 

Rapid7’s platforms allow you to:

  • Operationalize disparate data sets: Hunting is not just time-intensive; it’s also unbounded. The more data sets you are able to analyze, the more thorough your proactive search for compromise will be. Add additional tools to your data set without adding substantial time to your hunt cycle.
  • Automate repeatable tasks: Automating ongoing tasks,, such as recurring scans, means your team will have more time to do what they do best: find and thwart the bad guys. Bring team members into this process strategically for maximum efficiency.
  • Notify and respond faster: Create and kick off designated response workflows based on the type of threat you’ve discovered. This ensures that you follow proper protocol, your stakeholders are notified as quickly as possible, and that everyone works from the same set of data. In short, a complete end-to-end investigation.

Technologies: Splunk

Existing Workflows: Splunk App SSH Alert IP Enrichment

Malware Analysis and Containment

Security teams are bogged down by an overabundance of ransomware, viruses, spyware, and more. Automating the investigation and containment of malware gets the job done before it does significant damage to your network. Here are some key features of this workflow:

  • Identify malicious activity: It’s important to know how to spot and stop malware in a timely manner to reduce the spread of infection. Automate these processes to identify indicators like misspelled process names or abnormal log activity.
  • Investigate the threat: When malware is detected, you can leverage workflows to analyze it using plugins from today’s leading malware analysis solutions as well as common sandbox tools, such as Cuckoo. This means you can investigate malicious files in a safe space, before they get into your network.
  • Containment and removal: All malware will require some type of containment/removal action. You can leverage automation to identify the affected users and assets, leaving decision points for security practitioners to remove the necessary user accounts, isolate the malware, or disconnect machines from the network.

Technologies: VirusTotal, Hybrid Analysis, Cuckoo, Palo Alto Wildfire, VMRay, Cortex, JIRA

Buyer’s Guide

Who Should be Thinking about Automation?

Effectively leveraging SIEM and SOAR solutions starts with understanding the day-to-day problems your team faces. Any SOC that can pinpoint the pain points in their established workflows —and is willing and able to address them—should consider an automation solution. Believe it or not, organizations of all sizes and from countless industries can see improvements to both their efficacy and efficiency with SOAR + SEIM. Over 8,500 customers rely on Rapid7’s platforms such as InsightConnect and InsightIDR to improve security outcomes and securely advance their organizations.

Not surprisingly, InsightConnect offers a growing library of over 300 integrations. We recognize Insight products are far from the only tools in your team’s tech stack, after all. The specific technologies your team relies on may be as diverse as our customer base. That’s why any and all of these can be swapped out or “daisy-chained” together based on your team’s needs—no coding required. That means many different needs can be met for many kinds of organizations –with relative ease. That’s a lot of upside.

When is the Right Time to Think about Automation?

Automation is a journey, not a destination. It’s important to remember that SOAR + SIEM require some customization and regular maintenance. They will make your job easier and your organization safer, but your team must have the will, bandwidth, and appetite to make some adjustments as well as regularly monitor a new framework. 

Furthermore, every SOC has a unique set of needs and resources, as well as their own special risk tolerance. The learning curve that’s inherent to any SaaS could lead to some inconvenience, or even disruption. Kinks will be sorted out, insights will inspire new ideas, and easy wins will lead to more complex workflows. This is why it’s critical to establish an incremental plan for your team’s automation journey. Start small and win big!

Finally, as with any transition, your whole team needs to be all in on this adventure—all stakeholders should understand your goals, so that everyone can reap the rewards. It’s probably not difficult to illustrate to your team how certain processes could be more efficient, but if anyone needs more convincing, just remind them that Rapid7 is here for you. You won’t ever feel alone. Whether you need to sketch out your first workflow or sort out a complex challenge, we’re your partners on your automation journey.

How Does Rapid7 Support SOC Automation?

Rapid7 offers two key solutions on as part of its InsightCloud platform to support SOC Automation:

  • Rapid7’s threat-focused Security Incident & Event Management (SIEM) platform, InsightIDR, addresses all of the major pain points listed earlier -- visibility, alert fatigue, and response time. It unifies diverse data sets across modern environments, and turns that data into insights, resulting in early and reliable detection and analytics. InsightIDR includes built-in automation workflows for containment, such as quarantining assets and disabling users; ticketing integrations for streamlined incident response processes between teams; and investigation enrichment.

  • InsightConnect, Rapid7’s Security Orchestration and Automation Response (SOAR) solution, accelerates and streamlines time-intensive processes for security teams -- no code needed. This frees up analysts to tackle other challenges, while still leveraging their expertise when it’s most critical. It’s a centralized hub within your security program, connecting your teams and tools, so that you can go from overwhelmed to operating at maximum efficiency in no time. 

The bottom line is that together, Rapid7’s SOAR and SIEM platforms improve visibility, reduce alert fatigue, automate containment, and improve investigation handling -- a complete solution for the needs of a modern security operations team.

Case Studies

Hilltop Holdings

Hilltop Holdings, a mid-sized financial services holding company, is a great example of an automation success story. They have subscribed to InsightIDR specifically for log collection, because they realized that user behavioral analytics was no longer just nice-to-have—it became a requirement. They next signed onto InsightConnect to automate, for example, the phishing email triage process.

In a Q&A with Rapid7 from 2020, Hilltop’s Director of Security Operations, Andrew Edwards, remarked on the value that the combination of InsightConnect and InsightIDR holds. “In a space like security operations, it’s incredibly valuable to have that single pane of glass,” he shared. “You waste time trying to navigate multiple platforms in order to administer or respond to threats or gain insight into what’s going on within the environment. It reduces your time to respond, and it reduces your time to detect or contain. And all of those solutions integrate into each other so that you can see a more holistic view of what’s going on if you’re using a single platform.”

According to Edwards, Hilltop’s team has reduced the amount of time spent on phishing triage from 77 hours a week to 3 minutes! “The only time we spend is digesting the data that has come out of the reporting solution in order to make a determination on whether it’s malicious spam or legitimate,” he recalled, illustrating how his team’s expertise is not only still essential to Hilltop’s security, but put to much better use.

But Hilltop isn’t stopping there. “I would like to leverage InsightConnect in the future to integrate or bridge the gap in between our firewalls and our detection solution, or our monitoring solution, or our endpoint security solution, to be able to share threat intelligence and IoCs across multiple platforms,” remarked Edwards.

Hillwood Development

Hillwood Development is a commercial real estate firm that develops and acquires premier industrial properties across North America and Europe. They have used InsightConnect and InsightIDR to make their security operations more fluid, as part of a broader effort to achieve integration, automation, and orchestration.

Like Hilltop, Hillside is very happy with the ability of Rapid7’s platforms to integrate and simplify diverse technologies. “InsightIDR does a great job of taking the logs from our other solutions to not only ingest them but alert them or utilize the data for user behavior analytics,” Tony Hamil, a Senior Cybersecurity Engineer for Hilltop, explained in another blog post. “This has allowed us to use InsightIDR as our source of truth for alerts, data, and user activity so we can quickly figure out what’s going on. And now that InsightConnect integrates with InsightIDR, I can see whether a user has done lateral movement and can disable them or kick them off the network, giving us more capabilities on the same platform without the need to jump through multiple platforms.”

One of Hillwood’s greatest achievements with InsightConnect addresses one of their biggest challenges -- user and asset management. “When employees join or leave our company, we needed to onboard and offboard them from an IT and security perspective,” Edwards indicated. With InsightConnect, that entire process has been automated at Hillwood -- everything happens seamlessly.

“Our success is determined by if we lost any data, revenue, or reputation. If that hasn’t happened, I consider that a success,” concluded Edward. “And since we have Rapid7’s products, these issues are usually stopped or blocked before anything malicious happens."

More Info