Integrating SIEMs and SOAR Platforms

Streamline detection and response by connecting Security Information and Event Management (SIEM) systems with Security Orchestration, Automation, and Response (SOAR) tooling.

SIEM vs. SOAR: Roles in the SOC

SIEM (Security Information and Event Management)
  • Ingests logs, telemetry, and alerts from diverse sources.
  • Correlates events, applies detection analytics, and raises incidents.
  • Supports compliance reporting, dashboards, search, and threat hunting.
SOAR (Security Orchestration, Automation & Response)
  • Automates response actions through playbooks and workflows.
  • Integrates with ticketing, communication, identity, endpoint, and cloud tools.
  • Supports case management, analyst collaboration, and metrics.
Goal: Use the SIEM to provide high-fidelity detections and the SOAR to automate triage, enrichment, containment, and reporting.

Reference Architecture

  • Data Flow: Sources → SIEM data lake → Detection content → Alert API → SOAR ingestion → Playbooks → Response actions.
  • Authentication: API tokens, OAuth 2.0, client certificates, or service accounts with least privilege.
  • Transport: RESTful APIs (JSON), syslog over TLS, message queues (Kafka, Pub/Sub), webhooks.
  • Data Formats: CSV for bulk indicators, JSON/YAML for playbooks, STIX/TAXII for threat intel, XML for legacy connectors.
  • Event Normalisation: Use schemas (Elastic Common Schema, ASIM, CEF, LEEF) to ensure consistent field names.
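Worked example of the normalisation step above, added here rather than taken from the page or any vendor: two constructed source layouts (a Windows logon event and a cloud identity-provider event) are mapped onto Elastic Common Schema style field names, timestamps are coerced to UTC, and unmapped fields are kept under a `raw.` prefix so nothing is lost silently. The mapping tables and sample events are assumptions for illustration.

```python
"""Normalise vendor-specific alert JSON into a common field set.

Added example (not code from the original page). Target names follow
Elastic Common Schema (ECS) naming; the two source layouts are constructed
stand-ins for a Windows event forwarder and a cloud IdP.
"""
from datetime import datetime, timezone

# Constructed mapping tables: source field (dotted path) -> ECS-style field.
FIELD_MAPS = {
    "winlog": {
        "TimeCreated": "@timestamp",
        "TargetUserName": "user.name",
        "IpAddress": "source.ip",
        "EventID": "event.code",
    },
    "idp": {
        "ts": "@timestamp",
        "actor.email": "user.email",
        "client.ip": "source.ip",
        "outcome": "event.outcome",
    },
}


def _get_path(doc, dotted):
    """Return the value at a dotted path such as 'actor.email', or None."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def _to_utc_iso(value):
    """Coerce epoch seconds or an ISO-8601 string (any offset) to UTC 'Z' form."""
    if isinstance(value, (int, float)):
        dt = datetime.fromtimestamp(value, tz=timezone.utc)
    else:
        dt = datetime.fromisoformat(str(value).replace("Z", "+00:00"))
        if dt.tzinfo is None:          # naive timestamps are assumed to be UTC
            dt = dt.replace(tzinfo=timezone.utc)
        dt = dt.astimezone(timezone.utc)
    return dt.isoformat().replace("+00:00", "Z")


def normalise(source, raw):
    """Map one raw event from `source` into a flat dict of common field names.

    Fields the map does not cover are kept as 'raw.<name>' so a detection
    engineer can still find them, but they cannot collide with schema names.
    """
    mapping = FIELD_MAPS[source]
    out = {"event.dataset": source}
    for src_field, ecs_field in mapping.items():
        val = _get_path(raw, src_field)
        if val is None:
            continue
        out[ecs_field] = _to_utc_iso(val) if ecs_field == "@timestamp" else val
    for key, val in raw.items():
        covered = key in mapping or any(m.startswith(key + ".") for m in mapping)
        if not covered:
            out["raw." + key] = val
    return out


# Constructed sample events.
WINLOG_SAMPLE = {"TimeCreated": "2024-03-01T10:15:00+01:00", "TargetUserName": "jdoe",
                 "IpAddress": "203.0.113.5", "EventID": 4625, "LogonType": 10}
IDP_SAMPLE = {"ts": 1709288100, "actor": {"email": "jdoe@example.com"},
              "client": {"ip": "198.51.100.7"}, "outcome": "FAILURE"}

if __name__ == "__main__":
    print(normalise("winlog", WINLOG_SAMPLE))
    print(normalise("idp", IDP_SAMPLE))
```

Both events end up with the same `@timestamp` and `source.ip` keys, which is what lets a single correlation rule or SOAR playbook consume them without per-source branching.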

Automation Use Cases

Alert Ingestion
  • SOAR polls SIEM REST API for new alerts (JSON payload).
  • SIEM triggers outbound webhook to SOAR when rule fires.
  • Batch export via CSV / S3 for bulk analysis (ensuring timestamp & ID preservation).
Enrichment
  • SOAR playbook queries threat intel APIs (STIX/TAXII, JSON).
  • Lookup asset data via CMDB REST or GraphQL APIs.
  • Enrich indicators with GeoIP, WHOIS, reputation scoring.
Response Actions
  • Contain endpoint via EDR API or PowerShell Remoting.
  • Block IP/domain using firewall/cloud network APIs (JSON/YAML policies).
  • Create tickets (ServiceNow REST, JIRA REST), send notifications (Teams/Slack webhooks).
  • Update SIEM status through incident management API to avoid duplicate handling.

Working with Formats & Schemas

Structured Data
  • JSON: Default for SIEM REST APIs (Elastic, Splunk, Microsoft Sentinel).
  • YAML: SOAR playbooks / workflows (Cortex XSOAR, Swimlane, StackStorm).
  • CSV: Bulk indicator import/export, quick triage spreadsheets.
  • XML: Legacy platforms (ArcSight CEF XML, QRadar XML event feeds).
Automation Playbooks
  • Define triggers, inputs, conditional logic, and outputs.
  • Use version control (Git) for playbook YAML/JSON files.
  • Adopt naming conventions for actions, connectors, and custom scripts.
  • Store API tokens in a secrets manager (HashiCorp Vault, Azure Key Vault, or similar) rather than in playbook files or repositories.

API & Integration Tips

  • Consult vendor SDKs / client libraries (Python, PowerShell, Go). Many SIEM/SOAR vendors provide wrappers.
  • Handle pagination and rate limits when polling large alert volumes.
  • Normalise timestamp/timezone fields to UTC for correlation.
  • Secure API endpoints with TLS, IP allowlists, and strong authentication.
  • Log integration failures and implement retries/backoff logic.
  • Document API contracts (OpenAPI/Swagger) and test with Postman or similar tools.

Example: Suspicious Login Playbook

  1. SIEM rule detects impossible travel login → sends JSON alert (user, IP, location, risk score).
  2. SOAR ingests alert, enriches with GeoIP, last MFA activity, recent password resets.
  3. Conditional logic: if risk high → auto-disable account via identity provider API; otherwise escalate to analyst queue.
  4. Generate CSV or JSON summary, attach to ticket, notify Slack/Teams channel.
  5. Update SIEM incident status to "In Progress" via REST PATCH call.
  6. Upon closure, SOAR pushes final notes back to SIEM and updates metrics dashboard.
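The six steps above carried through in code, as an added example rather than a vendor playbook: the SIEM alert is ingested as JSON, enriched from constructed GeoIP, MFA and password-reset tables, routed by a risk threshold to either an identity-provider disable call or an analyst queue, summarised for the ticket, and the SIEM incident status is patched to "In Progress" and later closed. Every external system is replaced by an action recorder so the logic runs offline and can be inspected; the threshold, field names and lookup data are assumptions.

```python
"""Suspicious-login playbook: ingest, enrich, decide, act, report, close.

Added example of the six-step flow; not a vendor playbook. External
systems (GeoIP, IdP, ticketing, chat, SIEM status API) are replaced by
constructed lookup tables and an action recorder so it runs offline.
"""
import json

RISK_THRESHOLD = 80  # assumed: alerts at or above this are auto-contained

# Constructed enrichment sources.
GEOIP = {"203.0.113.5": "DE", "198.51.100.7": "BR"}
LAST_MFA = {"jdoe": "2024-03-01T08:55:00Z"}   # user -> last successful MFA
RECENT_RESETS = {"jdoe": 0}                     # user -> password resets, last 7 days


def enrich(alert):
    """Step 2: attach GeoIP country, last MFA time and recent password resets."""
    user = alert["user"]
    return {
        **alert,
        "geo_country": GEOIP.get(alert["ip"], "unknown"),
        "last_mfa": LAST_MFA.get(user),
        "password_resets_7d": RECENT_RESETS.get(user, 0),
    }


def decide(enriched):
    """Step 3: auto-disable on high risk, otherwise hand to an analyst."""
    return "disable_account" if enriched["risk_score"] >= RISK_THRESHOLD else "escalate"


def run_playbook(alert_json, actions):
    """Run steps 1-5 for one SIEM alert.

    `actions` receives every external call as (system, operation, payload)
    so the sequence can be asserted on or replayed against real connectors.
    """
    alert = json.loads(alert_json)                           # Step 1: ingest
    enriched = enrich(alert)                                 # Step 2: enrich
    decision = decide(enriched)                              # Step 3: branch
    if decision == "disable_account":
        actions.append(("idp", "disable_user", {"user": enriched["user"]}))
    else:
        actions.append(("soar", "assign_queue",
                        {"queue": "tier1", "alert_id": alert["id"]}))
    summary = {                                              # Step 4: summary
        "alert_id": alert["id"], "user": enriched["user"], "ip": enriched["ip"],
        "geo_country": enriched["geo_country"], "last_mfa": enriched["last_mfa"],
        "risk_score": enriched["risk_score"], "decision": decision,
    }
    actions.append(("ticketing", "create_ticket", {"attachment": json.dumps(summary)}))
    actions.append(("chat", "notify", {"channel": "#soc", "text": "%s: %s for %s"
                                       % (alert["id"], decision, enriched["user"])}))
    # Step 5: PATCH the SIEM incident so a second analyst does not pick it up.
    actions.append(("siem", "patch_status", {"id": alert["id"], "status": "In Progress"}))
    return summary


def close_case(alert_id, notes, actions):
    """Step 6: push closure notes back to the SIEM and bump the metrics counter."""
    actions.append(("siem", "patch_status",
                    {"id": alert_id, "status": "Closed", "notes": notes}))
    actions.append(("metrics", "increment", {"counter": "cases_closed"}))


# Constructed SIEM alerts: one above the threshold, one below.
SAMPLE_ALERT = json.dumps({"id": "inc-1042", "rule": "impossible_travel", "user": "jdoe",
                           "ip": "203.0.113.5", "location": "Frankfurt", "risk_score": 91})
SAMPLE_ALERT_LOW = json.dumps({"id": "inc-1043", "rule": "impossible_travel", "user": "jdoe",
                               "ip": "198.51.100.7", "location": "Sao Paulo", "risk_score": 40})

if __name__ == "__main__":
    log = []
    print(run_playbook(SAMPLE_ALERT, log))
    close_case("inc-1042", "confirmed: user travelling, VPN egress", log)
    for entry in log:
        print(entry)
```

Keeping the decision in a separate function means the threshold (and any later refinement, such as treating a recent MFA success as a mitigating factor) can be unit-tested without touching the connectors.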

Measuring Automation Success

  • Mean Time to Respond (MTTR): Compare baseline vs. post-automation.
  • Automation Coverage: % of alert types handled end-to-end without analyst intervention.
  • Error Rates: API failures, playbook rollback counts, manual overrides.
  • Compliance: Evidence of response steps for audits (SOX, PCI, ISO 27001).
  • Feedback loops: Collect analyst feedback to refine playbooks and SIEM detections.
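How the first three metrics can be computed from case records, as an added example with constructed data (not from the page): MTTR as the mean detection-to-containment time, automation coverage as the per-rule share of cases closed without a manual step, and error rate as the share of cases that hit an API failure or rollback. The record field names are assumptions.

```python
"""Compute MTTR, automation coverage and error rate from SOAR case records.

Added example; the records are constructed and the field names assumed.
"""
from datetime import datetime
from statistics import mean


def _parse(ts):
    """ISO-8601 'Z' timestamp -> aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def mttr_minutes(cases):
    """Mean minutes from detection to containment over contained cases."""
    durations = [(_parse(c["contained"]) - _parse(c["detected"])).total_seconds() / 60
                 for c in cases if c.get("contained")]
    return mean(durations) if durations else None


def automation_coverage(cases):
    """Per alert rule, fraction of cases closed with no manual analyst step."""
    by_rule = {}
    for c in cases:
        total, auto = by_rule.get(c["rule"], (0, 0))
        by_rule[c["rule"]] = (total + 1, auto + (0 if c["manual_steps"] else 1))
    return {rule: auto / total for rule, (total, auto) in by_rule.items()}


def error_rate(cases):
    """Share of cases whose playbook saw an API failure or was rolled back."""
    bad = sum(1 for c in cases if c["api_failures"] or c["rolled_back"])
    return bad / len(cases)


def compare(baseline, post):
    """Side-by-side view for the MTTR baseline-vs-automation comparison."""
    return {
        "mttr_baseline_min": mttr_minutes(baseline),
        "mttr_post_min": mttr_minutes(post),
        "coverage_post": automation_coverage(post),
        "error_rate_post": error_rate(post),
    }


# Constructed case records: two from before automation, three after.
BASELINE = [
    {"rule": "impossible_travel", "detected": "2024-02-01T09:00:00Z",
     "contained": "2024-02-01T11:00:00Z", "manual_steps": True, "api_failures": 0, "rolled_back": False},
    {"rule": "impossible_travel", "detected": "2024-02-02T10:00:00Z",
     "contained": "2024-02-02T13:00:00Z", "manual_steps": True, "api_failures": 0, "rolled_back": False},
]
POST = [
    {"rule": "impossible_travel", "detected": "2024-03-01T09:00:00Z",
     "contained": "2024-03-01T09:10:00Z", "manual_steps": False, "api_failures": 0, "rolled_back": False},
    {"rule": "impossible_travel", "detected": "2024-03-02T10:00:00Z",
     "contained": "2024-03-02T10:30:00Z", "manual_steps": True, "api_failures": 0, "rolled_back": False},
    {"rule": "brute_force", "detected": "2024-03-03T11:00:00Z",
     "contained": "2024-03-03T11:05:00Z", "manual_steps": False, "api_failures": 1, "rolled_back": False},
]

if __name__ == "__main__":
    print(compare(BASELINE, POST))
```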