Friday, January 5, 2024

SOAR/XSOAR

SOAR stands for Security Orchestration, Automation, and Response. It is a security platform that integrates with security tools and fetches their events to help security teams identify, investigate, and respond to incidents.

SOAR lets security teams build playbooks and automations with no code, or with scripting languages such as Python, JavaScript, and PowerShell. SOAR is aimed at security engineers rather than software developers, so the key point of a SOAR platform is how easily security engineers can adopt it to build and operate their automation.

XSOAR

XSOAR is one of the SOAR solutions from Palo Alto Networks. It was previously known as Demisto, before Demisto was acquired by Palo Alto Networks.

XSOAR has an open-source content community that integrates it with many tools. All the integrations and automations are maintained in a git repository (https://github.com/demisto/).

There are three main components in XSOAR: integrations, automations, and playbooks. Integrations and automations are written in a programming language such as Python, JavaScript, or PowerShell. Integrations are the code that connects XSOAR to other solutions such as VirusTotal, Salesforce, and Elasticsearch. Automations are code that performs specific actions; they are made up of commands, which are used in playbook tasks and when running commands in the War Room. Playbooks are the workflows that run the integrations and automations. Security teams build playbooks to triage incidents.

XSOAR Incident Lifecycle



There is an incident lifecycle, and the security team follows it to build a playbook. The playbook is executed for each incident. Integrations fetch the incidents; the fetched incident data is mapped and classified into an XSOAR incident, and the playbook is then executed for that incident. Pre-processing and post-processing can run before and after the playbook.
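To make the three components above and this lifecycle concrete, here is a small Python model of the flow: an integration-style fetch, classification and mapping into an incident, a de-duplicating pre-processing step, a per-type playbook made of automation tasks, and post-processing. It is an added illustration, not XSOAR's own code, and it does not use the XSOAR SDK; the `Incident` schema, `fetch_incidents`, `classify_and_map`, `pre_process`, `run_playbook`, `post_process`, the `CLASSIFIER` mapping, the playbook task functions and the sample events are all constructed for this example.

```python
from dataclasses import dataclass, field


@dataclass
class Incident:
    """Incident record as modelled here (hypothetical schema, not the real XSOAR one)."""
    source_id: str
    type: str
    severity: int
    fields: dict
    status: str = "new"
    notes: list = field(default_factory=list)


# Constructed sample events in the shape a hypothetical integration's fetch would return.
# "evt-1" appears twice on purpose, to exercise the pre-processing de-duplication step.
RAW_EVENTS = [
    {"id": "evt-1", "category": "malware", "host": "ws-01", "sha256": "ab" * 32},
    {"id": "evt-2", "category": "phishing", "recipient": "user@example.com",
     "url": "http://example.test/login"},
    {"id": "evt-1", "category": "malware", "host": "ws-01", "sha256": "ab" * 32},
    {"id": "evt-3", "category": "unknown-product-alert", "host": "srv-07"},
]

# Classifier: raw event category -> incident type (mapping chosen for this example).
CLASSIFIER = {"malware": "Malware", "phishing": "Phishing"}
DEFAULT_SEVERITY = {"Malware": 3, "Phishing": 2}


def fetch_incidents(events):
    """Integration step: return the raw events the external tool exposes."""
    return list(events)


def classify_and_map(raw):
    """Classification and mapping step: choose the incident type and map raw keys to incident fields."""
    incident_type = CLASSIFIER.get(raw["category"], "Unclassified")
    fields = {k: v for k, v in raw.items() if k not in ("id", "category")}
    return Incident(source_id=raw["id"], type=incident_type,
                    severity=DEFAULT_SEVERITY.get(incident_type, 1), fields=fields)


def pre_process(incidents, seen_ids):
    """Pre-processing step: drop incidents whose source id was already ingested."""
    kept = []
    for inc in incidents:
        if inc.source_id in seen_ids:
            continue
        seen_ids.add(inc.source_id)
        kept.append(inc)
    return kept


# Automations: each takes an incident, performs one action, and returns it.
def extract_indicators(inc):
    inc.fields["indicators"] = {k: inc.fields[k] for k in ("sha256", "url") if k in inc.fields}
    inc.notes.append(f"extracted {len(inc.fields['indicators'])} indicator(s)")
    return inc


def decide_response(inc):
    # Containment decision drawn purely from the mapped severity.
    inc.fields["action"] = "isolate-host" if inc.severity >= 3 else "notify-user"
    inc.notes.append(f"action={inc.fields['action']}")
    return inc


def request_manual_triage(inc):
    inc.fields["action"] = "manual-triage"
    inc.notes.append("no playbook for this type; assigned to analyst")
    return inc


# Playbooks: ordered task lists keyed by incident type, plus a fallback for unknown types.
PLAYBOOKS = {
    "Malware": [extract_indicators, decide_response],
    "Phishing": [extract_indicators, decide_response],
}
FALLBACK_PLAYBOOK = [request_manual_triage]


def run_playbook(inc):
    """Run the playbook attached to the incident's type, task by task."""
    inc.status = "active"
    for task in PLAYBOOKS.get(inc.type, FALLBACK_PLAYBOOK):
        task(inc)
    return inc


def post_process(inc):
    """Post-processing step: close automated incidents, leave manual ones pending for an analyst."""
    inc.status = "pending" if inc.fields["action"] == "manual-triage" else "closed"
    return inc


def run_lifecycle(events, seen_ids=None):
    """Fetch -> classify/map -> pre-process -> playbook -> post-process; returns the finished incidents."""
    seen_ids = set() if seen_ids is None else seen_ids
    incidents = [classify_and_map(raw) for raw in fetch_incidents(events)]
    return [post_process(run_playbook(inc)) for inc in pre_process(incidents, seen_ids)]


if __name__ == "__main__":
    for inc in run_lifecycle(RAW_EVENTS):
        print(inc.source_id, inc.type, inc.status, inc.fields["action"], inc.notes)
```

Passing the same `seen_ids` set across calls is what makes the pre-processing step useful: a second fetch of the same events produces no new incidents, which is the behaviour you want when an integration's source re-reports alerts it has already delivered.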

Conclusion

There are more SOAR solutions: Google Chronicle (previously Siemplify), Splunk SOAR (previously Phantom), Tines, etc. Since I have experience with XSOAR, I will deep dive into XSOAR to build a playbook, an automation, and an integration.