TryHackMe: Introduction to SOAR (SOC Level 1)

Welcome to this walkthrough of the Introduction to SOAR room on TryHackMe. What is SOAR, I hear you say? SOAR stands for Security Orchestration, Automation, and Response, and it is all about automating manual security processes.


Room URL:
https://tryhackme.com/room/soar

I am making these walkthroughs to keep myself motivated to learn cyber security, and to ensure that I remember the knowledge gained from these challenges on HTB and THM. Join me in learning cyber security. I will try to explain concepts as I go, to differentiate myself from other walkthroughs.



Task 1: Introduction

To defend against attacks, a SOC team relies on various security solutions, such as SIEM, EDR, firewalls, and threat intelligence platforms. They also communicate with IT and management teams as part of their processes. However, as threats grow more complex and advanced, SOC teams face challenges like alert fatigue, manual processes, too many disconnected tools, and difficulties in communication across teams.

In this room, we will explore how the Security Orchestration, Automation, and Response (SOAR) tool overcomes these challenges for a SOC team.

Learning Objectives

  • Understand the traditional SOC and its challenges
  • Explore how SOAR overcomes these challenges
  • Learn SOAR Playbooks
  • Practically walk through a threat intelligence workflow

Room Prerequisites

A look at the following rooms would be helpful before starting this room:

Questions

Let’s get started!

Answer: No answer needed


Task 2: Traditional SOC and Challenges

A Security Operations Center (SOC) is a centralized hub for monitoring and protecting an organization’s digital assets. Its purpose is to improve incident handling through continuous monitoring, analysis, and response. SOCs combine people, processes, and technology to achieve this.

Key Capabilities

  • Monitoring and Detection → Continuous scanning for suspicious activity, usually via SIEM (e.g., failed logins, unusual access).
  • Recovery and Remediation → First responders to incidents; isolate endpoints, remove malware, block IPs, disable accounts using tools like EDR, firewalls, IAM.
  • Threat Intelligence → Use feeds of malicious IPs, domains, and hashes to stay ahead of emerging threats.
  • Communication → Coordinate with IT and management, generate tickets, and ensure incidents are properly addressed.

Challenges Faced by SOCs

  • Alert Fatigue → Too many alerts, often false positives, overwhelm analysts and reduce vigilance.
  • Disconnected Tools → Lack of integration between systems (firewall logs vs endpoint logs) creates inefficiency.
  • Manual Processes → Reliance on undocumented “tribal knowledge” slows investigations and increases response times.
  • Talent Shortage → Difficulty recruiting skilled analysts; combined with alert overload, this leads to burnout and slower incident response.

Questions

How would you describe the experience of an overload of security events being triggered within a SOC?

We call the experience of an overload of events, which overwhelm analysts, alert fatigue.

Answer: Alert Fatigue


Task 3: Overcoming SOC Challenges with SOAR

Security Orchestration, Automation, and Response (SOAR) is a tool that unifies all security tools in a SOC (SIEM, EDR, firewalls, IAM, ticketing systems) into a single interface. It streamlines investigations, provides case management, and reduces manual effort.

Core Capabilities

  1. Orchestration
    • Connects multiple tools into one interface.
    • Uses playbooks (predefined workflows) to guide investigations.
    • Example: For a VPN brute force alert, the playbook queries SIEM logs, checks threat intelligence, verifies login success, and escalates if needed.
  2. Automation
    • Executes playbooks automatically without analyst clicks.
    • Example: SOAR receives alert → queries SIEM → checks IP reputation → disables user if malicious → opens ticket.
    • Saves time and reduces analyst burnout by handling large volumes of alerts.
  3. Response
    • Enables direct action from the unified interface.
    • Example: Block IP on firewall, disable user in IAM, open ticket – all automated through playbooks.
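
To make the automation example above concrete, here is a small Python sketch of that VPN brute-force playbook. This is an added example written for this walkthrough, not code from the room or from any SOAR product: the SIEM events and the threat-intel list are constructed inline, and the response actions (open ticket, block IP, disable user) are only recorded as strings rather than calling real ticketing, firewall or IAM APIs. The escalation branch is the part worth noticing: when the data does not clearly say brute force, the playbook hands the case to an analyst instead of disabling a user.

```python
# Added example for this walkthrough (not the room's code): an automated
# playbook for a "VPN brute force" alert. All data below is constructed.

# Constructed SIEM events: one source IP hammering the VPN with failed logins
# and finally succeeding as "alice"; a second IP with two typos then a login.
SIEM_EVENTS = [
    {"time": "09:00:01", "src_ip": "203.0.113.7", "user": "alice", "result": "failure"},
    {"time": "09:00:02", "src_ip": "203.0.113.7", "user": "alice", "result": "failure"},
    {"time": "09:00:03", "src_ip": "203.0.113.7", "user": "bob", "result": "failure"},
    {"time": "09:00:04", "src_ip": "203.0.113.7", "user": "bob", "result": "failure"},
    {"time": "09:00:05", "src_ip": "203.0.113.7", "user": "carol", "result": "failure"},
    {"time": "09:00:06", "src_ip": "203.0.113.7", "user": "alice", "result": "failure"},
    {"time": "09:00:09", "src_ip": "203.0.113.7", "user": "alice", "result": "success"},
    {"time": "09:05:00", "src_ip": "198.51.100.4", "user": "dave", "result": "failure"},
    {"time": "09:05:20", "src_ip": "198.51.100.4", "user": "dave", "result": "failure"},
    {"time": "09:05:40", "src_ip": "198.51.100.4", "user": "dave", "result": "success"},
]

# Constructed threat-intel feed: IPs reported for credential stuffing.
THREAT_INTEL_BAD_IPS = {"203.0.113.7"}

FAILED_LOGIN_THRESHOLD = 5  # failures per source IP before we call it brute force


def query_siem(events, src_ip):
    """Orchestration step: pull every VPN event for the alerting source IP."""
    return [e for e in events if e["src_ip"] == src_ip]


def ip_reputation(ip, intel):
    """Threat-intel lookup (a set here; a real playbook would query a TI platform)."""
    return "malicious" if ip in intel else "unknown"


def run_vpn_bruteforce_playbook(alert, events=SIEM_EVENTS, intel=THREAT_INTEL_BAD_IPS,
                                threshold=FAILED_LOGIN_THRESHOLD):
    """Automated playbook for a 'VPN brute force' alert.

    Returns the verdict and the response actions taken, so the outcome can be
    written back to the case ticket (and checked in tests).
    """
    src_ip = alert["src_ip"]
    related = query_siem(events, src_ip)
    failures = [e for e in related if e["result"] == "failure"]
    compromised = sorted({e["user"] for e in related if e["result"] == "success"})
    reputation = ip_reputation(src_ip, intel)
    is_bruteforce = len(failures) >= threshold or reputation == "malicious"

    # Every run opens a ticket so the investigation is documented.
    actions = [f"open_ticket: VPN brute force from {src_ip}"]

    if is_bruteforce:
        actions.append(f"block_ip: {src_ip}")       # firewall
        for user in compromised:                     # IAM: the attacker got in
            actions.append(f"disable_user: {user}")
        verdict = "confirmed" if compromised else "blocked_no_success"
    elif compromised:
        # A few failures followed by a success is usually a typo: an analyst decides.
        verdict = "escalate_to_analyst"
        actions.append(f"assign_ticket: analyst review of {src_ip}")
    else:
        verdict = "false_positive"
        actions.append("close_ticket")

    return {
        "src_ip": src_ip,
        "failed_logins": len(failures),
        "reputation": reputation,
        "compromised_users": compromised,
        "verdict": verdict,
        "actions": actions,
    }


if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.4"):
        result = run_vpn_bruteforce_playbook({"src_ip": ip})
        print(result["verdict"], result["actions"])
```

The threshold and the "malicious" reputation are the only two signals that let automation disable an account; everything else goes to a human, which is the trade-off the room describes between reducing alert fatigue and not locking out a legitimate user who mistyped a password.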

Benefits

  • Reduces alert fatigue by filtering and automating repetitive tasks.
  • Ensures tools are integrated rather than disconnected.
  • Provides structured workflows instead of undocumented manual processes.
  • Improves efficiency and consistency in incident handling.

Do We Still Need SOC Analysts?

  • Yes. SOAR cannot replace human judgment.
  • Analysts are needed for complex investigations, understanding threats in business context, and creating playbooks.
  • SOAR eases workload but analysts remain essential for decision-making and advanced triage.

Questions

The act of connecting and integrating security tools and systems into seamless workflows is known as?

We call this process orchestration.

Answer: orchestration

What do we call a predefined list of actions to handle an incident?

Playbooks are predefined steps that tell the SOAR how to investigate an alert. Without a SOAR, analysts also use playbooks to step through the same process manually.

Answer: Playbook


Task 4: Building SOAR Playbooks

Playbooks are predefined workflows that guide how alerts are investigated and remediated. They automate repetitive steps but still involve SOC analysts for critical decisions.

Phishing Playbook

  • Problem: Phishing emails are common and time‑consuming to investigate (attachments, URLs, threat intel checks).
  • Workflow Example:
    1. Alert received: “Suspicious email detected.”
    2. Create a ticket.
    3. Check if the email contains a URL or attachment.
      • If neither → notify users.
      • If URL → verify reputation via threat intelligence, analyze redirection, block if malicious.
      • If attachment → analyze with sandbox/AV, block if malicious.
    4. Remediate: quarantine email, block sender, notify affected users.
  • Benefit: SOAR automates URL/attachment checks and remediation, saving analysts time.

CVE Patching Playbook

  • Problem: New CVEs are released frequently, creating patching backlogs and exposing systems.
  • Workflow Example:
    1. SOAR ingests new CVE details.
    2. Assess risk threshold (criticality, exploitability).
    3. Search asset inventory to see if vulnerable systems exist.
    4. Create a patching ticket.
    5. Test patch in staging environment.
    6. Push patch to production if validated.
  • Benefit: Automates CVE tracking, risk assessment, and ticket creation, reducing manual workload.
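
The six steps above map onto a short Python playbook. This is an added example for this walkthrough, not the room's code: the advisory entries (placeholder IDs, not real CVEs), the asset inventory and the CVSS threshold are all constructed, and the last step, deploying to production, is intentionally left to a human after staging validation. It also includes the post-patch check from the room's flow diagram: if assets are still vulnerable after deployment, the outcome is a mitigation plan rather than a closed ticket.

```python
# Added example for this walkthrough (not the room's code): a CVE patching
# playbook over constructed data. The CVE IDs are placeholders, not real CVEs.

ADVISORIES = [
    {"id": "CVE-0000-0001", "product": "exampleweb", "fixed_in": "2.4.1", "cvss": 9.8, "exploited": True},
    {"id": "CVE-0000-0002", "product": "exampledb", "fixed_in": "5.1.0", "cvss": 5.3, "exploited": False},
    {"id": "CVE-0000-0003", "product": "examplemail", "fixed_in": "1.2.0", "cvss": 8.1, "exploited": False},
]

# Constructed asset inventory (hostnames and versions are made up).
ASSETS = [
    {"host": "web-01", "product": "exampleweb", "version": "2.4.0", "env": "production"},
    {"host": "web-stg", "product": "exampleweb", "version": "2.4.0", "env": "staging"},
    {"host": "db-01", "product": "exampledb", "version": "5.0.9", "env": "production"},
    {"host": "mail-01", "product": "examplemail", "version": "1.2.0", "env": "production"},
]


def parse_version(version):
    """'2.4.0' -> (2, 4, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def meets_risk_threshold(advisory, cvss_min=7.0):
    """Step 2: actively exploited, or CVSS at/above the threshold, gets worked."""
    return advisory["exploited"] or advisory["cvss"] >= cvss_min


def find_vulnerable_assets(advisory, assets):
    """Step 3: assets running the affected product below the fixed version."""
    return [a for a in assets
            if a["product"] == advisory["product"]
            and parse_version(a["version"]) < parse_version(advisory["fixed_in"])]


def run_cve_patching_playbook(advisories, assets, cvss_min=7.0):
    """Steps 1 to 5: ingest advisories, assess risk, match inventory, open tickets.

    Production patching (step 6) is deliberately not automated here: the ticket
    records which staging host to test on and which production hosts follow.
    """
    tickets = []
    for advisory in advisories:
        if not meets_risk_threshold(advisory, cvss_min):
            continue                      # tracked, but no ticket yet
        vulnerable = find_vulnerable_assets(advisory, assets)
        if not vulnerable:
            continue                      # not in our estate: nothing to patch
        staging = sorted(a["host"] for a in vulnerable if a["env"] == "staging")
        production = sorted(a["host"] for a in vulnerable if a["env"] == "production")
        tickets.append({
            "cve": advisory["id"],
            "priority": "P1" if advisory["exploited"] else "P2",
            "test_on": staging,
            "then_patch": production,
            # No staging twin means an analyst must plan the test manually.
            "status": "awaiting_staging_validation" if staging else "needs_manual_test_plan",
        })
    return tickets


def verify_after_patch(advisory, assets_after_patch):
    """Post-deployment check from the room's flow: if assets are still
    vulnerable after the patch, the SOC develops a mitigation plan."""
    still_vulnerable = find_vulnerable_assets(advisory, assets_after_patch)
    if still_vulnerable:
        return {"result": "mitigation_plan_required",
                "hosts": sorted(a["host"] for a in still_vulnerable)}
    return {"result": "patched", "hosts": []}


if __name__ == "__main__":
    for ticket in run_cve_patching_playbook(ADVISORIES, ASSETS):
        print(ticket)
```

Note the version comparison: comparing "2.10.0" and "2.9.3" as strings would rank them the wrong way round, which is exactly the kind of silent error that leaves a vulnerable host out of the ticket, so the versions are split into integer tuples first.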

Summary

  • SOAR playbooks automate repetitive tasks (checking URLs, analyzing attachments, tracking CVEs).
  • Analysts remain essential for judgment calls (e.g., deciding if login behavior is suspicious, validating patch deployment).
  • Together, automation + analyst oversight ensure faster, more reliable incident response.

Questions

Is manual analysis vital within a SOAR workflow? Yay or Nay?

While SOAR reduces repetitive manual process burden, SOC analysts’ roles remain essential for crucial decisions and verifications.

Answer: Yay

From where is the CVE Patching playbook fetching the new CVEs?

Look at the flow diagram of the CVE playbook in the room. On it you can see that in the first step new CVEs are fetched from advisory lists.

Answer: Advisory lists

In the CVE Patching playbook, if the assets are found vulnerable even after the patch is deployed, what does the SOC develop next?

If the assets are still found vulnerable, the analysts create a mitigation plan describing how to mitigate the remaining vulnerabilities.

Answer: mitigation plan


Task 5: Threat Intel Workflow Practical

You are part of a SOC team that recently faced a large breach investigation that took ages due to a lack of automation. Your friend, McSkidy, recently advised adopting a SOAR and setting up automation workflows (also called playbooks) to help your security investigations. McSkidy sent you a checklist for a Threat Intelligence integration workflow, and your task is to figure out how it works. Click the View site button to launch the site in split view. To automate the process, use the different screens to activate the elements required for the SOAR workflow. Run and test the workflow until you get a smooth transition on the flowchart to complete the task.

Questions

What is the flag received?

Ok, let’s get going. We start by getting some instructions:

The objective is to simulate the actions of automating a SOC environment through toggling various settings. You will have to enable/disable in order to get the right combination of events to activate the flowchart.

And some more:

Adjust the Settings for automated and manual flows to adopt a SOAR and set up automation workflows that will help you in your security investigations.

We get five different settings: Case ticket, Threat intel, Data extraction, Reputation checks and Course of action. We need to set the correct automated/manual toggle for each. I will discuss them in that order:

Case Ticket:

The creation, assignment, communication and updating of cases can be automated. Deletion is better left as a manual process.

Threat Intel:

Fetching intelligence data, the fetch interval, and failed fetches should be automated. Again, deletion of alerts is better done manually.

Data Extraction:

We can extract domains, IPs and URLs automatically, but unknown/new threats still require manual work.

Reputation Checks:

We can automatically pull results from VirusTotal, but running tests and validating and confirming the results needs to be done manually.

Course of Action:

Again, we can block domains, IPs and URLs and update case tickets automatically, but analyst approval needs to happen manually.

Answer: THM{AUT0M@T1N6_S3CUR1T¥}
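
Putting the five settings together, and also covering the phishing playbook from Task 4 (URL and attachment checks), here is an added Python example of the extraction, reputation check and course-of-action pipeline with the manual steps left manual. It is not the room's code: the email, the attachment and the VirusTotal-style detection counts are constructed inline, and the names extract_iocs, reputation_check, propose_course_of_action and apply_course_of_action are mine. Automation extracts the IOCs and looks them up; anything unknown or borderline becomes an analyst task, and the proposed blocks only execute once an analyst approves them.

```python
# Added example for this walkthrough (not the room's code): threat-intel
# workflow for a suspicious email. All inputs and reputation data are constructed.
import hashlib
import re
from urllib.parse import urlparse

# Constructed phishing email with one URL, one bare domain, one IP, and a
# constructed attachment (not real malware).
EMAIL_TEXT = """From: billing@invoices.example
Subject: Overdue invoice

Please review your invoice at http://pay.invoice-portal.example/login
and confirm at 198.51.100.23 if the link fails. Our site: intranet.example.com
"""
ATTACHMENT = b"%PDF-1.4 constructed sample attachment, not real malware\n"

# Constructed VirusTotal-style results: how many engines flagged each IOC.
# Anything missing here is an IOC the platform has never seen.
REPUTATION = {
    "http://pay.invoice-portal.example/login": {"malicious": 23, "total": 70},
    "pay.invoice-portal.example": {"malicious": 19, "total": 70},
    "invoices.example": {"malicious": 2, "total": 70},
    "198.51.100.23": {"malicious": 0, "total": 70},
    "intranet.example.com": {"malicious": 0, "total": 70},
}
MALICIOUS_MIN = 5  # detections needed before automation may propose a block

URL_RE = re.compile(r"https?://[^\s<>\"']+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def extract_iocs(text, attachment=None):
    """Data extraction (automated): URLs, domains, IPs and the attachment hash."""
    urls = set(URL_RE.findall(text))
    iocs = {
        "url": urls,
        "domain": set(DOMAIN_RE.findall(text)) | {urlparse(u).hostname for u in urls},
        "ip": set(IPV4_RE.findall(text)),
        "sha256": set(),
    }
    if attachment is not None:
        iocs["sha256"].add(hashlib.sha256(attachment).hexdigest())
    return iocs


def reputation_check(ioc, store=REPUTATION, threshold=MALICIOUS_MIN):
    """Reputation check: the lookup is automated, but only clear-cut results
    get an automatic verdict; the rest is left for an analyst."""
    hit = store.get(ioc)
    if hit is None:
        return "unknown"        # new/unknown threat: manual analysis
    if hit["malicious"] >= threshold:
        return "malicious"
    if hit["malicious"] > 0:
        return "suspicious"     # a couple of engines only: analyst validates
    return "clean"


def propose_course_of_action(iocs):
    """Builds the block list and the analyst task list; executes nothing."""
    blocks, analyst_tasks = [], []
    for kind, values in iocs.items():
        for ioc in sorted(values):
            verdict = reputation_check(ioc)
            if verdict == "malicious":
                blocks.append(f"block_{kind}: {ioc}")
            elif verdict == "suspicious":
                analyst_tasks.append(f"validate {kind} {ioc} (low detection count)")
            elif verdict == "unknown":
                analyst_tasks.append(f"sandbox {kind} {ioc} (no reputation data)")
    return {"blocks": blocks, "analyst_tasks": analyst_tasks}


def apply_course_of_action(proposal, approved_by=None):
    """Course of action: blocking and the ticket update are automated, but
    nothing runs until an analyst has approved the proposal."""
    if not approved_by:
        return {"status": "pending_approval", "executed": [],
                "ticket_update": "awaiting analyst approval of proposed blocks"}
    return {"status": "executed", "executed": list(proposal["blocks"]),
            "ticket_update": (f"{len(proposal['blocks'])} blocks applied, approved by "
                              f"{approved_by}; {len(proposal['analyst_tasks'])} items "
                              f"left for manual analysis")}


if __name__ == "__main__":
    proposal = propose_course_of_action(extract_iocs(EMAIL_TEXT, ATTACHMENT))
    print(apply_course_of_action(proposal))                        # pending
    print(apply_course_of_action(proposal, approved_by="analyst1"))  # executed
```

The attachment deliberately has no entry in the reputation store, so it comes out as an analyst sandbox task rather than a verdict; that is the "unknown/new threats need manual labour" setting from the Data Extraction screen, and the approval gate in apply_course_of_action is the manual analyst-approval setting from the Course of Action screen.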


Task 6: Conclusion

That’s all for this room. In this room, we looked at the traditional SOC processes and their challenges. Then we saw how SOAR can overcome these challenges through its Orchestration, Automation, and Response. Finally, we examined some real playbooks used in a SOC and developed a Threat Intelligence workflow for automation. 

Questions

Power to Security Orchestration and Automation.

Answer: No answer needed.

Congratulations on completing Introduction to SOAR!!!

I found this to be a really good introductory room for getting a feel for how SOAR workflows are built and which steps should stay manual. I don’t know about you, but I learned a lot!

Come back soon for more walkthroughs of rooms on TryHackMe and HackTheBox, and other Cybersecurity discussions.

Find my other TryHackMe SOC Level 1 Path walkthroughs here.

Find my other walkthroughs here.

Like my articles?

You are welcome to comment on this post, or share my post with friends. I would be even more grateful if you support me by buying me a cup of coffee:

Buy me a coffee

I learned a lot through HackTheBox’s Academy. If you want to sign up, you can get extra cubes, and support me in the process, if you use the following link:

https://referral.hackthebox.com/mzwwXlg
