SOAR & Playbook Engine
AuroraSOC includes a built-in SOAR (Security Orchestration, Automation, and Response) engine that executes predefined playbooks for automated incident response. Playbooks combine automated actions, conditional logic, and human approval gates into repeatable response workflows.
Playbook Architecture
Available Playbooks
AuroraSOC ships with six pre-built playbooks:
| Playbook | Trigger | Actions | Approval Required |
|---|---|---|---|
| Malware Response | Malware detection alert | Isolate → Scan → Block → Report | Yes (isolate) |
| Phishing Response | Phishing alert | Extract IOCs → Block URLs → Notify users → Report | No |
| Ransomware Emergency | Ransomware indicator | Isolate all → Snapshot → Forensics → Exec brief | Yes (isolate) |
| Brute Force Mitigation | 5+ failed logins | Block source → Reset credentials → Audit → Report | Yes (credential reset) |
| Data Exfiltration | DLP/network anomaly | Block egress → Capture traffic → Forensics → Report | Yes (block) |
| CPS Anomaly | CPS device alert | Quarantine segment → Verify firmware → Attestation → Report | Yes (quarantine) |
Playbook Execution Detail
Step Types
Each playbook step executes one of eight registered actions:
| Action | Description | Reversible |
|---|---|---|
| isolate_host | Network-isolate an endpoint | Yes |
| block_ip | Block IP at firewall/NGFW | Yes |
| disable_user | Disable Active Directory account | Yes |
| revoke_certificate | Revoke TLS/device certificate | No |
| run_scan | Execute endpoint scan | N/A |
| collect_forensics | Gather forensic evidence | N/A |
| enrich_ioc | Enrich IOC via threat intel | N/A |
| notify | Send notification | N/A |
Conditional Branching
Steps can include conditions based on:
- Alert severity
- Asset criticality
- Device type (IT vs. OT/CPS)
- Previous step results
- Time of day (business hours vs. after-hours)
Rollback on Failure
If any step fails, the engine automatically rolls back the completed actions in reverse order. Only actions marked as reversible in the step-types table above can be undone; irreversible actions (such as certificate revocation) are reported in the rollback log instead.
Playbook Dashboard
Execution List
Shows all playbook runs with:
- Playbook name and triggered alert
- Start time and duration
- Status: Running / Completed / Failed / Rolled Back
- Steps completed vs. total steps
Execution Detail
Click any execution to see:
- Step-by-step progress with timestamps
- Approval request status and responder
- Action outputs and return values
- Error details for failed steps
- Rollback log if applicable
Dry Run Mode
Test playbooks without executing real actions:
```bash
curl -X POST /api/v1/soar/playbooks/execute \
  -H "Authorization: Bearer $TOKEN" \
  -d '{
    "playbook_id": "pb-malware-response",
    "alert_id": "alert-123",
    "dry_run": true
  }'
```
Dry run mode simulates each step and reports what would happen, allowing you to verify playbook logic before production use.
Always run new or modified playbooks in dry-run mode first. Review the simulated execution carefully before enabling live execution, especially for playbooks with irreversible actions like certificate revocation.
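The following is an added example, not AuroraSOC's own engine code, that models the behaviour described in the Conditional Branching, Rollback on Failure and Dry Run Mode sections: steps run in `order`, a `condition` can skip a step, `requires_approval` gates a step behind an approver, `on_failure: "continue"` tolerates a failed step, any other failure rolls back completed actions in reverse order using the reversibility from the step-types table, and `dry_run=True` only reports what would happen. The severity ranking, the `undo_<action>` naming, the `FakeExecutor` stand-in and the sample playbook (which mirrors the custom playbook shown later on this page) are all assumptions made for the example.

```python
"""Minimal playbook engine (added example, not AuroraSOC's own code) showing
conditional steps, approval gates, dry-run simulation and reverse-order rollback."""
from dataclasses import dataclass, field

# Registered actions and their reversibility from the step-types table:
# True = can be undone, False = irreversible, None = N/A (nothing to undo).
REVERSIBLE = {
    "isolate_host": True, "block_ip": True, "disable_user": True,
    "revoke_certificate": False, "run_scan": None, "collect_forensics": None,
    "enrich_ioc": None, "notify": None,
}
# Assumed severity ordering so that ">=" comparisons on severity make sense.
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}
OPERATORS = {">=": lambda a, b: a >= b, "==": lambda a, b: a == b,
             "<": lambda a, b: a < b, "!=": lambda a, b: a != b}


def condition_holds(condition, alert):
    """Evaluate a step condition such as {"field": "severity", "operator": ">=",
    "value": "high"} against alert attributes. A missing field never matches."""
    if condition is None:
        return True
    actual, expected = alert.get(condition["field"]), condition["value"]
    if actual is None:
        return False
    if condition["field"] == "severity":
        actual, expected = SEVERITY_RANK[actual], SEVERITY_RANK[expected]
    return OPERATORS[condition["operator"]](actual, expected)


@dataclass
class ExecutionResult:
    status: str                      # Running / Completed / Failed / Rolled Back
    dry_run: bool = False
    log: list = field(default_factory=list)
    completed: list = field(default_factory=list)   # actions that actually ran


def _rollback(result, executor):
    """Undo completed actions in reverse order; irreversible ones are only logged."""
    for action in reversed(result.completed):
        if REVERSIBLE[action] is True:
            executor(f"undo_{action}", {}, {})   # assumed naming for the undo call
            result.log.append(f"rolled back {action}")
        elif REVERSIBLE[action] is False:
            result.log.append(f"cannot roll back {action}: irreversible")
        else:
            result.log.append(f"nothing to undo for {action}")
    result.status = "Rolled Back"
    return result


def run_playbook(playbook, alert, executor, approve, dry_run=False):
    """executor(action, parameters, alert) -> bool performs an action;
    approve(step) -> bool answers an approval gate. Neither is called in dry-run mode."""
    result = ExecutionResult(status="Running", dry_run=dry_run)
    for step in sorted(playbook["steps"], key=lambda s: s["order"]):
        action, params = step["action"], step.get("parameters", {})
        if action not in REVERSIBLE:
            raise ValueError(f"unregistered action: {action}")
        if not condition_holds(step.get("condition"), alert):
            result.log.append(f"skipped {action}: condition not met")
            continue
        if dry_run:
            gate = " (would wait for approval)" if step.get("requires_approval") else ""
            result.log.append(f"would run {action} {params}{gate}")
            continue
        if step.get("requires_approval") and not approve(step):
            result.log.append(f"failed {action}: approval denied")
            return _rollback(result, executor)
        if executor(action, params, alert):
            result.log.append(f"completed {action}")
            result.completed.append(action)
        elif step.get("on_failure") == "continue":
            result.log.append(f"failed {action}: continuing as configured")
        else:
            result.log.append(f"failed {action}: rolling back")
            return _rollback(result, executor)
    result.status = "Completed"
    return result


class FakeExecutor:
    """Constructed stand-in for the real connectors; records every call and
    fails for any action named in `failing`."""
    def __init__(self, failing=()):
        self.failing, self.calls = set(failing), []

    def __call__(self, action, parameters, alert):
        self.calls.append(action)
        return action not in self.failing


# Constructed playbook mirroring the custom-playbook example on this page.
SAMPLE_PLAYBOOK = {
    "name": "Custom Response",
    "steps": [
        {"order": 1, "action": "enrich_ioc", "parameters": {"sources": ["virustotal"]},
         "on_failure": "continue"},
        {"order": 2, "action": "block_ip", "parameters": {"duration": "24h"},
         "requires_approval": True,
         "condition": {"field": "severity", "operator": ">=", "value": "high"}},
        {"order": 3, "action": "notify", "parameters": {"channel": "slack"}},
    ],
}

if __name__ == "__main__":
    ex = FakeExecutor(failing={"notify"})
    r = run_playbook(SAMPLE_PLAYBOOK, {"severity": "high"}, ex, lambda s: True)
    print(r.status, *r.log, sep="\n  ")
```

Running the module as-is fails the final `notify` step, so the log shows `block_ip` being undone and `enrich_ioc` reported as having nothing to undo; passing `dry_run=True` produces the same three "would run" lines without touching the executor, which is the check worth doing before enabling live execution on a playbook that contains irreversible actions.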
Creating Custom Playbooks
Playbooks are defined as JSON documents stored in PostgreSQL:
```json
{
  "name": "Custom Response",
  "description": "Custom incident response workflow",
  "trigger": "manual",
  "steps": [
    {
      "order": 1,
      "action": "enrich_ioc",
      "parameters": {"sources": ["virustotal", "alienvault"]},
      "on_failure": "continue"
    },
    {
      "order": 2,
      "action": "block_ip",
      "parameters": {"duration": "24h"},
      "requires_approval": true,
      "condition": {"field": "severity", "operator": ">=", "value": "high"}
    },
    {
      "order": 3,
      "action": "notify",
      "parameters": {"channel": "slack", "template": "incident-update"}
    }
  ]
}
```
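Because a playbook is plain JSON, it is worth linting a definition before it is stored. The following is an added example, not AuroraSOC's own validator: it checks that every step uses one of the eight registered actions, that step orders are contiguous and unique, that conditions use a known field and operator, and (as an assumed local policy in the spirit of the dry-run advice above) that irreversible actions sit behind an approval gate. The condition field names, the operator set and the accepted `on_failure` values beyond `"continue"` are assumptions; the first document it checks is the custom playbook shown above.

```python
"""Lint a playbook definition before loading it (added example, not AuroraSOC's
own validator)."""
import json

# Registered actions and their reversibility from the step-types table.
REVERSIBLE = {"isolate_host": True, "block_ip": True, "disable_user": True,
              "revoke_certificate": False, "run_scan": None,
              "collect_forensics": None, "enrich_ioc": None, "notify": None}
# Assumed field names for the five condition sources listed on this page.
CONDITION_FIELDS = {"severity", "asset_criticality", "device_type",
                    "previous_result", "time_of_day"}
OPERATORS = {">=", "<=", "==", "!=", ">", "<"}        # assumed operator set
ON_FAILURE = {"continue", "rollback"}                  # assumed; page shows "continue"


def validate_playbook(doc: dict) -> list:
    """Return human-readable problems; an empty list means the definition is acceptable."""
    problems = []
    for key in ("name", "trigger", "steps"):
        if key not in doc:
            problems.append(f"missing top-level key '{key}'")
    steps = doc.get("steps")
    if not isinstance(steps, list) or not steps:
        problems.append("'steps' must be a non-empty list")
        return problems
    orders = [s.get("order") for s in steps]
    if sorted(o for o in orders if isinstance(o, int)) != list(range(1, len(steps) + 1)):
        problems.append(f"step orders must be 1..{len(steps)} without gaps or duplicates, got {orders}")
    for s in steps:
        label = f"step {s.get('order')}"
        action = s.get("action")
        if action not in REVERSIBLE:
            problems.append(f"{label}: unregistered action '{action}'")
            continue
        # Assumed policy: an irreversible action must require human approval.
        if REVERSIBLE[action] is False and not s.get("requires_approval"):
            problems.append(f"{label}: irreversible action '{action}' should require approval")
        cond = s.get("condition")
        if cond is not None:
            if cond.get("field") not in CONDITION_FIELDS:
                problems.append(f"{label}: unknown condition field '{cond.get('field')}'")
            if cond.get("operator") not in OPERATORS:
                problems.append(f"{label}: unknown operator '{cond.get('operator')}'")
        if s.get("on_failure", "rollback") not in ON_FAILURE:
            problems.append(f"{label}: unknown on_failure value '{s.get('on_failure')}'")
    return problems


def validate_json(text: str) -> list:
    """Parse a JSON document and validate it; a parse error is reported as a problem."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]
    return validate_playbook(doc)


# The custom playbook from this page, used here as the well-formed input.
PAGE_PLAYBOOK_JSON = """
{
  "name": "Custom Response",
  "description": "Custom incident response workflow",
  "trigger": "manual",
  "steps": [
    {"order": 1, "action": "enrich_ioc",
     "parameters": {"sources": ["virustotal", "alienvault"]}, "on_failure": "continue"},
    {"order": 2, "action": "block_ip", "parameters": {"duration": "24h"},
     "requires_approval": true,
     "condition": {"field": "severity", "operator": ">=", "value": "high"}},
    {"order": 3, "action": "notify",
     "parameters": {"channel": "slack", "template": "incident-update"}}
  ]
}
"""

# Constructed malformed definition: duplicate order, unregistered action,
# irreversible action without approval, and an unknown condition operator.
BAD_PLAYBOOK = {
    "name": "Bad", "trigger": "manual",
    "steps": [
        {"order": 1, "action": "reboot_host"},
        {"order": 1, "action": "revoke_certificate"},
        {"order": 3, "action": "notify",
         "condition": {"field": "severity", "operator": "~", "value": "high"}},
    ],
}

if __name__ == "__main__":
    print("page playbook:", validate_json(PAGE_PLAYBOOK_JSON) or "ok")
    for problem in validate_playbook(BAD_PLAYBOOK):
        print("bad playbook:", problem)
```

The validator deliberately keeps going after the first problem so that an operator sees every issue in one pass; the only early exit is for a missing or empty `steps` list, since nothing else can be checked without it.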