Key Takeaways
- MTTR dropped from 14 hours to under 4 after 6 months of SOAR-led automation across 12 high-volume incident types.
- Start with high-volume, low-judgment incidents: phishing triage, suspicious login enrichment, password reset workflows. Attempts to automate complex incidents fail.
- Playbook design is the work. The SOAR platform is the easy part; mapping decision logic to automation is where 80% of effort lives.
- Keep humans in the loop for actions with blast radius: isolating endpoints, disabling accounts, blocking domains. Approvals can be one-click, but they should exist.
- Measure everything: analyst time saved, MTTR per incident type, automation success rate, escalation accuracy. Without metrics, SOAR becomes shelfware.
The Client and the Problem
The client is a mid-sized Indian SaaS company, roughly 400 employees, 1,200 customer organizations, three product lines, primarily Microsoft 365 and AWS. They had a functioning SOC running Microsoft Sentinel with reasonable coverage but were drowning in alert volume. Tier 1 analysts spent the majority of their shifts on repetitive enrichment tasks (looking up IP reputation, checking user history, gathering endpoint context) before they could even start to decide whether an alert mattered.
Mean Time To Detect was already strong (under 30 minutes for most categories). The problem was Mean Time To Respond, averaging 14 hours, including 6 hours of nights and weekends where Tier 1 was working with limited Tier 2/3 backup. By the time many incidents were properly triaged and acted on, the attacker (or insider, or misconfiguration) had had hours of free rein.
The objective for our engagement: reduce MTTR for high-volume incident types to under 4 hours without expanding the SOC team beyond its current 7 analysts.
Why SOAR Was the Right Lever
Security Orchestration, Automation and Response (SOAR) platforms sit on top of detection tools and automate the repetitive parts of incident response. They take an alert, enrich it from 10+ data sources, apply decision logic, and either resolve the incident automatically or hand the analyst a fully-prepared case to act on.
For this client, SOAR was the right lever because alert volume was high (200+ tier-1 alerts per day) and a significant fraction of incidents followed repeatable patterns: phishing triage, suspicious login enrichment, malware detection follow-up, M365 risky-sign-in review. These are exactly the workflows SOAR handles well.
We deployed Microsoft Sentinel's built-in SOAR capabilities (Logic Apps + Automation Rules) rather than bringing in a separate platform: the integration was already there, the per-action cost was low, and the team was already trained on the Microsoft stack. For clients on other ecosystems we have deployed Splunk SOAR, Palo Alto Cortex XSOAR, and Tines.
Playbook Design: Where Most SOAR Projects Fail
The platform is easy; the playbooks are hard. A playbook codifies how a human analyst would handle a specific incident type, what they would check, in what order, with what thresholds, and what they would do based on the result. Writing playbooks forces uncomfortable conversations: "What do you actually do when you see this alert?" often reveals that the answer is inconsistent across the team.
We started by shadowing tier 1 analysts for two weeks. For each common alert type, we documented the actual decision logic, not the documented logic, the real one. Then we sat down with the SOC manager to standardize: this is how we will handle this incident type going forward.
Phase 1 playbooks: phishing email triage, suspicious M365 login, EDR malware detection, password reset workflow, leaked credential check, DNS sinkhole match. These covered roughly 60% of total alert volume.
- Enrichment first: every playbook starts with parallel enrichment from 5-10 sources (IP reputation, user history, asset criticality, threat intel, similar past incidents)
- Deterministic decisions: codify clear rules; do not try to automate ambiguous judgment calls
- Human in the loop for blast-radius actions (isolate endpoint, disable account, block domain): one-click approval, not full automation
- Standardized output: every playbook closes with a structured case summary an analyst or auditor can read in 30 seconds
- Versioning: playbooks are code; treat them with the same change control as code
Integrations: The Boring Work That Determines Success
A SOAR platform is only as good as its integrations. We connected Sentinel to: Microsoft Defender XDR (endpoint actions, identity actions), Microsoft Entra ID (user signals, conditional access), Exchange Online Protection (email actions), VirusTotal (file/URL/IP reputation), Recorded Future (threat intelligence), the client's ITSM (Jira), the client's communications platform (Slack), and the client's internal CMDB (asset criticality).
Each integration involved authentication design, scope minimization, error handling, and testing. The actual time spent here vastly exceeded what the project plan estimated, a common pattern. Plan for 50% more integration time than the vendor demos suggest.
Governance: Who Approves What an Automation Does
Automated actions have real consequences. An automation that isolates an endpoint is making a business decision: the employee using that endpoint cannot work until human intervention restores access. An automation that disables an account locks a user out of every system they access through SSO.
We established a tiered governance model. Tier A actions (enrichment, ticket creation, notification) run fully automated. Tier B actions (forced password reset, block sender, quarantine email) run automated with an audit trail and a rollback option. Tier C actions (isolate endpoint, disable account, block domain at firewall) require one-click human approval (a Slack button that the on-call analyst hits). This preserves speed (5 seconds to act) without surrendering judgment.
All automated actions are logged with the playbook version, input data, decision branch, and outcome. A quarterly review compares automation outcomes to what a human analyst would have done; drift in either direction triggers playbook revision.
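As an added example (not the client's Logic Apps playbooks), the following Python model ties the playbook principles above to the Tier A/B/C governance model: enrichment from constructed lookup tables, a deterministic decision branch that escalates ambiguous cases instead of acting on them, Tier C actions held until an approver callback returns True, and an audit record carrying playbook version, input, decision branch and outcome. The version label, the enrichment tables and the approver callback are all assumptions for illustration.

```python
"""Tiered SOAR playbook model for a suspicious-login alert (added example)."""

PLAYBOOK_VERSION = "suspicious-login-1.3.0"  # constructed version label

# Tier A: fully automated. Tier B: automated with rollback record.
# Tier C: blast-radius actions that need one-click human approval.
ACTION_TIER = {
    "create_ticket": "A", "notify_slack": "A",
    "force_password_reset": "B", "quarantine_email": "B",
    "disable_account": "C", "isolate_endpoint": "C",
}

# Constructed stand-ins for IP reputation, user travel history and CMDB criticality.
ENRICHMENT = {
    "ip_reputation": {"203.0.113.7": "malicious", "198.51.100.2": "clean"},
    "user_travel_ok": {"alice": True, "bob": False},
    "asset_criticality": {"alice": "low", "bob": "high"},
}

def enrich(alert):
    """Gather context from every source before any decision is made."""
    ip, user = alert["src_ip"], alert["user"]
    return {"ip_rep": ENRICHMENT["ip_reputation"].get(ip, "unknown"),
            "travel_ok": ENRICHMENT["user_travel_ok"].get(user, False),
            "criticality": ENRICHMENT["asset_criticality"].get(user, "unknown")}

def decide(ctx):
    """Deterministic rules only; anything ambiguous goes to an analyst."""
    if ctx["ip_rep"] == "malicious" and not ctx["travel_ok"]:
        return "confirmed_compromise", ["force_password_reset", "disable_account", "create_ticket"]
    if ctx["ip_rep"] == "clean" and ctx["travel_ok"]:
        return "benign_travel", ["create_ticket"]
    return "escalate_to_analyst", ["create_ticket", "notify_slack"]

def run_playbook(alert, approver=lambda action: False):
    """Run enrichment, decision and tier-gated actions; return the audit record."""
    ctx = enrich(alert)
    branch, actions = decide(ctx)
    outcome = []
    for action in actions:
        tier = ACTION_TIER[action]
        if tier == "C" and not approver(action):
            outcome.append((action, "pending_approval"))   # held for the on-call analyst
        elif tier == "B":
            outcome.append((action, "executed_rollback_recorded"))
        else:
            outcome.append((action, "executed"))
    return {"playbook_version": PLAYBOOK_VERSION, "input": alert,
            "enrichment": ctx, "decision_branch": branch, "outcome": outcome}
```

The audit record returned by `run_playbook` is what the quarterly drift review would compare against an analyst's own decision for the same input.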
Results After 6 Months
MTTR for the 12 incident types under SOAR dropped from a baseline of 14 hours to 3 hours 40 minutes, a 73% improvement. Median MTTR (less skewed by outliers) dropped from 6 hours to under 90 minutes. Tier 1 alert backlog at end of shift dropped to near zero, allowing analysts to spend more time on proactive threat hunting.
Side benefits: alert quality improved because every alert now arrived with rich context, false-positive recognition got faster (no more "start enrichment, then realize it's a known FP"), and analyst satisfaction improved measurably (we ran an internal pulse survey).
The cost: roughly INR 18 lakh in platform/integration work plus 4 months of one of our SOC engineers' time. Payback period: under 9 months on labor savings alone, before counting incident-cost-avoidance.
Frequently Asked Questions
What is the difference between SIEM and SOAR?
SIEM detects: it correlates logs and raises alerts. SOAR responds: it takes alerts (from SIEM, XDR, or anywhere else), enriches them, applies decision logic, and executes actions (notify, ticket, contain, remediate). Most modern SIEM platforms include built-in SOAR capability; standalone SOAR platforms (Splunk SOAR, Cortex XSOAR, Tines) offer deeper automation for organizations with complex needs.
Which incident types should be automated first?
High-volume, low-judgment workflows: phishing triage, suspicious login enrichment, malware detection follow-up, leaked credential checks, DNS sinkhole matches. These cover 50-70% of typical SOC alert volume and have well-understood decision logic. Save complex, judgment-heavy incidents (insider threats, sophisticated APT activity, business email compromise) for human investigation.
How do we prevent SOAR automations from causing damage?
Tiered governance. Enrichment actions can be fully automated. Reversible actions (forced password reset, email quarantine) should have audit and rollback. Blast-radius actions (endpoint isolation, account disable, firewall block) should require one-click human approval, which preserves speed while keeping judgment. Test playbooks in a staging environment with realistic data before production deployment.
Can SOAR replace SOC analysts?
No, and that is not the goal. SOAR removes repetitive enrichment work so analysts can spend time on judgment, hunting, and incident commander roles. Our experience: a SOC that adds SOAR can handle 2-3x the alert volume with the same headcount, but the headcount remains essential.
How long does a SOAR deployment take?
Initial deployment with 3-5 playbooks: 6-10 weeks. Mature deployment covering 15-25 playbooks across most common incident types: 6-9 months. Most of the time goes into playbook design (mapping real decision logic) and integration testing, not into the SOAR platform itself.
What does SOAR cost for an Indian enterprise?
Highly variable. Microsoft Sentinel SOAR (Logic Apps) costs essentially nothing beyond per-execution Azure consumption, typically INR 5-15 lakh/year. Standalone SOAR platforms (Splunk SOAR, Cortex XSOAR) license at INR 30-80 lakh/year for mid-size deployments. Implementation by experienced consultants: INR 15-40 lakh one-time. Most enterprises see payback in 9-15 months from labor savings.
Is SOAR a fit for a small SOC with 3-4 analysts?
Yes, arguably more so than for a large SOC. Small SOCs benefit disproportionately because their analyst time is the bottleneck. The constraint is engineering capacity to build and maintain playbooks. Many small SOCs partner with a managed SOC provider (like our team) to operate SOAR on their behalf rather than building the capability in-house.
Automate Your SOC Without Losing Control
Codesecure designs and operates SOAR-led detection and response programs for Indian enterprises. ISO/IEC 27001:2022 certified, named engineers, Microsoft Sentinel + Splunk + Tines expertise. Fixed-price engagements.