SOAR — Automated Response
A playbook is a trigger plus ordered steps, with a full run history. Steps run real Fleet active-response — but every destructive action is dry-run by default and guarded by three independent gates.
- Best-of: Palo Alto Cortex XSOAR · Google SecOps SOAR
- Module: nexus_secops/soar.py
- Edition: Pro/Enterprise for real active-response
- API: /api/v1/soar/playbooks · /soar/runs · /soar/run
What it does
When a trigger matches an alert or an XDR incident, SOAR runs the playbook's steps and records exactly what happened. Steps include real endpoint actions — block_ip, enable_firewall, kill_process, disable_guest, harden — plus notify and incident-status changes.
Safe by default — the triple gate. A destructive step only executes for real when all three gates are open: the playbook mode is active (not dry_run), the license includes active_response, and the agent's policy.ar_allowed_actions permits that action. A protected-IP allowlist means you can never block yourself out. In dry-run, a step only logs what it would do.
How to use it
1. Review playbooks
The dashboard SOAR view lists each playbook's trigger, mode and enabled state, plus recent runs.
```bash
GET /api/v1/soar/playbooks
GET /api/v1/soar/runs
```
2. Arm a playbook when you trust it
Flip a playbook from dry-run to active only after you have watched its dry-runs.
```bash
POST /api/v1/soar/playbook/mode { "id": "PB-NDR-BLOCK", "mode": "active" }
```
3. Run manually
Trigger a playbook against a specific alert/incident from the console.
```bash
POST /api/v1/soar/run { "id": "PB-SUSPROC-KILL", "ref_id": "<alert-or-incident-id>" }
```
Built-in playbooks
- PB-CRITICAL-NOTIFY — notify on any critical alert (active by default; notify is safe).
- PB-INTRUSION-RESPOND — on an intrusion incident: notify, block the attacker IP, harden, ack.
- PB-WEBATTACK-BLOCK — block the source IP of a web attack.
- PB-SUSPROC-KILL — kill a suspicious process on the endpoint.
- PB-FIREWALL-ON — re-enable a disabled host firewall.
- PB-TI-BLOCK — block the IOC behind a threat-intel match.
- PB-UEBA-NOTIFY — alert an analyst on a behavioral anomaly.
- PB-CLOUD-NOTIFY — notify the cloud team on a risky misconfiguration.
- PB-NDR-BLOCK — block a C2/beaconing destination.
How it feeds the pipeline
SOAR is the "hands" at the end of the chain. The detectors raise alerts, XDR builds incidents, the AI prioritizes and even suggests which playbook fits — and SOAR sends the action back down to the agent.
Tips
- Keep destructive playbooks in dry_run until their run history looks right.
- Runs are de-duplicated per (playbook, entity) so an automated response never storms.
- Every run is auditable — who/what/when is recorded for compliance.
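The triple gate and protected-IP allowlist described under "What it does", together with the per-(playbook, entity) de-duplication and the who/what/when audit record from the tips above, as an added Python example. This is not code from nexus_secops/soar.py; the class names, the management ranges placed on the allowlist, the sample license and policy sets, and the `refused` outcome for a protected address are assumptions made for illustration.

```python
# Added example (not the project's own nexus_secops/soar.py): a minimal model of the
# SOAR triple gate, the protected-IP allowlist, per-(playbook, entity) run
# de-duplication and the audit record. Class names, the allowlisted ranges and the
# sample policy/license contents are assumptions.
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Set, Tuple

# Endpoint actions the page lists as destructive; notify and status changes are safe.
DESTRUCTIVE_ACTIONS = {"block_ip", "enable_firewall", "kill_process", "disable_guest", "harden"}

# Constructed allowlist: ranges the platform must never block (e.g. its own management net).
PROTECTED_NETS = [ipaddress.ip_network("10.10.0.0/24"), ipaddress.ip_network("127.0.0.0/8")]


@dataclass
class Playbook:
    id: str
    mode: str = "dry_run"                                        # "dry_run" or "active"
    steps: List[Tuple[str, str]] = field(default_factory=list)   # (action, entity) pairs


@dataclass
class Context:
    license_features: Set[str]     # gate 2: must contain "active_response"
    ar_allowed_actions: Set[str]   # gate 3: the agent policy's ar_allowed_actions
    actor: str = "soar"            # recorded as "who" in the audit trail


def is_protected(ip: str) -> bool:
    """True when the entity is an IP address inside one of the protected ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in PROTECTED_NETS)


def gate_decision(pb: Playbook, ctx: Context, action: str, entity: str) -> Tuple[str, List[str]]:
    """Return ('execute' | 'dry_run' | 'refused', reasons) for one playbook step."""
    if action not in DESTRUCTIVE_ACTIONS:
        return "execute", ["non-destructive action"]
    # Allowlist first: a protected address is never blocked, even with all gates open.
    if action == "block_ip" and is_protected(entity):
        return "refused", [f"{entity} is on the protected-IP allowlist"]
    closed = []
    if pb.mode != "active":
        closed.append("playbook mode is dry_run")
    if "active_response" not in ctx.license_features:
        closed.append("license does not include active_response")
    if action not in ctx.ar_allowed_actions:
        closed.append(f"policy.ar_allowed_actions does not permit {action}")
    if closed:                       # any closed gate fails closed: log only
        return "dry_run", closed
    return "execute", ["all three gates open"]


class Runner:
    """Runs playbooks, de-duplicating per (playbook, entity) and auditing every step."""

    def __init__(self, ctx: Context):
        self.ctx = ctx
        self.seen: Set[Tuple[str, str]] = set()
        self.audit: List[Dict[str, str]] = []

    def run(self, pb: Playbook, ref_id: str) -> List[Dict[str, str]]:
        results = []
        for action, entity in pb.steps:
            key = (pb.id, entity)
            if key in self.seen:     # this playbook already responded to this entity
                outcome, reasons = "deduplicated", ["run already recorded for (playbook, entity)"]
            else:
                self.seen.add(key)
                outcome, reasons = gate_decision(pb, self.ctx, action, entity)
            record = {                # who / what / when, kept for every run
                "who": self.ctx.actor,
                "when": datetime.now(timezone.utc).isoformat(),
                "playbook": pb.id, "ref_id": ref_id,
                "action": action, "entity": entity,
                "outcome": outcome, "reason": "; ".join(reasons),
            }
            self.audit.append(record)
            results.append(record)
        return results
```

A step with any gate closed comes back as `dry_run` with every closed gate named in `reason`, which is the information an analyst needs when deciding whether a playbook is ready to be armed; a protected address is refused outright rather than merely dry-run, so the run history shows that the allowlist, not a closed gate, stopped the block.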
Automation you can trust. SOAR is built to fail closed. Nothing destructive happens until you deliberately open all three gates.