When I started building Presidio's SOAR component using Shuffle, I thought most of the work was done after designing the workflows. I was wrong. Playbook design is 20% of the work - the remaining 80% is handling edge cases, failure modes, false positives, and ensuring automation does not cause more damage than the attack it is trying to contain.
The 5 production playbooks
I currently have 5 active SOAR playbooks in Presidio: automatic Wazuh alert triage (classify by severity, deduplicate, enrich with context), SSH brute force response (correlate events, check IP against MISP, automatic blocking with threshold), malware detection and containment (endpoint isolation via Velociraptor, DFIR-IRIS case creation), automatic IOC enrichment (lookup on MISP, VirusTotal, AbuseIPDB for each IOC), and notification and escalation (severity-based routing, configurable SLA timelines).
The most important lesson: guardrails
The SSH brute force automatic response playbook has a threshold: it blocks the IP only after N failed attempts from a non-whitelisted IP, and only if the IP is not on a known partner list. Without this logic, on the first day it would have blocked a legitimate vendor who had mistyped their password three times. Guardrails in automation are not optional - they are the difference between a useful SOAR and a SOAR that causes incidents.
Another lesson: monitoring the playbooks themselves. A playbook that fails silently is worse than having no playbook. Every automation has a failure notification channel, a configured timeout, and a manual fallback mechanism. If the playbook cannot block an IP automatically, it creates the case and notifies the team with all the information for manual action - it does not fail silently.
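As an added example (not code from Presidio or from the original post), here are the guardrails from the SSH brute force playbook and the "never fail silently" fallback above, written as plain Python: per-IP failure counting, whitelist and partner-list checks before any block, and a case-plus-notification path when the block itself fails. The event tuple format, the GUARDRAILS dictionary and the block/case/notify stubs are assumptions made for the example.

```python
from collections import Counter
# Constructed Wazuh-style events as (source IP, rule id); all values are made up.
SAMPLE_EVENTS = (
    [("203.0.113.7", "sshd_auth_fail")] * 12     # unknown IP, over threshold
    + [("198.51.100.9", "sshd_auth_fail")] * 3   # vendor who mistyped 3 times
    + [("198.51.100.20", "sshd_auth_fail")] * 15 # listed partner, over threshold
    + [("10.0.0.5", "sshd_auth_fail")] * 20      # internal jump host, whitelisted
)
# Assumed configuration shape; in a real workflow these come from the SOAR variables.
GUARDRAILS = {"threshold": 10, "whitelist": {"10.0.0.5"}, "partners": {"198.51.100.20"}}

def decide(events, g=GUARDRAILS):
    """Per source IP: skip / watch / escalate / block. Only 'block' is automatic."""
    failures = Counter(ip for ip, rule in events if rule == "sshd_auth_fail")
    out = {}
    for ip, n in failures.items():
        if ip in g["whitelist"]:
            out[ip] = "skip:whitelisted"       # whitelisted even when above threshold
        elif n < g["threshold"]:
            out[ip] = "watch:below_threshold"
        elif ip in g["partners"]:
            out[ip] = "escalate:partner"       # never auto-block a known partner
        else:
            out[ip] = "block"
    return out

def respond(ip, decision, block_fn, create_case_fn, notify_fn):
    """Act on a decision; a failed block becomes a case plus a notification."""
    if decision == "block":
        try:
            block_fn(ip)
            return "blocked"
        except Exception as exc:               # firewall API down, timeout, ...
            case_id = create_case_fn(ip, f"auto-block failed: {exc}")
            notify_fn(f"manual block needed for {ip} (case {case_id})")
            return "manual_fallback"
    if decision == "escalate:partner":
        notify_fn(f"partner {ip} over threshold; analyst review before any block")
        return "escalated"
    return "no_action"

def run_demo():
    """Stub integrations; the firewall call is made to fail to show the fallback."""
    log = []
    def block(ip): raise RuntimeError("firewall API unreachable")
    def case(ip, why): log.append(f"case:{ip}:{why}"); return "CASE-1"
    def notify(msg): log.append(f"notify:{msg}")
    decisions = decide(SAMPLE_EVENTS)
    outcomes = {ip: respond(ip, d, block, case, notify) for ip, d in decisions.items()}
    return decisions, outcomes, log
```

Running `run_demo()` shows the vendor with three typos never reaches the block branch, the partner is escalated rather than blocked, and the attacker's failed block ends as a case and a notification instead of a silent drop.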
If you are implementing a SOAR, my advice is: start with a single simple playbook (alert triage is perfect), make it work reliably for a month, then expand. The most common mistake is trying to automate everything from day one. Automation must be incremental, tested, and always with a human plan B.
If you want to dive deeper into this topic or need specialized consulting, let's talk.