SOAR — security alert va incidentlarni enrichment, workflow, case management va avtomatik response orqali boshqaradigan platforma va yondashuv. To‘liq nomi Security Orchestration, Automation and Response.
SOAR turli security vositalarini API va connectorlar orqali birlashtirib, analyst bajaradigan takroriy qadamlarni playbook shaklida avtomatlashtiradi.
Orchestration
Orchestration bir nechta tizimdagi amallarni yagona workflow’da boshqaradi.
Masalan:
SIEM alerti
→ identity ma’lumoti
→ endpoint tekshiruvi
→ threat intelligence
→ ticket
→ userni vaqtincha bloklash
Har toolning alohida API’si SOAR connector orqali chaqiriladi.
Automation
Takroriy vazifalar avtomatik bajariladi:
- IP reputation tekshirish;
- domain enrichment;
- hash qidirish;
- user va asset ma’lumotini olish;
- duplicate alertni birlashtirish;
- ticket ochish;
- notification;
- evidence yig‘ish.
Automation analyst vaqtini murakkab qarorlarga qoldiradi.
Response
SOAR faqat ma’lumot yig‘maydi, ruxsat berilgan hollarda response ham bajaradi:
- endpoint isolation;
- account disable;
- token revoke;
- IP blok;
- email quarantine;
- URL block;
- password reset;
- cloud key disable.
Destructive yoki yuqori ta’sirli action approval talab qilishi mumkin.
Playbook
Playbook incident turi uchun qadamlar, shartlar va qarorlarni ifodalaydi.
- email metadata olish;
- URL va attachmentni tekshirish;
- recipientlarni topish;
- zararli bo‘lsa quarantine;
- user sessionini tekshirish;
- ticket va notification;
- closure evidence.
Playbook code kabi versionlanadi va test qilinadi.
Trigger
Workflow quyidagilar bilan boshlanishi mumkin:
Trigger source ishonchli va authenticated bo‘lishi kerak.
Enrichment
Raw indicator qo‘shimcha context bilan boyitiladi:
- WHOIS;
- DNS;
- sandbox;
- reputation;
- asset inventory;
- user role;
- geolocation;
- vulnerability;
- previous incident;
- business criticality.
Enrichment final qarorni avtomatik ravishda to‘g‘ri qilmaydi; source quality baholanadi.
Case management
Incident uchun yagona case yaratiladi.
Unda:
- alertlar;
- timeline;
- evidence;
- task;
- analyst note;
- decision;
- approval;
- affected asset;
- closure reason
saqlanadi.
Bu bir nechta jamoa orasidagi ishni muvofiqlashtiradi.
Human-in-the-loop
Barcha response avtomatik bo‘lishi shart emas.
Masalan, CEO accountini disable qilish yoki production serverni isolate qilishdan oldin analyst tasdig‘i kerak bo‘lishi mumkin.
Playbook qaror nuqtasida approval so‘raydi.
Confidence
Automatic response faqat signal ishonchi yetarli bo‘lsa bajariladi.
Masalan:
- bitta past ishonchli reputation source — faqat enrichment;
- EDR malware + C2 + file hash — isolation;
- ambiguous login — user verification.
Confidence threshold va evidence policy bilan belgilanadi.
Idempotency
Playbook qayta ishga tushishi mumkin.
Actionlar duplicate zarar yaratmasligi kerak.
Masalan, ayni IPni qayta bloklash xavfsiz bo‘lishi mumkin, ammo userga bir necha marta password reset yuborish noqulay.
Case va action ID orqali deduplication qilinadi.
Error handling
Connector unavailable yoki API xato bo‘lsa workflow:
qiladi.
Xatoni “success” deb yashirish incidentni yarim holatda qoldiradi.
Credential
SOAR ko‘p security toolga privileged accessga ega bo‘lishi mumkin.
Connector credentiallari:
bilan boshqariladi.
SOAR compromise katta blast radiusga ega bo‘lishi mumkin.
Approval va separation of duties
Playbookni yozgan inson uni productionga yakka o‘zi deploy qilmasligi mumkin.
Review va test:
- action scope;
- permission;
- rollback;
- failure;
- data exposure;
- legal ta’sir
ni tekshiradi.
High-risk response ikki bosqichli approval oladi.
Testing
Playbook simulated alert va test tenantda sinovdan o‘tadi.
Tekshiriladi:
- branchlar;
- timeout;
- connector error;
- duplicate trigger;
- approval;
- rollback;
- partial data;
- rate limit.
Productiondagi live containment faqat tasdiqlangan scope’da bajariladi.
Metrics
SOAR samaradorligi:
- mean time to acknowledge;
- mean time to respond;
- analyst vaqt tejalishi;
- automated action soni;
- playbook failure;
- false containment;
- manual handoff;
- case backlog
orqali o‘lchanishi mumkin.
Ko‘p automation doim yaxshi natija degani emas.
SIEM bilan bog‘lanish
SIEM detection va alert beradi.
SOAR alertni enrichment va response workflow’ga aylantiradi.
SIEM rule sifati yomon bo‘lsa SOAR noto‘g‘ri alertlarni tezroq avtomatlashtirishi mumkin.
Shuning uchun detection tuning va response guardrail birga ishlaydi.
Connector governance
Har connector qaysi API scope va actionlarga ega ekanini inventory qiladi. Yangi version yoki vendor API o‘zgarishi playbookni buzishi mumkin. Connector update test environmentda tekshiriladi va minimal privilege qayta ko‘rib chiqiladi.
Rollback
Automated response xato bo‘lsa qanday ortga qaytish ma’lum bo‘ladi. Masalan, bloklangan userni re-enable, IP rule’ni olib tashlash yoki quarantined emailni qaytarish. Har action qaytariladigan emas; secret revoke qilingach yangi secret chiqarish kerak.
Playbook ownership
Har playbookning business va technical owneri, review sanasi va maqsadi mavjud. Eski incident patterni uchun yozilgan workflow yillar davomida nazoratsiz qolmaydi. Qoidalar, API va organization jarayoni o‘zgarganda playbook yangilanadi.
Automation boundary
SOAR analyst qarorini qo‘llab-quvvatlashi kerak, yashirin ravishda barcha authority’ni egallamasligi kerak. Yuqori ta’sirli operationlarda clear evidence, approval va audit guardrail sifatida ishlaydi.
Manual task
API orqali avtomatlashtirib bo‘lmaydigan qadam playbook ichida analyst uchun aniq manual task sifatida yaratiladi. Unda kerakli evidence, deadline va yakuniy natijani kiritish maydoni bo‘ladi. Workflow inson qadamini kutib, keyin davom etadi.
Bog‘liq tushunchalar
Security Orchestration Automation and Response, Playbook, SIEM, Incident response, Case management, Automation, Enrichment, SOC, EDR, Human-in-the-loop