Automated Incident Response
Contain threats in seconds, not hours. Coordinate response actions across your security stack with Python playbooks.
Why automate incident response?
When a security incident is confirmed, speed matters. Every minute between detection and containment is a minute the attacker has to move laterally, exfiltrate data, or escalate privileges.
Manual incident response is slow because it involves multiple tools and multiple teams:
- Isolate the compromised host (EDR console)
- Block the attacker's IP (firewall console)
- Disable the compromised account (Active Directory / IdP)
- Preserve forensic evidence (endpoint collection tool)
- Notify stakeholders (email, Slack, ticketing system)
- Document everything (case management, compliance records)
An analyst doing this manually across 4-6 different consoles takes 30-60 minutes minimum. An automated playbook does it in under a minute.
Incident response with OpenSOAR
Automated containment
import asyncio

# The playbook decorator and the action helpers used below (isolate_host,
# block_ip, disable_user, collect_forensics, create_incident) are OpenSOAR's.
@playbook(trigger="alert.severity_changed", condition={"severity": "critical"})
async def contain_threat(alert):
    # Immediate containment: the three actions are independent, so run them in parallel
    await asyncio.gather(
        isolate_host(alert.hostname),
        block_ip(alert.source_ip, duration="24h"),
        disable_user(alert.username, reason="Security incident"),
    )
    # Preserve evidence before remediation
    await collect_forensics(alert.hostname)
    # Notify the IR team
    await create_incident(
        alert=alert,
        severity="critical",
        channel="#incident-response",
    )

Human-in-the-loop for high-impact actions
Not every response action should be fully automated. Disabling a VIP account or isolating a production server needs human approval. OpenSOAR supports approval gates:
    # Inside a playbook body: gate the high-impact action on a human decision
    if alert.asset_criticality == "production":
        approved = await request_approval(
            action="isolate_host",
            target=alert.hostname,
            approvers=["@security-lead"],
            timeout_minutes=15,
        )
        if not approved:
            await escalate(alert, reason="Containment requires approval")
            return

Coordinated response across tools
Real incident response spans multiple tools. OpenSOAR orchestrates them all from a single playbook:
- EDR: Isolate hosts, collect artifacts, run remote scans
- Firewall: Block IPs, domains, update threat feeds
- Identity: Disable accounts, force password resets, revoke sessions
- Email: Search for and quarantine related phishing emails
- Ticketing: Create incidents, update status, assign teams
- Communication: Notify stakeholders via Slack, Teams, or email
IR playbook templates
OpenSOAR includes example playbooks for common incident types:
- Malware containment — Isolate host, quarantine file, block C2, collect forensics
- Phishing response — Extract IOCs, search mailboxes, quarantine emails, block sender
- Compromised account — Disable account, revoke sessions, check for lateral movement
- Data exfiltration — Block destination, preserve evidence, assess data scope
- Ransomware — Network isolation, identify spread, preserve backups, notify leadership
Compliance and documentation
Every action OpenSOAR takes is logged with timestamps, inputs, outputs, and the analyst who approved it. This creates an automatic audit trail that satisfies compliance requirements for:
- SOC 2 incident response documentation
- GDPR breach notification timelines
- HIPAA security incident procedures
- PCI DSS incident response requirements
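As an added example that is not OpenSOAR's code, the following standalone Python models the pattern from the containment and approval-gate playbooks above together with the audit trail this section describes: a production asset needs an approver's verdict within a timeout, no verdict means escalate rather than contain, and every action is recorded with a timestamp, its inputs and its result. The Alert class, the action stand-in, the two approvers and the sub-second timeout (the page uses 15 minutes) are constructed assumptions, not the OpenSOAR API.

```python
import asyncio
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class Alert:  # constructed stand-in for an OpenSOAR alert object
    hostname: str
    source_ip: str
    username: str
    asset_criticality: str  # "production" turns on the approval gate
AUDIT = []  # one record per action: timestamp, name, inputs, result
async def action(name, **inputs):
    # Hypothetical stand-in for an integration call (EDR, firewall, IdP).
    AUDIT.append({"ts": datetime.now(timezone.utc).isoformat(),
                  "action": name, "inputs": inputs, "result": "ok"})
    return "ok"
async def request_approval(approver, timeout_s):
    # No verdict within the timeout counts as "not approved", never as approved.
    try:
        return await asyncio.wait_for(approver(), timeout_s)
    except asyncio.TimeoutError:
        return False

async def contain_threat(alert, approver, timeout_s):
    if alert.asset_criticality == "production":
        approved = await request_approval(approver, timeout_s)
        await action("approval_gate", target=alert.hostname, approved=approved)
        if not approved:
            await action("escalate", reason="Containment requires approval")
            return False
    # The containment steps are independent, so run them concurrently.
    await asyncio.gather(
        action("isolate_host", hostname=alert.hostname),
        action("block_ip", ip=alert.source_ip, duration="24h"),
        action("disable_user", username=alert.username, reason="Security incident"),
    )
    await action("collect_forensics", hostname=alert.hostname)
    return True

def respond(alert, approver, timeout_s=0.05):
    # Synchronous entry point: returns (contained?, ordered list of logged actions).
    AUDIT.clear()
    contained = asyncio.run(contain_threat(alert, approver, timeout_s))
    return contained, [e["action"] for e in AUDIT]
async def approve_now():  # constructed approver: answers immediately
    return True
async def no_answer():  # constructed approver: never replies within the timeout
    await asyncio.sleep(60)
    return True
```

Running respond() with no_answer on a production alert yields (False, ["approval_gate", "escalate"]); the same approver on a non-production alert skips the gate and contains the host.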
Build incident response playbooks in Python. Get started with OpenSOAR →
One command. No credit card.
Apache 2.0 licensed. Self-host on your infrastructure. No feature gates, no per-action billing, no vendor lock-in. Your playbooks are yours.
curl -fsSL https://opensoar.app/install.sh | sh