A critical recipe for success when deploying a SOAR solution is having a good foundation of Security Business Goals, Processes, Team Roles and Measures of Success.
I have been working with many companies, and without these components, it's like shooting in the dark, hoping to hit the right target.
One of the most popular SOAR use cases at the moment is Phishing. It has high ROI appeal, but many SOC teams don't have a clear and consistent way to detect, let alone respond to, this business threat. They might have some high-level vision of how they think they handle it, but few details about what constitutes bad. Just saying you think it's bad is not sufficient. Does a VirusTotal score make it bad, perhaps combined with a Sandbox verdict, or some other threat intel?
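To make the "what constitutes bad" decision explicit rather than implicit, a phishing playbook can write its policy down as code: combine the VirusTotal detection ratio, the sandbox verdict and any threat-intel matches into a single score, and map that score to a verdict and a response action. The following is an added example and not code from the original post or from any SOAR product; the thresholds, weights, field names and the sample enrichment results are all assumptions constructed for illustration. It also handles the case the text hints at: when the evidence is simply unavailable (few engines responded, sandbox down), the email is marked inconclusive for an analyst rather than silently closed as clean.

```python
"""Phishing triage: combine enrichment signals into one verdict.

Added example, not from the original post. Thresholds, weights and field
names are assumptions chosen for illustration; the enrichment results
below are constructed sample data, not real scanner output.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Enrichment:
    """Evidence the playbook gathered for one suspicious email."""
    vt_malicious: int            # engines flagging the URL/attachment as malicious
    vt_total: int                # engines that returned a result
    sandbox_verdict: str         # "malicious", "suspicious", "clean" or "unavailable"
    intel_hits: List[str] = field(default_factory=list)  # matching threat-intel feeds


# Policy: the team's agreed definition of "bad" (assumed values).
VT_RATIO_BAD = 0.10          # at least 10% of engines flag it
VT_RATIO_SUSPICIOUS = 0.02   # a couple of engines, worth a second look
MIN_ENGINES = 20             # below this the ratio is not meaningful


def vt_ratio(e: Enrichment) -> float:
    """Fraction of responding engines that flagged the sample (0.0 if none responded)."""
    if e.vt_total == 0:
        return 0.0
    return e.vt_malicious / e.vt_total


def score(e: Enrichment) -> int:
    """Integer risk score; higher means more likely phishing."""
    s = 0
    ratio = vt_ratio(e)
    # VirusTotal only counts when enough engines actually returned a result
    if e.vt_total >= MIN_ENGINES:
        if ratio >= VT_RATIO_BAD:
            s += 60
        elif ratio >= VT_RATIO_SUSPICIOUS:
            s += 25
    # Sandbox verdict corroborates (or stands alone if VT was silent)
    s += {"malicious": 50, "suspicious": 20}.get(e.sandbox_verdict, 0)
    # Each corroborating threat-intel feed adds weight, capped so one
    # noisy source cannot dominate
    s += min(len(e.intel_hits) * 15, 30)
    return s


def verdict(e: Enrichment) -> str:
    """Map the score to a verdict; absence of evidence is not evidence of absence."""
    s = score(e)
    if s >= 60:
        return "malicious"
    if s >= 25:
        return "suspicious"
    # Nothing flagged: only call it clean if the evidence was actually available
    if e.vt_total >= MIN_ENGINES and e.sandbox_verdict != "unavailable":
        return "clean"
    return "inconclusive"  # route to a human, never auto-close


def action(e: Enrichment) -> str:
    """Response step the playbook takes for each verdict (assumed mapping)."""
    return {
        "malicious": "quarantine message, block indicators, notify user",
        "suspicious": "open analyst ticket, hold message",
        "inconclusive": "open analyst ticket, hold message",
        "clean": "close with note, keep indicators for retro-hunt",
    }[verdict(e)]


# Constructed sample enrichments (not real scan results)
CLEAR_PHISH = Enrichment(vt_malicious=15, vt_total=70,
                         sandbox_verdict="malicious", intel_hits=["feed-a"])
BENIGN_LINK = Enrichment(vt_malicious=1, vt_total=70, sandbox_verdict="clean")
BORDERLINE = Enrichment(vt_malicious=2, vt_total=70, sandbox_verdict="suspicious")
NO_EVIDENCE = Enrichment(vt_malicious=0, vt_total=5, sandbox_verdict="unavailable")
INTEL_ONLY = Enrichment(vt_malicious=0, vt_total=0, sandbox_verdict="unavailable",
                        intel_hits=["feed-a", "feed-b", "feed-c"])

if __name__ == "__main__":
    for name, e in [("CLEAR_PHISH", CLEAR_PHISH), ("BENIGN_LINK", BENIGN_LINK),
                    ("BORDERLINE", BORDERLINE), ("NO_EVIDENCE", NO_EVIDENCE),
                    ("INTEL_ONLY", INTEL_ONLY)]:
        print(f"{name:12} score={score(e):3} verdict={verdict(e):12} -> {action(e)}")
```

The point of writing the policy this way is that the thresholds become a reviewable artifact the SOC team can argue about and tune against measured outcomes, instead of a vague "we think it's bad" living in an analyst's head. The separate "inconclusive" verdict is what keeps an outage of one enrichment source from turning into a stream of automatically closed phishing reports.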
As I say nowadays, we "Verify and then, maybe, Trust". Remember, we are only as good as our last response to the last event.