5 SOAR Playbooks Every MSP Should Have
Ready-to-implement SOAR playbook templates for ransomware, phishing, compromised accounts, malware, and data exfiltration incidents.
Security Orchestration, Automation, and Response (SOAR) playbooks turn your incident response from ad-hoc scrambling into repeatable, automated procedures. Here are the five playbooks every MSP and MSSP should have ready to go.
1. Ransomware Detection Response
Trigger: EDR detects encryption activity or ransomware indicators.
Automated Actions:
- Immediately isolate the affected endpoint from the network
- Kill suspicious processes identified by EDR
- Capture forensic snapshot (running processes, network connections, memory)
- Check for lateral movement indicators on adjacent endpoints
- Create a Sev1 incident ticket with all collected evidence
- Page on-call team via escalation policy
- Check backup status for the affected endpoint and linked servers
Human Actions: Assess scope of encryption, determine if data was exfiltrated, decide on recovery approach, coordinate client communication.
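The automated portion of this playbook, written out as an added Python example (not code from the original article or any particular SOAR product). It runs over constructed EDR telemetry embedded in the block, detects the encrypting process with a simple rename-rate heuristic that stands in for the EDR verdict, extends scope to adjacent hosts reached over SMB/RDP/WinRM after the first indicator, checks backup status for the endpoint and linked servers, and records the API calls a real implementation would make (EDR isolate/kill, PSA ticket, paging) as strings in `actions`; all host names, process names and the `edr.*`/`psa.*`/`pager.*` call names are assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed EDR telemetry for this example (synthetic, not real data).
# File events: (timestamp, host, process, pid, action, new_path)
FILE_EVENTS = [
    (f"2024-03-01T09:00:{i:02d}", "WS-014", "update.exe", 4412, "rename",
     f"C:\\Users\\alice\\Documents\\report{i}.docx.lockd") for i in range(25)
] + [
    (f"2024-03-01T09:00:{30 + i:02d}", "FS-01", "update.exe", 9001, "rename",
     f"D:\\Shares\\Finance\\ledger{i}.xlsx.lockd") for i in range(22)
] + [
    ("2024-03-01T09:00:05", "WS-014", "explorer.exe", 1300, "rename",
     "C:\\Users\\alice\\Desktop\\notes.txt"),
]
# Network events: (timestamp, src_host, dst_host, dst_port, process, pid)
NET_EVENTS = [
    ("2024-03-01T08:59:00", "WS-014", "DC-01", 389, "lsass.exe", 700),
    ("2024-03-01T09:00:10", "WS-014", "FS-01", 445, "update.exe", 4412),
    ("2024-03-01T09:00:12", "WS-014", "WS-015", 3389, "mstsc.exe", 2210),
    ("2024-03-01T09:00:14", "WS-014", "203.0.113.9", 443, "update.exe", 4412),
]
MANAGED_HOSTS = {"WS-014", "WS-015", "FS-01", "DC-01"}
# Last backup job per host: (completed_at, result)
BACKUP_STATUS = {
    "WS-014": ("2024-02-29T23:00:00", "ok"),
    "WS-015": ("2024-02-29T23:00:00", "ok"),
    "FS-01": ("2024-02-25T23:00:00", "failed"),
}
KNOWN_EXTENSIONS = {"docx", "xlsx", "pdf", "txt", "pptx", "jpg", "png"}
LATERAL_PORTS = {445, 3389, 5985, 5986}   # SMB, RDP, WinRM


def encrypting_processes(host, min_renames=20):
    """Processes on `host` that renamed many files to an unknown extension.
    A simple heuristic standing in for the EDR's own ransomware verdict."""
    counts = Counter()
    for _, h, proc, pid, action, path in FILE_EVENTS:
        if h == host and action == "rename":
            ext = path.rsplit(".", 1)[-1].lower()
            if ext not in KNOWN_EXTENSIONS:
                counts[(proc, pid)] += 1
    return sorted(key for key, n in counts.items() if n >= min_renames)


def first_indicator_time(host):
    """Earliest rename by an encrypting process on the host, or None."""
    suspects = set(encrypting_processes(host))
    times = [ts for ts, h, proc, pid, _, _ in FILE_EVENTS
             if h == host and (proc, pid) in suspects]
    return min(times) if times else None


def lateral_movement_candidates(host, since):
    """Managed hosts that `host` reached over admin protocols at or after `since`."""
    since_dt = datetime.fromisoformat(since)
    return sorted({dst for ts, src, dst, port, _, _ in NET_EVENTS
                   if src == host and dst in MANAGED_HOSTS
                   and port in LATERAL_PORTS
                   and datetime.fromisoformat(ts) >= since_dt})


def forensic_snapshot(host):
    """Processes and outbound connections observed for the host."""
    procs = {(proc, pid) for _, h, proc, pid, _, _ in FILE_EVENTS if h == host}
    procs |= {(proc, pid) for _, src, _, _, proc, pid in NET_EVENTS if src == host}
    conns = [(dst, port, proc) for _, src, dst, port, proc, _ in NET_EVENTS if src == host]
    return {"processes": sorted(procs), "connections": conns}


def run_ransomware_playbook(host):
    """Order of operations from the playbook; `actions` records the API calls
    a real implementation would make against the EDR, PSA and paging tools."""
    actions = [f"edr.isolate_host({host})"]          # contain first, investigate second
    encrypting = encrypting_processes(host)
    actions += [f"edr.kill_process({host}, pid={pid})" for _, pid in encrypting]
    snapshot = forensic_snapshot(host)
    since = first_indicator_time(host)
    adjacent = lateral_movement_candidates(host, since) if since else []
    adjacent_encrypting = [h for h in adjacent if encrypting_processes(h)]
    for h in adjacent_encrypting:                     # spread confirmed: contain those too
        actions.append(f"edr.isolate_host({h})")
        actions += [f"edr.kill_process({h}, pid={pid})" for _, pid in encrypting_processes(h)]
    backups = {h: BACKUP_STATUS.get(h, (None, "unknown")) for h in [host] + adjacent}
    backup_concerns = sorted(h for h, (_, result) in backups.items() if result != "ok")
    actions.append(f"psa.create_ticket(severity=Sev1, host={host})")
    actions.append("pager.page_oncall(policy=ransomware)")
    return {
        "severity": "Sev1",
        "host": host,
        "encrypting_processes": encrypting,
        "snapshot": snapshot,
        "adjacent_hosts": adjacent,
        "adjacent_encrypting": adjacent_encrypting,
        "backups": backups,
        "backup_concerns": backup_concerns,
        "actions": actions,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(run_ransomware_playbook("WS-014"), indent=2))
```

Isolation happens before any analysis because the cost of a few seconds of lost telemetry is far lower than the cost of another share being encrypted; note that the failed backup on the file server surfaces in `backup_concerns` before the human recovery decision is made.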
2. Phishing Email Reported
Trigger: User reports a suspicious email or email security flags a phishing attempt.
Automated Actions:
- Extract and analyze URLs and attachments from the reported email
- Search email logs for the same sender/subject across all mailboxes
- Quarantine matching emails across the organization
- Check if any user clicked the URL (web filter logs)
- If clicked: scan the user's endpoint for indicators of compromise
- Block sender domain in email security
- Create ticket with full analysis details
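The same steps as an added Python example (not from the original article). It builds the reported message in code so the block runs offline, parses it with the standard `email` library to extract URLs and attachment hashes from every MIME part, searches a constructed message-trace log for the same sender and subject, matches the extracted domains against a constructed web-filter log to find users whose request was allowed through, and records the quarantine, endpoint scan and sender-domain block as strings in `actions`; the `mail.*`/`edr.*`/`psa.*` call names, addresses and domains are all assumptions.

```python
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed message-trace log: (mailbox, sender, subject, message_id)
MAIL_LOG = [
    ("alice@example.net", "payroll@contoso-hr-portal.example", "Action required: payroll update", "m1"),
    ("bob@example.net", "payroll@contoso-hr-portal.example", "Action required: payroll update", "m2"),
    ("carol@example.net", "payroll@contoso-hr-portal.example", "Action required: payroll update", "m3"),
    ("dave@example.net", "newsletter@vendor.example", "March newsletter", "m4"),
]
# Constructed web-filter log: (user, url, verdict)
WEB_LOG = [
    ("bob@example.net", "https://hr-update.example/verify?u=bob", "allowed"),
    ("carol@example.net", "https://hr-update.example/verify?u=carol", "blocked"),
    ("dave@example.net", "https://intranet.example.net/", "allowed"),
]


def build_reported_email():
    """The user-reported message, constructed here so the example runs offline."""
    msg = EmailMessage()
    msg["From"] = "payroll@contoso-hr-portal.example"
    msg["To"] = "alice@example.net"
    msg["Subject"] = "Action required: payroll update"
    msg.set_content("Review your payroll change at http://contoso-hr-portal.example/login")
    msg.add_alternative('<p>Review <a href="https://hr-update.example/verify?u=alice">here</a></p>',
                        subtype="html")
    msg.add_attachment(b"%PDF-1.4 not a real document", maintype="application",
                       subtype="pdf", filename="payroll.pdf")
    return msg.as_bytes()


def analyze_email(raw_bytes):
    """Step 1: pull URLs and attachment hashes out of every MIME part."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    urls, attachments = set(), []
    for part in msg.walk():
        if part.is_attachment():
            data = part.get_payload(decode=True)
            attachments.append({"filename": part.get_filename(),
                                "sha256": hashlib.sha256(data).hexdigest()})
        elif part.get_content_type() in ("text/plain", "text/html"):
            urls.update(URL_RE.findall(part.get_content()))
    return {
        "sender": str(msg["From"]),
        "subject": str(msg["Subject"]),
        "urls": sorted(urls),
        "domains": sorted({urlsplit(u).hostname for u in urls}),
        "attachments": attachments,
    }


def find_matching_messages(analysis):
    """Step 2: same sender and subject in any mailbox."""
    return [(mbox, mid) for mbox, sender, subject, mid in MAIL_LOG
            if sender == analysis["sender"] and subject == analysis["subject"]]


def find_clicks(analysis):
    """Step 4: users whose web-filter log shows an allowed request to a phishing domain.
    Matching on hostname rather than the full URL catches per-recipient tracking links."""
    return sorted({user for user, url, verdict in WEB_LOG
                   if verdict == "allowed" and urlsplit(url).hostname in analysis["domains"]})


def run_phishing_playbook(raw_bytes):
    analysis = analyze_email(raw_bytes)
    matches = find_matching_messages(analysis)
    clicked = find_clicks(analysis)
    sender_domain = analysis["sender"].rsplit("@", 1)[-1]
    actions = [f"mail.quarantine(message_id={mid})" for _, mid in matches]   # step 3
    actions += [f"edr.scan_endpoint(user={u})" for u in clicked]              # step 5
    actions.append(f"mail.block_sender_domain({sender_domain})")             # step 6
    actions.append("psa.create_ticket(category=phishing)")                    # step 7
    return {
        "analysis": analysis,
        "affected_mailboxes": sorted(mbox for mbox, _ in matches),
        "clicked": clicked,
        "actions": actions,
    }
```

Blocked requests (carol's) are deliberately not treated as compromise: the filter did its job, so only users whose request was allowed get an endpoint scan queued.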
3. Compromised Account
Trigger: Impossible travel alert, MFA bypass detected, or anomalous login patterns from SIEM/UEBA.
Automated Actions:
- Disable the compromised account immediately
- Revoke all active sessions and tokens
- Check for mailbox rule changes (common in BEC attacks)
- Audit recent account activity (file access, email sends, permission changes)
- Check for new MFA devices or app passwords added
- Create incident ticket with timeline of suspicious activity
- Notify the affected user via secondary channel
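An added Python example of the automated steps (not code from the original article). It works over constructed sign-in and audit records: the impossible-travel check computes the great-circle distance between consecutive sign-ins and flags any pair whose implied speed exceeds what a commercial flight could cover, the audit pass then looks for forwarding or deleting inbox rules, new MFA registrations and outbound sends from the first suspicious sign-in onward, and everything is assembled into a sorted timeline for the ticket. The `idp.*`/`mail.*`/`psa.*`/`notify.*` call names, the operation names in the audit records and the locations are assumptions.

```python
import math
from datetime import datetime

# Constructed sign-in records: (timestamp, user, city, lat, lon, source_ip, mfa_satisfied)
LOGINS = [
    ("2024-03-01T08:05:00", "alice", "Chicago", 41.88, -87.63, "198.51.100.7", True),
    ("2024-03-01T08:50:00", "alice", "Lagos", 6.52, 3.38, "203.0.113.44", True),
]
# Constructed audit records: (timestamp, user, operation, details)
AUDIT = [
    ("2024-03-01T07:30:00", "alice", "FileAccessed", {"path": "/Finance/Q1-forecast.xlsx"}),
    ("2024-03-01T08:53:10", "alice", "New-InboxRule",
     {"name": ".", "forward_to": "collector@mailbox.example", "delete_message": True}),
    ("2024-03-01T08:55:42", "alice", "UserRegisteredSecurityInfo",
     {"device": "Authenticator on new phone"}),
    ("2024-03-01T09:01:00", "alice", "Send", {"to": "cfo@example.net", "subject": "Updated bank details"}),
]
MAX_SPEED_KMH = 900   # faster than a commercial flight: the two sign-ins cannot be one person


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def impossible_travel(user):
    """Consecutive sign-ins whose implied speed exceeds MAX_SPEED_KMH."""
    rows = sorted(r for r in LOGINS if r[1] == user)
    hits = []
    for prev, cur in zip(rows, rows[1:]):
        hours = (datetime.fromisoformat(cur[0]) - datetime.fromisoformat(prev[0])).total_seconds() / 3600
        km = haversine_km(prev[3], prev[4], cur[3], cur[4])
        speed = km / hours if hours > 0 else float("inf")
        if speed > MAX_SPEED_KMH:
            hits.append({"from": prev[2], "to": cur[2], "km": round(km), "kmh": round(speed),
                         "new_ip": cur[5], "first_seen": cur[0]})
    return hits


def audit_findings(user, since):
    """Mailbox rules, MFA enrolments and sends on or after `since`."""
    rows = [r for r in AUDIT if r[1] == user and r[0] >= since]
    rules = [d for _, _, op, d in rows if op == "New-InboxRule"
             and (d.get("forward_to") or d.get("delete_message"))]
    mfa = [d["device"] for _, _, op, d in rows if op == "UserRegisteredSecurityInfo"]
    sends = [d for _, _, op, d in rows if op == "Send"]
    return {"mailbox_rules": rules, "new_mfa_devices": mfa, "sends": sends}


def run_compromised_account_playbook(user):
    actions = [f"idp.disable_account({user})", f"idp.revoke_sessions({user})"]   # contain first
    travel = impossible_travel(user)
    since = travel[0]["first_seen"] if travel else min(r[0] for r in LOGINS if r[1] == user)
    findings = audit_findings(user, since)
    actions += [f"mail.remove_inbox_rule({user}, {r['name']!r})" for r in findings["mailbox_rules"]]
    actions += [f"idp.remove_mfa_device({user}, {d!r})" for d in findings["new_mfa_devices"]]
    timeline = sorted([(ts, "signin", f"{city} {ip}") for ts, u, city, _, _, ip, _ in LOGINS if u == user]
                      + [(ts, op, str(d)) for ts, u, op, d in AUDIT if u == user])
    actions.append(f"psa.create_ticket(category=account_compromise, user={user})")
    actions.append(f"notify.secondary_channel({user})")   # phone or manager, never the mailbox itself
    return {"user": user, "impossible_travel": travel, "since": since, **findings,
            "timeline": timeline, "actions": actions}
```

The audit window starts at the first suspicious sign-in rather than at the alert, so the rule created three minutes after the Lagos login is caught even though the alert may have fired later; a send to the CFO inside that window is exactly the BEC pattern the mailbox-rule check exists to surface.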
4. Malware Detected on Endpoint
Trigger: EDR detects malware execution or file quarantine.
Automated Actions:
- Quarantine the malicious file
- Kill associated processes
- Collect triage package (running processes, network connections, startup items, recent file changes)
- Scan for the same hash/indicators across all managed endpoints
- Check if the malware is known (threat intel lookup)
- Map to MITRE ATT&CK techniques
- Create ticket with severity based on malware classification
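An added Python example of this playbook's automated steps (not from the original article). The sample hash is computed from a dummy string, the threat-intel record and per-endpoint telemetry are constructed in the block, and the enterprise-wide sweep matches on both the file hash and DNS resolutions of the C2 domains the intel record lists, so hosts that fetched a payload with a different hash are still found. Severity comes from the classification and is raised one step when the sweep shows the sample on several hosts; the `edr.*`/`psa.*` call names and host names are assumptions, and the ATT&CK technique IDs are real IDs used only as sample mapping data.

```python
import hashlib

# Constructed sample and threat-intel record (synthetic; the hash is of a dummy string)
SAMPLE_HASH = hashlib.sha256(b"constructed sample for the example").hexdigest()
OTHER_HASH = hashlib.sha256(b"some benign file").hexdigest()
THREAT_INTEL = {
    SAMPLE_HASH: {
        "family": "ExampleLoader (constructed)",
        "classification": "trojan",
        "c2_domains": ["update-cdn.example"],
        "attack_techniques": ["T1059.001", "T1071.001"],  # PowerShell; Web Protocols C2
    },
}
SEVERITY_LADDER = ["Sev4", "Sev3", "Sev2", "Sev1"]
BASE_SEVERITY = {"ransomware": "Sev1", "infostealer": "Sev1", "trojan": "Sev2",
                 "adware": "Sev3", "pua": "Sev4", "unknown": "Sev2"}

# Constructed per-endpoint telemetry: file hashes seen, DNS queries, processes, startup items
ENDPOINTS = {
    "WS-021": {"files": {SAMPLE_HASH: "C:\\Users\\bob\\AppData\\Local\\Temp\\inv.exe"},
               "dns": ["update-cdn.example", "intranet.example.net"],
               "processes": [("inv.exe", 5120), ("powershell.exe", 5188), ("explorer.exe", 1100)],
               "connections": [("update-cdn.example", 443, "inv.exe")],
               "startup": ["HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\inv"],
               "recent_files": ["C:\\Users\\bob\\AppData\\Local\\Temp\\inv.exe"]},
    "WS-022": {"files": {}, "dns": ["update-cdn.example"], "processes": [], "connections": [],
               "startup": [], "recent_files": []},
    "WS-023": {"files": {OTHER_HASH: "C:\\Tools\\putty.exe"}, "dns": ["intranet.example.net"],
               "processes": [], "connections": [], "startup": [], "recent_files": []},
    "WS-024": {"files": {}, "dns": ["update-cdn.example"], "processes": [], "connections": [],
               "startup": [], "recent_files": []},
}


def lookup_intel(sha256):
    """Threat-intel lookup; unknown samples get a neutral record, not a skipped step."""
    return THREAT_INTEL.get(sha256, {"family": None, "classification": "unknown",
                                     "c2_domains": [], "attack_techniques": []})


def triage_package(host):
    """What a responder needs first: processes, connections, persistence, recent writes."""
    e = ENDPOINTS[host]
    return {k: e[k] for k in ("processes", "connections", "startup", "recent_files")}


def sweep_endpoints(sha256, c2_domains):
    """Every managed endpoint that has the file hash or resolved a C2 domain."""
    hits = []
    for host, e in sorted(ENDPOINTS.items()):
        if sha256 in e["files"]:
            hits.append((host, "hash", e["files"][sha256]))
        for d in e["dns"]:
            if d in c2_domains:
                hits.append((host, "c2-dns", d))
    return hits


def severity_for(classification, affected_hosts, escalate_at=3):
    """Base severity from the classification, raised one step when the spread is wide."""
    level = SEVERITY_LADDER.index(BASE_SEVERITY.get(classification, "Sev2"))
    if affected_hosts >= escalate_at:
        level = min(level + 1, len(SEVERITY_LADDER) - 1)
    return SEVERITY_LADDER[level]


def run_malware_playbook(host, sha256):
    e = ENDPOINTS[host]
    actions = [f"edr.quarantine_file({host}, {sha256[:12]}...)"]
    # kill only processes whose image is the quarantined file
    actions += [f"edr.kill_process({host}, pid={pid})" for name, pid in e["processes"]
                if e["files"].get(sha256, "").endswith("\\" + name)]
    package = triage_package(host)
    intel = lookup_intel(sha256)
    hits = sweep_endpoints(sha256, intel["c2_domains"])
    affected = sorted({h for h, _, _ in hits})
    severity = severity_for(intel["classification"], len(affected))
    actions.append(f"psa.create_ticket(severity={severity}, hosts={affected})")
    return {"host": host, "intel": intel, "triage": package, "sweep_hits": hits,
            "affected_hosts": affected, "severity": severity,
            "attack_techniques": intel["attack_techniques"], "actions": actions}
```

The sweep is what turns a single-endpoint alert into an incident: here a Sev2 trojan becomes Sev1 because two other endpoints resolved the same C2 domain even though neither has the original file.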
5. Data Exfiltration Alert
Trigger: SIEM detects unusual data transfer volume, connection to known exfiltration destinations, or DLP policy violation.
Automated Actions:
- Capture network flow data for the source endpoint
- Identify destination IPs/domains and classify (known good, suspicious, malicious)
- Check for running processes making the connections
- If malicious: isolate the endpoint
- Audit recent file access on the source endpoint
- Check for cloud storage sync (unauthorized Dropbox, Google Drive, etc.)
- Create Sev1 incident if data volume exceeds threshold
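The automated steps as an added Python example (not code from the original article). It aggregates constructed flow records per destination and process for the source endpoint, classifies each destination as sanctioned, unauthorized cloud sync, malicious or unknown using a constructed allowlist, a list of consumer sync-service suffixes and a constructed known-bad IP list, audits file access in the hour before the alert, and decides on isolation and severity from the classification and the unsanctioned byte count. The `edr.*`/`psa.*` call names, the 1 GB threshold, the resolved names and every address are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records: (timestamp, src_host, dst_ip, dst_port, bytes_out, process)
FLOWS = [
    ("2024-03-01T14:02:00", "WS-030", "192.0.2.10", 443, 180_000_000, "OneDrive.exe"),
    ("2024-03-01T14:05:00", "WS-030", "198.51.100.20", 443, 650_000_000, "Dropbox.exe"),
    ("2024-03-01T14:06:00", "WS-030", "203.0.113.50", 443, 2_900_000_000, "rclone.exe"),
    ("2024-03-01T14:09:00", "WS-030", "203.0.113.50", 443, 400_000_000, "rclone.exe"),
    ("2024-03-01T14:10:00", "WS-031", "192.0.2.10", 443, 20_000_000, "OneDrive.exe"),
]
# Constructed passive-DNS style mapping of destination IPs to names
RESOLVED = {"192.0.2.10": "contoso.sharepoint.com", "198.51.100.20": "api.dropbox.com",
            "203.0.113.50": "cdn-sync.example"}
# Constructed file-access audit: (timestamp, host, user, path)
FILE_ACCESS = [
    ("2024-03-01T13:40:00", "WS-030", "erin", "\\\\FS-01\\Finance\\customer-list.csv"),
    ("2024-03-01T13:55:00", "WS-030", "erin", "\\\\FS-01\\Finance\\contracts-2024.zip"),
    ("2024-03-01T11:00:00", "WS-030", "erin", "\\\\FS-01\\HR\\handbook.pdf"),
]
SANCTIONED_DOMAINS = {"contoso.sharepoint.com"}                # the client's approved cloud
CLOUD_SYNC_SUFFIXES = ("dropbox.com", "drive.google.com", "box.com", "mega.nz")
KNOWN_BAD_IPS = {"203.0.113.50"}                               # from the intel feed (constructed)
SEV1_BYTES = 1_000_000_000                                     # 1 GB unsanctioned outbound


def classify_destination(ip):
    name = RESOLVED.get(ip, "")
    if ip in KNOWN_BAD_IPS:
        return "malicious"
    if name in SANCTIONED_DOMAINS:
        return "sanctioned"
    if name.endswith(CLOUD_SYNC_SUFFIXES):
        return "unauthorized-cloud-sync"
    return "unknown"


def flows_for(host):
    """Aggregate bytes per destination/process pair for the source endpoint."""
    totals = defaultdict(int)
    for _, src, dst, port, nbytes, proc in FLOWS:
        if src == host:
            totals[(dst, port, proc)] += nbytes
    rows = [{"dst_ip": dst, "dst_name": RESOLVED.get(dst), "port": port, "process": proc,
             "bytes_out": n, "class": classify_destination(dst)}
            for (dst, port, proc), n in totals.items()]
    return sorted(rows, key=lambda r: r["bytes_out"], reverse=True)


def recent_file_access(host, before, window_minutes=60):
    """Files touched on the host in the window leading up to the transfer."""
    end = datetime.fromisoformat(before)
    start = end - timedelta(minutes=window_minutes)
    return sorted(path for ts, h, _, path in FILE_ACCESS
                  if h == host and start <= datetime.fromisoformat(ts) <= end)


def run_exfiltration_playbook(host, alert_time):
    rows = flows_for(host)
    classes = {r["class"] for r in rows}
    total_out = sum(r["bytes_out"] for r in rows if r["class"] != "sanctioned")
    actions = []
    if "malicious" in classes:
        actions.append(f"edr.isolate_host({host})")
    severity = "Sev1" if total_out > SEV1_BYTES else "Sev2"
    actions.append(f"psa.create_ticket(severity={severity}, host={host})")
    return {
        "host": host,
        "destinations": rows,
        "processes": sorted({r["process"] for r in rows if r["class"] != "sanctioned"}),
        "unauthorized_cloud": sorted(r["dst_name"] for r in rows if r["class"] == "unauthorized-cloud-sync"),
        "recent_files": recent_file_access(host, alert_time),
        "bytes_out_unsanctioned": total_out,
        "isolate": "malicious" in classes,
        "severity": severity,
        "actions": actions,
    }
```

Sanctioned traffic is excluded from the byte count so a legitimate OneDrive sync does not push an alert to Sev1 on its own; the known-bad check runs before the name-based checks so a malicious host with an innocuous-looking name is still isolated.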
Each of these playbooks should be tested regularly through tabletop exercises. The worst time to discover your playbook has a gap is during an actual incident.