Overview
When a ransomware indicator triggers at 02:00, no analyst should need to manually walk through a containment checklist under pressure in the middle of the night. SOARCA-style playbook orchestration runs the structured response steps automatically: isolating the affected host, pulling threat intelligence, notifying the incident lead, and creating the case record. The analyst monitors progress and intervenes at decision points that require human judgement, rather than executing routine steps manually.
SOARCA Playbook Orchestration provides an operational view of automated response playbooks aligned to the CACAO security orchestration standard. The module gives teams visibility of execution volume, running playbooks, completion rates, failed runs, and recent execution activity so that response automation is governed with the same discipline as manual incident handling.
Open Standards
- OASIS CACAO v2.0 (Collaborative Automated Course of Action Operations): Playbooks are validated, parsed, stored, and exported in strict CACAO v2.0 JSON format, enforcing required fields (`type`, `spec_version`, `id`, `name`, `workflow`) and all CACAO step types defined in the specification.
- OpenC2 v1.1 (OASIS): Action steps within CACAO playbooks can carry OpenC2 commands that are dispatched directly to actuator endpoints using the `application/openc2+json;version=1.1` content type and the standard action/target/actuator message structure.
- SOARCA REST API (TNO open-source CACAO executor): Playbooks are submitted to and polled from a remote SOARCA instance over its published REST interface (`/api/v1/playbook/execute`, `/api/v1/execution/{id}`), enabling interoperability with any compliant SOARCA deployment.
- GraphQL: All execution queries and mutations (`soarcaExecutions`, `soarcaStats`, `submitSoarcaPlaybook`, `refreshSoarcaExecution`) are exposed through a typed GraphQL schema, allowing structured programmatic access to orchestration state.
- OAuth 2.0 Bearer Token (RFC 6750): Both the SOARCA orchestrator endpoint and the middleware API accept Bearer tokens for authentication, following the standard HTTP `Authorization: Bearer` header scheme.
- JSON (RFC 8259): CACAO playbooks are exchanged, stored, and exported as JSON documents; the serialisation layer validates and round-trips playbook content as well-formed JSON throughout the import/export lifecycle.
- ISO 8601: All execution timestamps (`submitted_at`, `completed_at`, `created`, `modified`) are serialised in ISO 8601 format, ensuring consistent time representation across playbook records and audit events.
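As an added example (not code from the SOARCA project or from this module), a Python pre-flight check that enforces the required fields, the CACAO v2.0 step types, intact step transitions and ISO 8601 timestamps listed above before a playbook is submitted to the `/api/v1/playbook/execute` endpoint. The step-type set and the `<type>--<uuid>` identifier convention are taken from the CACAO v2.0 specification; the sample playbook, its shortened step ids and the OpenC2 command content are constructed for the example.

```python
from datetime import datetime

# Required top-level fields named on the page, and the CACAO v2.0 step types.
REQUIRED = ("type", "spec_version", "id", "name", "workflow")
STEP_TYPES = {"start", "end", "action", "playbook-action", "parallel",
              "if-condition", "while-condition", "switch-condition"}


def validate_cacao(doc: dict) -> list:
    """Return the problems found; an empty list means the playbook passes pre-flight."""
    errors = ["missing required field: " + f for f in REQUIRED if f not in doc]
    if doc.get("type") != "playbook":
        errors.append("type must be 'playbook'")
    if doc.get("spec_version") != "cacao-2.0":
        errors.append("spec_version must be 'cacao-2.0'")
    workflow = doc.get("workflow") or {}
    if doc.get("workflow_start") not in workflow:
        errors.append("workflow_start must name a step present in workflow")
    for step_id, step in workflow.items():
        stype = step.get("type")
        if stype not in STEP_TYPES:
            errors.append(f"{step_id}: unknown step type {stype!r}")
        elif not step_id.startswith(stype + "--"):  # CACAO ids are <type>--<uuid>
            errors.append(f"{step_id}: id prefix does not match type {stype!r}")
        for ref in ("on_completion", "on_success", "on_failure"):
            if ref in step and step[ref] not in workflow:  # dangling transition
                errors.append(f"{step_id}: {ref} -> missing step {step[ref]!r}")
    for field in ("created", "modified"):  # ISO 8601 timestamps, as the page requires
        if field in doc:
            try:
                datetime.fromisoformat(doc[field].replace("Z", "+00:00"))
            except ValueError:
                errors.append(f"{field} is not an ISO 8601 timestamp")
    return errors


# Constructed sample: a three-step isolation workflow (step ids shortened for readability).
SAMPLE = {
    "type": "playbook", "spec_version": "cacao-2.0",
    "id": "playbook--6f1d4a2e-0a3b-4c8d-9e7f-123456789abc",
    "name": "Isolate host on ransomware indicator",
    "created": "2026-04-14T02:00:00Z", "modified": "2026-04-14T02:00:00Z",
    "workflow_start": "start--s1",
    "workflow": {
        "start--s1": {"type": "start", "on_completion": "action--a1"},
        "action--a1": {"type": "action", "name": "Isolate host", "on_completion": "end--e1",
                       "commands": [{"type": "openc2-http",  # OpenC2 command carried by the step
                                     "content": '{"action": "contain", "target": {"device": {"hostname": "ws-42"}}}'}]},
        "end--e1": {"type": "end"},
    },
}
```

Running the check before submission turns a malformed playbook into a rejected import rather than a failed run that only shows up later in the failure counters.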
Last Reviewed: 2026-03-25 Last Updated: 2026-04-14
Key Features
- Execution Inventory: Tracks total playbook execution volume across the environment, giving security leads a baseline for comparing automation activity across time periods.
- Running Playbook Visibility: Shows how many automations are currently in progress so operators can spot overload conditions or stalled runs quickly.
- Completion and Failure Monitoring: Summarises completed and failed playbook runs so teams can judge automation reliability and prioritise fixes to failing playbooks.
- Recent Playbook Awareness: Surfaces the latest executed playbook for fast situational awareness, particularly useful at shift changeover.
- Automation Governance Support: Gives security teams a concise operational view of automated response posture without requiring access to underlying orchestration infrastructure.
Use Cases
- Automated Incident Response: Security teams monitor active playbook runs and confirm that response automation is progressing correctly after a trigger event.
- CACAO Playbook Operations: Analysts supervise structured playbook execution for repeatable triage, containment, or remediation steps aligned to the CACAO standard.
- Automation Reliability Review: Engineering and operations teams track failed playbooks and identify where automation needs tuning or exception handling improvement.
- Shift Handover: Operators review recent and running automation before handing responsibility to the next shift, ensuring nothing active is missed during the transition.
Integration
- Playbook execution and orchestration services
- CACAO-aligned response workflows
- Security operations and cyber-response workbenches
- Response analytics and operational audit trails