Security orchestration, automation, and response (SOAR) is a good practice of security operations that enables the integration, automation, and collaboration of people, processes, and technologies to respond to security incidents effectively. Which of the following is not true?
A. Security operations entail ongoing day-to-day execution of security activities to enforce the security policy.
B. Orchestration requires SOPs, playbooks, work instructions, and other process documents.
C. Playbooks provide procedures that can be executed manually or automatically.
D. A SOAR platform responds to security events through runbooks and requires no human intervention.

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is D. A SOAR platform responds to security events through runbooks and requires no human intervention.

Some may treat runbooks as automated playbooks. However, the term playbook and runbook are often used interchangeably. Even though tasks can be automated by runbooks, they still may need human intervention.

In a computer system or network, a runbook is a compilation of routine procedures and operations that the system administrator or operator carries out. System administrators in IT departments and NOCs use runbooks as a reference.

Runbooks can be in either electronic or in physical book form. Typically, a runbook contains procedures to begin, stop, supervise, and debug the system. It may also describe procedures for handling special requests and contingencies. An effective runbook allows other operators, with prerequisite expertise, to effectively manage and troubleshoot a system.

Through runbook automation, these processes can be carried out using software tools in a predetermined manner.

Source: Wikipedia

SOAR as Good Practice

Wentz defines SOAR as follows:

Security orchestration, automation, and response (SOAR) is a good practice of security operations that enables the integration, automation, and collaboration of people, processes, and technologies to respond to security incidents effectively.

SOAR as Technologies

Most people treat SOAR as technologies for security operations centers (SOCs) to automate their detection and response to events. They also tend to treat orchestration as the implementation of SIEM for the integration of devices, collection and analysis of logs, and automation of response. However, automation is enabled by the “orchestration” of people, processes, and technologies. Playbooks or runbooks are nothing without people and processes. Gartner holds this traditional view as their glossary shows:

SOAR refers to technologies that enable organizations to collect inputs monitored by the security operations team.

• For example, alerts from the SIEM system and other security technologies — where incident analysis and triage can be performed by leveraging a combination of human and machine power — help define, prioritize and drive standardized incident response activities.
• SOAR tools allow an organization to define incident analysis and response procedures in a digital workflow format.

Source: Gartner Glossary

Reference

• What is SOAR?
• Security Orchestration, Automation and Response (SOAR)
• Splunk Phantom
• D3 SOAR: Security Orchestration and Automated Incident Response with MITRE ATT&CK
• Improving incident response with the NIST Cybersecurity Framework and security automation and orchestration (SAO)
• The top five pitfalls to avoid when implementing SOAR
• The Difference Between Playbooks and Runbooks in Incident Response
• SOAR Versus SIEM: The Fundamental Differences

安全協調、自動化和回應（SOAR）是安全操維運的一種優良實務作法，它讓人員，流程和技術能夠整合、自動化和協作，以有效回應安全事故。 以下哪一項是不正確的？
A. 安全維運需要執行日常的安全活動以落實安全策略。
B. 協調(Orchestration)需要SOP，劇本(playbook)，工作說明和其他流程文檔。
C. 劇本(playbook)可以提供人工作業或自動執行的程序。
D. SOAR平台通過自動化腳本(runbook)而完全不需要人工干預。