SOAR (Security Orchestration, Automation and Response) Implementation at iQIYI: Architecture, Scenarios, and Roadmap
iQIYI’s SOAR platform, built on StackStorm and the Walkoff visual editor, integrates security components, scripts, chat‑ops bots, and a mini‑program to automate detection and response, cutting MTTR by roughly 75% across high‑frequency routine tasks and low‑frequency critical incidents while planning broader coverage and knowledge‑base expansion.
SOAR (Security Orchestration, Automation and Response) was first introduced by Gartner in 2015. It aims to improve security operations by automating detection, analysis, and response.
Security teams often face a shortage of personnel and increasing complexity of threats, leading to high MTTD (Mean Time to Detect) and low detection rates. SOAR addresses these challenges by shifting interaction from humans to security tools, reducing MTTR (Mean Time to Respond) and increasing operational productivity.
iQIYI’s SOAR system integrates several core components: a workflow engine, a graphical orchestration module, security components and scripts, an IM bot, and a mini‑program. The overall architecture is illustrated below.
The workflow engine is built on StackStorm, a modular, horizontally scalable orchestration platform that provides a web UI, CLI, and REST API. StackStorm’s advantages include YAML‑based workflow definition, webhook and sensor support, Python integration, and conditional logic (fork/join) suitable for security workflows.
Key StackStorm workflow steps:
Sensor detects and triggers an event.
Rules Engine matches the event against policies and creates a task.
Worker executes the task, typically invoking external security services.
StackStorm records audit details of the task execution.
The result is fed back to the Rules Engine for further processing.
For graphical orchestration, iQIYI integrated the open‑source Walkoff front‑end, providing a drag‑and‑drop workflow editor.
Security components correspond to StackStorm actions, wrapped in Python to interface with existing security services. Security scripts correspond to StackStorm workflows, reusing components to improve development efficiency. Version control and rollback are handled via GitLab.
Two main deployment scenarios are covered:
High‑frequency scenario: routine operational tasks of lower severity but high repetition, such as automatically re‑verifying a vulnerability ticket once the owner marks it fixed.
Low‑frequency scenario: high‑severity incidents that require a rapid, automated response, e.g., automatic investigation of a service intrusion or a high‑risk vulnerability alert.
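The sensor → rules engine → worker → feedback loop described above, applied to the high‑frequency ticket re‑verification scenario, written out as the three StackStorm artifacts iQIYI's architecture maps onto (a Python‑wrapped action as the security component, a rule for the rules engine, and an Orquesta workflow as the security script). This is an added illustration, not iQIYI's own code; the pack name, action names, webhook URL, ticket fields and the `reproducible` result key are all assumed, and the three documents would normally live in separate files in the pack.

```yaml
# actions/verify_vuln_fix.yaml  (security component = StackStorm action; names assumed)
---
name: verify_vuln_fix
pack: iqiyi_soar                  # assumed pack name
description: Re-check whether a reported finding is still reproducible on the asset
runner_type: python-script
entry_point: verify_vuln_fix.py   # Python wrapper calling the internal scanner service
enabled: true
parameters:
  asset:      {type: string, required: true}
  finding_id: {type: string, required: true}

# rules/on_ticket_marked_fixed.yaml  (Rules Engine: match the event, create a task)
---
name: on_ticket_marked_fixed
pack: iqiyi_soar
enabled: true
trigger:
  type: core.st2.webhook          # ticket system POSTs to /api/v1/webhooks/ticket_fixed
  parameters: {url: ticket_fixed}
criteria:
  trigger.body.status:   {type: equals, pattern: fixed}
  trigger.body.severity: {type: matchregex, pattern: "^(low|medium)$"}  # routine tickets only
action:
  ref: iqiyi_soar.verify_fix_ticket    # the workflow below, registered as an orquesta action
  parameters:
    ticket_id:  "{{ trigger.body.ticket_id }}"
    asset:      "{{ trigger.body.asset }}"
    finding_id: "{{ trigger.body.finding_id }}"

# actions/workflows/verify_fix_ticket.yaml  (security script = Orquesta workflow reusing components)
---
version: 1.0
description: Verify a ticket marked fixed, then close it or reopen it with the evidence
input: [ticket_id, asset, finding_id]
tasks:
  verify:
    action: iqiyi_soar.verify_vuln_fix asset=<% ctx().asset %> finding_id=<% ctx().finding_id %>
    next:
      - when: <% succeeded() and not result().result.reproducible %>
        do: close_ticket
      - when: <% succeeded() and result().result.reproducible %>
        do: reopen_ticket
      - when: <% failed() %>          # scanner error: fail loudly, leave the ticket to a human
        do: fail
  close_ticket:
    action: iqiyi_soar.ticket_update ticket_id=<% ctx().ticket_id %> status=closed
  reopen_ticket:
    action: iqiyi_soar.ticket_update ticket_id=<% ctx().ticket_id %> status=reopened comment="Still reproducible"
```

StackStorm records every execution of the workflow and its child actions in its audit history, which is the "audit details" step in the list above; the rule criteria keep high‑severity tickets out of this routine path so they can be routed to the low‑frequency incident playbook instead.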
Metrics demonstrated a ~75% reduction in MTTR after SOAR adoption at iQIYI.
Current progress includes the implementation of 35 security components, 11 security scripts, and 17 service integrations, along with mobile mini‑programs and chat‑ops bots for on‑the‑go incident handling.
Future roadmap focuses on expanding component coverage, building a case and knowledge base for intelligent analysis, and refining metric accuracy to drive data‑based decisions.
References include articles on SOAR implementations, workflow engines, and related open‑source projects such as Walkoff.
iQIYI Technical Product Team