Components
Main modules
Energy SOAR Base
Energy SOAR Base handles incident response management. It registers, tracks, and coordinates security incidents based on alerts from detection systems and other security tools. The module manages cases, incident artefacts, and analytical tasks performed by the SOC team. Integration with other platform components happens through the API, enabling automatic creation and update of incidents and enrichment of analytical data.
Energy SOAR Automation
Energy SOAR Automation handles automatic analysis and enrichment of incident-related data. It analyses artefacts such as IP addresses, domains, email addresses, file hashes, and URLs using external intelligence sources and analytical tools. Analyses run through a set of analyzers that query threat intelligence systems, malware sandboxes, and other security services. Results are passed to Energy SOAR Base and used in the incident handling process.
Energy SOAR Workflow
Energy SOAR Workflow handles process automation and orchestration between components of the security environment. It enables defining and running automated workflows (playbooks) that implement incident response scenarios. The module integrates with other systems through APIs and connectors, enabling automatic alert processing, analysis triggering, and response actions across platform components.
Supporting data stores
Apache Cassandra
Used by: Energy SOAR Base
Cassandra is the primary operational data store for the platform. It stores the structure and state of business objects — cases, alerts, observables, tasks, and their relationships — providing high availability, horizontal scalability, and fault tolerance. Binary attachments are not stored in Cassandra; they go to the object storage layer.
Elasticsearch
Used by: Energy SOAR Base and Energy SOAR Automation
For Energy SOAR Base, Elasticsearch provides the indexing and search layer. It is not the primary data store — that role belongs to Cassandra — but maintains search indices for full-text search, filtering, and aggregation in the UI. A lost index does not mean lost data; it can be rebuilt from Cassandra.
For Energy SOAR Automation, Elasticsearch serves simultaneously as the primary database, indexing layer, and search engine. It stores analyzer and responder results and analysis execution metadata.
Local storage
Used by: Energy SOAR Base
Energy SOAR Base stores binary file attachments on the local filesystem at
/opt/energysoar/files. Cassandra stores only file metadata; the file
contents go to the local storage directory. HDFS is supported as an
alternative storage provider.
Workflow database
Used by: Energy SOAR Workflow
The workflow module uses an embedded SQLite database in single-node deployments.
The database file is located at /var/lib/n8n/.n8n/database.sqlite. In
high-availability deployments, PostgreSQL is used instead.
nginx
nginx is the reverse proxy that fronts all web traffic. It terminates TLS and routes requests to the appropriate backend by path:
/base — Energy SOAR Base (port 9000)
/automation — Energy SOAR Automation (port 9001)
all other paths — Energy SOAR Workflow / n8n (port 5678)
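
The path routing described above, written as an nginx server block. This is an added example, not the platform's shipped configuration: the server name, certificate paths, loopback upstream addresses, unstripped path prefixes, and WebSocket headers for the workflow UI are all assumptions.

```nginx
# Added example: hostname, certificate paths and upstream addresses are placeholders.
server {
    listen 443 ssl;
    server_name soar.example.internal;              # placeholder hostname

    # TLS is terminated here; the backends receive plain HTTP.
    ssl_certificate     /etc/nginx/ssl/soar.crt;    # placeholder path
    ssl_certificate_key /etc/nginx/ssl/soar.key;    # placeholder path
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Headers the backends need to see the original client and scheme.
    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Energy SOAR Base. proxy_pass has no URI part, so the /base prefix is
    # forwarded unchanged (assumes the backend serves under that prefix).
    # Note: this is a prefix match, so any path starting with /base lands here.
    location /base {
        proxy_pass http://127.0.0.1:9000;
    }

    # Energy SOAR Automation.
    location /automation {
        proxy_pass http://127.0.0.1:9001;
    }

    # Everything else: Energy SOAR Workflow (n8n).
    location / {
        proxy_pass http://127.0.0.1:5678;
        # Assumption: the workflow UI uses WebSocket connections for live updates.
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

# Redirect plain HTTP to HTTPS so no session starts unencrypted.
server {
    listen 80;
    server_name soar.example.internal;
    return 301 https://$host$request_uri;
}
```

Because TLS ends at nginx, ports 9000, 9001 and 5678 should listen on loopback only or be firewalled from other hosts. Otherwise the backends remain reachable over plain HTTP, bypassing the proxy.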