Use Cases

Using apps to integrate with your existing IT security solutions, the SOAR platform provides a centralized platform for cyberattack investigation and remediation. Orchestrated response with intelligent automation across tools unlocks the value of your cyber security investments and makes your team smarter and faster.

There are levels of integration from the relatively simple to more complex and tightly integrated systems. The level of integration depends on your use case.

[Figure: integrations-1]

Monitoring and Escalation

When a significant event occurs, applications connect to the SOAR platform using the REST API to escalate incidents from email, SIEMs, ticketing systems, and other sources, and include artifacts such as IP addresses, file hashes, URLs, usernames and machine names.

The App Exchange contains two such apps, QRadar integration and Splunk Add-on.
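The escalation flow described above, as an added example that is not part of the original page or of the QRadar or Splunk apps: a constructed SIEM alert is turned into an incident payload, its indicators are validated and mapped to artifacts, and both are posted through an injectable sender so the logic can be exercised offline. The REST paths, the artifact type labels and the alert field names are assumptions for illustration, not verified product identifiers.

```python
import base64
import ipaddress
import json
import re
import urllib.request
from typing import Callable, Dict, List, Tuple

# Constructed sample SIEM alert; the field names are assumed, not from any real product.
SAMPLE_ALERT = {
    "rule": "Outbound connection to known-bad host",
    "host": "WKS-0421",
    "user": "jdoe",
    "dest_ip": "203.0.113.45",
    "url": "http://bad.example/payload.bin",
    "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
}

SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")
URL_RE = re.compile(r"^https?://\S+$")


def extract_artifacts(alert: Dict[str, str]) -> List[Dict[str, str]]:
    """Map alert fields to artifacts, dropping values that fail validation.

    The artifact type labels are assumed display names for illustration only.
    """
    artifacts: List[Dict[str, str]] = []
    for field, value in alert.items():
        if not value:
            continue
        if field.endswith("_ip"):
            try:
                ipaddress.ip_address(value)
            except ValueError:
                continue  # malformed IP: skip rather than create a bad artifact
            artifacts.append({"type": "IP Address", "value": value})
        elif field == "url" and URL_RE.match(value):
            artifacts.append({"type": "URL", "value": value})
        elif field == "sha256" and SHA256_RE.match(value):
            artifacts.append({"type": "Malware SHA-256 Hash", "value": value.lower()})
        elif field == "user":
            artifacts.append({"type": "User Account", "value": value})
        elif field == "host":
            artifacts.append({"type": "System Name", "value": value})
    return artifacts


def build_incident(alert: Dict[str, str]) -> Dict[str, str]:
    """Minimal incident body: a name and a description that records the source rule."""
    return {
        "name": alert["rule"],
        "description": (
            f"Escalated from SIEM rule '{alert['rule']}' "
            f"on host {alert.get('host', 'unknown')}"
        ),
    }


def http_post(url: str, body: dict, auth: Tuple[str, str]) -> dict:
    """POST a JSON body with HTTP basic auth and return the decoded JSON reply."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="POST")
    req.add_header("Content-Type", "application/json")
    token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def escalate(alert: Dict[str, str], base_url: str, org_id: int,
             auth: Tuple[str, str],
             sender: Callable[[str, dict, Tuple[str, str]], dict] = http_post) -> int:
    """Create the incident, then attach one artifact per validated indicator.

    Returns the new incident id. The two REST paths below are assumed for illustration.
    """
    inc_url = f"{base_url}/rest/orgs/{org_id}/incidents"
    created = sender(inc_url, build_incident(alert), auth)
    inc_id = int(created["id"])
    art_url = f"{base_url}/rest/orgs/{org_id}/incidents/{inc_id}/artifacts"
    for artifact in extract_artifacts(alert):
        sender(art_url, artifact, auth)
    return inc_id


if __name__ == "__main__":
    # Dry run: print what would be sent instead of contacting a server.
    def dry_run(url: str, body: dict, auth: Tuple[str, str]) -> dict:
        print("POST", url, json.dumps(body))
        return {"id": 1}
    escalate(SAMPLE_ALERT, "https://soar.example", 201, ("key-id", "key-secret"), dry_run)
```

Validation happens before anything is sent: a malformed IP or a hash of the wrong length is dropped, so a noisy alert cannot fill the incident with unusable artifacts that an analyst later has to clean up.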

[Figure: integrations-2]

Identification and Enrichment

Automatic threat intelligence lookups, workflows and menu-driven actions deliver valuable context and reduce the time needed to identify scope and impact, enabling a rapid, decisive response. Trigger sandbox evaluation and build rules to act on the results. Search logs and endpoints and make decisions based on the data. Include Configuration Management Database (CMDB) and directory information to help analysts make accurate assessments of severity and impact. Pivot on these critical data elements to dynamically adjust the way your team responds.

A list of threat intelligence apps is available on the App Exchange.
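The enrichment and rule-driven severity assessment described above, as an added example that is not part of the original page or of any App Exchange app: each artifact is looked up against constructed threat-intelligence, CMDB and directory tables standing in for the real sources, and simple scoring rules turn the combined context into a severity and a set of recommended next steps. The lookup tables, the weights and the thresholds are assumptions chosen for illustration.

```python
from typing import Dict, List

# Constructed lookup tables standing in for a threat intel feed, a CMDB and a directory.
THREAT_INTEL = {
    "203.0.113.45": {"verdict": "malicious", "confidence": 90},
    "198.51.100.7": {"verdict": "suspicious", "confidence": 40},
}
CMDB = {
    "WKS-0421": {"owner": "finance", "criticality": "high", "pci_scope": True},
    "LAB-07": {"owner": "research", "criticality": "low", "pci_scope": False},
}
DIRECTORY = {
    "jdoe": {"title": "Accounts payable clerk", "privileged": False},
    "adm_svc": {"title": "Domain admin service account", "privileged": True},
}


def enrich(artifacts: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Attach whatever context the lookup tables hold for each artifact.

    Artifacts are {"type": ..., "value": ...}; unknown values get an empty context
    so downstream rules can distinguish "no data" from "benign".
    """
    enriched = []
    for artifact in artifacts:
        context: Dict[str, object] = {}
        if artifact["type"] == "IP Address":
            context = dict(THREAT_INTEL.get(artifact["value"], {}))
        elif artifact["type"] == "System Name":
            context = dict(CMDB.get(artifact["value"], {}))
        elif artifact["type"] == "User Account":
            context = dict(DIRECTORY.get(artifact["value"], {}))
        enriched.append({**artifact, "context": context})
    return enriched


def assess(enriched: List[Dict[str, object]]) -> Dict[str, object]:
    """Apply assumed scoring rules to the enriched artifacts.

    Returns the numeric score, the severity band, the reasons that contributed,
    and the recommended next steps for the playbook.
    """
    score = 0
    reasons: List[str] = []
    for item in enriched:
        ctx = item["context"]
        value = item["value"]
        verdict = ctx.get("verdict")
        if verdict == "malicious" and ctx.get("confidence", 0) >= 70:
            score += 50
            reasons.append(f"{value} is a high-confidence malicious indicator")
        elif verdict in ("malicious", "suspicious"):
            score += 20
            reasons.append(f"{value} is flagged {verdict} by threat intel")
        if ctx.get("criticality") == "high":
            score += 30
            reasons.append(f"{value} is a high-criticality asset")
        if ctx.get("pci_scope"):
            score += 10
            reasons.append(f"{value} is in PCI scope")
        if ctx.get("privileged"):
            score += 30
            reasons.append(f"{value} is a privileged account")

    if score >= 70:
        severity, actions = "High", ["open containment task for affected host",
                                     "notify asset owner team", "request sandbox detonation"]
    elif score >= 40:
        severity, actions = "Medium", ["request sandbox detonation", "search endpoints for indicator"]
    else:
        severity, actions = "Low", ["monitor and close if no further activity"]
    return {"score": score, "severity": severity, "reasons": reasons, "next_actions": actions}


if __name__ == "__main__":
    sample = [{"type": "IP Address", "value": "203.0.113.45"},
              {"type": "System Name", "value": "WKS-0421"},
              {"type": "User Account", "value": "jdoe"}]
    print(assess(enrich(sample)))
```

Because every rule records a reason string, the resulting severity is explainable to the analyst who reviews it, and a wrong lookup table entry shows up as a visible reason rather than a silent score change.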

[Figure: integrations-3]

Containment, Response and Recovery

Based on trigger conditions or on manual actions, the system can send notifications or initiate external activities to contain the threat and adjust your security posture as part of your response playbook. The Ansible for SOAR app is an example of this type of integration.

[Figure: integrations-4]

Communication and Coordination

By integrating beyond the SOC, users can coordinate a fast and effective incident resolution from the platform. Integrate bi-directionally with ticketing and service management, smart notifications, communication platforms and other business applications. Email is a simple, representative example of communication and coordination; see the description of the Outbound Email for SOAR app.