Function App

SOAR functions send data to external function processors when triggered by playbooks, rules and workflows. This external code can then perform integration work, for example:

  1. Performing a lookup (e.g., for information about a user or machine in an asset database) and returning the data values found.
  2. Searching SIEM logs (e.g., for an IP address, a URL or a server name) and returning a list of events.
  3. Sending a file attachment to a sandbox for analysis, producing a report and a collection of observables.
  4. Opening a ticket in an ITSM system with a type, name and description, and returning the ticket ID.
  5. Triggering any other sort of external action, then returning results for use in playbooks, workflows, tasks and other decisions.

Function Flow

Functions provide the administrator with a flexible toolbox they can use to build playbooks that coordinate multiple activities.

A SOAR playbook can include steps that call functions. A function sends its input parameters to the function processor through a message destination, receives the results, and uses them to update the SOAR incident, to decide the direction of subsequent workflow steps, or in a variety of other ways.

For example, the LDAP Utilities function package contains multiple functions. Each function has example rules and workflows that are installed on the SOAR platform, and a corresponding function processor that runs in the App Host or on an integration server. Together, they initiate LDAP tasks from the SOAR platform against an external LDAP server and use the returned results to update incidents, artifacts, data tables and so on.

Procedure

A function app contains one or more functions, their message destinations, workflows that trigger the functions, rules that trigger the workflows, any scripts to process the data, and any custom fields or data tables to display the resulting data.

As with a customization app, first determine which components you need, as described in Customization App. Then perform the following:

  1. Create the components in your SOAR platform.
  2. Export them, then take the resulting resz file to your development environment.
  3. Use the SOAR SDK codegen to write the function processor.
  4. Use the SOAR SDK to package the components and the function processor as an app.
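The following is an added example, not code from this page or from the SOAR SDK, and it does not import resilient-circuits or reproduce what `resilient-sdk codegen` generates. It models only the contract described in Function Flow and in step 3 above: a playbook sends a function name and input parameters to a message destination, a registered function processor runs, and a results dictionary (with status messages) comes back for the playbook to branch on. The `function` registry decorator, the result keys (`success`, `reason`, `content`, `status`), the input parameter names and the asset and SIEM sample data are all constructed for this example. It covers the first two cases from the list above (asset lookup and SIEM search) and shows the failure path a processor should take when the playbook hands it a malformed parameter.

```python
"""Illustrative SOAR-style function processor (added example, not SDK code)."""
import re

FUNCTIONS = {}  # function name -> handler; stand-in for the SDK's registration


def function(name):
    """Register a handler for the named SOAR function (stand-in decorator)."""
    def register(handler):
        FUNCTIONS[name] = handler
        return handler
    return register


class FunctionInputError(ValueError):
    """The playbook supplied a missing or malformed input parameter."""


# Constructed sample data standing in for an external asset database and a SIEM.
ASSET_DB = {
    "ws-0042": {"owner": "a.lee", "ip": "10.1.2.42", "criticality": "high"},
    "srv-db-01": {"owner": "dbadmin", "ip": "10.9.0.15", "criticality": "critical"},
}
SIEM_EVENTS = [
    {"ts": "2024-05-01T10:00:01Z", "src_ip": "10.1.2.42", "event": "login_failed"},
    {"ts": "2024-05-01T10:00:09Z", "src_ip": "10.1.2.42", "event": "login_failed"},
    {"ts": "2024-05-01T10:02:40Z", "src_ip": "10.9.0.15", "event": "login_ok"},
]

HOSTNAME_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def require(params, key, pattern):
    """Pull one input parameter and reject anything that does not match the pattern."""
    value = str((params or {}).get(key, "")).strip().lower()
    if not value or not pattern.match(value):
        raise FunctionInputError(f"{key} is missing or malformed")
    return value


@function("asset_lookup")
def asset_lookup(params, status):
    """Case 1 from the list: look up a host in an asset database."""
    hostname = require(params, "asset_hostname", HOSTNAME_RE)
    status.append(f"Looking up asset '{hostname}'")
    record = ASSET_DB.get(hostname)
    if record is None:
        # Not found is a legitimate outcome, reported as a failed result, not an exception
        return {"success": False, "reason": "asset not found", "content": None}
    return {"success": True, "reason": None, "content": dict(record)}


@function("siem_search")
def siem_search(params, status):
    """Case 2 from the list: search SIEM events for a source IP address."""
    ip = require(params, "ip_address", IPV4_RE)
    status.append(f"Searching SIEM for events from {ip}")
    hits = [e for e in SIEM_EVENTS if e["src_ip"] == ip]
    status.append(f"{len(hits)} event(s) found")
    return {"success": True, "reason": None, "content": {"count": len(hits), "events": hits}}


def dispatch(message):
    """Route a message-destination payload to its function processor.

    Exceptions never escape: a bad input becomes a failed result the playbook
    can branch on, rather than an unhandled error in the workflow step.
    """
    status = []
    name = message.get("function")
    handler = FUNCTIONS.get(name)
    if handler is None:
        return {"success": False, "reason": f"unknown function '{name}'",
                "content": None, "status": status}
    try:
        result = handler(message.get("inputs"), status)
    except FunctionInputError as err:
        result = {"success": False, "reason": str(err), "content": None}
    result["status"] = status
    return result


if __name__ == "__main__":
    print(dispatch({"function": "asset_lookup", "inputs": {"asset_hostname": "WS-0042"}}))
    print(dispatch({"function": "siem_search", "inputs": {"ip_address": "10.1.2.42"}}))
    print(dispatch({"function": "siem_search", "inputs": {"ip_address": "10.1.2.42; drop"}}))
```

The point of `require` and the `try`/`except` in `dispatch` is that input parameters come from playbook fields an analyst or an upstream rule filled in, so the processor validates them before passing them on to the external system and always returns a result the playbook can evaluate, even on bad input.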

For code examples, see Community applications and examples.

See the App Developer’s Guide for the complete procedure to create the app. If using the SOAR platform, see the Playbook Designer Guide to create playbook components.

You can find both guides on IBM Documentation as described in the Reference topic.