Types of Apps

There are different types of apps to address the various use cases.

NOTE: Once written, you can package your app for use with an App Host, which is a Kubernetes-based container deployment environment, or an integration server, which is the older Resilient Circuits framework environment. These environments are described in App Environment - App Host and App Environment - Integration Server.

Customization

Description: Contains no executable code, only playbook components such as scripts, rules and workflows.

Use: Allows developers to write Python scripts along with associated rules and workflows that rely on data internal to the SOAR platform.

Tools needed: SOAR platform to create the components. SOAR SDK if you wish to package the components in an app format.

NOTE: If you are creating components for use with different SOAR platforms in your own environment, use the import and export feature in the SOAR platform instead.

Function

Description: A function is an object that sends data to a remote function processor through a message destination. The function processor is the code executable that performs an activity, then returns the results to the process that triggered it. This is the most common type of app.

Use: Allows developers to access incident data from function inputs, process that data, then return the result to the SOAR platform. Examples include integrating with other security systems, backing up incident data for archival purposes and a myriad of cybersecurity use cases.

Tools needed: SOAR platform to create the components and SOAR SDK to write the function processor and package the components in an app format.

Plugin

Description: A plugin is a type of app that communicates with the SOAR platform using the SOAR REST API but not necessarily using function or action processors. It allows you to create a tighter integration than is possible with functions or custom actions. Typically, a plugin is embedded in a different security system, such as QRadar or BigFix.

Use: Used only when your app requires direct access to SOAR capabilities that are not accessible from the other types. You must be familiar with the SOAR API, since the app interacts directly with the SOAR REST API. You can write your app in programming languages other than Python, such as Java, provided the language can make REST API calls and parse JSON data elements. If you use a Java-based language, you would typically use the ActiveMQ client library, which uses the OpenWire protocol. Libraries that support STOMP are available for most modern programming languages.

Tools needed: SOAR REST API Reference guide, which provides reference material for interacting with the REST API. SOAR Interactive REST API, which is a tool that provides developers interactive access to the IBM SOAR REST API. Otherwise, you provide your own programming environment.

Other Types

Custom Action: A custom action is a snapshot of incident data automatically sent by a rule to external code through a message destination. The action processor is the code executable that performs an activity, then optionally returns the results to the process that sent the data or to a custom field or data table through API calls.

Custom action apps are no longer in development. All existing custom action apps are still supported.

Custom Threat Service: A custom threat service is a service that sends artifacts from the SOAR platform to a cyber threat source of your choice for additional scanning. The threat source returns the results to the SOAR platform, which indicate any “hits” on the artifact.

Custom threat services are not supported in the App Host environment. Threat services are no longer in active development. All existing custom threat services are still supported in the integration server environment.

Web URL: A Web URL app provides pointers to specially constructed SOAR URLs that guide users through the automatic creation of an incident and other activities.

Web URL apps are no longer in development. All existing web URL apps are still supported.