How Smart SOAR Integrations are Built
2023-11-3 08:3:43 Author: securityboulevard.com

One of the most common reasons that SOAR users leave their existing solution and move to D3 is integration maintenance. In other SOAR tools, the out-of-the-box integrations leave the user with many issues to resolve, either through playbook automations or by improving the integration code themselves.

D3 is different in that we employ the largest number of integration developers in the industry. All integration research, development, and maintenance sits squarely on our shoulders and we do not expect or require our customers to do any coding.

In this article, I will go over a few examples of how our integrations are built to eliminate the time customers would otherwise spend maintaining or developing integrations.

Scenario 1: Multiple API Calls Needed to Complete One Action

APIs can often be fragmented, requiring multiple calls to different endpoints to accomplish a single task. This can complicate the automation process, leading to more intricate playbooks and increased room for error. Smart SOAR addresses this challenge by embedding multi-step API workflows directly into a single integration command, thereby abstracting the complexity away from the end-user.

For example, ingesting new security alerts from IBM QRadar requires calling three different endpoints in sequence. First, the integration POSTs the search request (headers plus payload) to the /api/ariel/searches endpoint:

A screenshot of Smart SOAR's IBM QRadar integration, with the python code highlighted


The response to this initial call provides a search ID, which becomes the input for the second API call. That second call is a GET request to /api/ariel/searches/{searchid}, which checks the status of the search started in the first call. Because the search runs asynchronously on the QRadar side, this call is repeated until the status is terminal.

A screenshot of Smart SOAR's IBM QRadar integration, with the python code highlighted

If the status confirms that the search is complete, a third GET request is made to /api/ariel/searches/{searchid}/results to retrieve and ingest the list of security events that match the original search criteria. A search can also end in an error or cancelled state, so the polling step has to stop on those outcomes (and on a time limit) rather than wait for a completion that will never come.

A screenshot of Smart SOAR's IBM QRadar integration, with the python code highlighted

Most SOAR platforms provide integration commands that query only one endpoint. The responsibility then lies with the user to transform the data, or to chain the returned values correctly, in order to complete the action they actually want to perform. Here, as you can see, all of that work is done for you out of the box.
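The three-call flow above, written out as an added example (this is not D3's integration code). The endpoint paths and the SEC token header follow the public QRadar Ariel REST API; the AQL query, the fake server responses and the event data are constructed for the example. The HTTP transport is injectable so the same function can run offline against a stand-in and still exercise the status loop, including the error and timeout exits.

```python
"""Start an Ariel search, poll it to a terminal state, then fetch the results.

Added example, not the integration code shown in the screenshots. Endpoint
paths and the SEC header follow the QRadar Ariel REST API; the transport is
injectable so the flow can be driven offline by FakeQRadar below."""
import json
import time
import urllib.parse
import urllib.request

# Ariel search states (assumption: exact strings as returned by the API).
DONE = "COMPLETED"
FAILED = {"ERROR", "CANCELED"}


class ArielSearchError(RuntimeError):
    """Raised when any of the three calls fails or the search does not complete."""


def urllib_transport(method, url, headers):
    """Default transport: real HTTPS call, returns (http_status, parsed JSON)."""
    req = urllib.request.Request(url, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:  # TLS verified by default
        return resp.status, json.loads(resp.read() or b"{}")


def fetch_ariel_events(base_url, sec_token, aql, transport=urllib_transport,
                       poll_interval=2.0, max_wait=300.0,
                       sleep=time.sleep, clock=time.monotonic):
    """Run `aql` on QRadar and return the matching events as a list of dicts."""
    headers = {"SEC": sec_token, "Accept": "application/json", "Version": "12.0"}
    base = base_url.rstrip("/")

    # Step 1: create the search. The AQL travels in the query string, so it is
    # URL-encoded rather than spliced into the path by hand.
    qs = urllib.parse.urlencode({"query_expression": aql})
    code, body = transport("POST", f"{base}/api/ariel/searches?{qs}", headers)
    if code != 201:
        raise ArielSearchError(f"search creation failed: HTTP {code} {body}")
    search_id = body["search_id"]

    # Step 2: poll the status. Stop on COMPLETED, but also on ERROR/CANCELED and
    # on a wall-clock budget; waiting only for COMPLETED hangs on a failed search.
    deadline = clock() + max_wait
    while True:
        code, body = transport("GET", f"{base}/api/ariel/searches/{search_id}", headers)
        if code != 200:
            raise ArielSearchError(f"status check failed: HTTP {code} {body}")
        state = body.get("status")
        if state == DONE:
            break
        if state in FAILED:
            raise ArielSearchError(f"search {search_id} ended in {state}")
        if clock() >= deadline:
            raise ArielSearchError(f"search {search_id} still {state} after {max_wait}s")
        sleep(poll_interval)

    # Step 3: fetch the result set of the completed search.
    code, body = transport("GET", f"{base}/api/ariel/searches/{search_id}/results", headers)
    if code != 200:
        raise ArielSearchError(f"result fetch failed: HTTP {code} {body}")
    return body.get("events", [])


class FakeQRadar:
    """Constructed offline stand-in for the three endpoints.

    Answers the status poll with the given states in order, holding the last
    one, so WAIT -> EXECUTE -> COMPLETED or WAIT -> ERROR can be scripted."""

    def __init__(self, states=("WAIT", "EXECUTE", "COMPLETED"), events=None):
        self.states = list(states)
        # Constructed sample event; field names mirror QRadar's event columns.
        self.events = events if events is not None else [{"sourceip": "10.0.0.5", "qid": 5000001}]
        self.calls = []

    def __call__(self, method, url, headers):
        self.calls.append((method, url))
        path = urllib.parse.urlsplit(url).path
        if method == "POST" and path == "/api/ariel/searches":
            return 201, {"search_id": "abc123", "status": "WAIT"}
        if path == "/api/ariel/searches/abc123":
            state = self.states.pop(0) if len(self.states) > 1 else self.states[0]
            return 200, {"search_id": "abc123", "status": state}
        if path == "/api/ariel/searches/abc123/results":
            return 200, {"events": self.events}
        return 404, {"message": "unknown path"}
```

Against a live appliance the default transport is used and `sleep`/`clock` are the real ones; the stand-in is only there so the three-call logic, including the failure branches, can be exercised without a QRadar.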

Scenario 2: Pre-Written Queries to GraphQL APIs

GraphQL APIs are advantageous because they allow for precise data retrieval, letting you specify exactly what you need. However, they often require specialized knowledge of query syntax and structure. The D3 Smart SOAR solution mitigates this problem by providing pre-written queries for popular services like Monday.com.

These pre-written queries are designed to be flexible and robust. They are developed through an iterative process, incorporating customer feedback and real-world use cases. This ensures that the queries are not just technically accurate, but also aligned with the actual needs and workflows of our users.

For instance, the query to add an update to an existing item on Monday.com is tailored to ensure all relevant fields are captured. Users only need to supply the variables item_ID and update_Body; the query text itself stays fixed, which makes it effortless to drop this action into any playbook.

A screenshot of Smart SOAR's Monday integration, with the python code highlighted

The monday.com integration comes with nine out-of-the box commands, each with a pre-written query to eliminate guesswork and API research required for our customers to incorporate these commands into their automated playbooks.
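The pattern described in this scenario, as an added example rather than D3's monday.com integration code: a fixed GraphQL mutation that takes item_ID and update_Body as GraphQL variables, shown beside the string-splicing version it replaces. The operation name and argument types follow monday.com's documented create_update mutation; the endpoint URL, the Authorization and API-Version headers, and the fake responses are assumptions made for the example.

```python
"""A pre-written monday.com mutation driven by variables, plus the anti-pattern.

Added example, not D3's integration. Endpoint and headers are assumptions
about the monday.com API version in use."""
import json
import urllib.request

MONDAY_GRAPHQL_URL = "https://api.monday.com/v2"  # assumption: current GraphQL endpoint

# The document is fixed at build time; per-call input only ever lands in `variables`.
CREATE_UPDATE = """
mutation AddUpdate($item_ID: ID!, $update_Body: String!) {
  create_update(item_id: $item_ID, body: $update_Body) { id }
}
""".strip()


def build_create_update(item_id, update_body):
    """Safe form: item_ID and update_Body are GraphQL variables, not query text."""
    if not str(item_id).isdigit():
        raise ValueError(f"item_ID must be numeric, got {item_id!r}")
    if not isinstance(update_body, str) or not update_body.strip():
        raise ValueError("update_Body must be a non-empty string")
    return {"query": CREATE_UPDATE,
            "variables": {"item_ID": str(item_id), "update_Body": update_body}}


def build_create_update_unsafe(item_id, update_body):
    """Anti-pattern kept for contrast: splicing the body into the document lets a
    caller close the string literal and append selections of their own."""
    return {"query": 'mutation { create_update(item_id: %s, body: "%s") { id } }'
            % (item_id, update_body)}


def send_graphql(payload, api_token, transport=None):
    """POST a GraphQL payload and return its `data`; GraphQL-level errors raise."""
    data = json.dumps(payload).encode("utf-8")
    headers = {"Authorization": api_token,          # assumption: raw token, no Bearer prefix
               "Content-Type": "application/json",
               "API-Version": "2023-10"}            # assumption: pinned API version
    if transport is None:
        req = urllib.request.Request(MONDAY_GRAPHQL_URL, data=data, headers=headers, method="POST")
        with urllib.request.urlopen(req, timeout=30) as resp:
            result = json.loads(resp.read())
    else:
        result = transport(MONDAY_GRAPHQL_URL, data, headers)  # offline stand-in
    if result.get("errors"):
        raise RuntimeError(f"GraphQL errors: {result['errors']}")
    return result["data"]


def add_update(item_id, update_body, api_token, transport=None):
    """The playbook-facing command: build the safe payload and send it."""
    return send_graphql(build_create_update(item_id, update_body), api_token, transport)["create_update"]
```

The contrast is the whole point of keeping the query pre-written: with variables, a body such as `") { id } delete_item(item_id: 1) { id }` is delivered to monday.com as literal text, whereas the spliced version would turn it into a second root selection of the mutation.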

Scenario 3: Handling SSH Requirements

SSH (Secure Shell) is often the go-to method for secure, remote interactions with network devices. While HTTP/HTTPS-based APIs are increasingly common, many legacy systems and even some modern network devices still require SSH for administration and data retrieval. Smart SOAR recognizes this and provides seamless SSH integration, specifically for devices like Cisco Adaptive Security Appliances.

In a typical use case, the user indicates in the server URL whether the integration should connect over SSH or HTTP(S). The Smart SOAR platform then uses the Paramiko library to manage the SSH connection: opening and closing the session, handling SSH keys and timeouts, and applying rate-limiting where applicable. One check worth confirming in any Paramiko-based integration is host-key verification: the client should validate the device's host key against a known-hosts store rather than auto-accepting unknown keys, since an auto-add policy would also accept an impostor's key on first contact.

A screenshot highlighting Smart SOAR's SSH capabilities

A screenshot of Smart SOAR's Cisco Adaptive Security Appliance integration, with the python code highlighted
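An added example of the SSH path for an ASA (not D3's integration code): the transport is chosen from the server URL's scheme, and the Paramiko session pins host keys from a known-hosts file instead of auto-adding them. The prompt patterns, the `enable` and `terminal pager 0` steps, and the use of an interactive shell rather than `exec_command` are assumptions about how an ASA behaves over SSH; the FakeChannel and its output are constructed so the prompt handling can be exercised offline.

```python
"""SSH-or-HTTPS selection from the server URL, and an ASA session over Paramiko.

Added example, not D3's integration. Prompt regexes and ASA commands are
assumptions about the device; FakeChannel is a constructed offline stand-in."""
import re
import time
from urllib.parse import urlsplit

try:
    import paramiko  # third-party; only needed for a real connection
except ImportError:  # the URL and prompt helpers still work without it
    paramiko = None

ASA_PROMPT = re.compile(r"[\w.-]+[>#]\s*$")       # "asa>" or "asa#" at end of buffer
ENABLE_PASSWORD_PROMPT = re.compile(r"Password:\s*$")


def choose_transport(server_url):
    """Map the configured URL to ('ssh'|'https', host, port)."""
    parts = urlsplit(server_url)
    scheme = parts.scheme.lower()
    if scheme == "ssh":
        return "ssh", parts.hostname, parts.port or 22
    if scheme == "https":
        return "https", parts.hostname, parts.port or 443
    raise ValueError(f"unsupported scheme {scheme!r}; use ssh:// or https://")


def read_until(chan, pattern=ASA_PROMPT, timeout=15.0, clock=time.monotonic, sleep=time.sleep):
    """Drain the channel until `pattern` matches the tail of the buffer or time runs out."""
    buf = ""
    deadline = clock() + timeout
    while clock() < deadline:
        if chan.recv_ready():
            buf += chan.recv(4096).decode("utf-8", "replace")
            if pattern.search(buf):
                return buf
        else:
            sleep(0.1)
    raise TimeoutError(f"no match for {pattern.pattern!r} within {timeout:.0f}s; tail={buf[-200:]!r}")


def run_asa_command(chan, command, **kw):
    """Send one command and return its output without the echo and trailing prompt."""
    chan.send(command + "\n")
    lines = read_until(chan, **kw).splitlines()
    if lines and lines[0].strip() == command:
        lines = lines[1:]
    if lines and ASA_PROMPT.search(lines[-1]):
        lines = lines[:-1]
    return "\n".join(lines)


def open_asa_session(host, port, username, password, enable_password, known_hosts, timeout=10.0):
    """Connect with pinned host keys, enter enable mode, disable paging.

    Returns (client, channel); caller closes `client` when done."""
    if paramiko is None:
        raise RuntimeError("paramiko is not installed")
    client = paramiko.SSHClient()
    client.load_host_keys(known_hosts)                         # keys we control
    client.set_missing_host_key_policy(paramiko.RejectPolicy())  # never auto-add
    client.connect(host, port=port, username=username, password=password,
                   timeout=timeout, banner_timeout=timeout, auth_timeout=timeout,
                   allow_agent=False, look_for_keys=False)
    chan = client.invoke_shell()  # assumption: ASA needs an interactive shell
    chan.settimeout(timeout)
    read_until(chan, ASA_PROMPT, timeout)
    chan.send("enable\n")
    read_until(chan, ENABLE_PASSWORD_PROMPT, timeout)
    chan.send(enable_password + "\n")
    read_until(chan, ASA_PROMPT, timeout)
    run_asa_command(chan, "terminal pager 0", timeout=timeout)  # no --More-- stalls
    return client, chan


class FakeChannel:
    """Constructed stand-in for a Paramiko channel: replies from a script."""

    def __init__(self, script):
        self.script = dict(script)
        self.pending = b""
        self.sent = []

    def send(self, text):
        self.sent.append(text)
        self.pending += self.script.get(text.strip(), b"")

    def recv_ready(self):
        return bool(self.pending)

    def recv(self, n):
        chunk, self.pending = self.pending[:n], self.pending[n:]
        return chunk
```

With a real device, `open_asa_session` raises from `connect` if the host key is absent from `known_hosts` or does not match, which is the behaviour you want from an automation account that holds enable credentials.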

Conclusion

By handling the complexities of integration development and maintenance transparently, Smart SOAR simplifies integrating with a wide array of technologies and lets users focus on the big time-saver: automated incident response. The examples in this blog show how the D3 integration team designs complete integrations for our customers without offloading any of the work onto them. Other patterns such as error handling and looping are also common, and we will cover them in future blogs.

For examples of how popular integrations are used in automated playbooks, check out this article:

The post How Smart SOAR Integrations are Built appeared first on D3 Security.

*** This is a Security Bloggers Network syndicated blog from D3 Security authored by Pierre Noujeim. Read the original post at: https://d3security.com/blog/how-smart-soar-integrations-are-built/


Source: https://securityboulevard.com/2023/11/how-smart-soar-integrations-are-built/