brencronin

SOAR Notes

Updated: Nov 10





Automation Overview


  • Identify and prioritize processes for automation:

    • Begin with standard, repetitive tasks that can be easily automated, ensuring they have well-defined rules and clear goals.


  • Select the right RPA tools for your organization:

    • Approachability (ease of use)

    • Security

    • Scalability

    • Integration capabilities.

  • Collaborate with all stakeholders: This includes IT teams, business analysts, and end-users. Proactive collaboration helps understand each department's needs and ensures successful implementation.

  • Develop a comprehensive testing plan before deployment: Test scenarios should cover edge cases or errors that may occur during execution.

  • Provide continuous training to team members: Training on new technologies is essential for maintaining efficiency in their roles post-automation.





Select the right RPA tools for your organization:


Approachability


Automation must be 'approachable'. It has the potential to be part of the solution to any problem, but it will never reach its full potential if it remains a capability accessible only to the most highly skilled security professionals.




Automation should also offer a 'human in the loop' option, both for learning and for approvals.



APIs





Common SOARs


Microsoft Sentinel

Swimlane

Torq


Microsoft Sentinel


Main components:


  • Scheduled analytics rules

  • Near-real-time (NRT) analytics rules (run once a minute)

  • Fusion detection

  • Microsoft security incident creation

  • Anomalies











Swimlane Overview


In many domains there is a System of Record for a specific business function, and as digital use increases these systems become more specialized. A System of Record is an information storage system that integrates human and machine intelligence into a central console, providing actionable intelligence for any business use case in that domain.



  • Vendor agnostic

  • Automated IR or human in the loop: the system must also provide dynamic case management that combines automation, orchestration, and analyst activities.

  • Single 'pane of glass': While overlapping security tools may be unavoidable,



Use case definition: the Triggers, Inputs, Actions, and Outputs.









SIEM Triage


[image flow chart]


Elastic






Swimlane Architecture as related to the GUI


  • Applications

  • Orchestration Components

  • Using Swimlane (Workspaces, Dashboards, Reports)


Applications


In Swimlane Turbine, an Application is a user-defined template for collecting, storing, and organizing data. Applications are populated as Records (e.g., 'Application Records'). Earlier versions of Swimlane needed all data populated into an application record before automated actions could be taken against it. Later versions (Turbine) allow decision processing of data in real time at ingest, as well as on data already stored in application records.

A Turbine Application, with all its added Fields, serves as a container for the data generated by your ingest Playbooks. The Playbooks actually implement the required data processing, so they need properly configured Inputs and will provide the necessary Outputs. Additionally, Playbooks can be called from application records themselves, either automatically or manually.


[image of playbook call from application]



Application Records


Records are the data from your Applications. They are made up of the various Fields which have been customized and configured within an Application by a developer or administrator in the Turbine Application Builder. A listing of Records in Turbine is referred to as a Report, and the Default Report contains ALL the Records associated with an Application.



[images]


Other components of a Case Management Record include:

  • A configurable Analyst Checklist, to provide guidance on how to process the issue;

  • Case classifiers, to indicate the current Status, the assessed Severity and Determination, and the Type of case;

  • A variety of remediation tools, to allow an analyst to effectively neutralize a confirmed threat.


[images]


Other important Points about Applications


Widgets



Reciprocal references


???is this what happens with IOPC records????


You can also create references that use, or rely on data from other Reference Fields, known as Reciprocal References. To do this you must first add the Reference Fields in the two Applications, then set one of them to maintain the Reciprocal Reference.


Correlation Fields


The Correlation layout object allows you to select fields on which to perform correlation. The Correlation function performs two tasks:

  • It compares the configured Correlation Key fields across the Records within the Application, looking for similar entries;

  • And it automatically creates Correlation Fields in all of the Records that match.

Note: You can only add one Correlation Field to the Application layout, although it can be configured to correlate on as many of the included Fields as required.


When adding a Correlation Field, you have the option to customize the Matching Preferences, specifically:

  • The Matching Timeframe (in days): how far back in time the matching should occur;

  • The Matching Threshold (a percentage): the degree of similarity between values that determines whether there is a match;

  • The Minimum number of matching values: the number of values that must match across all the included correlation fields.

Note: These values are pre-configured based on recommended best practices.
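To make the three matching preferences concrete, here is an added example in Python that is not Swimlane code and not from the original notes: it links records that agree on enough correlation keys within a time window. Turbine does not document how it scores "similarity", so the difflib ratio, the verdict of "two of two keys", and the phishing records are all assumptions of this example.

```python
"""Record correlation in the style of a Turbine Correlation Field.

Added illustration for these notes, not Swimlane code. It implements the three
matching preferences the notes list (timeframe in days, similarity threshold as
a percentage, minimum number of matching values). Turbine does not document how
it scores "similarity", so the difflib ratio used here is an assumption, as are
the sample phishing records below, which are constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta
from difflib import SequenceMatcher
from itertools import combinations


@dataclass
class Record:
    id: str
    created: datetime
    fields: dict[str, str]
    # Filled automatically, like the Correlation Field on a Turbine record.
    correlated: set[str] = field(default_factory=set)


def similarity_pct(a: str, b: str) -> float:
    """Percent similarity of two values after trimming and case-folding."""
    a, b = a.strip().lower(), b.strip().lower()
    if not a or not b:
        return 0.0  # an empty value is never evidence of a match
    return 100.0 * SequenceMatcher(None, a, b).ratio()


def matching_values(r1: Record, r2: Record, keys: list[str], threshold_pct: float) -> int:
    """Count the correlation-key fields whose values meet the threshold."""
    return sum(
        1
        for k in keys
        if similarity_pct(r1.fields.get(k, ""), r2.fields.get(k, "")) >= threshold_pct
    )


def correlate(records: list[Record], keys: list[str], timeframe_days: int = 30,
              threshold_pct: float = 80.0, min_matches: int = 1) -> int:
    """Link every pair of records created within the timeframe that agree on at
    least min_matches keys. Updates Record.correlated in place; returns link count."""
    window = timedelta(days=timeframe_days)
    links = 0
    ordered = sorted(records, key=lambda r: r.created)
    for r1, r2 in combinations(ordered, 2):
        if r2.created - r1.created > window:
            continue  # outside the Matching Timeframe
        if matching_values(r1, r2, keys, threshold_pct) >= min_matches:
            r1.correlated.add(r2.id)
            r2.correlated.add(r1.id)
            links += 1
    return links


def sample_records() -> list[Record]:
    """Constructed phishing-report records (not real data)."""
    return [
        Record("PH-1", datetime(2024, 3, 1), {"sender": "billing@examp1e.com",
                                              "subject": "Invoice #4471 overdue"}),
        Record("PH-2", datetime(2024, 3, 3), {"sender": "billing@examp1e.com",
                                              "subject": "Invoice #4472 overdue"}),
        Record("PH-3", datetime(2024, 3, 4), {"sender": "hr@example.org",
                                              "subject": "Benefits enrollment"}),
        # Same lure as PH-1 but two months earlier: outside a 30-day timeframe.
        Record("PH-0", datetime(2024, 1, 1), {"sender": "billing@examp1e.com",
                                              "subject": "Invoice #4471 overdue"}),
    ]


def run_sample(threshold_pct: float = 80.0, min_matches: int = 2,
               timeframe_days: int = 30) -> tuple[int, dict[str, list[str]]]:
    """Correlate the sample on sender + subject; return (links, per-record matches)."""
    recs = sample_records()
    links = correlate(recs, ["sender", "subject"], timeframe_days, threshold_pct, min_matches)
    return links, {r.id: sorted(r.correlated) for r in recs}


if __name__ == "__main__":
    print(run_sample())       # (1, {'PH-1': ['PH-2'], 'PH-2': ['PH-1'], 'PH-3': [], 'PH-0': []})
    print(run_sample(100.0))  # exact match required on both keys: subjects differ, so 0 links
```

The two knobs interact: at an 80% threshold the near-identical subjects ("#4471" vs "#4472") count as a match, at 100% they do not, and widening the timeframe to 90 days pulls the January record into the same cluster. Tune the threshold on real data before trusting auto-created Correlation Fields, since a loose threshold will merge unrelated cases.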


Applications Calling Playbooks


A Playbook may:

  • Return its Outputs to the same Record in the calling Application;

  • Return them to a new Record in the calling Application;

  • Return them to an existing or new Record in some other Application entirely;

  • Or even pass them to some other Playbook.



Orchestration components


  • Playbooks

  • Webhooks

  • Assets

  • Connectors

  • Playbook Runs

  • Events




Integrations/Connectors


Prebuilt, standard security integrations: Swimlane provides prebuilt integrations for common security tools, at no additional cost for new integrations to any commercial tool, with the ability to add, modify, and extend the implemented integrations from an integrated Marketplace.


Connectors are how Turbine connects to third-party tools; they replace what earlier platform versions called a Plugin. A Turbine Connector lets an orchestrator install a package of defined capabilities (i.e., API calls) for a third-party service or platform, for use as Actions in Turbine Playbooks. Actions expose a simple input/output configuration for interacting with the third-party API without writing any code.


Adding a Connector to your environment (analogous to loading a MIB or an API definition) does two things:


  a. It adds any included Asset Definitions to the library, making them available for use in your Playbooks;

  b. It adds the included Action types (API calls) to the library, so that they are also available in your Playbooks.


Then you only need to configure your own API credentials (tokens, keys) for that Connector.


Use the Connector's Actions in Playbooks by mapping their Inputs and Outputs.


[image]


Assets


Assets are configured instances of Connectors, and hence are what Playbooks actually call. Assets are reusable, structured, product-specific objects containing variables that can be configured for, and applied as Inputs to, Actions in your Playbooks. Assets can be defined from a specific Connector or created as a generic custom Asset that can be applied to any Action input. Assets are mostly used for providing authentication parameters for the third-party systems they relate to (usernames, passwords, tokens, API keys, etc.), but they may also contain other commonly used parameters (e.g., server host names, file paths, client IDs, or flags and switches).



Playbook Runs


A Playbook Run is the record of one execution of a Playbook; Playbook Runs are useful for troubleshooting.


Events


?????



Engine and Agents


A Turbine Engine is the pod in the Kubernetes cluster that actualizes and manages all Turbine orchestration features and functions. Without a Turbine Engine all Turbine functionality is disabled!


Agents


Turbine Agents are the entities that actually perform the orchestration Actions from the Playbooks and send the results back to the Turbine Engine. Agents do not act autonomously: they cannot take any action on their own; all they do is wait for jobs assigned to them by the Turbine Engine. There are three types:


  • Pool (Engine) Agent (1-to-1)

  • Remote Agent

  • Webhook Agent


[diagram]


Using Swimlane (Workspaces, Dashboards, Reports)


Workspaces are customizable areas within the Turbine platform where you can organize and access the Turbine tools and features that you use on a regular basis. Workspaces can include Applications, Dashboards, Records, Reports, and Charts.





Every Application that you add must be associated with a Workspace


An Application generates a Report containing individual Records








Dashboards


Dashboards are a visual display of Records, Reports, and Charts associated with the Applications in the Workspace.








Other dashboard options







Reports


Custom report building: import CSV (typically used to feed data into other reports).









Filtering case reports, sharing case reports


Report options:

  • Save Report: save the configuration (e.g., the column layout) to the Default Report;

  • Save Report As: save the configuration to a custom Report;

  • Details and Schedules: view details for the Report or set up a schedule to send it to a Turbine user;

  • Schedule: create a one-time or recurring schedule for the Report;

  • Email: email the Report to a Turbine user;

  • Download: download the Report;

  • Download CSV: download the Report in .CSV format.




SecOps Activities




playbooks to actions






Playbook runs from cases.





??/correlated cases?









Native Turbine Actions


Several Actions are native to the Turbine platform, meaning they are immediately available in your Playbooks without installing and maintaining a separate Connector. When adding an Action to a Playbook, the Turbine native Actions are listed first in the list of available Actions. Native Actions are updated when the underlying Turbine platform is updated.


HTTP request

Transform Data


Turbine Actions - HTTP request


  • Construct and send an HTTP or HTTPS request to any destination and configure it as necessary to elicit the desired response;

  • This Action can be used to request (or post) data to Web-based services for which no custom Turbine Connector exists;

  • Or to configure a custom request in a way that is not supported by an existing Connector;

  • This Action can also be configured to access a service that is protected behind a Proxy that requires authentication.


[[image]]


Configuration options available include:

  • The HTTP Method;

  • The Authentication option and credentials to be used to access the destination service;

  • You may add Parameters, in the form of Key / Value pairs to be embedded in the URL;

  • There are auto-generated Headers, and you may replace these or add additional custom Headers;

  • You can include request Body data in a variety of standard formats;

  • Also, Settings are available to allow Proxy authentication and manage SSL verification (keep verification enabled and trust your internal CA bundle rather than switching it off; a playbook that skips certificate checks will send its API keys to whatever host answers);

  • You have the usual Repeat and Retry configuration options;

  • Plus, options for Promoting the Action Outputs.


[image]]


URL request builder: HTTP methods


  • GET: retrieve data from the called endpoint;

  • POST: create or update data;

  • PUT: create or replace data;

  • PATCH: apply partial updates to an existing resource;

  • DELETE: delete the existing data;

  • OPTIONS: request information about the actions available for interacting with the target resource;

  • HEAD: almost identical to GET, but without retrieving the response body;

  • TRACE: perform a message loopback test on the path to the target resource.


There is a Parameters tab that allows you to include multiple query or path parameters simply by adding a list of Key / Value pairs.



Authentication


Authentication options:

  • No Auth (the default);

  • API Key;

  • Bearer Token;

  • Basic Auth;

  • OAuth 2.0 (with the Client Credentials and Password Credentials options).



Body


You may include Body data in any request you configure, in any of the supported formats:

  • JSON, for any JSON-structured data you require;

  • x-www-form-urlencoded, to send form data as a single block in the HTTP message body (added as Key/Value pairs);

  • Attachment, to add an attachment from a Playbook Property or via an Expression;

  • Form Data, again added as Key/Value pairs.
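The settings above map onto a request in a predictable way. The following is an added Python example, not Swimlane's implementation and not from the original notes, that models the Action's configuration surface offline: it shows what the method, query parameters, authentication option, headers and body format become on the wire, flags disabled TLS verification, and retries only on transient statuses. Class and field names, the `.invalid` endpoint, the constructed credentials and the fake transport are all this example's own.

```python
"""Offline model of the Turbine native 'HTTP request' Action.

Added illustration for these notes, not Swimlane code. It mirrors the
configuration surfaces listed above (method, authentication option, query
parameters, headers, body format, SSL verification, retry) and shows what each
setting becomes on the wire. Class and field names are this example's own, the
endpoint is a reserved .invalid name, and requests go to a pluggable transport
so nothing is sent over the network.
"""
from __future__ import annotations

import base64
import json
from dataclasses import dataclass, field
from typing import Callable
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Statuses worth a retry: transient server trouble or rate limiting. Any other
# 4xx means the request itself is wrong and will not improve on replay.
RETRYABLE = {408, 429, 500, 502, 503, 504}


@dataclass
class HttpRequestAction:
    url: str
    method: str = "GET"
    auth: str = "none"                              # none | api_key | bearer | basic
    credentials: dict = field(default_factory=dict)  # in Turbine these come from an Asset
    params: dict = field(default_factory=dict)       # Key/Value pairs appended to the URL
    headers: dict = field(default_factory=dict)      # custom headers override generated ones
    body: object = None
    body_format: str = "json"                       # json | form_urlencoded
    verify_ssl: bool = True                          # leave on; trust an internal CA instead
    retries: int = 2                                 # extra attempts after the first

    def build(self) -> dict:
        """Return the concrete request: final URL, merged headers, encoded body, warnings."""
        scheme, netloc, path, query, frag = urlsplit(self.url)
        merged = dict(parse_qsl(query))
        merged.update({k: str(v) for k, v in self.params.items()})
        url = urlunsplit((scheme, netloc, path, urlencode(merged), frag))

        headers = {"Accept": "application/json", "User-Agent": "soar-playbook/1.0"}
        if self.auth == "api_key":
            headers[self.credentials.get("header", "X-API-Key")] = self.credentials["key"]
        elif self.auth == "bearer":
            headers["Authorization"] = f"Bearer {self.credentials['token']}"
        elif self.auth == "basic":
            raw = f"{self.credentials['username']}:{self.credentials['password']}".encode()
            headers["Authorization"] = "Basic " + base64.b64encode(raw).decode()
        elif self.auth != "none":
            raise ValueError(f"unsupported auth option: {self.auth}")

        data = None
        if self.body is not None:
            if self.body_format == "json":
                data = json.dumps(self.body).encode()
                headers["Content-Type"] = "application/json"
            elif self.body_format == "form_urlencoded":
                data = urlencode(self.body).encode()
                headers["Content-Type"] = "application/x-www-form-urlencoded"
            else:
                raise ValueError(f"unsupported body format: {self.body_format}")
        headers.update(self.headers)  # user-supplied headers win, as in the Action

        warnings = []
        if scheme == "https" and not self.verify_ssl:
            warnings.append("TLS verification disabled: any certificate will be accepted")
        return {"method": self.method.upper(), "url": url, "headers": headers,
                "body": data, "verify_ssl": self.verify_ssl, "warnings": warnings}

    def send(self, transport: Callable[[dict], tuple[int, bytes]]) -> dict:
        """Run the request through `transport`, retrying only on RETRYABLE statuses.
        Note that retries replay the body, so keep POST targets idempotent."""
        req = self.build()
        attempts = 0
        while True:
            attempts += 1
            status, payload = transport(req)
            if status not in RETRYABLE or attempts > self.retries:
                return {"status": status, "body": payload, "attempts": attempts,
                        "warnings": req["warnings"]}
            # A real playbook would back off (sleep) here; omitted so the demo is instant.


def flaky_transport(failures: int) -> Callable[[dict], tuple[int, bytes]]:
    """Fake transport: returns 503 `failures` times, then 200 with a small JSON body."""
    state = {"left": failures}

    def _send(req: dict) -> tuple[int, bytes]:
        if state["left"] > 0:
            state["left"] -= 1
            return 503, b""
        return 200, json.dumps({"echo": req["url"]}).encode()
    return _send


def demo() -> dict:
    """Constructed IOC lookup with API-key auth against a transport that fails twice."""
    action = HttpRequestAction(
        url="https://ti.example.invalid/v1/lookup?format=json",
        auth="api_key", credentials={"key": "demo-key"},
        params={"ioc": "198.51.100.7", "type": "ip"},
        retries=2,
    )
    return action.send(flaky_transport(failures=2))


if __name__ == "__main__":
    print(demo())
```

Two points worth carrying into real playbooks: the credentials never appear in the Action definition (they belong in an Asset, as the notes say), and the retry policy is keyed on status, so a 401 from a revoked key fails fast instead of hammering the service.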




Turbine Action - Transform Data


JSON blobs

The Transform Data Action allows you to extract the data you need and modify the format, structure, or values to be used within, and passed between your Turbine Playbooks and Applications.


  • Basic Mode

  • Advanced Mode (JSONata)


A common operation when building security automations is to receive alerts or retrieve data from internally deployed or third-party systems, e.g., TI lookups for the IOCs in an email or SIEM alert. These calls can return an overabundance of data, which may (or may not) contain the specific specks of information you need in order to proceed. What is needed is a way to programmatically extract those useful specks from the 'blob' you receive, ideally without requiring an advanced coding or query language, yet flexible and powerful enough to build advanced queries when necessary. The extracted values may (or may not) be formatted appropriately for the next step, so a way to transform them is also required. In short: a low-code extraction and transformation tool that can home in on the specific data you need and present it to the next operation in a format it can actually use.


Improvements


In a single Playbook Action you can:

  • Extract multiple variables, objects or properties from a data block;

  • Reformat each of them as required; then

  • Write each out to separate outputs ready to be passed into your other Actions, Playbooks or Applications.

This can give an order-of-magnitude improvement in Playbook processing speed and throughput, because one native Action aggregates the extraction and transformation work that previously needed several steps.


transformdata added in blocks???





Examples of Basic Mode transformations available:


  • Manipulate arrays;

  • Apply regular expressions;

  • Extract and manipulate alphanumeric characters;

  • Manipulate date and time properties.
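The 'blob' problem described above and the four Basic Mode transformation families listed here fit in one worked example. The following Python is added for these notes and is not Swimlane's code: it takes a constructed TI lookup response (made up for the example; it follows no real vendor's schema), pulls out the values a later playbook step would need, applies an array, a regex, a string and a date/time transform, and returns them as separate named outputs. The dotted-path syntax, the verdict threshold and every field name are this example's own assumptions.

```python
"""Low-code style extraction and transformation of a threat-intel 'blob'.

Added illustration for these notes, not Swimlane code. It does what the
Transform Data Action is described as doing: pull several values out of one
JSON response, reshape each (array, regex, string, date/time transforms), and
hand them back as separate named outputs. The path syntax, the verdict threshold
and the response below are this example's own; the blob is constructed and does
not follow any real vendor's schema.
"""
from __future__ import annotations

import json
import re
from datetime import datetime, timezone
from typing import Any

SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")

# Constructed TI lookup response for 198.51.100.7 (a documentation-range address).
TI_BLOB = json.loads("""
{
  "data": {
    "id": "198.51.100.7",
    "attributes": {
      "analysis": {"malicious": 7, "suspicious": 2, "harmless": 60},
      "tags": ["c2", "Scanner", "c2", "tor-exit "],
      "first_seen": 1709251200,
      "notes": "Related sample sha256: 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef seen 2024-03-02."
    }
  }
}
""")


def get_path(blob: Any, path: str, default: Any = None) -> Any:
    """Dotted-path lookup ('data.attributes.tags.1'); numeric segments index lists.
    Missing keys return `default` instead of raising, so a thin response does not
    abort the playbook."""
    cur = blob
    for seg in path.split("."):
        if isinstance(cur, dict) and seg in cur:
            cur = cur[seg]
        elif isinstance(cur, list) and seg.isdigit() and int(seg) < len(cur):
            cur = cur[int(seg)]
        else:
            return default
    return cur


def transform(blob: dict) -> dict:
    """Extract and reshape the fields later playbook steps need, as named outputs."""
    stats = get_path(blob, "data.attributes.analysis", {})
    malicious = int(stats.get("malicious", 0))
    total = sum(int(v) for v in stats.values())

    # Array manipulation: trim, case-fold, de-duplicate, sort.
    tags = sorted({t.strip().lower() for t in get_path(blob, "data.attributes.tags", [])})

    # Regex: pull the first SHA-256 out of free text, if there is one.
    m = SHA256_RE.search(get_path(blob, "data.attributes.notes", "") or "")

    # Date/time: epoch seconds to ISO-8601 UTC, or None when the field is absent.
    ts = get_path(blob, "data.attributes.first_seen")
    first_seen = (datetime.fromtimestamp(int(ts), tz=timezone.utc).isoformat()
                  if ts is not None else None)

    # Example verdict rule (assumption): five or more malicious verdicts is 'malicious'.
    if malicious >= 5:
        verdict = "malicious"
    elif malicious + int(stats.get("suspicious", 0)) > 0:
        verdict = "suspicious"
    else:
        verdict = "benign"

    return {
        "indicator": get_path(blob, "data.id"),
        "verdict": verdict,
        "detection_ratio": f"{malicious}/{total}",
        "tags": tags,
        "sample_sha256": m.group(0).lower() if m else None,
        "first_seen_utc": first_seen,
        "asn": get_path(blob, "data.attributes.asn"),  # absent in this blob, so None
    }


if __name__ == "__main__":
    print(json.dumps(transform(TI_BLOB), indent=2))
```

The point of the tolerant `get_path` is the failure mode the notes allude to: a lookup that returns less than you expected should yield empty outputs that downstream conditions can test, not a Playbook Run that dies on a KeyError halfway through triage.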



Transform Data - Advanced Mode JSONata











Open Source SOAR



Automations - agenthub







