SOAR (Security Orchestration, Automation, and Response) platforms act as centralized hubs for managing security alerts and orchestrating incident response activities. They gather alerts from various sources such as endpoint and network security systems, as well as email systems, which collect logs, apply detection rules, and identify potential security incidents. SOAR platforms consolidate these alerts to enable response teams to coordinate their efforts through a unified interface.

Newcomers to SOAR technology often ask how alerts get from their sources to the SOAR system. There are two typical mechanisms: the SOAR platform initiates requests to retrieve alerts from the source systems, or the source systems proactively send alerts to the SOAR platform through a webhook.

Scheduling Pull Requests

In SOAR systems, data collection commonly involves setting up a schedule on which the platform requests data from the original sources as needed.

At established intervals, the SOAR solution reaches out to each data source and asks for any new or modified alerts by dispatching GET or POST requests to the APIs those endpoints provide. These requests typically fetch only data that is new or has changed since the last retrieval.

When the data source responds, usually in JSON format, the SOAR system ingests the response and converts the pertinent details into a standardized format. This normalization step is essential for processing the various data types consistently.

Using Webhooks

When using webhooks, the data source actively pushes each alert directly to the SOAR platform. This is a straightforward one-way transfer that makes the alert ingestion process more reliable. As soon as an alert is created at its source, the webhook fires and forwards the alert to the SOAR platform, where it is processed and cataloged as an event. Because the Smart SOAR Solution can expose its commands as an externally accessible API, transmission happens automatically the moment an alert is produced, so urgent action can be taken immediately.
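The two ingestion paths described in the pull and webhook sections above, as an added example that is not part of the original page or of any Infoblox or SOAR vendor code. It assumes a hypothetical source API that returns JSON alerts newer than a `since` timestamp (stood in for here by an in-memory list of constructed alerts), a hypothetical SOAR event schema produced by `normalize()`, and an HMAC-SHA256 signature header as the webhook authentication convention; the page does not describe the actual field names or authentication used by any product.

```python
import hashlib
import hmac
import json
from typing import Callable, List, Optional

# Constructed sample alerts, in a made-up source-specific shape.
SOURCE_ALERTS = [
    {"id": "a-1", "created": "2024-05-01T10:00:00Z", "sev": "high",
     "host": "ws-12", "msg": "DNS query to a domain on the block list"},
    {"id": "a-2", "created": "2024-05-01T10:05:00Z", "sev": "low",
     "host": "ws-07", "msg": "Policy hit: newly registered domain"},
    {"id": "a-3", "created": "2024-05-01T10:09:00Z", "sev": "medium",
     "host": "srv-03", "msg": "DGA-like hostname observed"},
]


def fake_source_get(since: str) -> str:
    """Stand-in for the source's HTTP API (hypothetical): JSON for alerts created after `since`."""
    return json.dumps([a for a in SOURCE_ALERTS if a["created"] > since])


SEVERITY_MAP = {"low": 1, "medium": 2, "high": 3}


def normalize(raw: dict, source: str) -> dict:
    """Convert a source-specific alert into the (hypothetical) SOAR event schema."""
    return {
        "event_id": f"{source}:{raw['id']}",
        "source": source,
        "occurred_at": raw["created"],
        "severity": SEVERITY_MAP.get(str(raw.get("sev", "")).lower(), 0),
        "asset": raw.get("host"),
        "summary": raw.get("msg", ""),
    }


class PullCollector:
    """Scheduled pull: a watermark cursor ensures each run fetches only alerts newer than the last seen."""

    def __init__(self, source: str, fetch: Callable[[str], str]):
        self.source = source
        self.fetch = fetch
        self.cursor = "1970-01-01T00:00:00Z"  # ISO-8601 UTC strings compare lexicographically
        self.events: List[dict] = []

    def run_once(self) -> List[dict]:
        payload = json.loads(self.fetch(self.cursor))
        new_events = [normalize(a, self.source) for a in payload]
        if payload:
            self.cursor = max(a["created"] for a in payload)  # advance the watermark
        self.events.extend(new_events)
        return new_events


def sign(secret: bytes, body: bytes) -> str:
    """HMAC-SHA256 over the raw body; assumed to be what the source puts in its signature header."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


class WebhookReceiver:
    """Push path: verify the signature, normalize, and drop duplicate deliveries (webhooks retry)."""

    def __init__(self, source: str, secret: bytes):
        self.source = source
        self.secret = secret
        self.seen = set()
        self.events: List[dict] = []

    def handle(self, body: bytes, signature_hex: str) -> Optional[dict]:
        if not hmac.compare_digest(sign(self.secret, body), signature_hex):
            return None  # unauthenticated post: do not catalog
        event = normalize(json.loads(body), self.source)
        if event["event_id"] in self.seen:
            return None  # already cataloged; idempotent on redelivery
        self.seen.add(event["event_id"])
        self.events.append(event)
        return event


def sample_webhook_body() -> bytes:
    """Constructed webhook payload: the first sample alert, as the source would post it."""
    return json.dumps(SOURCE_ALERTS[0]).encode()


if __name__ == "__main__":
    collector = PullCollector("edr", fake_source_get)
    print("pull run 1:", len(collector.run_once()), "events, cursor", collector.cursor)
    print("pull run 2:", len(collector.run_once()), "events (nothing new)")
    secret = b"constructed-shared-secret"
    receiver = WebhookReceiver("dns", secret)
    body = sample_webhook_body()
    print("webhook:", receiver.handle(body, sign(secret, body)))
    print("replay :", receiver.handle(body, sign(secret, body)))
```

The cursor in `PullCollector` is the piece that makes the scheduled pull fetch "only fresh or altered data": persist it between runs in a real deployment, or every restart re-ingests history. The receiver's signature check and `seen` set address the two failure modes of the push path, unauthenticated posts to a publicly reachable endpoint and duplicate deliveries from source-side retries.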

BloxOne Threat Defense supports both methods: it offers full webhook capability for pushing alerts, and it provides a robust API that a SOAR platform can poll with scheduled pull requests. In the Cloud Services Portal, go to Notifications > Service Integrations to add a webhook service integration. For details, see Configuring Webhook Services and Default Webhook Template and Supported Keys.

[Image: Adding a webhook service integration in the Cloud Services Portal.]

Summary

In summary, scheduled pull requests and direct webhook pushes are two effective ways to transfer information from diverse alert sources. Organizations can implement whichever method suits their technical requirements; either one improves their capacity to aggregate security alerts and provides a cohesive environment for managing incident response.