Getting Started With SOAR

Logpoint SOAR (Security Orchestration, Automation, and Response) is seamlessly integrated with Logpoint SIEM to improve the efficiency of threat detection and response. It minimizes response time and manual intervention on threat alerts by implementing a standard workflow of automated incident-response activities. The key functions provided by Logpoint SOAR are:

  • Collection of security threat data and alerts from multiple sources.

  • Prioritization and execution of incident response according to a standard workflow.

  • Automation of incident response to rapidly investigate, contain, and remove cyber threats.

Logpoint SOAR Work Flow

[Figure: Logpoint SOAR architecture (LP_SOAR_Architecture.png)]

Logpoint SOAR receives incidents generated by Logpoint SIEM in response to alerts from multiple sources. You can trigger Playbooks based on these incidents, and Playbooks can create Cases for further investigation. You can also investigate an incident manually by following the case details and timeline. A playbook automatically executes the actions required to detect, investigate, and respond to an incident. To support detection, investigation, and response, Logpoint SOAR also fetches normalized and raw logs from Logpoint SIEM.

Deployment

Logpoint SOAR is integrated with Logpoint SIEM so that little additional deployment and configuration effort is needed. You access Logpoint SIEM and Logpoint SOAR through a common login and interface, and user permissions and authorization are shared between Logpoint SIEM and Logpoint SOAR.

Licensing

After a fresh installation, one seat is available by default, which allows access to SOAR in a single active session. To allow multiple concurrent sessions, you need to add a Logpoint SOAR license.

Adding a SOAR License

Before adding a license, contact Logpoint Support and provide them with your Hardware Key. They will issue a SOAR license specific to your system. You can find the Hardware Key at Settings >> System Settings >> Licenses.

To add a license:

  1. Go to Settings >> System Settings >> Licenses from the navigation bar.

  2. Click Upload License.

  3. Select SOAR.

  4. Browse to your License.

  5. Accept the terms of the End User License Agreement.

  6. Click Submit.

Install & Upgrade

When a new Logpoint SIEM version is released, the bundled SOAR is upgraded automatically; you do not need to install those SOAR versions yourself. Separate SOAR releases, however, must be installed manually.

To install:

  1. Download the .pak file from the Help Center.

  2. Go to Settings >> System Settings from the navigation bar and click Applications.

  3. Click Import.

  4. Browse to the downloaded .pak file.

  5. Click Upload.

Note

The SOAR upgrade fails on Logpoint systems whose vCPUs do not support AVX.

Version Compatibility for Logpoint SOAR

See Logpoint SIEM and SOAR for the version compatibility of SOAR with Logpoint SIEM.

System Requirements

The requirements depend on the number of playbooks the SOAR system runs per day:

                          A few hundred playbooks/day   Around 1000 playbooks/day
  Available Memory        10 GB                         16 GB
  Additional Disk Space   25 GB                         100 GB
  CPUs                    2                             5

Note

To extend the disk space, use the zpool or LVM commands (depending on your filesystem) provided in the Console Configuration section.
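The system requirements above and the AVX note under Install & Upgrade are the checks an administrator would want to run before importing a SOAR .pak file. The following POSIX shell script is an added example, not Logpoint's own tooling: it parses the CPU flag list the way /proc/cpuinfo presents it, checks for the AVX flag, and compares available memory, free disk space, and CPU count against the documented minimums for the "few hundred playbooks per day" tier. The thresholds come from the table above; SOAR_DATA_DIR (defaulting to /) is an assumption and should point at the filesystem where Logpoint stores its data. The cpuinfo excerpt embedded in the script is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not Logpoint's own tooling): pre-install/upgrade check for the
# documented SOAR prerequisites. Thresholds are the documented minimums for the
# "few hundred playbooks per day" tier; the AVX check corresponds to the note
# that the SOAR upgrade fails on vCPUs without AVX. SOAR_DATA_DIR is an
# assumption: set it to the filesystem holding Logpoint data on your host.

MIN_MEM_GB=10
MIN_DISK_GB=25
MIN_CPUS=2
SOAR_DATA_DIR="${SOAR_DATA_DIR:-/}"

# cpu_flags: print the flag list of the first CPU from /proc/cpuinfo-formatted
# text on stdin (the "flags : ..." line).
cpu_flags() {
    awk -F': ' '/^flags/ { print $2; exit }'
}

# has_avx FLAGS: succeed (exit 0) if the space-separated flag list contains the
# whole word "avx"; avx2/avx512 on their own are not accepted as a substitute.
has_avx() {
    case " $1 " in
        *" avx "*) return 0 ;;
        *) return 1 ;;
    esac
}

# meets_minimum ACTUAL MINIMUM: succeed if ACTUAL >= MINIMUM (integers).
meets_minimum() {
    [ "$1" -ge "$2" ]
}

# report NAME ACTUAL MINIMUM: print one PASS/FAIL line and return the result.
report() {
    if meets_minimum "$2" "$3"; then
        printf 'PASS %-16s %s (minimum %s)\n' "$1" "$2" "$3"
    else
        printf 'FAIL %-16s %s (minimum %s)\n' "$1" "$2" "$3"
        return 1
    fi
}

# check_host: run every prerequisite against the live machine, print one line
# per check and return the number of failed checks (0 = ready for the import).
check_host() {
    failures=0
    flags=$(cpu_flags < /proc/cpuinfo)
    if has_avx "$flags"; then
        echo "PASS avx              present"
    else
        echo "FAIL avx              missing (SOAR upgrade fails without AVX)"
        failures=$((failures + 1))
    fi
    mem_gb=$(awk '/^MemAvailable/ { print int($2 / 1024 / 1024) }' /proc/meminfo)
    disk_gb=$(df -Pk "$SOAR_DATA_DIR" | awk 'NR == 2 { print int($4 / 1024 / 1024) }')
    cpus=$(nproc)
    report "memory_gb" "$mem_gb" "$MIN_MEM_GB" || failures=$((failures + 1))
    report "disk_free_gb" "$disk_gb" "$MIN_DISK_GB" || failures=$((failures + 1))
    report "cpus" "$cpus" "$MIN_CPUS" || failures=$((failures + 1))
    return "$failures"
}

# Constructed cpuinfo excerpt (not from a real host) for a CPU that lacks AVX,
# used to demonstrate the parsing without touching the live system.
SAMPLE_CPUINFO=$(printf 'processor\t: 0\nmodel name\t: constructed sample CPU\nflags\t\t: fpu vme de pse sse sse2 ssse3 sse4_1 sse4_2\n')

# Run with --live to check the current host; otherwise demonstrate on the sample.
if [ "${1:-}" = "--live" ]; then
    check_host
else
    flags=$(printf '%s\n' "$SAMPLE_CPUINFO" | cpu_flags)
    if has_avx "$flags"; then
        echo "sample: avx present"
    else
        echo "sample: avx missing, the SOAR upgrade would fail on this vCPU"
    fi
fi
```

Run it as `sh soar_prereq.sh --live` on the Logpoint host before importing the .pak file; a non-zero exit status is the number of unmet prerequisites. For the "around 1000 playbooks per day" tier, change the three MIN_ values to 16, 100 and 5.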

Components of Logpoint SOAR

You can access the components of Logpoint SOAR from the navigation bar.

Playbooks

A set of automated actions that follow a standard process to assist you in detecting, investigating, and responding to a security threat alert.

For more details, go to the Playbook guide; to see the pre-configured playbooks, go to the Pre-configured Playbook guides.

Cases

Cases list the details of a threat alert, such as Name, Status, Severity, Duration, Creation Date, and Active. A case also provides an Investigation Timeline with detailed information on the chain of events associated with the threat alert.

For more details, go to the Cases guide.

SOAR Settings

You can configure the Vendors, Products, Actions, API Key, Licensing, My Products, Lists Management, System Health, Execution Tracking, and Import settings from the SOAR Settings.

For more details, go to the SOAR Settings guide; to see the guides for the pre-configured settings, go to the API Actions guides.

Important

SOAR is disabled by default. You can enable it by selecting the Enable SOAR in Logpoint checkbox from Settings >> System Settings >> System Settings >> General.
