Getting Started With SOAR

Logpoint SOAR (Security Orchestration, Automation, and Response) is seamlessly integrated with Logpoint SIEM to improve the efficiency of threat detection and response. It minimizes response time and manual intervention on threat alerts by implementing a standard workflow of automated incident-response activities. The key functions provided by Logpoint SOAR are:

  • Collection of security threat data and alerts from multiple sources.

  • Prioritization and execution of incident response according to a standard workflow.

  • Automation of incident response to rapidly investigate, contain, and remove cyber threats.

Logpoint SOAR Work Flow

_images/LP_SOAR_Architecture.png

Logpoint SOAR Work Flow

Logpoint SOAR receives incidents generated by Logpoint SIEM in response to alerts from multiple sources. You can trigger Playbooks based on the incidents and create Cases for further investigation using automation through Playbooks. You can manually investigate an incident by following the case details and timeline. The playbook automatically executes the actions required to detect, investigate, and respond to the incidents. To facilitate the process of detection, investigation, and response, Logpoint SOAR also fetches normalized and raw logs from Logpoint SIEM.

Deployment

Logpoint SOAR has been seamlessly integrated with Logpoint SIEM to minimize your additional effort for deployment and configuration. You can access Logpoint SIEM and Logpoint SOAR from a common authentication and interface. Similarly, user permission and authorization are common for Logpoint SIEM and Logpoint SOAR.

Enable SOAR

SOAR is disabled by default. You must enable it to use SOAR Automation or SOAR Automation and Case management.

For Director

  1. Log in to the Director Console as an admin user.

  2. From the navigation bar, go to Configuration >> System.

  3. Select a Logpoint to enable SOAR.

  4. Scroll down to the bottom of the form and select Enable SOAR.

  5. Click NEXT >> FINISH >> OK.

Next, enable SOAR in Logpoint.

For Logpoint

  1. Go to Settings >> System Settings from the navigation bar and click System Settings.

_images/enablesoar.png

Enabling SOAR

  2. In General, select Enable SOAR in Logpoint.

  3. Click Save.

_images/enablesoar1.png

Enabling SOAR

If you have enabled SOAR but have yet to buy a license, we recommend you book a demo session to learn more about SOAR.

  1. Go to Playbook or Case from the navigation bar.

_images/pldemo.png

Booking Demo from Playbook

_images/casedema.png

Booking Demo from Case

  2. Click Contact Logpoint Support To Enable Automation to book a demo.

You will be directed to the Logpoint portal.

  3. Click Book a demo and enter your details.

  4. Click Book a demo!.

Licensing

SOAR licensing refers to the agreement and pricing model Logpoint uses to provide access to its SOAR platform. Licensing manages how SOAR can be used, how many users or systems can access it, the duration of the license, and the cost.

After you install Logpoint’s latest version, you get one SOAR entity license valid for 30 days. By default, this gives you an active session for a single user. You must purchase additional licenses if you need more entities for concurrent access.

If you are an existing license holder, your SOAR license remains unchanged after the patch upgrade to Logpoint’s latest version.

Important

When the SOAR license expires, playbook execution stops. The execution resumes once a valid license is uploaded.

There are two types of SOAR licenses:

  • Automation gives you access to automated threat investigation, containment and removal. It includes out-of-the-box playbooks in addition to the ability to create your own, custom playbooks.

  • Automation + Case Management gives you a complete SOAR functionality.

Adding a SOAR License

Before adding a license, contact Logpoint Support and provide them with your Hardware Key. You will receive a single license file for SOAR and SIEM. You can find the Hardware Key at Settings >> System Settings >> Licenses.

To add a license:

  1. Go to Settings >> System Settings from the navigation bar and click Licenses.

_images/license.png

Adding SOAR License

  2. Click + Upload License.

  3. Select SIEM / SOAR.

_images/LP_Settings_Logpoint_Add_SOAR.png

New SOAR License

  4. Browse to your License.

  5. Accept the terms of the End User License Agreement.

  6. Click Submit.

Install & Upgrade

When a new Logpoint SIEM version is released, SOAR is upgraded automatically with it, so you do not need to install those SOAR versions yourself. Separate SOAR releases, however, must be installed manually. The SOAR upgrade fails on Logpoint instances whose vCPUs do not support AVX.

To install:

  1. Download the .pak file from the Help Center.

  2. Go to Settings >> System Settings from the navigation bar and click Applications.

  3. Click Import.

  4. Browse to the downloaded .pak file.

  5. Click Upload.

Version Compatibility for Logpoint SOAR

Go to Logpoint SIEM and SOAR to learn about the version compatibility for SOAR with Logpoint SIEM.

System Requirements

For SOAR systems running a single playbook:

  Additional Memory        10 GB
  Additional Disk Space    25 GB
  CPUs                     2

For SOAR systems running multiple playbooks concurrently:

  Additional Memory        16 GB
  Additional Disk Space    100 GB
  CPUs                     5

We recommend running only one playbook at a time. To extend the disk space, use the zpool or LVM commands provided in the Console Configuration section based on your filesystem.
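The following pre-flight script is an added example, not a Logpoint tool: before an install or upgrade it checks the AVX caveat from the Install & Upgrade section and compares the host against the single-playbook figures from the System Requirements section. It assumes Linux with /proc and df, treats the "additional" figures as a minimum floor for the host (a simplification), and the data path is an assumption to be pointed at the volume SOAR actually uses.

```shell
#!/bin/sh
# Pre-flight check before a SOAR install/upgrade (added example, not Logpoint's own tooling).
# Thresholds: single-playbook figures from the System Requirements section.
# Assumptions: Linux with /proc/cpuinfo, /proc/meminfo and df; DATA_PATH is a placeholder.

REQ_MEM_GB=10
REQ_DISK_GB=25
REQ_CPUS=2
DATA_PATH="${DATA_PATH:-/}"

# has_avx FLAGS_LINE: succeeds when a /proc/cpuinfo "flags" line lists the avx token
has_avx() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -qx 'avx'
}

# kb_to_gb KB: integer kilobytes -> whole gigabytes, rounded down
kb_to_gb() {
    echo $(( $1 / 1024 / 1024 ))
}

# check_min LABEL HAVE NEED: prints a verdict and succeeds only when HAVE >= NEED
check_min() {
    if [ "$2" -ge "$3" ]; then
        echo "OK   $1: $2 (need >= $3)"
    else
        echo "FAIL $1: $2 (need >= $3)"
        return 1
    fi
}

# preflight: runs every check; returns 1 if any of them fails
preflight() {
    rc=0
    if has_avx "$(grep -m1 '^flags' /proc/cpuinfo)"; then
        echo "OK   AVX flag present"
    else
        echo "FAIL AVX flag missing: the SOAR upgrade fails on this vCPU"; rc=1
    fi
    mem_kb=$(awk '/^MemTotal:/ {print $2}' /proc/meminfo)
    check_min "memory GB" "$(kb_to_gb "$mem_kb")" "$REQ_MEM_GB" || rc=1
    disk_kb=$(df -Pk "$DATA_PATH" | awk 'NR==2 {print $4}')
    check_min "free disk GB on $DATA_PATH" "$(kb_to_gb "$disk_kb")" "$REQ_DISK_GB" || rc=1
    check_min "CPUs" "$(getconf _NPROCESSORS_ONLN)" "$REQ_CPUS" || rc=1
    return $rc
}

# Run the checks only when invoked as: sh preflight.sh run
case "${1:-}" in run) preflight ;; esac
```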

Components of Logpoint SOAR

You can access the components of Logpoint SOAR from the navigation bar.

Playbooks

A set of automated actions to follow a standard process that assists you in detecting, investigating, and responding to a security threat alert.

For more details, go to the Playbook guide; to see the pre-configured playbooks, go to the Pre-configured Playbook guides.

Cases

Cases list the details of a threat alert, such as Name, Status, Severity, Duration, Creation Date, and Active. Each case also provides an Investigation Timeline with detailed information about the chain of events associated with the threat alert.

For more details, go to the Cases guide.

SOAR Settings

You can configure the Vendors, Products, Actions, API Key, Licensing, My Products, Lists Management, System Health, Execution Tracking, and Import settings from the SOAR Settings.

For more details, go to the SOAR Settings guide; to see the guides for the pre-configured settings, go to the API Actions guides.
