Integrations, Products, and Actions

SOAR works with external systems through integrations, products, and actions.

  • An integration connects SOAR to a firewall, email system, or ticketing system, for example.

  • A product is a specific service or tool within that integration, for example Microsoft 365 or Jira.

  • An action is a task that SOAR performs using a product, like creating a ticket, blocking an IP, or running a scan.

Integrations, products, and actions let you automate security incident response: you build playbooks that use actions from different products, which reduces manual work and helps coordinate tools for a faster response.

Playbooks in SOAR rely on data from SIEM, including logs, alerts, and correlation results, and from external third-party vendors, including firewalls, intrusion detection systems (IDS), endpoint tools, and threat intelligence. This data serves as triggers and context for playbook execution, directing what actions to take, when, and why.

To correctly set up the integration and ensure API communication, it is crucial to understand these 3 key entities:

1) Vendor Products/Integration Template

Represents an integration or third-party service that provides API-based actions for automation. For example, Logpoint SIEM, AWS CloudTrail, and FortiGate.

2) Product Instances/Installed Integrations

A specific configuration of a vendor product within SOAR. You can create multiple instances of the same product to support different environments or credentials. Each instance inherits the actions from the vendor product and is used in SOAR playbooks.

For example:

Cisco vendor product instances:

  • Cisco Email Security – Detects and blocks email-borne threats, for example, malware, spam and phishing.

  • Cisco Umbrella Investigate – Gives access to a live, up-to-date view of domains, IP addresses and malware file hashes.

3) Actions

An action is an API request executed on a selected product instance. It is used in playbooks to automate workflows.

You use product actions to work with the vendor product or to have it provide the data you need. Vendor products include preconfigured actions.

For example:

  • Create New CSM Case – Creates a case in ServiceNow.

  • AgentX-Block-IP – Blocks an IP address using Logpoint AgentX.

How SOAR Handles Vendor Products and Actions

Playbooks in SOAR are organised using vendors, product instances, and actions. This structure helps you create and manage automated workflows across different systems.

  • SOAR includes pre-installed vendor products to simplify playbook setup.

  • Each vendor product contains pre-configured actions, representing specific API actions that SOAR performs on the vendor product or Logpoint.

  • A product instance must be configured or created to use a vendor product.

  • A product instance inherits actions from the vendor product. The actions must be tested.

  • Actions work as playbook action blocks to automate processes.

Validate Vendor Product

To correctly set up the integration you need to check or validate:

  1. Vendor Product

    • Check if the vendor you need is already in SOAR. If not, you need to add it.

    • Check if the vendor products you need are already in SOAR. If not, you need to add them.

  2. Are the base parameters of a vendor product correct?

Base parameters are the default or required parameters necessary for configuring a vendor product or action within a playbook. These parameters define mandatory settings or inputs that ensure SOAR interacts correctly with external products and services.

The parameters, like the API key, base URL and credentials, are determined by the vendor and the API or endpoint you interact with.

  • Test the connection between the vendor and SOAR to ensure correct integration.

  • Check whether the vendor product parameters are set up correctly.

  • Check if a firewall or gateway security infrastructure is blocking SOAR.

  3. Do you have the right product instance?

A vendor product can have multiple product instances with different configurations for API keys, URLs, or user accounts. If the wrong instance is used, the action may fail or the results may be incorrect.

  1. Ensure the instance has the correct API key, access token or authentication details.

  2. Run a test action to confirm that the instance is successfully communicating with the vendor.

  3. Check the base parameters match the vendor's requirements.

  4. Ensure the playbook is using the correct instance for the intended action.

Add User-Specific Parameters to Existing Product Instance

When integrating a vendor product in Logpoint SOAR, a product instance is created with essential base parameters like API URL and authentication details. Depending on the integration and use case, you must add parameters to customize the instance for your environment.

Configuring the existing product instance

  1. In the navigation bar, click SOAR Settings.

  2. Click Playbook Integrations.

  3. Find the product instance in the list. To find it, you can:

    • Search for it using search at the top.

    • Filter the list according to the kind of integration.

If the integration isn’t already in SOAR, you will need to add it. Go to Adding a New Integration to learn how.

  4. Click the ellipsis (…) of the product instance and then Configure Instance.

  5. Enter an Instance Name. You can use the default name.

  6. In Parameters, enter the base parameter(s). Make sure the base parameters match what the vendor product's documentation provides.

  7. Click Save.

Check and Validate Actions

After a product instance is configured in Logpoint SOAR, it is crucial to test the product’s actions to make sure the integration is working correctly. This helps prevent errors and ensures smooth automation in playbooks.

Depending on the specific action and its required parameters, you may need to provide a parameter while testing an action in SOAR.

If the action requires mandatory parameters, you must provide values such as URL, API key, Host, or other inputs before clicking Run Test.

For example:

  • Create Ticket action in Zendesk requires a title, description, and priority.

  • Block IP action requires an IP address.

If the action has default or optional parameters:

  • Some actions may work without additional input if default values are set.

    • Get System Status action may not need user input and can run directly.

    • List All Incidents action may fetch data without requiring parameters.
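
The required and default parameter rules above can be checked before a test is run. The following Python sketch is an added example, not Logpoint code or part of the original page; the RequestParam class, the preflight function, the rule that a supplied value takes precedence over a default, and the sample Create Ticket definition are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class RequestParam:
    """One Request Parameters row: Name, Required flag, Default Value."""
    name: str
    required: bool = False
    default: Optional[Any] = None


def preflight(params: List[RequestParam],
              supplied: Dict[str, Any]) -> Tuple[Dict[str, Any], List[str]]:
    """Resolve the values an action would run with and list every problem.

    Assumed rule: a supplied value wins, then the default. Blank strings
    count as "not supplied", so an empty form field cannot satisfy Required.
    """
    def blank(v: Any) -> bool:
        return v is None or (isinstance(v, str) and not v.strip())

    resolved: Dict[str, Any] = {}
    problems: List[str] = []
    for p in params:
        value = supplied.get(p.name)
        if blank(value):
            value = p.default
        if blank(value):
            if p.required:
                problems.append(f"missing required parameter: {p.name}")
            continue  # optional and unset: leave it out of the request
        resolved[p.name] = value

    # A misspelled parameter name would otherwise be dropped silently.
    for name in sorted(set(supplied) - {p.name for p in params}):
        problems.append(f"unknown parameter: {name}")
    return resolved, problems


# Constructed definition modelled on the Zendesk Create Ticket example above;
# the default for "priority" is an assumption made for the demonstration.
CREATE_TICKET = [
    RequestParam("title", required=True),
    RequestParam("description", required=True),
    RequestParam("priority", required=True, default="normal"),
]
```

Calling preflight(CREATE_TICKET, {"title": "Phishing report", "descripton": "typo"}) reports both the missing description and the misspelled name, while priority falls back to its default.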

Testing product actions

  1. Go to SOAR Settings from the navigation bar and click Playbook Integrations.

  2. Click Browse Integrations Templates.

  3. Find your vendor product in the list. To find it, you can:

    • Search for it using search at the top.

    • Filter the list according to the kind of integration.

  4. Click the ellipsis (…) of the vendor product and then Edit Integration Template.

  5. Click Actions.

  6. Find the action name in the list and click it.

  7. In Request Parameters, check the required parameters, whose values must be entered to test the action.

  8. Click Test Action.

  9. In Action Parameters, enter the parameter value(s). Make sure the information is from the vendor product's documentation.

  10. Click Run Test.

If the test works, the action is ready. If the test fails, you may need to change the parameters.

Add a New Integration

Before you add a new integration, you need to:

  1. Find the product's API documentation online.

    • If you can’t find it after performing an online search, you may need to contact the vendor.

  2. Find the base URL.

  3. Determine the authentication method: None, API Key, Username or Password.

  4. Does the integration require an access token? If so, make sure you have it or contact the admin or vendor support.

  5. Identify the actions to perform, then check the vendor's API documentation to determine the required methods like:

    • GET: Retrieve information from the vendor.

    • POST: Create new records or trigger actions.

    • PUT: Update existing records.

    • DELETE: Remove records or deactivate entities.

To add a new integration in SOAR:

  1. Add the vendor.

  2. Add their product/integration template.

  3. Add actions to the product/integration template.

  4. Configure a new product instance, based on the vendor’s product.

Delete a Vendor Product

Delete a vendor product that is no longer used or has been replaced. An unused or misconfigured vendor product may pose security risks. Having multiple versions of the same vendor product with different settings can cause conflicts in playbooks.

  1. Click the ellipsis (…) of the vendor and then click Delete.

  2. Click Delete to confirm removal.

Add a New Product

After the vendor is added to SOAR, you can add the products (integrations) you want to use and base your product instances on them. Each product performs different actions.

A product can have different versions, depending on whether the vendor has released newer ones. If you know that the out-of-the-box product version in SOAR isn’t the newest because your vendor has released a newer version, you can add a new product version to use in SOAR. Versioning matters because it:

  • Ensures compatibility with SOAR.

  • Helps track updates and manage version-specific configurations.

  • Prevents issues when the vendor changes or upgrades their API.

Check the vendor's API documentation to find the latest version. If the integration requires a specific version like v2 vs. v3, you need to specify it.

  1. Go to SOAR Settings from the navigation bar and click Browse Integrations Templates.

  2. Click + Create New Integration.

  3. In General, enter a Name.

    • It specifies the title of the integration being added. It must be clear and descriptive to help you identify the integration in SOAR.

  4. Enter a vendor name and specific functionality if necessary.

    • Example: VT API is too vague. VirusTotal Integration is good.

  5. Select the company that provides the integration from the Vendor drop-down. It helps SOAR categorize and manage integrations from various vendors.

  6. Enter the specific version of the integration or API being used in Version.

  7. Select a Type from the drop-down. The type is the category of the product based on its functionality within SOAR. It helps organize integrations by use case and makes it easier to find and manage similar types of products.

  8. Write a Description and remember to:

    • Keep it concise but informative.

    • Mention key functions of the integration.

  9. In Parameters, add base parameters the product instances will start with.

  10. Click Save when you are done.

Add a New Action

There are three action types:

  1. REST: For API-based integrations. Use when the action interacts with a REST API. It uses HTTP methods GET, POST, PUT and DELETE.

    • Example: Get File Reputation (VirusTotal) - GET request.

  2. LDAP: For directory service operations. Use when the action interacts with an LDAP directory service. It supports operations like search, add, modify and delete.

    • Example: Get User Details (Active Directory) - Searches for user information.

  3. FORM DATA: For submitting data in web forms. It is used in REST APIs that require form-encoded inputs.

You need to activate the action. Activation types are:

  • INVESTIGATE – Gathers information for analysis.

  • INGEST – Collects and processes data.

  • CORRECT – Fixes or remediates an issue.

  • CONTAIN – Limits the impact of a security threat.

  • GENERIC – A flexible type used for custom actions.

How to add:

  1. Go to SOAR Settings from the navigation bar and click Playbook Integrations.

  2. Click Browse Integrations Templates.

  3. Find your product instance in the list. You can scroll through the list, use Search, or filter the list to find the right one.

  4. Click the ellipsis (…) of the product and then Edit Integration Template.

  5. Click Actions and + Add Action.

  6. Enter the Name of an action. It should be clear, concise, and descriptive of the action's purpose.

    • Example: AgentX-Block-IP; Barracuda-get-ip-blocklist.

  7. Enter the Description of what the action does.

  8. Select the Type from the drop-down.

  9. Select the Activation Type from the drop-down.

  10. Click + Add Row to add Request Parameters.

  11. Enter the parameter’s Name and Description.

  12. Click Required if relevant.

  13. Enter the Default Value.

Add Response Parameters

When you test a new action, SOAR sends a request to the vendor and receives a response. You can then extract key data points from this response and define them as response parameters. These parameters are essential for using API responses dynamically within playbooks.

These parameters can be used as inputs in subsequent playbook actions, enabling automation based on real-time data.

How to add:

  1. Click Response Parameters.

  2. Click + Add Row.

  3. Enter a Name.

  4. Enter a Description.

  5. Select a Type from the drop-down.

  6. Select Required if needed.

  7. Click Save.
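
To show how response parameters turn a raw vendor response into typed inputs for the next playbook action, here is an added Python example; it is not Logpoint code or part of the original page. It assumes that a parameter's Name is a dotted path into a JSON response, and the type names, the extract_response_params function, and the sample response are constructed for illustration.

```python
import json
from typing import Any, Dict, List, Tuple

# Type names are placeholders for the choices in the Type drop-down.
TYPES = {"string": str, "number": (int, float), "boolean": bool, "list": list}


def extract_response_params(body: str, rows: List[Dict[str, Any]]
                            ) -> Tuple[Dict[str, Any], List[str]]:
    """Pull each defined response parameter out of a JSON response body.

    Assumption: a parameter's Name is a dotted path into the JSON document.
    Returns (values, errors); a playbook should stop on errors rather than
    pass partial data to the next action.
    """
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        return {}, [f"response is not valid JSON: {exc.msg}"]

    values: Dict[str, Any] = {}
    errors: List[str] = []
    for row in rows:
        node: Any = doc
        found = True
        for key in row["name"].split("."):
            if not (isinstance(node, dict) and key in node):
                found = False
                break
            node = node[key]
        if not found:
            if row.get("required"):
                errors.append(f"required response parameter absent: {row['name']}")
            continue
        # bool is a subclass of int in Python, so reject it for "number".
        ok = (isinstance(node, TYPES[row["type"]])
              and not (row["type"] == "number" and isinstance(node, bool)))
        if not ok:
            errors.append(f"{row['name']}: expected {row['type']}, got {type(node).__name__}")
            continue
        values[row["name"]] = node
    return values, errors


# Constructed response and parameter rows; not any vendor's real schema.
SAMPLE_BODY = '{"verdict": {"malicious": true, "score": "87"}}'
ROWS = [
    {"name": "verdict.malicious", "type": "boolean", "required": True},
    {"name": "verdict.score", "type": "number", "required": True},
    {"name": "verdict.family", "type": "string", "required": False},
]
```

With the sample data, the score arrives as a string rather than a number, so it is reported as an error instead of being handed to a later action that compares it against a threshold.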

Delete Response Parameters

You delete a response parameter if it is no longer needed, contains outdated or incorrect values, or causes conflicts in playbook execution. Removing unnecessary parameters helps simplify configurations, improve performance, and reduce the risk of errors.

  1. Click Delete from actions of the response parameters.

  2. Click Delete.

New Product Instance

Configuring an existing product instance does not create a new product instance.

You need to create a new product instance in the following circumstances:

  • Different environments

  • Multiple accounts or tenants

  • Distinct configurations or settings

  • Role-based access

Create a New Product Instance

  1. Go to SOAR Settings from the navigation bar and click Playbook Integrations.

  2. Click Browse Integrations Templates.

  3. Find the product instance in the list. You can scroll through the list, use Search, or filter the list to find the right one.

  4. Click the ellipsis (…) of the product instance and then Configure New Instance.

  5. Enter an Instance Name.

  6. Enter the Parameter(s). Each product instance requires specific parameters, which depend on the vendor and integration type.

  7. Select Active.

  8. Click Add.

Export a Product Instance

You can export a product instance to use in another SOAR instance.

  1. In Playbook Integrations, find the product instance in the list.

  2. Click the ellipsis (…) of the product instance and then Export.

  3. The product instance is generated as a .zip file. Go to your downloads folder to find it.
