SOAR apps
Apps created in or for the SOAR system give access to a library of functions and are created using OpenAPI or pure Python modules.
These apps are seen as the building blocks of the workflows. Each App can contain multiple actions, which can take multiple variables. These are made to interact with each other by using the published variables generated by each App.
Actions:
Each App can perform more than one task based on predefined actions. The actions available for each App are defined by the developer of the app and are reusable and modifiable by the user of the App.
Each action defined in a workflow should be a one-to-one representation of the function that it is required to perform. If additional functions are required, the app can be chained with another instance of the exact same app.
An example of this would be processing items from web APIs that require a “GET”, “POST” and/or various other HTTP-related items.
Some of the actions available to the HTTP App can be seen in the screenshot below.
If one were to retrieve information from an HTTP source, submit it to another API and post the information back to the original source, the workflow would look something like this.
The first step is to perform a “GET” from the source. MISP can then be queried with one or more of the variables obtained by the “GET” request. Once it completes, the flow can be split into two: “POST” the results back to the original source, and create an alert in TheHive for further incident response activities.
Arguments:
Each app can handle multiple arguments. The arguments compatible with each app are listed when the app is selected.
Arguments listed with the orange radio button are required, whereas the items with the yellow radio button are optional.
Creating an OpenAPI app:
To create an OpenAPI-based app, the following steps need to be performed:
Click Apps
Click “Create from OpenAPI”
Paste the URL for the OpenAPI that will be accessed. This will highlight the validate button, which can be pressed to validate the URL.
Specify the OpenAPI text that must be submitted and click “Validate Data” when the button is highlighted.
Click the “Submit” button.
Creating an app from scratch:
Click Apps
Click “Create from scratch”
Click the box in the top left corner to upload a logo for the App being built.
Specify the following items:
Name of the App
Description of the App
API Base URL
Authentication mechanism (No authentication, API Key, Bearer Auth or Basic Auth)
Once these items have been added, one or more actions may be added for the application to perform. The following fields are required:
Name of action
Description of action
Request Type (GET, HEAD, DELETE, CONNECT, POST, PUT and PATCH)
URL Path
Add any required Headers
Once these have been added, click the “Submit” button.
Any Apps that have been created can be removed by clicking the trashcan icon below the app logo.
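The app and action fields listed above map onto an OpenAPI document, the format accepted by “Create from OpenAPI”. The Python below is an added example, not SIEMonster's own code: it checks a from-scratch style definition before it is entered and builds the equivalent OpenAPI 3.0 document. The dictionary layout, the `X-API-Key` header name, the https-only rule, the choice of OpenAPI 3.0 and the sample app are assumptions made for this example.

```python
from urllib.parse import urlparse

REQUEST_TYPES = {"GET", "HEAD", "DELETE", "CONNECT", "POST", "PUT", "PATCH"}  # as listed on this page
AUTH_SCHEMES = {  # OpenAPI 3.0 security scheme for each mechanism listed on this page
    "No authentication": None,
    "API Key": {"type": "apiKey", "in": "header", "name": "X-API-Key"},  # header name assumed
    "Bearer Auth": {"type": "http", "scheme": "bearer"},
    "Basic Auth": {"type": "http", "scheme": "basic"},
}

def build_openapi(app):
    """Check a from-scratch style app definition; return (openapi_dict, errors)."""
    errors = [f"missing app field: {f}" for f in ("name", "description") if not app.get(f)]
    url = urlparse(app.get("base_url", ""))
    if url.scheme != "https" or not url.netloc:  # policy chosen for this example
        errors.append("API Base URL must be an absolute https:// URL")
    if (auth := app.get("auth")) not in AUTH_SCHEMES:
        errors.append(f"unknown authentication mechanism: {auth!r}")
    paths = {}
    for act in app.get("actions", []):
        name, path = act.get("name"), act.get("path", "")
        method = str(act.get("method", "")).upper()
        if not name or not act.get("description"):
            errors.append(f"action {name!r}: name and description are required")
        elif method not in REQUEST_TYPES:
            errors.append(f"action {name!r}: unsupported request type {method!r}")
        elif method == "CONNECT":  # OpenAPI 3.0 path items define no connect operation
            errors.append(f"action {name!r}: CONNECT cannot be expressed in OpenAPI 3.0")
        elif not path.startswith("/"):
            errors.append(f"action {name!r}: URL path must start with '/'")
        else:
            paths.setdefault(path, {})[method.lower()] = {
                "operationId": name.lower().replace(" ", "_"),
                "summary": act["description"],
                "responses": {"default": {"description": "Response from the API"}}}
    spec = {"openapi": "3.0.0", "paths": paths, "servers": [{"url": app.get("base_url", "")}],
            "info": {"title": app.get("name", ""), "version": "1.0.0"}}
    if AUTH_SCHEMES.get(auth):
        spec["components"] = {"securitySchemes": {"app_auth": AUTH_SCHEMES[auth]}}
        spec["security"] = [{"app_auth": []}]
    return spec, errors

SAMPLE_APP = {  # constructed sample, not a real app or endpoint
    "name": "Example Intel", "description": "Constructed sample app",
    "base_url": "https://intel.example.com/api", "auth": "Bearer Auth",
    "actions": [
        {"name": "List events", "description": "Fetch events", "method": "get", "path": "/events"},
        {"name": "Tunnel", "description": "Open a tunnel", "method": "CONNECT", "path": "/tunnel"},
    ]}
```

Calling `build_openapi(SAMPLE_APP)` returns the document together with one error for the CONNECT action, which is accepted as a request type in the from-scratch form but has no counterpart in an OpenAPI 3.0 path item.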
Triggers:
Triggers are used to start workflow execution automatically. They are connected to a node or action in the workflow, usually the starting node. Triggers usually take an execution argument that will be used to execute the workflow in question. The triggers currently supported by the SIEMonster platform are the following:
Webhook: Handle real-time HTTP requests from anywhere
Schedule: Runs your workflow on a schedule
Rest API: Essentially a trigger from either:
Another Workflow
Any third-party software
Adding a trigger:
To add a trigger, simply drag it from the left column and connect it to the starting or relevant node. Click on the trigger, update the relevant settings and click “Start”.
For more in-depth examples, please click the “Docs” shortcut within the SOAR interface. This contains a large variety of examples and suggestions for configuration of all aspects of the Apps, workflows, triggers and other items as well as the proper use of each.