Integrating SOAR with Other Components
Select .
You can configure SOAR to integrate with other platforms and components in order to receive alerts from them and to execute actions on them. This streamlines the alert inflow and powers automation. The Integrations tab allows you to create, manage and configure security integrations and platforms. The Integrations page lists previously configured integrations along with their action and rollback queue sizes and their availability statuses.
Searching an Integration
You can search for a specific integration through the Search option. Click the button next to Search to filter the results by ID, Name, Type, Address, Availability, Last Modified By, Modification Date, Action Queue Size, Rollback Queue Size and Actions.
Creating an Integration
Click the Create Integration button to create an integration. In the Integration Editor window, specify the details for the following fields:
- Name
- Name of the integration.
- Type
- Type of the integration.
- IP Address
- IP address of the integration.
- Configuration
- Depending on the integration type, you may need to select and enter various configuration commands in the black (terminal-style) text area. See the Changing Integration Configuration section below for details.
- Credential
- Credentials to be used to connect to this integration. Credentials are defined in menu.
- Trust Invalid SSL Certificates
- Determines whether SOAR connects to an integration even if its SSL/TLS certificate cannot be validated (for example, self-signed, expired or issued for a different host name) and ignores the resulting warnings. Enabling this disables certificate validation for the connection, so SOAR can no longer tell the genuine integration from a host impersonating it; prefer installing a trusted certificate on the integration and leaving this option cleared.
- Require Approval Form
- Identifies the users who must approve action items before they are executed on this integration.
- Notify
- Identifies the users who are notified when actions are executed.
- Tags
- Used to group integrations. This allows creating actions on a number of integrations having the same tag. You might want to create an action for all integrations that have a specified tag such as “block offender IP address on all firewalls that are used to manage WiFi networks”.
Some integrations accept further parameters. Select the Show Additional Parameters checkbox at the very bottom of the Integration Editor to display the additional configuration fields:
- Maintenance
- Maintenance is supported by all integrations to which SOAR connects using the SSH protocol. It is essentially a generic SSH integration action script. It is best used in conjunction with the Check Point Firewall integration for activating or installing a previously saved but not yet activated firewall policy. You can select a maintenance frequency, or enter your own cron expression for a scheduled maintenance by selecting the Custom Cron Value option in the combobox.
- Host Key
- SSH public host key of the remote integration. It is only used for integrations connected over SSH. If a host key is provided, the key presented by the remote host on each connection is checked against it and the connection is rejected on a mismatch. This check is required to prevent man-in-the-middle attacks: without a pinned host key, SOAR cannot tell whether it is talking to the real integration or to an attacker answering in its place. Obtain the value from the integration itself (for example, the output of ssh-keyscan run against the host) rather than from the first connection SOAR happens to make.
- Batch Size
- SOAR can send multiple action queue items to an integration over a single connection. This field specifies the maximum number of action queue items sent in each execution. For example, if Batch Size is 10 and 25 action queue items are waiting for that integration, SOAR sends them in 3 separate executions (10 + 10 + 5). The default value is 1. The purpose of this setting is to avoid placing excessive load on remote integrations when executing actions: a batch that is too large may overload the integration, in which case every item in that batch fails. Increase this value with care.
- Max Postpone
- Specifies how long, in hours, SOAR keeps postponing and retrying an action. If an action cannot be executed for any reason, such as a connection failure, an authentication problem or a SOAR internal problem, it is automatically retried later. A number of global configuration parameters control how and when it is retried, but once the period specified in this field has elapsed, SOAR gives up and marks the action as failed. The default value is 6 hours. (The retry count itself is limited separately by Max Action Retry below.)
- Connection Limit
- Specifies the maximum number of concurrent connections for the integration. Default value is 5.
- Max Action Retry
- Specifies the maximum action retry count for the integration. Default value is 5.
- Max Rollback Retry
- Specifies the maximum rollback retry count for the integration. Default value is 5.
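The Host Key parameter above pins the SSH public key SOAR expects from the remote integration. The following is an added example, not part of this documentation or of the SOAR product code, showing what that check amounts to: parse an OpenSSH one-line public key of the kind ssh-keyscan prints, compute the SHA256 fingerprint an administrator would compare by eye, and reject a connection whose presented key does not match the pinned one. The two keys are constructed for the demo and belong to no real host; all function names are the example's own.

```python
"""Added example (not SOAR product code): SSH host key pinning, as performed by
an integration's Host Key parameter.

The pinned key is the remote host's public key in OpenSSH one-line form
("ssh-ed25519 AAAA... comment"), as produced by `ssh-keyscan <host>`. On each
connection the key the server presents is compared with the pinned one; a
mismatch means a different host (or a man-in-the-middle) answered.
All keys below are constructed for the demo, not real hosts."""
from __future__ import annotations

import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode a byte string in SSH wire format (uint32 length + payload)."""
    return struct.pack(">I", len(data)) + data


def openssh_line(key_type: str, raw_key: bytes, comment: str = "") -> str:
    """Build an OpenSSH public-key line: '<type> <base64 blob> [comment]'.
    The blob is the SSH wire encoding: string key type, string key material."""
    blob = ssh_string(key_type.encode()) + ssh_string(raw_key)
    line = f"{key_type} {base64.b64encode(blob).decode()}"
    return f"{line} {comment}" if comment else line


def parse_openssh_line(line: str) -> tuple[str, bytes]:
    """Return (key type, decoded blob). The type embedded in the blob must
    match the type field, so a mislabeled or truncated key is rejected."""
    parts = line.strip().split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    key_type, blob = parts[0], base64.b64decode(parts[1], validate=True)
    (type_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + type_len].decode(errors="replace") != key_type:
        raise ValueError("key type field does not match encoded blob")
    return key_type, blob


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in the form ssh-keygen and ssh-keyscan print it."""
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return f"SHA256:{digest}"


def host_key_matches(pinned_line: str, presented_line: str) -> bool:
    """Verify the key presented by the remote host against the pinned one.
    The whole blob is compared in constant time, not only the fingerprint."""
    pinned_type, pinned_blob = parse_openssh_line(pinned_line)
    presented_type, presented_blob = parse_openssh_line(presented_line)
    return pinned_type == presented_type and hmac.compare_digest(pinned_blob, presented_blob)


# Constructed demo keys: 32 bytes of Ed25519 public-key material each.
# A real deployment would paste the ssh-keyscan output for the real host.
FIREWALL_KEY = openssh_line("ssh-ed25519", bytes(range(32)), "fw01 (constructed)")
ATTACKER_KEY = openssh_line("ssh-ed25519", bytes(range(32, 64)), "mitm (constructed)")

if __name__ == "__main__":
    print("pinned fingerprint:", fingerprint(parse_openssh_line(FIREWALL_KEY)[1]))
    print("genuine host      :", host_key_matches(FIREWALL_KEY, FIREWALL_KEY))
    print("impersonating host:", host_key_matches(FIREWALL_KEY, ATTACKER_KEY))
```

Run against a real host, the fingerprint printed for the pinned key should equal what ssh-keyscan or ssh-keygen -lf reports on the integration itself; if the Host Key field is left empty, none of this comparison happens and the first host to answer on that address is trusted.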
Editing and Deleting an Integration
You can edit an existing integration by clicking the Edit button under the Actions column. The Integration Editor window is displayed; change the values as required and click Save.
You can delete an existing integration by clicking the Delete button under the Actions column.
For detailed information see the related Integration Guides.
Testing Integration
Click Test to verify the integration configuration.
When you click the Test button, it triggers the availability check for integration and if anything fails, a detailed error message is displayed. For example, in the case of a Check Point Firewall integration, SOAR needs a credential to work with the integration. If a credential is not available, an error message is displayed.
If the administrator of the remote integration accidentally deletes the credential that SOAR uses, SOAR can no longer execute actions on that integration. In this case the integration is shown as offline, an internal alert is created, and the error is written to the error log. Click the Test button to see the error message.
A successful test marks the integration as online.
Flushing Queues
To flush the queues, click the Flush Queue button under the Actions column of the integrations list. The basic flow in SOAR is as follows:
1. Alert is received.
2. Matched playbooks run.
3. Action and rollback queue objects are created (waiting for execution in the queue).
4. Actions/rollbacks in the action/rollback queues are executed and saved.
When you click the Flush Queue button, SOAR starts executing actions/rollbacks without waiting for the execution scheduler (which consumes action/rollback queue objects).