Integrations

We offer a range of fully realised integrations out-of-the-box. From vulnerability scanners to GRC tools, SOCAutomation is able to integrate seamlessly with your existing infrastructure. Find more information on some of our integrations below.


    IBM QRadar Integration

    IBM QRadar is a Gartner-recognised leading SIEM solution that enables organisations to monitor sophisticated cyber attacks in real time. Combined with SOCAutomation, QRadar becomes an automated Security Operations Centre, making SOC operations delivery a reality. SOCAutomation uses QRadar’s APIs covering offenses, asset data, vulnerability data and X-Force threat intelligence feeds. A QRadar offense typically gives: severity, the IP address(es) of the targeted device, a short description (e.g. excessive firewall denies) and the offense category.

    Context we add includes:

    • Mapping Offenses to Assignees: e.g. a level 1 analyst for offense type X, a level 2 analyst for offense type Y, etc.
    • Stakeholder Mapping: who needs to be kept ‘in the loop’, e.g. the SOC Manager
    • Security Context: offense-specific knowledgebase content, e.g. links to details about a given type of malware
    • Business Context: business-specific knowledgebase content, e.g. links to regulatory or company policy on dealing with malware, DLP, phishing, etc.
    • IP Address -> Username Mapping: shows who was logged on to a machine in the period leading up to the breach (uses Lexicon for this)
    • Automated Process Initiation: e.g. kicks off a set of processes to gather more information, attempt remediation, apply virtual patching, generate tickets, etc.
    • Normalised Security Process: automatically generates the relevant Run-Book for a given offense type (e.g. malware, DDoS), so that multiple teams and analysts know and follow consistent security procedures
    • Audit Tracking: records each step of the incident process as an evidential trail
    • Automatic Notifications: email notifications sent automatically to assignees and stakeholders

    Splunk Integration

    Splunk Enterprise Security (ES) provides rapid detection of internal and external attacks and simplified threat management for Security Operations Centre (SOC) and Incident Response (IR) teams. Splunk ES streamlines security operations by giving insight into machine data generated by network, endpoint, access, malware, vulnerability and identity technologies.

    SOCAutomation ingests the alerts (notable events) generated by Splunk ES and creates best-practice Run-Books, giving your team all the information they need to respond to an incident. SOCAutomation also communicates back to Splunk to close the corresponding notable events once the incident has been completed.


    HP ArcSight Integration

    ArcSight is a leading SIEM solution that enables organisations to monitor sophisticated cyber attacks in real time. Combined with SOCAutomation, ArcSight becomes an automated Security Operations Centre, making SOC operations delivery a reality. SOCAutomation uses ArcSight’s APIs covering incidents, asset data, vulnerability data and threat intelligence feeds. An ArcSight incident typically gives: severity, the IP address(es) of the targeted device, a short description (e.g. excessive firewall denies) and the incident category.

    Context we add includes:

    • Mapping Incidents to Assignees: e.g. a level 1 analyst for incident type X, a level 2 analyst for incident type Y, etc.
    • Stakeholder Mapping: who needs to be kept ‘in the loop’, e.g. the SOC Manager
    • Security Context: incident-specific knowledgebase content, e.g. links to details about a given type of malware
    • Business Context: business-specific knowledgebase content, e.g. links to regulatory or company policy on dealing with malware, DLP, phishing, etc.
    • IP Address -> Username Mapping: shows who was logged on to a machine in the period leading up to the breach (uses Lexicon for this)
    • Automated Process Initiation: e.g. kicks off a set of processes to gather more information, attempt remediation, apply virtual patching, generate tickets, etc.
    • Normalised Security Process: automatically generates the relevant Run-Book for a given incident type (e.g. malware, DDoS), so that multiple teams and analysts know and follow consistent security procedures
    • Audit Tracking: records each step of the incident process as an evidential trail
    • Automatic Notifications: email notifications sent automatically to assignees and stakeholders
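
    As an added illustration of the alert-enrichment flow described in the QRadar, Splunk and ArcSight sections above (example code written for this page, not SOCAutomation's own implementation and not code from any of the SIEM vendors), the script below normalises a QRadar offense and a Splunk ES notable event into one alert shape, then applies the routing, stakeholder, IP-to-username, Run-Book and audit steps listed above and builds the message that would close the alert back in the SIEM. The sample records, routing tables and the list standing in for the Lexicon lookup are constructed; the field names are modelled on the two products' records, and the close-back endpoints are given from memory of the QRadar and Splunk ES REST APIs and should be checked against the vendor documentation for your version. An ArcSight adapter would follow the same pattern as the two shown.

```python
"""Normalise SIEM alerts, enrich them and route them to analysts (illustrative SOAR logic)."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample records. Shapes are modelled on a QRadar offense and a Splunk ES
# notable event, but every value here is invented for this example.
QRADAR_OFFENSE = {
    "id": 4711,
    "description": "Excessive Firewall Denies from a single source\n",
    "severity": 7,
    "offense_source": "10.20.30.40",
    "categories": ["Firewall Deny"],
    "status": "OPEN",
}
SPLUNK_NOTABLE = {
    "rule_title": "Malware Detected on Host",
    "urgency": "critical",
    "dest": "10.20.30.41",
    "security_domain": "endpoint",
}

# Constructed authentication records standing in for the IP -> username lookup
# (the page attributes that lookup to Lexicon; this list is a stand-in, not its API).
AUTH_EVENTS = [
    {"ip": "10.20.30.40", "user": "jsmith", "ts": "2024-05-01T09:02:00Z"},
    {"ip": "10.20.30.40", "user": "svc-backup", "ts": "2024-05-01T11:15:00Z"},
    {"ip": "10.20.30.41", "user": "akhan", "ts": "2024-05-01T10:30:00Z"},
]

# Routing, stakeholder and Run-Book tables (assumed values for illustration).
ASSIGNEE_BY_TYPE = {"firewall": "l1-analyst", "malware": "l2-analyst", "ddos": "l2-analyst"}
STAKEHOLDERS_BY_SEVERITY = [(8, ["soc-manager", "ciso"]), (5, ["soc-manager"]), (0, [])]
RUNBOOK_BY_TYPE = {
    "firewall": ["Confirm source asset owner", "Check for scanning pattern", "Block at perimeter if confirmed"],
    "malware": ["Isolate host", "Collect endpoint artefacts", "Check for lateral movement", "Reimage or clean"],
}
# Splunk ES urgency is a word; QRadar severity is 0-10. Map the former onto the latter.
URGENCY_TO_SEVERITY = {"informational": 1, "low": 3, "medium": 5, "high": 7, "critical": 9}


@dataclass
class Alert:
    source_siem: str
    source_id: str
    severity: int                 # normalised 0-10, QRadar style
    ip: str
    description: str
    alert_type: str               # firewall | malware | ddos | unknown
    assignee: Optional[str] = None
    stakeholders: list = field(default_factory=list)
    user: Optional[str] = None
    runbook: list = field(default_factory=list)
    audit: list = field(default_factory=list)


def classify(description: str, category: str) -> str:
    """Crude keyword classifier; a real deployment would key on the SIEM's own category IDs."""
    text = f"{description} {category}".lower()
    for key in ("malware", "ddos", "firewall"):
        if key in text:
            return key
    return "unknown"


def from_qradar(offense: dict) -> Alert:
    desc = offense["description"].strip()
    category = " ".join(offense.get("categories", []))
    return Alert("qradar", str(offense["id"]), int(offense["severity"]),
                 offense["offense_source"], desc, classify(desc, category))


def from_splunk(notable: dict) -> Alert:
    sev = URGENCY_TO_SEVERITY.get(notable.get("urgency", "medium"), 5)
    title = notable["rule_title"]
    return Alert("splunk", title, sev, notable["dest"], title,
                 classify(title, notable.get("security_domain", "")))


def last_user_for(ip: str, events=AUTH_EVENTS) -> Optional[str]:
    """Most recent logon seen from this IP before the alert (stand-in for the Lexicon lookup)."""
    hits = sorted((e for e in events if e["ip"] == ip), key=lambda e: e["ts"])
    return hits[-1]["user"] if hits else None


def enrich(alert: Alert) -> Alert:
    """Apply assignee, stakeholder, user, Run-Book and audit context to a normalised alert."""
    alert.assignee = ASSIGNEE_BY_TYPE.get(alert.alert_type, "l1-analyst")
    alert.stakeholders = list(next(s for threshold, s in STAKEHOLDERS_BY_SEVERITY
                                   if alert.severity >= threshold))
    alert.user = last_user_for(alert.ip)
    alert.runbook = RUNBOOK_BY_TYPE.get(alert.alert_type, ["Triage manually"])
    alert.audit.append(f"assigned to {alert.assignee}; notified {alert.stakeholders or 'nobody'}")
    return alert


def close_message(alert: Alert) -> dict:
    """Request that would be sent back to the SIEM once the Run-Book is complete.

    Endpoints are from memory of the vendor REST APIs (QRadar needs a closing_reason_id,
    Splunk ES updates notables via notable_update); treat both as assumptions to verify.
    """
    if alert.source_siem == "qradar":
        return {"method": "POST", "path": f"/api/siem/offenses/{alert.source_id}",
                "params": {"status": "CLOSED", "closing_reason_id": 1}}
    return {"method": "POST", "path": "/services/notable_update",
            "params": {"ruleUIDs": [alert.source_id], "status": "closed"}}


if __name__ == "__main__":
    for alert in (enrich(from_qradar(QRADAR_OFFENSE)), enrich(from_splunk(SPLUNK_NOTABLE))):
        print(alert.source_siem, alert.alert_type, alert.assignee, alert.user, alert.runbook)
        print("  close:", close_message(alert))
```

    The normalised `Alert` is the point of the exercise: once every SIEM's record is reduced to the same few fields, a single routing table, a single Run-Book library and a single audit trail serve all of them, which is what the "Normalised Security Process" bullet above is describing.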

    Trend TippingPoint Integration

    Trend Micro TippingPoint offers a wide range of network security solutions with real-time network protection, visibility, and centralised management and analytics that are easy to install, configure and use. SOCAutomation uses TippingPoint’s APIs covering IOCs, Digital Vaccine filters, virtual patching, threat intelligence, vulnerability data, policy, configuration and data automation.

    SOCAutomation orchestrates the TippingPoint IPS malware detection framework and TippingPoint Advanced Threat Protection (ATP) so that, working together, they:

    • analyse suspected new malware across more than 100 network protocols;
    • once malware is detected, qualify its spread using the TippingPoint ATP Endpoint Sensor;
    • remediate by quarantining the affected devices or creating a reputation filter to block any rogue communication.

    Risk Reduction and Patch Management Window Lengthening

    For vulnerability management, SOCAutomation collates all vulnerability and patch information, then reports which security gaps can be closed immediately using TippingPoint’s Virtual Patching capability (an IPS filter that blocks exploitation of a known vulnerability on the wire until the vendor patch is applied). Patch Tuesday becomes patch when we are ready.


    Carbon Black Integration

    SOCAutomation can use the deep forensic and incident response capabilities of Carbon Black to orchestrate incident response end to end and keep business stakeholders informed throughout.

    Realtime Vulnerability Protection

    SOCAutomation can orchestrate vulnerability management platforms together with Carbon Black: newly disclosed vulnerabilities that remain unpatched in the estate are identified, the affected hosts are monitored for attempts to exploit them, and if an exploit fires, the triggering process is automatically killed until a patch becomes available.

    SOCAutomation uses two of the three primary Carbon Black APIs:

    • Carbon Black Client API (CBCAPI) – The CBCAPI is a collection of documentation, example scripts, and a helper library to allow for querying the back-end data store, and getting and setting configuration. This is the same API that the Carbon Black web console uses to interface with the Carbon Black server.
    • Carbon Black Server API (CBSAPI) – The CBSAPI is a collection of documentation, example scripts, and a helper library to help subscribe to Carbon Black server notifications, parse and understand the contents of those notifications, and demonstrate common business logic uses of those notifications.