Integrating with the IBM Security QRadar® SOAR Platform can significantly enhance your customers' ability to respond swiftly and effectively to cyber threats. By developing an app for the SOAR Platform, you can leverage its capabilities to streamline and automate security operations. This blog post aims to give a high-level overview of the process of creating such integrations.
Understanding the Basics
Before diving into development, it's crucial to understand what an app on the SOAR Platform entails. An app is essentially a set of customizations, code, and executables that execute a specific end-to-end function within the platform. These customizations can include functions, tasks, notes, artifacts, and scripts, all designed to enhance the SOAR Platform's capabilities.
Setting Up the Development Environment
To get started, you'll need to install the SOAR SDK on a system separate from your SOAR Platform's host. This environment should meet specific requirements, such as having a container tool (Docker or Podman), sufficient disk space and RAM, and a Python-enabled IDE. The system should also allow access to the SOAR Platform, preferably within a test environment.
See the development environment requirements for IBM QRadar SOAR v50:
- https://www.ibm.com/docs/en/sqsp/50?topic=guide-development-environment
The SOAR SDK and REST API
The SOAR SDK simplifies app development by providing templates and managing connections to the SOAR Platform's APIs and messaging systems. It allows developers to focus on writing the behavior logic of the app, leaving the integration complexities to the SDK. Additionally, the SOAR Platform has a full-featured REST API that facilitates almost all interactions with the platform through JSON-formatted data.
See the SOAR SDK documentation:
- https://www.ibm.com/docs/en/sqsp/50?topic=introduction-sdk
See the SOAR REST API documentation:
- https://www.ibm.com/docs/en/sqsp/50?topic=introduction-rest-api
Creating Playbooks and Playbook Components
Playbooks are the collection of tools, conditions, business logic, workflows, and tasks used to orchestrate a response to security incidents and threats. Before coding your app, it's important to create the playbooks and playbook components on the SOAR Platform. These components form the backbone of your app, dictating how it interacts with the platform and what functionality it provides. This step is about planning and structuring your app's role within the broader context of a security playbook.
The Development Process
With the SDK set up and playbook components defined, you can start developing your app. This process involves generating boilerplate code using the SDK, customizing this code to fulfill your app's specific functions, and then thoroughly testing the app within the SOAR Platform. Look at the Coding Considerations link below to walk through recommendations for creating your functions.
See the steps in the SOAR Development Overview:
- https://www.ibm.com/docs/en/sqsp/50?topic=introduction-development-overview
See four basic use case examples for SOAR:
- https://www.ibm.com/docs/en/sqsp/50?topic=introduction-use-cases
See the SOAR GitHub repo for community app code to use as an example:
- https://github.com/ibmresilient/resilient-community-apps
Testing and Documentation
It's good to test your functions individually on the SOAR Platform as they are created; this helps verify permissions and connectivity early. After development, it's imperative to test your app extensively to identify and fix any potential issues.
Once your app is complete, you can package it, create the container image, and test the app as a whole. The SOAR SDK includes utilities for generating documentation, which is vital for end-users to understand how to install and use your app. Finally, once your app is polished and ready, you can package it for distribution and publish it, making it available for use within the SOAR Platform.
See Packaging your SOAR Application:
- https://www.ibm.com/docs/en/sqsp/50?topic=guide-packaging-your-app
See Testing your SOAR Application:
- https://www.ibm.com/docs/en/sqsp/50?topic=guide-testing-app
See Validating your SOAR Application:
- https://www.ibm.com/docs/en/sqsp/50?topic=guide-validating-your-app
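The development and testing sections above recommend customizing the SDK's generated boilerplate and then testing each function on its own. One way to make that practical is to keep the function's behaviour logic free of SDK imports so it can be unit-tested offline, with the generated component only calling into it. The block below is an added illustration, not code from the SOAR SDK or from the community apps repo; the package name, the input field and the IP classification logic are constructed for the example, and the result layout (version/success/reason/content/inputs/metrics) is modelled on the payload convention that the SDK's helper library produces rather than taken from it.

```python
import ipaddress
import time

PACKAGE_NAME = "fn_ip_classify"  # constructed package name for this example


def validate_inputs(fn_inputs, required):
    """Reject missing or empty required inputs before doing any work.
    A SOAR function should fail fast here rather than partway through."""
    missing = [name for name in required if not fn_inputs.get(name)]
    if missing:
        raise ValueError("Missing required input(s): {}".format(", ".join(missing)))


def classify_ip(value):
    """Behaviour logic with no SDK dependency, so it is unit-testable offline.
    Raises ValueError on anything that is not a valid IPv4/IPv6 address."""
    ip = ipaddress.ip_address(value.strip())
    return {
        "ip": str(ip),
        "version": ip.version,
        "is_private": ip.is_private,
        "is_global": ip.is_global,
        "is_multicast": ip.is_multicast,
    }


def build_result(fn_inputs, started, content=None, reason=None):
    """Shape the output as a versioned success/reason/content payload so the
    playbook can branch on 'success' and show 'reason' on failure."""
    return {
        "version": "1.0",
        "success": reason is None,
        "reason": reason,
        "content": content,
        "inputs": fn_inputs,
        "metrics": {
            "package": PACKAGE_NAME,
            "execution_time_ms": int((time.time() - started) * 1000),
        },
    }


def run_function(fn_inputs):
    """Entry point the SDK-generated component would call with the playbook's
    inputs; every error path still returns a well-formed result dict."""
    started = time.time()
    try:
        validate_inputs(fn_inputs, ["ip_address"])
        return build_result(fn_inputs, started, content=classify_ip(fn_inputs["ip_address"]))
    except ValueError as err:
        return build_result(fn_inputs, started, reason=str(err))
```

Because nothing here touches the platform, the same inputs a playbook would send can be replayed in a local test before the app is packaged into its container image.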
Publishing to AppExchange
Apps published on the IBM Security App Exchange portal go through a quality review process. To submit an app you must create an IBMid and log in to the App Exchange. Once you have logged in, you can contact the Technical Alliance Program (TAP) team to request access.
Tip: Make sure you complete the location and address details in your IBMid profile correctly. Our software download site checks them against the denied party list, and empty or incorrect addresses can trigger US export reviews.
Conclusion
By following the steps outlined in this guide, developers can create effective and efficient apps that enhance their organization's security posture and response capabilities. The TAP team is ready to help you by providing access to resources and assistance as you are developing your integration. Check out our program guide below and reach out to us to get started.
Reference links:
- SOAR SDK
- Development Environment Requirements
- Playbook Designer
- Coding Considerations
- Technology Alliance Program Guide