Integrations Aren't Just for Developers

Introduction

Security Orchestration, Automation and Response (SOAR) platforms gain a lot of strength from the technologies they have in place to enable integrations and the quality of those integrations. As a SOAR vendor, building integrations internally results in high-quality solutions for our customers but it’s not the only way to make those integrations happen. With ThreatConnect, we’ve been enabling Developer Partners and others to integrate with our Platform using the same technologies that our internal teams use. We see that it’s extremely important to offer tools in this area because it allows creativity to meet our technical capabilities to produce something truly unique in value. One part of that toolset that we provide comes in the form of the ThreatConnect Developer Community – a site that we’ve assembled with a generous amount of information about our Platform and best-practices when approaching an integration.

What is the Developer Community?

The ThreatConnect Developer Community is geared towards anyone looking to develop integrations with ThreatConnect. The collection of information that we’ve assembled on this site provides direction and detail to ensure that integrations are built with appropriate values in mind. In addition to capturing lessons-learned from past integration projects, the guidance this site provides takes some of our internal practices and frames them appropriately for someone outside of our organization. While a lot of the content on the Developer Community site is written with Developer Partners in mind, it by no means is an exclusive resource. The information we’ve made available is highly applicable to any of the technical resources making use of the ThreatConnect Platform.

Good ideas don’t just come from the expected places nor does the willingness to see those ideas come to fruition. This site looks to put the right tools into the hands of those capable to improve output quality regardless of the origin. In the next section, we’ll discuss some of the information we share on the Developer Community in additional detail and help you understand the broad applicability.

Integration Descriptions

One of the most useful things that we’ve put together for the Developer Community site is a set of technical descriptions for different integration approaches with ThreatConnect. These documents not only contain links to the necessary documentation that you would need to complete the integration, they also highlight lessons-learned in completing those integrations with parties outside of ThreatConnect. For this reason, you’ll often see guidance statements that may limit the intended use of some Platform features to simplify architecture and allow integrations to remain easy to manage. While there are several integration types defined, here are some specific examples we offer in our documentation that are straight-forward for someone to achieve:

On Demand Enrichment:

This integration type describes the approach to create an enrichment that is used in ThreatConnect Playbooks (on-demand). Typically, a Playbooks App is written in Python 3 and then becomes available for use in Playbooks. Within the Platform, we offer the AppBuilder and make it easy for developers to build, package, and deploy the integration all from a single place. In addition to providing a basic IDE environment that supports versioning, AppBuilder also contains controls for editing app meta data. This, along with our guidance, makes it easy to ensure that your Playbook app is useful beyond just the author. Writing a Playbook App is also a very straight-forward task meaning that anyone with nominal Python 3 experience and some motivation can make it happen.

Low-Volume Alerts Processing:

This integration type describes consuming alerts from an outside source as a trigger for a processing Playbook within ThreatConnect. Typically, an external service would fire a webhook at a Playbook to provide events. This integration type goes beyond just defining that relationship and also crafts this into a way to process those events for memorialization in the Platform and also action. The source for these events is really up to the creativity of the author of the integration and any system capable of firing webhooks could be integrated this way. This sort of integration may be a completely code-free path depending on the incoming data structure provided. The Playbooks feature takes care of a lot of the heaving lifting such as providing the incoming webhook and providing parsers for payload data.

Reference Documents

Beyond just providing the initial guidance for a particular integration type, the Developer Community contains reference documentation. These documents are not only applicable to integration work but may also just provide general understanding around some of the decisions made within the Platform. There are a number of documents available but we’ve summarized a few of the useful items here:

Threat Intelligence Data Mapping

Mapping Threat Intelligence data into any Platform can be a somewhat tricky subject. TI Platforms have lots of places to store data making it extremely important to understand when and how to use these facilities. In order to do this, we’ve assembled a document that looks to get you well into the process of understanding how to map data so that it is useful. See the Threat Intelligence Data Mapping document here. In addition to explaining the data mapping process and high-level criteria, we also discuss what really makes a data source “premium” within our Platform by discussing the strength of relationships. This document really becomes powerful when you plan to insert any data into the Platform whether it’s you actually writing a Threat Intelligence Feed integration or simply adding Indicators via a Playbook.

Playbook Output Variable Names

If you’ve ever used a Playbook within our Platform, there’s no doubt you’ve probably noticed the consistency in the output names of the various apps. This isn’t by accident; this is quite intentional. In order to avoid having a lot of inconsistency between different apps, we follow a standard set of output names that we’ve documented. These standard names allow users to quickly identify characteristics about the data they see while in the Playbooks editor and without necessarily having to jump deep into documentation. As a user, this document could be a helpful look at data that you might otherwise overlook in the sea of outputs that some apps produce. As an integrations author, this document is a vital reference to making your outputs easily accessible to others.

Wrap-Up

Although a majority of integration development is completed by ThreatConnect and Developer Partner teams, it’s important to us to put the right tools in the hands of those with ideas. The Developer Community site has the resources necessary for you to translate ideas into a tactical plan for how to accomplish them. We hope that the guidance that we’ve assembled based on experience helps you set a trajectory for success easily. As we continue to develop documentation on this front, we know that it will no doubt open additional doors for greater contributions.

About the Author
John Hall

John Hall is the Director of Technology Partnerships at ThreatConnect.  He comes from a varied technology background, including 13 years in retail technologies and 2 years in the SDWAN space. John enjoys working to solve big problems with technology using a thoughtful and detailed approach. Currently residing in the Atlanta, GA area, John enjoys spending time with his wife & kids, operating professional audio and video systems, and volunteering with various non-profit organizations.