Response Management

The Response Management feature provides a new, centralized user interface (UI) to configure third-party automated response connections and manage playbook access per tenant. In addition to the centralized UI configuration, administrators have the flexibility to manage separate connections for each tenant, enabling per-tenant customization when desired.

To get started, navigate to Menu > Administration > Settings, then click on Securonix SOAR Settings from the left pane. The Playbook Management screen displays, providing a single UI to manage integration configurations and playbooks.

From the Manage Playbook Access setting, administrators can delegate and configure playbook connections per tenant, or to all tenants as a global playbook update. Manage Playbook Access has two settings: ON and OFF.

Manage Playbook Access: ON

When Manage Playbook Access is set to YES (or enabled), administrators have the flexibility to manage multiple tenants, while isolating playbooks per tenant. Once Manage Playbook Access is enabled, you must add a playbook for the tenant by clicking Add/Remove Playbook in the Tenant column.

Note: To ensure your playbooks are visible on the Security Command Center, Incident Management, and Policy and Threat Model screens, you must configure/add playbooks for each tenant when Manage Playbook Access is enabled.

Next, select one or multiple playbooks for the tenant, then click Save.

Now, you will specify which instance you want to connect to by clicking Connect in the Connection Status column. For this example, the Active Directory instance is used.

Once you click Connect, provide the following details:

  1. Connection Name: A unique name for the connection.
  2. Connection Type for: You can configure the following connections from the SNYPR UI:

    • Active Directory
    • Nessus
    • Cherwell
    • Passive Total
    • CrowdStrike
    • Phantom
    • Cylance
    • Service Now
    • Demisto
    • SpamHaus
    • IBM Resilient
    • Streamsets
    • Okta
    • Virus Total

    Limitation: Administrators can only configure one instance of a connector per tenant.

  3. Select Tenant: The following options are available:

    • Specific Tenant: The configuration details you add for the instance are unique to the tenant. When a specific tenant is selected, the configuration details for the connection are added and used for this playbook only, and for this specific tenant.

      As seen in the following image, the Active Directory instance connects and includes tenant-specific configurations for tenant testabc1. This tenant-specific configuration is used when running the Active Directory playbook on violations for tenant testabc1.

    • All Tenants: You are only required to add the configuration details once. Each tenant inherits the configuration details from the initial instance you configure.

      As seen in the following image, the CEF instance includes configuration details for the playbook that are globally available for all tenants:

      This specific configuration will be used when running this playbook on violations for all tenants.

Manage Playbook Access: OFF

By default, Manage Playbook Access is set to NO (or disabled), allowing administrators to configure playbooks for all tenants as one global playbook update. You will configure the details for an instance using a similar process to the one mentioned in the Manage Playbook Access: ON section. However, there are slight UI differences when Manage Playbook Access is disabled.

Note: There is no access control when Manage Playbook Access is set to OFF. All playbooks are made available and visible for all tenants on the Security Command Center, Incident Management, and Policy and Threat Model screens.

To specify which instance you want to connect to, click Connect in the Connection Status column.

Next, provide a Connection Name and Connection Details, then click Save.

Note: The configurations added are used for all tenants when running playbooks on violations.

When the configuration details are saved, all the playbooks within the instance will be used and available for all the tenants you support.

Search and Filter Options

To find a newly created or existing playbook connection, there are helpful search and filter options available at the top of the Playbook Management UI. You can search response actions by playbook name, vendor, and connection status, or use the Reset icon to clear your filter options.

You can also go back and update an existing instance by clicking the information icon (i) in the Connection Status column.