Uncovering the Powers of IncMan SOAR’s Open Integration Framework

Security operations are processed, and data is consumed, at a dazzling pace. This is why flexibility, customizability, and user-friendliness are deemed core pillars of next-gen security solutions. And it is exactly what IncMan SOAR’s Open Integration Framework is all about.

Security professionals want to be able to customize, integrate, and control their operations with maximum freedom involved, which is why incorporating a SOAR platform that is based on an open-source principle is of the utmost importance. 

IncMan SOAR’s Open Integration Framework provides unlimited means of connecting with disparate tools and technologies, creating various integrations, and triggering different types of actions that align with your needs. Read on to find out more about the boundless possibilities of IncMan’s OIF philosophy. 

The importance of Open Integration Framework in Cyber Security

Open Integration Framework is a real game-changer in the way SOAR technologies operate.

The introduction of OIF in IncMan allowed users to connect disparate technologies and enjoy a more secure remediation workflow, ultimately allowing security teams to have more control over their security operations, choose the most optimal ways for establishing workflows, and improve their remediation processes.

OIF changes the way integrations are being used in IncMan SOAR. It allows you to develop connectors and operate with external technologies, ultimately helping you improve your cyber security posture while enjoying a more user-friendly experience.

IncMan SOAR’s Open Integration Framework is an open standard for defining integrations within the IncMan Platform. By adopting an open approach to security orchestration and automation, IncMan SOAR’s OIF unlocks unlimited possibilities of integration with new technologies and use cases. Thanks to the open integration philosophy adopted by IncMan SOAR, you can:

  • Easily connect and integrate disparate technologies
  • Customize integrations and adapt them to your environment
  • Boost the automation of repetitive tasks with full control

Furthermore, through the Community Portal, DFLabs provides an open and cooperative ecosystem, where you can find and share integrations and Playbooks for tackling specific bespoke use cases.

The key differentiators of IncMan’s Open Integration Framework

What makes IncMan’s OIF unique is its ability to define integrations in a text-based format that works at an action level, not as one monolithic file. This means that integrations in IncMan SOAR are structured in a modular way.

This allows you to autonomously organize and manage complex integrations by breaking them down into multiple standalone actions, thus providing easier maintenance of the code. You can add new actions and customize existing ones without the need to modify the code or worry about how that may impact its functionality.

Actions can be tested directly from the integration section while developing and troubleshooting without the need to create Playbooks or incidents. 

The benefits of IncMan’s Open Integration Framework

We’ve already established that IncMan’s OIF allows you to have an unprecedented level of visibility and control over your integrations. But other than providing you with new ways to develop integration, OIF offers plenty of other benefits as well, such as:

  • Faster integration development through a standard framework
  • You can easily extend existing and develop new integrations
  • Designed to minimize technical knowledge required
  • Use of built-in and third-party libraries
  • Integrations executed in Docker containers
  • Custom integrations can be easily shared between users
  • Increased openness and community involvement
  • Share knowledge and integrations with DFLabs’ IncMan SOAR Community Portal.

Ultimately, our innovative OIF makes it easier for organizations to customize and add new automated integrations within IncMan SOAR. This enables SOCs, CSIRTs, and MSSPs to add unique incident response capabilities without the need for complex coding.

OIF machine learning ARK (Automated Responder Knowledge)

IncMan’s Open Integration Framework machine learning engine, also known as ARK, applies machine learning to historical responses to threats and recommends relevant Playbooks and paths of action to help you respond more effectively to future threats. In short, ARK helps:

  • Assess new incidents based on unique and shared indicators and their relevance to historically recorded incidents
  • Construct a model of the organization’s threat landscape based on recorded historical incidents
  • Suggest appropriate actions and Playbooks by using its algorithm based on similar and related threats
  • Prioritize threats that have greater relevance by assigning them with higher urgency
  • Identify parent incidents and correlate incidents based on similar demographics 

The Automated Responder Knowledge learns from the experiences and actions of your security team and becomes smarter and more effective as time goes on.

Create integrations in a seamless manner

Adding new integrations in IncMan SOAR is a seamless process that doesn’t require complex coding. You have the possibility to extend the capability of integrations at any time, and organizations can easily modify the existing integrations with all the new functionalities that IncMan SOAR provides for maximized customizability.

The execution of each integration is performed in a unique Docker container and is easily configured from within the integration file, providing additional security and eliminating the risk of conflicting libraries.

With IncMan SOAR, there are virtually no limits to the integrations you can create:

  • Creating your own integrations: DFLabs’ team develops the connectors you need, but you can easily develop integrations and have access to the API code. Plus, once you’re done, you can share the integrations with us and we can test them for you. Then, when the integration is ready, we’ll publish it on our portal.
  • No significant coding experience required: IncMan’s OIF allows you to build or modify your own integrations from the ground up. This function is great for a team with developers, System Integrators and MSSPs. In any case, you can create and manage Playbooks with no significant coding experience required.
  • Multiple standard scripting languages: DFLabs allows both users and developers to define integrations in multiple supported standard scripting languages, such as Perl, Python, PowerShell, and Bash, all wrapped into YAML configuration for optimal flexibility.

Furthermore, IncMan allows you to write your own custom scripts that appear as usable actions that can be manually invoked or used within the Playbooks. Usually, custom scripts are used for incident enrichment, specific investigation activities, custom data processing, or escalations. They can be manually executed by the operators as part of an ad hoc investigation step.

The scripts can run inside or outside the Docker container, depending on their functionality. The results of the scripts can be used by subsequent actions in Playbooks.

How does creating an integration actually work?

IncMan SOAR allows you to create integrations with different security tools thanks to its Open Integration Framework philosophy. The creation of the integration is enabled via the Docker containers.

By creating an integration definition container via the OIF, you can upload individual action files. Then, you can just code the action in the integration action file by using one of the supported scripting languages.

Lastly, the user is free to choose the Docker container they want their integration to be executed in, using different types of third-party libraries in the process.

IncMan’s OIF allows you to launch different types of actions

OIF allows users to create 7 different types of actions, Daemons, or triggers (Enrichment, Containment, Notification, Custom, Daemons, Triggers, and Scheduled actions). All these actions can be customized and adjusted according to the needs of the user.

And when it comes to adjusting security operations, the Open Integration Framework allows users to have total control and freedom over their processes by launching Daemons, Triggers, and Scheduled actions:

  • Daemons are defined as scheduled processes that are activated to execute particular actions. Daemons silently work in the background without disrupting the original workflow of the task. You can create Daemons of any nature that interact with the IncMan Data Layer in complete autonomy.
  • IncMan Triggers allow developers to monitor specific manual events performed by the operators and automatically take actions whenever the event is performed. Events that can execute triggers refer to the most common actions analysts perform, such as creating and updating incidents, interacting with tasks or IoCs, and triaging events.
  • Scheduled actions enable you to implement new use cases by defining steps in a Playbook that can be executed multiple times until a specific condition is met or the scheduling time expires.

When integrations are created via the OIF in IncMan SOAR they include the action type “Daemon.” They can be run as a Daemon or a scheduled service, automatically creating incidents based on the results of a predefined query.


The extremely flexible nature of IncMan SOAR’s Open Integration Framework is the key pillar upon which the next-gen IncMan solution is going to be shaped. Flexibility and customizability in the way users develop integrations and modify their operations is a crucial element that allows security professionals to mold their workflows the way they deem most beneficial. 

This is why SOAR solutions such as IncMan, which have adopted the open philosophy, are considered pioneers in the industry, paving the way for the next-gen SOAR solution.

The article Uncovering the Powers of IncMan SOAR’s Open Integration Framework comes from DFLabs.

*** This is a Security Bloggers Network syndicated blog from Our Blog – DFLabs authored by DFLabs. Read the original post at: