Integration capabilities

The Integration Capabilities framework provides a consistent architecture to support interoperability with third-party integrations. This abstracted interface and data model insulates integrations from changes to the core application and ensures a consistent experience for similar types of integrations.

Each integration capability is stored as a record in the Integration Capability table (sn_sec_cmn_integration_capability). Integration capability workflows cannot be run on their own; a capability runs only by launching an implementation workflow. Any plugin that provides an implementation of a capability adds its implementation to the child table, Integration Capability Implementation (sn_sec_cmn_integration_capability_implementation). For more information, see Tables installed with Security Support Common.

The implementation specifies the workflow to be executed, the related integration (plugin id), and the capability it implements. These workflows are executed in parallel using the parallel workflow launcher.
Note: If no implementations are available, capability actions are not displayed in product menus.
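As an added model of the lookup the paragraphs above describe (not code from the Security Support Common plugin): capability and implementation records are constructed inline, the field names (sys_id, name, capability, plugin_id, workflow, active) are assumptions rather than the actual table columns, and the parallel workflow launcher is simulated with Promise.allSettled.

```javascript
// Constructed sample of sn_sec_cmn_integration_capability rows (field names assumed).
const capabilities = [
  { sys_id: 'cap_block', name: 'Block Request' },
  { sys_id: 'cap_isolate', name: 'Isolate Host or Endpoint' },
  { sys_id: 'cap_sightings', name: 'Sightings Search' },
];

// Constructed sample of sn_sec_cmn_integration_capability_implementation rows:
// each names the capability it implements, the providing plugin, and the workflow to run.
const implementations = [
  { capability: 'cap_block', plugin_id: 'com.example.firewall', workflow: 'wf_fw_block', active: true },
  { capability: 'cap_block', plugin_id: 'com.example.proxy', workflow: 'wf_proxy_block', active: true },
  { capability: 'cap_isolate', plugin_id: 'com.example.edr', workflow: 'wf_edr_isolate', active: false },
];

// Active implementations registered for one capability.
function implementationsFor(capSysId, impls = implementations) {
  return impls.filter((i) => i.capability === capSysId && i.active);
}

// Only capabilities with at least one active implementation appear in product menus;
// a capability with none (here: Sightings Search, Isolate Host or Endpoint) is hidden.
function visibleCapabilities(caps = capabilities, impls = implementations) {
  return caps
    .filter((c) => implementationsFor(c.sys_id, impls).length > 0)
    .map((c) => c.name);
}

// Model of the parallel launcher: every implementation workflow for the capability is
// started at once, and the caller gets one result per implementation, so a failing
// integration is reported alongside the ones that succeeded instead of masking them.
async function launchCapability(capSysId, runWorkflow, impls = implementations) {
  const targets = implementationsFor(capSysId, impls);
  if (targets.length === 0) {
    throw new Error(`no implementation registered for capability ${capSysId}`);
  }
  const settled = await Promise.allSettled(targets.map((t) => runWorkflow(t)));
  return targets.map((t, idx) => ({
    plugin_id: t.plugin_id,
    workflow: t.workflow,
    status: settled[idx].status === 'fulfilled' ? 'ok' : 'failed',
  }));
}
```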
The base system includes the following capabilities:
  • Block Request blocks communication with an observable associated with a security incident.
  • Get Network Statistics retrieves a list of active network connections from a host or endpoint.
  • Get Running Processes retrieves a list of running processes on a configuration item (CI) from a host or endpoint.
  • Isolate Host or Endpoint restricts system connections to other devices.
  • Publish to Watchlist adds observables associated with a security incident to a watchlist.
  • Sightings Search determines the presence of malicious observables in your environment.
    Note: When you activate the Sightings Search capability, start the MID Server or, if it is already running, restart it. This allows all files to sync.