Integration capabilities

The Integration Capabilities framework provides a consistent architecture to support interoperability with third-party integrations. This abstracted interface and data model insulates integrations from changes to the core application and ensures a consistent experience for similar types of integrations.

Each integration capability persists in the Integration Capability table (sn_sec_cmn_integration_capability). Integration capability workflows cannot be executed alone; they require the launch of an implementation workflow. Any plugin that provides an implementation of the capability adds its implementation to the child table, Integration Capability Implementation (sn_sec_cmn_integration_capability_implementation). For more information, see Tables installed with Security Support Common.

The implementation specifies the workflow to be executed, the related integration (plugin id), and the capability it implements. These workflows are executed in parallel using the parallel workflow launcher.

Note: If no implementations are available, capability actions are not displayed in product menus.

The base system includes the following capabilities:

- Block Request blocks communication with an observable associated with a security incident.
- Get Network Statistics retrieves a list of active network connections from a host or endpoint.
- Get Running Processes retrieves a list of running processes on a configuration item (CI) from a host or endpoint.
- Isolate Host or Endpoint restricts system connections to other devices.
- Publish to Watchlist adds observables associated with a security incident to a watchlist.
- Sightings Search determines the presence of malicious observables in your environment.

Note: When activating the Sightings Search capability, the MID Server must be started or, if already running, restarted. This action allows all files to sync.

Security Operations Integration - Block Request capability

The Block Action capability blocks observables associated with a security incident on a firewall, web proxy, or other control point using implementation workflows. This capability is used during incident response investigations to contain an identified threat.

Security Operations Integration - Get Network Statistics capability

The Get Network Statistics capability retrieves a list of active network connections from a host or endpoint. It can be used for incident enrichment during investigations. This capability is triggered automatically when a configuration item is added to a security incident.

Security Operations Integration - Get Running Processes capability

The Get Running Processes capability retrieves a list of running processes on a configuration item (CI) from a host or endpoint. This capability is used for incident enrichment during investigations.

Security Operations Integration - Isolate Host capability

The Isolate Host capability restricts system connections to other devices. Isolate Host is executed against a configuration item (CI).

Security Operations Integration - Publish to Watchlist capability

The Publish to Watchlist capability adds observables and indicators associated with a security incident to a third-party watchlist that monitors for security events and generates alerts. This capability is used as part of incident response during investigations.

Security Operations Integration - Sightings Search capability

The Sightings Search capability accepts a set of observables, finds any integrations that support a Sightings Search, then executes these searches.
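The capability/implementation model and the parallel launcher described above, as an added stand-alone JavaScript example that is not ServiceNow code: it models the two tables as plain records, hides capability actions that have no implementation, and launches every implementation of a capability at once. The record field names (sys_id, name, capability, plugin_id, workflow), the plugin ids and the observable value are all constructed assumptions, not the platform's schema or API.

```javascript
// Constructed stand-in for sn_sec_cmn_integration_capability (parent table).
// Field names are assumptions for this example, not the real platform schema.
const capabilities = [
  { sys_id: "cap_block", name: "Block Request" },
  { sys_id: "cap_isolate", name: "Isolate Host or Endpoint" },
  { sys_id: "cap_netstat", name: "Get Network Statistics" }, // no implementation installed
];

// Constructed stand-in for sn_sec_cmn_integration_capability_implementation (child table).
// Each record carries the workflow to run, the providing plugin id, and the capability it implements.
// Workflows are async stubs; the proxy one fails, to show how one broken integration is isolated.
const implementations = [
  { capability: "cap_block", plugin_id: "x_vendor_fw", workflow: async (obs) => ({ blocked: obs }) },
  { capability: "cap_block", plugin_id: "x_vendor_proxy",
    workflow: async () => { throw new Error("proxy unreachable"); } },
  { capability: "cap_isolate", plugin_id: "x_vendor_edr", workflow: async (ci) => ({ isolated: ci }) },
];

// Menu rule from the page: a capability action is shown only when at least one implementation exists.
function visibleCapabilityActions(caps, impls) {
  const implemented = new Set(impls.map((i) => i.capability));
  return caps.filter((c) => implemented.has(c.sys_id)).map((c) => c.name);
}

// Parallel launcher: run every implementation workflow of one capability concurrently.
// Promise.allSettled keeps a failing integration from discarding the results of the others;
// the caller gets one status line per plugin and can decide what to retry or escalate.
async function launchCapability(capSysId, input, impls) {
  const selected = impls.filter((i) => i.capability === capSysId);
  if (selected.length === 0) throw new Error(`no implementation for ${capSysId}`);
  const results = await Promise.allSettled(selected.map((i) => i.workflow(input)));
  return selected.map((i, idx) => ({
    plugin_id: i.plugin_id,
    status: results[idx].status,
    value: results[idx].status === "fulfilled" ? results[idx].value : results[idx].reason.message,
  }));
}

// Usage: 203.0.113.7 is a constructed observable from the documentation address range.
launchCapability("cap_block", "203.0.113.7", implementations)
  .then((r) => console.log(visibleCapabilityActions(capabilities, implementations), r));
```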