Use cases
This section defines four basic use cases and provides examples of existing apps that can be used in these scenarios.
- Monitoring and Escalation
When a significant event occurs, applications connect to Orchestration & Automation to escalate incidents from SIEMs, ticketing systems, and other sources, and include artifacts such as IP addresses, file hashes, URLs, user names and machine names.
The App Exchange contains two such apps, IBM Resilient QRadar integration and Resilient Integration for Splunk.
- Identification and Enrichment
Automatic threat intelligence lookups, playbooks or workflows, and menu-driven actions deliver valuable context and reduce the time needed to identify scope and impact, enabling a rapid, decisive response. Trigger sandbox evaluation and build playbooks that act on the results. Search logs and endpoints and make decisions based on the data. Include Configuration Management Database (CMDB) and directory information to help analysts make an accurate assessment of severity and impact. Pivot on these critical data elements to dynamically adjust the way your team responds.
- Containment, Response and Recovery
Based on trigger conditions or manual actions, Orchestration & Automation can send notifications or initiate external activities to contain the incident and adjust your security posture as part of your response playbook. The Ansible for Resilient app is an example of this type of app.
- Communication and Coordination
By integrating beyond the SOC, users can coordinate a fast and effective incident resolution from Orchestration & Automation. Integrate bi-directionally with ticketing and service management, smart notifications, communication platforms and other business applications.