App developer for SOAR

The app developer writes apps for the SOAR Platform. The apps can access and return external data, interact or integrate with other security systems, or be a utility that runs a specific action.

The programming environment and tools vary depending on the type of app that you want to develop.

Review the following guidelines for creating apps:
  • Use the SOAR SDK to write apps based on functions. The apps are written in Python, and can be compiled in the container-based format or the extension format for use with earlier releases of the SOAR Platform.
  • Use Resilient® Circuits and the integration server to write apps based on custom actions. A custom action populates a custom field or data table within the SOAR Platform, whereas a function returns its results to the component that started the function. Custom actions are a more technical complement to functions. They allow developers to build an application that combines integration activities in specific ways. Custom actions are used to provide a single prescriptive solution that might include extra capabilities but usually gives system administrators less flexibility.
  • Use REST API endpoints to write a custom threat service if you want to add a threat source not currently available from the SOAR Platform.
  • Write directly to the REST API to create a plug-in for a tighter integration than is possible with an app. You can write a plug-in in any language that allows TLS connections to a message broker by using the STOMP or ActiveMQ (OpenWire) protocol. The typical programming languages are Python and Java™. If you use a Java-based language, typically you would use the ActiveMQ client library, which uses the OpenWire protocol. Libraries that support STOMP are available for most modern programming languages. To use Java or any other language, you need to be familiar with the SOAR API.
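
For the plug-in option above, the two parts a STOMP client most often gets wrong are broker certificate verification and header escaping. The following Python sketch is an added example, not code from IBM or the SOAR SDK. It builds a verifying TLS context and encodes and parses STOMP 1.2 frames. The function names are hypothetical, the destination in any call is a constructed placeholder, and only LF line endings are handled.

```python
import ssl

# STOMP 1.2 header escapes. CONNECT/CONNECTED frames are exempt from escaping
# in the spec and are outside this sketch's scope.
_ESC = {"\\": "\\\\", "\r": "\\r", "\n": "\\n", ":": "\\c"}
_UNESC = {v: k for k, v in _ESC.items()}

def broker_tls_context(cafile=None):
    """TLS client context that verifies the broker's certificate and hostname."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def _escape(value):
    return "".join(_ESC.get(ch, ch) for ch in value)

def _unescape(value):
    out, i = [], 0
    while i < len(value):
        step = 2 if value[i] == "\\" else 1
        token = value[i:i + step]
        if step == 2 and token not in _UNESC:
            raise ValueError("undefined escape sequence in STOMP header")
        out.append(_UNESC.get(token, token))
        i += step
    return "".join(out)

def encode_frame(command, headers, body=b""):
    """Serialize a frame; escaping stops a value from injecting extra headers."""
    lines = [command] + [f"{_escape(k)}:{_escape(v)}" for k, v in headers.items()]
    if body:
        lines.append(f"content-length:{len(body)}")
    return "\n".join(lines).encode("utf-8") + b"\n\n" + body + b"\x00"

def decode_frame(raw):
    """Parse one LF-delimited frame into (command, headers, body)."""
    head, sep, rest = raw.partition(b"\n\n")
    if not sep:
        raise ValueError("frame has no header terminator")
    command, *header_lines = head.decode("utf-8").split("\n")
    headers = {}
    for line in header_lines:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError("malformed header line")
        headers.setdefault(_unescape(name), _unescape(value))  # first wins
    if "content-length" in headers:
        return command, headers, rest[:int(headers["content-length"])]
    return command, headers, rest.split(b"\x00", 1)[0]
```

Wrap the socket with `broker_tls_context().wrap_socket(sock, server_hostname=...)` so that the hostname check applies to the broker you intend to reach.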

More information on app development

There are various resources available with information and guidance about app development.

For the SOAR SDK, see the App Developer's Guide.

If you are using an integration server, refer to the Integration Server Guide.

To create a custom threat service, see the Custom Threat Service Guide (PDF).

In addition, the IBM SOAR Community web site provides details, a list of communities, and available documentation. The site is designed for developers to customize and share code, so it contains library modules, community-provided apps (and source code), example scripts, and developer documentation.