SOAR site planner
The SOAR Platform is available in different configurations with various options.
The following sections describe the choices so that you can choose the best configuration for your environment, and understand how to deploy the SOAR Platform in your environment.
SOAR Platform on-premises or cloud configuration
The SOAR Platform can be located in your own environment, known as an on-premises configuration, or from the IBM cloud, known as a SaaS configuration.
An advantage of the cloud configuration is that IBM Security is responsible for setup and maintenance.
An advantage of the on-premises configuration is that you have full control and do not need internet access to use the SOAR Platform. If you have a secure "air-gap" environment, you need the on-premises version of the SOAR Platform.
On-premises system requirements
If you decide on an on-premises configuration, you can choose from three versions of the SOAR Platform package.
- Virtual appliance. The SOAR appliance is provided as a VMware virtual application (vApp) in Open Virtualization Format (.ova file). The VMware image is based on Red Hat® Enterprise Linux® (RHEL). The SOAR appliance runs on VMware vSphere Hypervisor (ESXi). The appliance host must be on a network that is reachable by SSH (for administration access) and by web browser (for user access).
- SOAR software. You install the software on your own RHEL system, which you must configure as described in the installation guide. This includes installing all required packages, such as wget, Extra Packages for Enterprise Linux (EPEL), the pip Python installer, the setuptools Python module, PostgreSQL, and more.
- SOAR FIPS-compliant software. Similar to the SOAR software; however, you install it on your own RHEL system that is configured in FIPS 140-2 compliant mode.
SOAR Platform ports
If your SOAR Platform is behind a firewall, such as in a cloud configuration, configure the firewall to allow access to the following ports.
- 443. Required for HTTPS access to the SOAR Platform, both from web browsers and from clients that use the REST API.
- 65000. Required only if you need to support Java™-based apps. It is typically used by Java-based custom actions that communicate with the platform by using ActiveMQ OpenWire.
- 65001. Required only if you need to support Python-based apps that are used by SOAR functions and Python-based custom actions, which communicate with the platform by using the STOMP messaging protocol.
- 9000. Required only if you need to support custom threat feeds. Custom threat feeds are not applicable to a SOAR Platform in a cloud configuration, so this port is relevant only on-premises.
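Before opening firewall rules, it helps to work out which of the ports above a given deployment actually needs and then confirm from a client network that only those are reachable. The following script is an added example, not part of IBM's documentation or product. The port numbers come from the list above; the option names, the hostname, and the check logic are the editor's own assumptions.

```python
"""Plan and verify SOAR Platform firewall ports.

Added example (not IBM code). The port numbers match the site planner;
everything else is an assumption for illustration.
"""
import socket
import sys

PORT_HTTPS = 443           # browser and REST API access over HTTPS
PORT_OPENWIRE = 65000      # Java-based apps and custom actions (ActiveMQ OpenWire)
PORT_STOMP = 65001         # Python-based apps, functions and custom actions (STOMP)
PORT_THREAT_FEEDS = 9000   # custom threat feeds, on-premises only


def required_ports(java_apps=False, python_apps=False,
                   custom_threat_feeds=False, cloud=False):
    """Return the set of TCP ports the firewall must allow for this deployment.

    Only ports that the deployment actually uses are included, so the
    messaging ports stay closed when no apps need them.
    """
    if custom_threat_feeds and cloud:
        # The site planner states custom threat feeds do not apply in the cloud.
        raise ValueError("custom threat feeds are not available in a cloud configuration")
    ports = {PORT_HTTPS}
    if java_apps:
        ports.add(PORT_OPENWIRE)
    if python_apps:
        ports.add(PORT_STOMP)
    if custom_threat_feeds:
        ports.add(PORT_THREAT_FEEDS)
    return ports


def check_port(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, filtered (timeout) or unresolvable host all count as blocked.
        return False


def check_host(host, ports, timeout=2.0):
    """Map each port in `ports` to whether it is reachable from this machine."""
    return {port: check_port(host, port, timeout) for port in sorted(ports)}


if __name__ == "__main__":
    # Hostname is an assumed placeholder; pass the real one on the command line.
    target = sys.argv[1] if len(sys.argv) > 1 else "soar.example.internal"
    needed = required_ports(python_apps=True, custom_threat_feeds=True)
    for port, reachable in check_host(target, needed).items():
        print(f"{target}:{port} {'open' if reachable else 'BLOCKED'}")
```

Run it once from the network segment where app hosts or integration servers will live, and once from a segment that should have no access, to confirm that the messaging ports are open only where they are required.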
Types of authentication to the SOAR Platform
In addition to local accounts, you can configure the SOAR Platform to use LDAP or SAML authentication, and you can add two-factor authentication on top of either.
You can use either SAML authentication or LDAP authentication, but not both. Two-factor authentication is a second layer of authentication that you can combine with LDAP or SAML.
The following authentication methods are available.
Local
You can create user accounts on the SOAR Platform, where users log in over HTTPS with their web browsers.
The SOAR Platform also supports API key accounts, which allow external scripts or apps to authenticate to the SOAR Platform. These accounts have no access to the user interface and cannot be members of an incident or group, which limits what a leaked key can be used for.
LDAP
To configure the SOAR Platform to use LDAP authentication, you must have an Active Directory server; Active Directory is the only LDAP directory that the SOAR Platform supports.
SAML
SAML authentication involves two roles: an identity provider and a service provider. The SOAR Platform serves as the SAML service provider. An authentication and identification system that you provide (such as Microsoft Active Directory Federation Services) serves as the identity provider.
Two-factor authentication
Two-factor authentication verifies a user's identity by requiring two different kinds of credential, so that a stolen password alone is not enough to log in.
The SOAR Platform uses Duo Security, a third-party vendor, as its two-factor authentication provider. When you enable two-factor authentication, users log in with their email address and password and are then presented with a challenge to verify their identity. The challenge is the second layer of security, provided by Duo Security. It appears whenever a user who has not already completed two-factor authentication tries to access an organization.
Other configuration settings
On-premises site managers can complete additional configuration such as audit logging and ciphers.
- Audit logs
You can configure the SOAR Platform to log audit messages for user logins and logouts and for administrative actions that are taken from the user interface.
- Optional Linux packages
For the virtual appliance configuration only, you can install optional Linux packages on your system, such as rsync, Linux screen, and Net-SNMP.
- Ciphers
A cipher suite is a set of cryptographic algorithms that are used to establish secure (TLS) connections and to encrypt and authenticate the data that is sent over them. By default, the SOAR Platform uses a secure set of cipher suites. You can modify the list of cipher suites and specify which TLS protocol versions to allow.
- KeyVault
The KeyVault feature combines all relevant application “secrets” into a single Java keystore.
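Before replacing the default cipher list (the Ciphers item above), a site manager should check what a candidate OpenSSL-style cipher string would actually enable on the platform's OpenSSL build and whether any of those suites lack forward secrecy or use weak algorithms. The following is an added example written for this page, not IBM code, and the concerns it flags are the editor's own criteria rather than the platform's defaults; it uses only the standard `ssl` module, and `classify` accepts dicts in the shape that `ssl.SSLContext.get_ciphers()` returns.

```python
"""Audit an OpenSSL-style cipher list before applying it to a TLS endpoint.

Added example (not IBM code). The flagging rules below are the editor's
assumptions about what a hardened endpoint should not negotiate.
"""
import ssl

# Key-exchange values (from ssl.SSLContext.get_ciphers()) that give forward
# secrecy. "kx-any" is what OpenSSL reports for TLS 1.3 suites, which are
# always ephemeral (EC)DHE.
FORWARD_SECRET_KEA = ("kx-ecdhe", "kx-dhe", "kx-any")

# Algorithm names that should not appear in a modern cipher list.
WEAK_ALGORITHMS = ("RC4", "DES", "NULL", "MD5", "EXPORT")


def classify(cipher):
    """Return a list of concerns for one cipher dict; empty means acceptable.

    `cipher` needs the keys "name", "kea" and "aead", as produced by
    ssl.SSLContext.get_ciphers().
    """
    concerns = []
    if cipher["kea"] not in FORWARD_SECRET_KEA:
        concerns.append(f"no forward secrecy ({cipher['kea']})")
    if not cipher["aead"]:
        # CBC + HMAC suites have a history of padding-oracle problems.
        concerns.append("non-AEAD (CBC/HMAC)")
    name = cipher["name"].upper()
    for bad in WEAK_ALGORITHMS:
        if bad in name:
            concerns.append(f"weak algorithm {bad}")
    return concerns


def audit(spec):
    """Resolve `spec` with the local OpenSSL and classify every suite it enables.

    Returns {suite_name: [concerns]}. An empty dict means the spec matched no
    suite that this OpenSSL build will negotiate, which is itself a finding:
    applying it would leave the endpoint unable to complete any handshake.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        return {}
    # get_ciphers() also lists the TLS 1.3 suites, which set_ciphers() does
    # not control; they are always AEAD with ephemeral key exchange.
    return {c["name"]: classify(c) for c in ctx.get_ciphers()}


def report(spec):
    """Print the audit for a candidate cipher string (constructed usage)."""
    result = audit(spec)
    if not result:
        print(f"{spec!r}: no cipher can be selected on this OpenSSL build")
        return
    for name, concerns in result.items():
        status = "ok" if not concerns else "; ".join(concerns)
        print(f"{name:<40} {status}")


if __name__ == "__main__":
    # Candidate strings are constructed for illustration, not SOAR defaults.
    report("ECDHE+AESGCM:ECDHE+CHACHA20")
    report("AES128-SHA:ECDHE-RSA-AES256-SHA")
```

Run `audit` on the exact string you intend to configure; anything reported with concerns should be removed from the list, and an empty result means the string is wrong for the OpenSSL version on the appliance.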
SOAR Platform disaster recovery
The SOAR Platform Disaster Recovery (DR) system provides the capability to re-establish an operational SOAR system within defined recovery time and data loss objectives.
The DR system consists of two SOAR systems, each of which is running the same version of the SOAR Platform. It is not a high availability (HA) system.
The DR system is a separately licensed product. For more information, contact your IBM Security representative.
App Host and integration server
- App Host. An App Host is a Kubernetes-based container deployment environment that hosts container-based apps. A single system can host multiple App Hosts, where each App Host is paired to a single SOAR organization. You cannot install the App Host and resilient-circuits on the same system; the App Host must be installed on a dedicated system.
- Integration server. Use the integration server to create or download extension-based apps and then deploy them to the SOAR Platform.
Regardless of which type of hosting system you use, for security and performance reasons IBM recommends that you use a dedicated system to host the apps.
More information on site planning
There is a separate installation guide for each of the SOAR Platform deployment options.
- Virtual Appliance Installation Guide
- Software Installation Guide
- FIPS Compliant Software Installation Guide
The installation guides are available in Site manager (on-premises only). The FIPS Compliant Software Installation Guide is available on request from IBM Security Support.
If you are using the disaster recovery feature, refer to the Disaster Recovery Guide, also available in Site manager (on-premises only).
If you are using the integration server, refer to the Integration Server Guide, available in SOAR Apps and App Host.