SOAR system administrator
The system administrator configures and maintains the administrative sections of the SOAR organization, such as users and user roles. If you are using the MSSP add-on deployment, the system administrator manages the child organizations from the configuration organization.
The SOAR organization and authentication choices are configured during the initial setup, whether a cloud or on-premises configuration, or standard or MSSP add-on deployment. They cannot be changed from the SOAR Platform user interface.
When logged in to a SOAR organization, the administrative features are available from the Administrator Settings menu next to your username.
The following sections describe the administrative responsibilities.
SOAR authentication methods
Administrators create user accounts directly in the SOAR Platform by entering a user's email address and sending them an invitation to join. Users then log in by opening the SOAR Platform URL in their browsers.
Additionally, your SOAR Platform might be configured for LDAP or SAML authentication, but not both. Furthermore, your platform might be configured for two-factor authentication, which can be used with either LDAP or SAML. The SOAR Platform administrator can enable or disable LDAP or two-factor authentication, but cannot configure it.
Enabling LDAP authentication allows LDAP users to authenticate with their LDAP credentials.
If you enable two-factor authentication, select an authentication domain (if there is more than one). Then set the cookie lifetime, in days, after which a user must reauthenticate with the second factor.
Refer to New user and roles for information about creating user accounts.
Refer to Settings for information about LDAP and two-factor authentication settings.
Manage users and roles
The SOAR administrator manages user access and related functions.
- Configure local user accounts. You can choose to configure local accounts along with LDAP.
- Create and manage workspaces. A workspace is a container or partition for grouping different categories of incidents, which can aid in managing incidents more efficiently across multiple teams and also within teams. For example, you might want to have a workspace for all incidents that involve Personal Information loss.
- Create and manage roles. A role is a set of permissions. If you are using workspaces, you can grant a user a global role, which is a set of permissions that apply across the SOAR organization, and a workspace role, which is a set of permissions for specific workspaces only.
- Configure notifications. A notification can be an email or system notification that is sent to users when a specific condition occurs for a specific object. You determine the condition, such as object creation or deletion, or a change in value to a field. An object can be an incident, note, milestone, task, attachment, or artifact.
Configure inbound email connections
The SOAR administrator can configure the SOAR organization to receive emails from one or more mail servers, such as a phishing threat service.
The SOAR playbook designer can then write rules and scripts to automatically create incidents based on email messages.
For more information about configuring incoming email connections, see Configuring an inbound email connection (changed in 51.0.2.0).
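As an added example that is not part of the SOAR product or its documentation, the following Python script shows the kind of processing a rule-triggered script performs on an inbound message before creating an incident: parse the headers and body, flag a Reply-To address that differs from the sender, and turn the sender, embedded URLs and their hostnames into artifacts that threat sources can later be queried for. The incident dict, its field names and the artifact type names are assumptions chosen for illustration; the SOAR script API is not used, and the sample message is constructed.

```python
"""Parse an inbound email into incident fields and artifacts.

Added example; it is not the SOAR script API. The incident is a plain dict and
the field and artifact type names are assumptions chosen for illustration.
Only the Python standard library is used.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: a phishing message forwarded to the monitored mailbox.
SAMPLE_EMAIL = """\
From: "IT Helpdesk" <helpdesk@example-corp.com>
Reply-To: collector@example-evil.test
To: soc@example-corp.com
Subject: Password expiry notice
Message-ID: <20240101.abc123@example-evil.test>
Content-Type: text/plain; charset="utf-8"

Your password expires today. Reset it at http://login.example-evil.test/reset
or via https://example-corp.com.login.example-evil.test/auth before 5pm.
"""

URL_RE = re.compile(r"https?://[^\s<>\"'\)\]]+", re.IGNORECASE)


def extract_urls(text):
    """Distinct URLs in order of first appearance; trailing sentence punctuation is dropped."""
    seen, urls = set(), []
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;:")
        if url and url not in seen:
            seen.add(url)
            urls.append(url)
    return urls


def email_to_incident(raw_message):
    """Build the incident an email-triggered rule would create from one message."""
    msg = message_from_string(raw_message, policy=policy.default)
    _, sender = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""

    # A Reply-To that differs from From is a common phishing indicator.
    reply_to_mismatch = bool(reply_to) and reply_to.lower() != sender.lower()

    artifacts = [{"type": "Email Sender", "value": sender}]
    if reply_to_mismatch:
        artifacts.append({"type": "Email Sender", "value": reply_to})
    hosts_seen = set()
    for url in extract_urls(body):
        artifacts.append({"type": "URL", "value": url})
        host = urlparse(url).hostname
        if host and host not in hosts_seen:
            hosts_seen.add(host)
            artifacts.append({"type": "DNS Name", "value": host})

    return {
        "name": f"Reported email: {msg.get('Subject', '(no subject)')}",
        "message_id": str(msg.get("Message-ID", "")),
        "reply_to_mismatch": reply_to_mismatch,
        "artifacts": artifacts,
    }


if __name__ == "__main__":
    incident = email_to_incident(SAMPLE_EMAIL)
    print(incident["name"], "| reply-to mismatch:", incident["reply_to_mismatch"])
    for artifact in incident["artifacts"]:
        print(f"  {artifact['type']}: {artifact['value']}")
```

Deduplicating URLs and hostnames before they become artifacts matters in practice: each artifact can trigger a threat-source lookup, so a message that repeats the same link ten times should not produce ten queries.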
Import and export settings
You can import and export settings, such as rules, workflows, scripts, fields, and incident layouts to a file.
The import and export settings feature is useful for backing up settings and for copying them from one SOAR organization to another. For example, you can export your settings from a test environment once it passes the acceptance criteria, then import them into the production environment.
For more information about the import and export settings, see Migrating SOAR settings.
Manage legal definitions as timeframes
The Timeframes tab defines various legal terms as a specific length of time.
The terms can be used when you assign due dates to tasks in various incidents, although users can adjust the dates on a per-task basis. For example, the term, “as soon as possible,” might be defined to be 15 days. Typically, timeframes are legal definitions and should be changed only after you consult with legal counsel.
For more information about timeframes, see SOAR platform timeframes.
Add IP whitelists
The SOAR administrator can use the Network tab to define an approved list of IP addresses that are allowed to connect to the SOAR Platform for your organization.
If you specify one or more IP address ranges, connections are possible only from those locations. If you do not specify an IP address range, then users can connect from any IP address.
For more information about configuring IP whitelists, see Approved IP addresses and network.
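Because connections are possible only from the listed ranges once any range is specified, an allowlist that omits the address you are administering from locks you out of the organization. As an added example that is not part of the SOAR product or its documentation, the following Python pre-check validates a proposed list before it is typed into the Network tab: it rejects malformed entries, flags a catch-all range that admits every address, reports entries already covered by a broader one, and confirms that every address you must keep access from is covered. The entry format (CIDR ranges or single addresses) and the sample addresses are assumptions; it uses only the standard library.

```python
"""Pre-check a proposed approved-IP list before applying it in the SOAR Network tab.

Added example, not part of IBM SOAR. Entries are CIDR ranges or single
addresses (an assumption about the input format); only the standard library is used.
"""
import ipaddress

# Either of these admits every address, which is the same as having no allowlist.
CATCH_ALL = {ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")}


def parse_ranges(ranges):
    """Parse entries into networks; returns (networks, problems) with one problem per bad entry."""
    networks, problems = [], []
    for entry in ranges:
        text = entry.strip()
        try:
            # strict=False accepts a host address with host bits set, e.g. 203.0.113.7/24.
            net = ipaddress.ip_network(text, strict=False)
        except ValueError:
            problems.append(f"invalid entry {text!r}: not an IP address or CIDR range")
            continue
        if "/" in text and str(net) != text:
            problems.append(f"{text!r} has host bits set; it would be treated as {net}")
        networks.append(net)
    return networks, problems


def validate_allowlist(ranges, must_allow):
    """Return (networks, problems). An empty problems list means the list is safe to apply.

    ranges: the entries to be placed in the allowlist.
    must_allow: addresses that must keep access (admin workstations, VPN egress, integrations).
    """
    networks, problems = parse_ranges(ranges)

    seen = set()
    for net in networks:
        if net in CATCH_ALL:
            problems.append(f"{net} admits every address; equivalent to no allowlist")
        if net in seen:
            problems.append(f"{net} is listed more than once")
        seen.add(net)

    # An entry fully contained in another is redundant; a minimal list is easier to review.
    for net in networks:
        for other in networks:
            if net is not other and net != other and net.version == other.version and net.subnet_of(other):
                problems.append(f"{net} is already covered by {other}")
                break

    # The lock-out check: every address you administer from must match some entry.
    for addr_text in must_allow:
        addr = ipaddress.ip_address(addr_text.strip())
        if not any(addr.version == net.version and addr in net for net in networks):
            problems.append(f"{addr} would be locked out: no entry covers it")

    return networks, problems


if __name__ == "__main__":
    # Constructed sample: an office range, a redundant subnet, a VPN egress host and a typo.
    proposed = ["203.0.113.0/24", "203.0.113.128/25", "198.51.100.7", "not-an-ip"]
    admins = ["203.0.113.10", "192.0.2.1"]
    nets, findings = validate_allowlist(proposed, admins)
    print("parsed:", [str(n) for n in nets])
    for finding in findings:
        print("  -", finding)
```

Run the check with the real addresses your administrators and integrations connect from, and keep at least one out-of-band path (for example a VPN egress address that is always listed) so a mistaken edit can be reverted.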
Enable or disable threat sources
When artifacts are added to incidents, the SOAR Platform can search for those artifacts across integrated cyberthreat sources. If the artifacts are found in the cyberthreat sources, additional information is provided.
You can enable and disable threat sources for your company. Threat sources are not enabled by default.
For more information about configuring threat sources, see Enabling or disabling threat sources.
More information on SOAR Platform administration
Use the SOAR administrator guide for information about administering the SOAR Platform. If your organization uses the SOAR for MSSPs capabilities, refer to the SOAR for MSSPs guide.