I wanted to know if there is a possibility wherein Ansible can be integrated with the Elastic SIEM app to take some automated actions against security events, so that we can build custom SOAR functionality rather than depending on third-party apps to achieve SOAR.
If there is a possibility, please briefly explain or give some reference documentation for my perusal.
Hi @imran - how are you planning to use Ansible for SOAR? Do you have some kind of automation/orchestration framework for that?
In general, the Elastic SIEM uses data that is already in Elasticsearch, so the way to do it would be to query Elasticsearch and then trigger Ansible based on the response.
Sorry for the delay in response. We were thinking of designing the solution in a way where the Watcher will invoke Ansible playbooks from the actions section...
We were also thinking about using TheHive: having the Watcher create security incidents in TheHive and then maybe using TheHive to invoke automation scripts.
Do let me know if you have any info or a use case regarding this...
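The two ideas in this thread, querying Elasticsearch for SIEM alerts and then triggering Ansible from the response, and having a Watcher call Ansible from its actions section, can be joined with a small piece of glue. The example below is added here and is not code from Elastic, Ansible, TheHive or anyone in the thread. It assumes the detection alerts live in the `.siem-signals-default` index with the rule name under `signal.rule.name`, that a Watcher webhook action POSTs the matching hits to a small HTTP receiver (not shown) which hands the body to `handle_webhook_body`, and that the playbook paths, the webhook URL and the rule-to-playbook table are placeholders. The point a SOAR bridge must get right is that alert fields are attacker-influenced data: the playbook is chosen from an allow-list, target values are validated, and `ansible-playbook` is built as an argv list rather than a shell string.

```python
"""Added example: Elastic Watcher to Ansible bridge for a home-grown SOAR."""
import json
import re
from typing import Any

# Hypothetical allow-list: an alert can only select a playbook from this table,
# never name an arbitrary file or command. Paths are placeholders.
RULE_TO_PLAYBOOK = {
    "Malware - Prevented": "/opt/soar/playbooks/isolate_host.yml",
    "Brute Force Login": "/opt/soar/playbooks/block_source_ip.yml",
}

# Alert fields copied into extra-vars are validated before use.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$")
IPV4_RE = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")


def build_watch(webhook_url: str, index: str = ".siem-signals-default") -> dict[str, Any]:
    """Watcher definition: every minute, find open SIEM alerts from the last
    minute and POST the hits to the Ansible-side receiver (assumed index/field)."""
    query = {"bool": {"filter": [{"term": {"signal.status": "open"}},
                                 {"range": {"@timestamp": {"gte": "now-1m"}}}]}}
    return {
        "trigger": {"schedule": {"interval": "1m"}},
        "input": {"search": {"request": {"indices": [index],
                                         "body": {"size": 50, "query": query}}}},
        "condition": {"compare": {"ctx.payload.hits.total": {"gt": 0}}},
        "actions": {"run_ansible": {"webhook": {
            "method": "POST",
            "url": webhook_url,
            "headers": {"Content-Type": "application/json"},
            # toJson serialises the hits so the receiver gets the full alert documents.
            "body": "{{#toJson}}ctx.payload.hits.hits{{/toJson}}",
        }}},
    }


def plan_playbook_run(alert: dict[str, Any]) -> list[str]:
    """Map one alert document (_source) to an ansible-playbook argv list.
    A list, not a shell string, so alert fields are never parsed by a shell."""
    rule_name = alert.get("signal", {}).get("rule", {}).get("name")
    playbook = RULE_TO_PLAYBOOK.get(rule_name)
    if playbook is None:
        raise ValueError(f"no playbook mapped for rule {rule_name!r}")
    extra_vars: dict[str, str] = {}
    host = alert.get("host", {}).get("name")
    if host is not None:
        if not HOSTNAME_RE.match(host):
            raise ValueError(f"rejected host.name {host!r}")
        extra_vars["target_host"] = host
    src_ip = alert.get("source", {}).get("ip")
    if src_ip is not None:
        if not IPV4_RE.match(src_ip):
            raise ValueError(f"rejected source.ip {src_ip!r}")
        extra_vars["source_ip"] = src_ip
    if not extra_vars:
        raise ValueError("alert carries no usable target fields")
    # ansible-playbook accepts JSON for --extra-vars, avoiding key=value quoting issues.
    return ["ansible-playbook", playbook, "--extra-vars", json.dumps(extra_vars)]


def handle_webhook_body(body: str) -> tuple[list[list[str]], list[str]]:
    """Parse the hits the webhook action POSTs; return planned runs and the
    reasons any alerts were skipped (skips should be logged, never silently dropped)."""
    runs, skipped = [], []
    for hit in json.loads(body):
        try:
            runs.append(plan_playbook_run(hit["_source"]))
        except (KeyError, ValueError) as exc:
            skipped.append(f"{hit.get('_id', '?')}: {exc}")
    return runs, skipped


# Constructed sample of a webhook delivery: two usable alerts and one whose
# host.name carries shell syntax, which the validation must refuse.
SAMPLE_BODY = json.dumps([
    {"_id": "a1", "_source": {"signal": {"status": "open", "rule": {"name": "Malware - Prevented"}},
                              "host": {"name": "web-01"}}},
    {"_id": "a2", "_source": {"signal": {"status": "open", "rule": {"name": "Brute Force Login"}},
                              "source": {"ip": "203.0.113.7"}}},
    {"_id": "a3", "_source": {"signal": {"status": "open", "rule": {"name": "Malware - Prevented"}},
                              "host": {"name": "web-02; rm -rf /"}}},
])

if __name__ == "__main__":
    print(json.dumps(build_watch("https://soar.example.internal/hooks/ansible"), indent=2))
    planned, rejected = handle_webhook_body(SAMPLE_BODY)
    for argv in planned:
        print("would run:", argv)  # a real receiver would call subprocess.run(argv)
    for reason in rejected:
        print("skipped:", reason)
```

The `build_watch` output is what you would PUT to the Watcher API; the receiver side is deliberately a planner that returns argv lists, so the actual `subprocess.run` call can be wrapped with whatever approval, rate limiting or ticketing (for instance a TheHive case) the team wants before a playbook touches production hosts.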