The SOAR RFP
Have you been looking at SOAR? Did you create an RFP? Did every vendor respond "yes" to every question? For a consumer, this is the most difficult step of purchasing a SOAR tool. Since you can write arbitrary code, any task may be accomplished via the SOAR tool. As a result, the answer to every question is "Yes." The real question is whether you should do certain tasks within the SOAR.
We'll highlight some of our favorite differentiating questions below. Having completed and read far too many RFPs, we've learned that more is less. Focus on your intended use cases and how SOAR can apply to them, as opposed to what SOAR is capable of.
Disclaimer: We work with all major SOAR technologies. There is no clear-cut choice. Every SOAR has its strengths and weaknesses.
Configuration
- Are you able to view raw integration code in your platform without downloading the integration?
- What versions of Python do you support?
- Do you support PowerShell?
- Are you able to install all integrations without having to leave the console?
- Are integrations able to be executed from the command line?
- How do you pass files to integrations? Can you store files within a case?
Debugging
- Question: Are you able to capture the raw HTTP request / response from an integration?
- Rationale: When debugging an integration, nearly every SOAR manipulates the request with Python. Certain APIs are particular about how they handle the data, and the difference of a single space may produce a 500 or a less precise error message. As a result, having the ability to see the specific request and response can be crucial to debugging.
- Question: Are you able to view the raw code in the platform without downloading the integration?
- Rationale: While being able to download the integration is helpful, it’s also a pain.
- Are there any limitations on which packages can be installed?
- Do you support offline pip packages?
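As an added example (not code from the original post or from any SOAR vendor), the stdlib-only Python helper below renders the exact bytes a small integration action would put on the wire, locates where two renderings of the "same" request diverge (here, the space that json.dumps inserts by default versus compact separators), and parses a raw response. The API host and bearer token are placeholders, and the sample response is constructed.

```python
import json
from urllib.parse import urlsplit

def render_raw_request(method, url, headers=None, body=None):
    """Serialize an integration's HTTP call into the bytes that go on the wire."""
    parts = urlsplit(url)
    path = (parts.path or "/") + (f"?{parts.query}" if parts.query else "")
    hdrs = {"Host": parts.netloc}
    hdrs.update(headers or {})
    data = b""
    if body is not None:
        # JSON objects use json.dumps defaults, which add a space after ':' and ','
        data = body if isinstance(body, bytes) else json.dumps(body).encode()
        hdrs.setdefault("Content-Type", "application/json")
        hdrs["Content-Length"] = str(len(data))
    lines = [f"{method.upper()} {path} HTTP/1.1"]
    lines += [f"{k}: {v}" for k, v in hdrs.items()]
    return "\r\n".join(lines).encode() + b"\r\n\r\n" + data

def first_difference(raw_a, raw_b):
    """Byte offset where two raw requests diverge, or -1 if they are identical."""
    for i, (x, y) in enumerate(zip(raw_a, raw_b)):
        if x != y:
            return i
    return -1 if len(raw_a) == len(raw_b) else min(len(raw_a), len(raw_b))

def parse_raw_response(raw):
    """Split a raw HTTP response into (status code, reason, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    _version, code, reason = status_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return int(code), reason, headers, body

# Constructed sample: one action body serialized two ways (placeholder host/token).
URL = "https://api.example.test/v1/alerts?limit=1"
AUTH = {"Authorization": "Bearer <token>"}
DEFAULT = render_raw_request("POST", URL, AUTH, {"id": 1})
COMPACT = render_raw_request("POST", URL, AUTH,
                             json.dumps({"id": 1}, separators=(",", ":")).encode())
# Constructed response of the kind a picky API might return for one of them.
SAMPLE_RESPONSE = (b"HTTP/1.1 500 Internal Server Error\r\n"
                   b"Content-Type: application/json\r\nContent-Length: 27\r\n\r\n"
                   b'{"error":"invalid request"}')

if __name__ == "__main__":
    print(DEFAULT.decode())
    print("first differing byte:", first_difference(DEFAULT, COMPACT))
    print(parse_raw_response(SAMPLE_RESPONSE)[:2])
```

Running it shows that the only visible difference between the two requests is the Content-Length digit and the body spacing, which is exactly the kind of detail that is invisible unless the platform exposes the raw request.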
Scalability
- How are integrations run? Are they deployed into a Docker container or a virtual environment?
- How are Python packages managed? Globally or within each integration?
- How do you remotely run actions in an on-premises environment?
- What are the requirements for the agent and how many actions can it support?
Case Management
- What triggers a case to be created?
- How are logins managed? Does each portion of your product require an individual login or user account? Do you license by user accounts for the different parts of the product?
- How do you deduplicate cases?
- How do you group cases?
- How do you support custom fields?
- Do you have any built-in framework mappings?
- How do you support visualizing data within a case?
Capacity
These should be applicable to what you expect in your environment.
- Are you capable of ingesting (client-specified) number of alerts a day with 8 integration actions per alert?
- What is the number of concurrent actions you can support?
- How do you queue pending integration actions?
Notice that certain questions are missing, such as "How many playbooks do you have?" or "How many integrations?" That's intentional. We don't think those are criteria for evaluating a SOAR. At the end of the day, an integration is roughly 20 lines of Python code. If you don't have the ability to
Interested in the full RFP?
Reach out to us at sales@sprwlabs.com