
February 11, 2021 By Michele Zambelli

Daemons in Cloud SOAR: proactively enhancing SecOps

SOAR takes over where detection starts.

SOAR adds power and flexibility to conventional SecOps, and automated programs like Daemons let playbooks give workflows a whole new dimension.

When it comes to Daemons, these processes are particularly important to the functionality of automation in SecOps. They operate without the direct supervision of users, and their work in the background is of vital importance in continuously optimizing workflow processes.

But how do Daemons work exactly? And what is their role in modern-day SecOps? Read on to find out.

Daemons in Cloud SOAR: Practical example

In layman’s terms, Daemons are scheduled processes that are launched to execute a particular action on a chosen schedule. Daemons are often launched to respond to network requests and system activity, and to help optimize SecOps workflows.

You can think of Daemons as activities that silently work in the background, ensuring that the task they’ve been assigned is continuously processed.

Cloud SOAR’s Open Integration Framework allows Daemons to be customized and adjusted according to the needs of the user. OIF Daemons have the same fundamental properties as other OIF components. And the key feature here is the “Open” format. This allows users to create Daemons of any nature that interact with the Cloud Data Layer or other external data structures or applications in complete autonomy.

Users are free to create a Daemon of any kind, but practice shows that the most commonly created Daemons are the ones that take care of the following:

  • Analyzing the content of a mailbox and downloading emails that meet specific requirements

  • Analyzing incoming Syslog messages and converting them into Cloud SOAR (Triage or Incident) objects

  • Retrieving new Threat Feeds from external repositories such as MISP, TAXII, or other commercial products, analyzing their features, and, if necessary, converting them into Cloud SOAR objects

  • Analyzing Databases external to Cloud SOAR, identifying the new tuples inserted, and activating appropriate actions

  • Retrieving new alerts, offenses, and search results from SIEM

  • Retrieving IoCs from Threat Intelligence

Moreover, Daemons have other uses, separate from processing remote events and activating one or more related actions, such as:

  • Analyzing the Cloud SOAR database, retrieving the list of incidents compatible with certain features, and applying actions. For example, finding all incidents opened in the last 24 hours that haven’t been taken care of by anyone and sending an email to the responsible team.

  • Analyzing the incidents that occurred in the last 2 months and are now closed, calculating the average life-span of each incident, the average duration of each phase, the number of associated investigators, and producing a report of any format by saving the result on a remote file system or sending it by email.

Daemons can also be used to analyze incidents in real time and to verify whether any incidents were closed and then reopened.

Most notable Daemons features

Some of the most noteworthy features that Daemons offer include:

YAML definition structure


Each daemon, during its execution, can use input parameters and return output values, as defined within the YAML itself.

Definition of rules for each Daemon

Different rules apply to different time frames in which Daemons are launched. And the best thing is that Daemons are completely customizable and can be adjusted to align with your current needs.

Example of a Daemon OIF configuration


Mapping features


Characteristics of the external events reported by the Daemon can be mapped to Cloud SOAR internal fields. This can be done through a simple GUI.

The rules and pointers used by the Daemon can be reset, and the statistics showing how a Daemon works can be monitored to tell whether the Daemon is working properly.
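The syslog-to-triage Daemon from the list above, together with the field mapping, pointer and statistics just described, as an added Python sketch that is not Cloud SOAR or OIF code. The class `SyslogDaemon`, the `FIELD_MAP` field names and the severity rule are hypothetical, and the syslog lines are constructed.

```python
import re

# Constructed sample input: RFC 3164-style syslog lines, not real logs.
SAMPLE_SYSLOG = [
    "<34>Feb 11 09:15:02 fw01 sshd[811]: Failed password for root from 192.0.2.10",
    "<38>Feb 11 09:15:07 fw01 sshd[811]: Accepted publickey for deploy from 198.51.100.7",
    "garbage line without a priority header",
    "<34>Feb 11 09:16:40 fw01 sshd[902]: Failed password for admin from 192.0.2.10",
]
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\[\s]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# Hypothetical mapping of external event fields to internal triage fields.
FIELD_MAP = {"host": "source_host", "tag": "application",
             "msg": "description", "severity": "severity"}

def parse_syslog(line):
    """Return the event as a dict, or None if the line is malformed."""
    m = SYSLOG_RE.match(line)
    if m is None or int(m["pri"]) > 191:   # PRI is facility * 8 + severity
        return None
    event = m.groupdict()
    event["facility"], event["severity"] = divmod(int(event.pop("pri")), 8)
    return event

class SyslogDaemon:
    """One scheduled run reads only what arrived after the saved pointer."""
    def __init__(self, source, max_severity=4):
        self.source, self.max_severity = source, max_severity
        self.pointer = 0
        self.stats = {"runs": 0, "read": 0, "rejected": 0, "created": 0}

    def run_once(self):
        batch = self.source[self.pointer:]
        triage = []
        for line in batch:
            event = parse_syslog(line)
            if event is None:
                self.stats["rejected"] += 1   # counted, never turned into an object
            elif event["severity"] <= self.max_severity:   # rule: warning or worse
                triage.append({dst: event[src] for src, dst in FIELD_MAP.items()})
        self.pointer += len(batch)            # advance so a rerun creates no duplicates
        self.stats["runs"] += 1
        self.stats["read"] += len(batch)
        self.stats["created"] += len(triage)
        return triage

    def reset_pointer(self):
        self.pointer = 0                      # next run reprocesses the whole source
```

A rising `rejected` count with a flat `created` count is the kind of statistic that shows a Daemon has stopped parsing its source correctly.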


Each Daemon can be disabled, started manually, and reconfigured in terms of scheduling by the user at any time.


Conclusion: Daemons an invaluable asset to modern-day SOCs

The fields of application of Daemons are virtually unlimited. And the great thing is that Daemons don’t necessarily have to be applied in security activities. They can also be used in IT incidents or simple daily monitoring processes, such as:

  • Performing vulnerability assessment scans

  • Production of reports and alarm generation for specific features

The bottom line is that the use of Daemons is gaining more and more importance in modern SecOps. Their ability to work continuously in the background, filling in gaps as instructed, is an invaluable asset to security professionals. The work of Daemons shows that the power of automation is already finding its place in SecOps, and its role is only going to be more emphasized in the future.


Michele Zambelli

Senior Director, Engineering
