Pricing Login
Interactive demos

Click through interactive platform demos now.

Live demo, real expert

Schedule a platform demo with a Sumo Logic expert.

Start free trial
Back to blog results

September 12, 2021 By Davor Karafiloski

Uncovering the power of Cloud SOAR’s Open Integration Framework

The speed at which security operations are processed and data is consumed is moving at a dazzling pace. This is why flexibility, customizability, and user-friendliness are deemed as core pillars of next-gen security solutions. And it is exactly what Cloud SOAR’s Open Integration Framework is all about.

Security professionals want to be able to customize, integrate, and control their operations with maximum freedom involved, which is why incorporating a SOAR platform that is based on an open-source principle is of the utmost importance.

Cloud SOAR’s Open Integration Framework provides unlimited means of connecting with disparate tools and technologies, creating various integrations, and triggering different types of actions that align with your needs. Read on to find out more about the boundless possibilities of Cloud SOAR’s OIF philosophy.

The importance of Open Integration Framework in cybersecurity

Open Integration Framework is a real game-changer in the way SOAR technologies operate.

The introduction of OIF in Cloud SOAR allowed users to connect disparate technologies and enjoy a more secure remediation workflow, ultimately allowing security teams to have more control over their security operations, choose the most optimal ways for establishing workflows, and improve their remediation processes.

OIF changes the way integrations are being used in Cloud SOAR. It allows you to develop connectors and operate with external technologies, ultimately helping you improve your cybersecurity posture while enjoying a more user-friendly experience.

Cloud SOAR’s Open Integration Framework is an open standard for defining integrations within the Cloud SOAR Platform. By adopting an open approach to security orchestration and automation, Cloud SOAR’s OIF unlocks unlimited possibilities of integration with new technologies and use cases. Thanks to the open integration philosophy adopted by Cloud SOAR, you can:

  • Easily connect and integrate disparate technologies

  • Customize integrations and adapt them to your environment

  • Boost the automation of repetitive tasks with full control

Furthermore, Sumo Logic provides an open and cooperative ecosystem, where you can find and share integrations and playbooks for tackling specific bespoke use cases.

The key differentiators of Cloud SOAR’s Open Integration Framework

What makes Cloud SOAR’s OIF unique is its ability to define integrations in a text-based format that works at an action level, not as one monolithic file. This means that integrations in Cloud SOAR are structured in a modular way.

This allows you to autonomously organize and manage complex integrations by breaking them down into multiple standalone actions, thus providing easier maintenance of the code. You can add new actions and customize existing ones without the need to modify the code or worry about how that may impact its functionality.

Actions can be tested directly from the integration section while developing and troubleshooting without the need to create playbooks or incidents.

The benefits of Cloud SOAR’s Open Integration Framework

We’ve already established that Cloud SOAR’s OIF allows you to have an unprecedented level of visibility and control over your integrations. But other than providing you with new ways to develop integration, OIF offers plenty of other benefits as well, such as:

  • Faster integration development through a standard framework

  • You can easily extend existing and develop new integrations

  • Designed to minimize technical knowledge required

  • Use of built-in and third-party libraries

  • Integrations executed in Docker containers

  • Custom integrations can be easily shared between users

  • Increased openness and community involvement

Ultimately, our innovative OIF makes it easier for organizations to customize and add new automated integrations within Cloud SOAR. This enables SOCs, CSIRTs, and MSSPs to add unique incident response capabilities without the need for complex coding.

OIF machine learning ARK (Automated Responder Knowledge)

Cloud SOAR’s Open Integration Framework machine learning engine, also known as ARK, applies machine learning to historical responses to threats and recommends relevant playbooks and paths of action to help you respond more effectively to future threats. In short, ARK helps:

  • Assess new incidents based on unique and shared indicators and their relevance to historically recorded incidents

  • Construct a model of organizations threat landscape based on recorded historical incidents

  • Suggest appropriate actions and playbooks by using its algorithm based on similar and related threats

  • Prioritize threats that have greater relevance by assigning them with higher urgency

  • Identify parent incidents and correlate incidents based on similar demographics

The Automated Responder Knowledge learns from the experiences and actions of your security team and becomes smarter and more effective as time goes on.

Create integrations in a seamless manner

Adding new integrations in Cloud SOAR is a seamless process that doesn’t require complex coding. You have the possibility to extend the capability of integrations at any time, and organizations can easily modify the existing integrations with all the new functionalities that Cloud SOAR provides for maximized customizability.

The execution of each integration is performed in a unique Docker container and is easily configured from within the integration file, providing additional security and eliminating the risk of conflicting libraries.

With Cloud SOAR, there are virtually no limits to the integrations you can create:

  • Creating your own integrations: Sumo Logic's team develops the connectors you need, but you can easily develop integrations and have access to the API code. Plus, once you’re done, you can share the integrations with us and we can test them for you. Then, when the integration is ready, we’ll publish it on our portal.

  • No significant coding experience required: Cloud SOAR’s OIF allows you to build or modify your own integrations from the ground up. This function is great for a team with developers, System Integrators and MSSPs. In any case, you can create and manage playbooks with no significant coding experience required.

  • Multiple standard scripting languages: Sumo Logic allows both users and developers to define integrations in multiple supported standard scripting languages, such as Pearl, Python, Powershell, and Bash, all wrapped into Yaml configuration for optimal flexibility.

Furthermore, Cloud SOAR allows you to write your own custom scripts that appear as usable actions that can be manually invoked or used within the playbooks. Usually, custom scripts are used for incident enrichment, specific investigation activities, custom data processing, or escalations. They can be manually executed by the operators as part of an ad hoc investigation step.

The scripts can run inside or outside the Docker container, depending on their functionality. The results of the scripts can be used by subsequent actions in playbooks.

How does creating an integration actually work?

Cloud SOAR allows you to create integrations with different security tools thanks to its Open Integration Framework philosophy. The creation of the integration is enabled via the Docker containers.

By creating an integration definition container via the OIF, you can upload individual action files. Then, you can just code the action in the integration action file by using one of the supported scripting languages.

Lastly, the user is free to choose the Docker container they want their integration to be executed in, using different types of third-party libraries in the process.

Cloud SOAR’s OIF allows you to launch different types of actions

OIF allows users to create 7 different types of actions, including Enrichment, Containment, Notification, Custom, Daemons, Triggers, and Scheduled actions. All these actions can be customized and adjusted according to the needs of the user.

And when it comes to adjusting security operations, the Open Integration Framework allows users to have total control and enhance their processes by launching Daemons, Triggers, and Scheduled actions:

  • Daemons are defined as scheduled processes that are activated to execute particular actions. Daemons silently work in the background without disrupting the original workflow of the task. You can create Daemons of any nature that interact with the ICloud SOAR Data Layer in complete autonomy.

  • Cloud SOAR Triggers allow developers to monitor specific manual events performed by the operators and automatically take actions whenever the event is performed. Events that can execute triggers refer to the most common actions analysts perform, such as creating and updating incidents, interacting with tasks or IoCs, and triaging events.

  • Scheduled actions enable you to implement new use cases by defining steps in a playbook that can be executed multiple times until a specific condition is met or the scheduling time expires.

When integrations are created via the OIF in Cloud SOAR they include the action type “Daemon.” They can be run as a Daemon or a scheduled service, automatically creating incidents based on the results of a predefined query.


The extremely flexible nature of Cloud SOAR’s Open Integration Framework is the key pillar upon which the next-gen Cloud SOAR solution is going to be shaped. Flexibility and customizability in the way users develop integrations and modify their operations is a crucial element that allows security professionals to mold their workflows the way they deem most beneficial.

This is why SOAR solutions, such as Cloud SOAR, which have adopted the open philosophy, are considered pioneers in the industry, paving the way for the next-gen SOAR solution.

Complete visibility for DevSecOps

Reduce downtime and move from reactive to proactive monitoring.

Sumo Logic cloud-native SaaS analytics

Build, run, and secure modern applications and cloud infrastructures.

Start free trial
Davor Karafiloski

Davor Karafiloski

SEO and Content Marketing Specialist

More posts by Davor Karafiloski.

People who read this also enjoyed