SOAR / Incident Response
Integration setup guides for SOAR and incident response platforms.
Connect your SOAR and incident response tools to Zaun for automated workflows, case management, and threat orchestration.
Cyware
Category: CTIX / Threat Intelligence & Orchestration | Auth: API Key
Required Credentials
| Field | Description |
|---|---|
| Access ID | From CTIX settings |
| Secret Key | Paired with Access ID |
| CTIX Endpoint URL | Your instance URL |
Capabilities
| Module | Description |
|---|---|
| CTIX | Query threat data using Cyware Query Language (CQL), retrieve IOCs by type |
| Orchestrate | List, view, and create security events with time and source filters |
| CSAP | List and view alerts from Cyware Situational Awareness Platform |
Setup Steps
- Settings > General Settings > API Credentials.
- Click Generate Open API Credentials. Copy Access ID and Secret Key.
- Paste Access ID, Secret Key, and endpoint URL into Zaun.
DFIR-IRIS
Category: Incident Response Platform | Auth: API Key
Required Credentials
| Field | Description |
|---|---|
| IRIS Server URL | Your IRIS instance base URL |
| API Key | Bearer token from user profile |
Auth: Authorization: Bearer <key>
Capabilities
| Feature | Description |
|---|---|
| Case Management | Full case lifecycle: create, update, search, manage notes and timeline events |
| IOC Tracking | Add, update, and search indicators of compromise |
| Assets & Evidence | Manage case assets, evidence items, and file datastore |
| Tasks | Create and assign investigation tasks within cases |
Zaun connects to 160+ DFIR-IRIS API endpoints for comprehensive case management.
Setup Steps
- Create a dedicated service account in DFIR-IRIS.
- Log in > My Settings > API Key > generate and copy the key.
- Paste with the server URL into Zaun.
Expel Workbench
Category: MDR & Security Operations | Auth: API Key
Required Credentials
| Field | Description |
|---|---|
| API Key | From a Service Account (no expiration, no MFA needed) |
Auth: Authorization: Bearer <key>. Uses JSON:API format with filtering, includes, and pagination.
Capabilities
| Feature | Description |
|---|---|
| Alerts | List, view, and track alert history timelines |
| Investigations | Search, view, update status and ownership of investigations |
| Findings & Threats | Access security findings, threat actors, and linked evidence |
| Event Search | Search raw security events across connected devices |
Setup Steps
- In Workbench, go to Organization Settings > Service Accounts.
- Create a service account and assign it the analyst role (read-only is sufficient for monitoring).
- Generate an API key. Copy and paste it into Zaun.
Swimlane
Category: Security Orchestration & Automation | Auth: PAT
Required Credentials
| Field | Description |
|---|---|
| Swimlane URL | Your Turbine instance URL |
| Personal Access Token | PAT from Swimlane Turbine |
For Turbine deployments, tokens are created via POST /auth/token/create. Classic Swimlane uses POST /api/user/login.
Capabilities
| Feature | Description |
|---|---|
| App Discovery | Enumerate applications and their field mappings |
| Records | Create, read, update records by tracking ID or record ID |
| Comments | Add and update comments on records |
| Search | Keyword-based search across records |
Setup Steps
- Create a service account in Swimlane Turbine with appropriate app-level permissions.
- Generate a Personal Access Token (PAT) for the service account.
- Paste URL and PAT into Zaun.