SOAR / Incident Response
Integration setup guides for SOAR and incident response platforms.
Connect your SOAR and incident response tools to Zaun so Ember can drive automated workflows, case management, and response.
Cyware
Category: CTIX / Threat Intelligence & Orchestration | Auth: API Key
Required Credentials
| Field | Description |
|---|---|
| Access ID | From CTIX settings |
| Secret Key | Paired with Access ID |
| CTIX Endpoint URL | Your instance URL |
Capabilities
| Module | Description |
|---|---|
| CTIX | Query threat data using Cyware Query Language (CQL), retrieve IOCs by type |
| Orchestrate | List, view, and create security events with time and source filters |
| CSAP | List and view alerts from Cyware Situational Awareness Platform |
Setup Steps
- Settings > General Settings > API Credentials.
- Click Generate Open API Credentials. Copy Access ID and Secret Key.
- Paste Access ID, Secret Key, and endpoint URL into Zaun.
DFIR-IRIS
Category: Incident Response Platform | Auth: API Key
Required Credentials
| Field | Description |
|---|---|
| IRIS Server URL | Your IRIS instance base URL |
| API Key | Bearer token from user profile |
Auth: Authorization: Bearer <key>
Capabilities
| Feature | Description |
|---|---|
| Case Management | Full case lifecycle: create, update, search, manage notes and timeline events |
| IOC Tracking | Add, update, and search indicators of compromise |
| Assets & Evidence | Manage case assets, evidence items, and file datastore |
| Tasks | Create and assign investigation tasks within cases |
Zaun connects to 160+ DFIR-IRIS API endpoints for comprehensive case management.
Setup Steps
- Create a dedicated service account in DFIR-IRIS.
- Log in > My Settings > API Key > generate and copy the key.
- Paste with the server URL into Zaun.
Expel Workbench
Category: Security Operations | Auth: API Key
Required Credentials
| Field | Description |
|---|---|
| API Key | From a Service Account. These keys do not expire and are not subject to MFA, so treat them as long-lived secrets: scope the account read-only where that is sufficient, store the key in a secrets manager rather than in config files, and rotate it on a schedule |
Auth: Authorization: Bearer <key>. Uses JSON:API format with filtering, includes, and pagination.
Capabilities
| Feature | Description |
|---|---|
| Alerts | List, view, and track alert history timelines |
| Investigations | Search, view, update status and ownership of investigations |
| Findings & Threats | Access security findings, threat actors, and linked evidence |
| Event Search | Search raw security events across connected devices |
Setup Steps
- In Workbench > Organization Settings > Service Accounts.
- Create a service account and assign the analyst role (read-only is sufficient for monitoring).
- Generate an API key. Copy and paste it into Zaun.
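Both DFIR-IRIS and Expel Workbench authenticate with a bearer token in the Authorization header, and Expel additionally returns JSON:API documents that must be paginated and whose relationships are resolved against the `included` array. The following is an added example (not Zaun's, DFIR-IRIS's or Expel's own code) showing how a client walks such a collection: it follows `links.next` until it is absent, indexes each page's `included` resources by (type, id), and resolves a to-one or to-many relationship from that index. The `data` / `included` / `links.next` / `relationships` layout is the JSON:API standard; the base URL, the `/api/v2/investigations` path, the `filter[status]`, `include` and `page[...]` query keys, the resource types and the attribute names are assumptions chosen only to make the sample look realistic, and the sample pages are constructed, not captured from a real instance.

```python
"""Paginate a JSON:API collection with Bearer auth and resolve `included` resources.

Added example, not Zaun, DFIR-IRIS or Expel code. Only the document structure
(data / included / links.next / relationships) is standard JSON:API; the URL
paths, query keys, resource types and attribute names below are assumptions.
"""
import json
import urllib.request
from typing import Any, Callable, Dict, Iterator, List, Optional, Tuple

Page = Dict[str, Any]
Fetch = Callable[[str], Page]          # url -> decoded JSON:API document
ResourceKey = Tuple[str, str]          # (type, id) uniquely identifies a resource


def auth_headers(api_key: str) -> Dict[str, str]:
    """Service-account key goes in the Authorization header, as the guides describe."""
    return {"Authorization": f"Bearer {api_key}",
            "Accept": "application/vnd.api+json"}


def http_fetch(url: str, api_key: str) -> Page:
    """Fetcher for a live instance (not exercised offline; the sample below uses a stub)."""
    req = urllib.request.Request(url, headers=auth_headers(api_key))
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def iter_collection(fetch: Fetch, first_url: str
                    ) -> Iterator[Tuple[Dict[str, Any], Dict[ResourceKey, Dict[str, Any]]]]:
    """Yield every primary resource across all pages, following links.next until null/absent.

    Each resource is paired with an index of its own page's `included` array: JSON:API
    only guarantees that a page's relationships are satisfiable from that same page.
    """
    url: Optional[str] = first_url
    seen = set()                              # guard against a server whose next links loop
    while url and url not in seen:
        seen.add(url)
        page = fetch(url)
        included = {(r["type"], r["id"]): r for r in page.get("included", [])}
        for resource in page.get("data", []):
            yield resource, included
        url = page.get("links", {}).get("next")


def related(resource: Dict[str, Any], included: Dict[ResourceKey, Dict[str, Any]],
            name: str) -> List[Dict[str, Any]]:
    """Resolve a relationship to full resources; to-one and to-many both become a list."""
    linkage = resource.get("relationships", {}).get(name, {}).get("data")
    if not linkage:                           # None (empty to-one) or [] (empty to-many)
        return []
    items = linkage if isinstance(linkage, list) else [linkage]
    # Skip linkages the server did not actually include rather than raising KeyError.
    return [included[(i["type"], i["id"])] for i in items if (i["type"], i["id"]) in included]


def summarize_investigations(fetch: Fetch, first_url: str) -> List[Dict[str, Any]]:
    """Flatten investigations across all pages into rows with the assignee's display name."""
    rows = []
    for inv, included in iter_collection(fetch, first_url):
        owners = related(inv, included, "assigned_to")   # "assigned_to" is an assumed name
        rows.append({
            "id": inv["id"],
            "title": inv["attributes"].get("title"),
            "status": inv["attributes"].get("status"),
            "assigned_to": owners[0]["attributes"].get("display_name") if owners else None,
        })
    return rows


# Constructed sample responses standing in for a two-page result (not real Expel data).
BASE = "https://workbench.example.invalid"   # assumption: stand-in for your API base URL
FIRST_URL = f"{BASE}/api/v2/investigations?filter[status]=OPEN&include=assigned_to&page[size]=2"
SECOND_URL = FIRST_URL + "&page[number]=2"

SAMPLE_PAGES: Dict[str, Page] = {
    FIRST_URL: {
        "data": [
            {"type": "investigations", "id": "inv-1",
             "attributes": {"title": "Suspicious OAuth consent", "status": "OPEN"},
             "relationships": {"assigned_to": {"data": {"type": "users", "id": "u-7"}}}},
            {"type": "investigations", "id": "inv-2",
             "attributes": {"title": "Reported phishing", "status": "OPEN"},
             "relationships": {"assigned_to": {"data": None}}},          # unassigned
        ],
        "included": [{"type": "users", "id": "u-7", "attributes": {"display_name": "A. Analyst"}}],
        "links": {"next": SECOND_URL},
    },
    SECOND_URL: {
        "data": [
            {"type": "investigations", "id": "inv-3",
             "attributes": {"title": "Beaconing from build host", "status": "OPEN"},
             "relationships": {"assigned_to": {"data": {"type": "users", "id": "u-9"}}}},
        ],
        "included": [{"type": "users", "id": "u-9", "attributes": {"display_name": "B. Responder"}}],
        "links": {"next": None},                                          # last page
    },
}


def sample_fetch(url: str) -> Page:
    """Offline stand-in for http_fetch that serves the constructed pages above."""
    return SAMPLE_PAGES[url]


if __name__ == "__main__":
    for row in summarize_investigations(sample_fetch, FIRST_URL):
        print(row)
```

Against a live instance, pass `lambda u: http_fetch(u, api_key)` as the fetcher and read `api_key` from a secrets store or environment variable rather than embedding it; the `seen` set in `iter_collection` is there because a misbehaving `links.next` is the usual way a pagination loop becomes an unbounded credentialed request storm.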
Swimlane
Category: Security Orchestration & Automation | Auth: PAT
Required Credentials
| Field | Description |
|---|---|
| Swimlane URL | Your Turbine instance URL |
| Personal Access Token | PAT from Swimlane Turbine |
For Turbine deployments, tokens are created via POST /auth/token/create. Classic Swimlane uses POST /api/user/login.
Capabilities
| Feature | Description |
|---|---|
| App Discovery | Enumerate applications and their field mappings |
| Records | Create, read, update records by tracking ID or record ID |
| Comments | Add and update comments on records |
| Search | Keyword-based search across records |
Setup Steps
- Create a service account in Swimlane Turbine with appropriate app-level permissions.
- Generate a Personal Access Token (PAT) for the service account.
- Paste URL and PAT into Zaun.