Cyber Security Academy · Lesson

Integrations and Enrichment

Connecting tools and adding context.

Why Integrations Are the Hard Part

A SOAR platform is only as capable as the tools it can talk to. Integrations (connectors) are the adapters that let a playbook query and command external systems via their APIs.

The visual playbook gets the attention, but the unglamorous integration layer (authentication, rate limits, data parsing) is where most of the engineering effort and most of the breakage live.

Two Directions of Integration

Integrations flow in two directions:

  • Inbound (ingestion) — events come into SOAR from SIEM, EDR, email gateway, cloud audit logs. These trigger playbooks.
  • Outbound (action) — SOAR commands tools: block an IP on the firewall, disable a user in the identity provider, isolate a host in the EDR.

A complete integration usually needs both: receive the event, then act back on the same ecosystem.
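The sketch below is an added example, not code from this lesson or from any SOAR product: it shows one inbound event being parsed and validated, then an outbound block action that handles a rejected credential and a rate-limit response. The alert field names, the protected range, the `transport` callable interface, the token value and the `FakeFirewall` stand-in are all assumptions made for illustration.

```python
import ipaddress
import json
import time

# Constructed sample alert, shaped like a SIEM webhook body (field names are assumptions).
SAMPLE_ALERT = '{"id": "A-1001", "source": "siem", "src_ip": "203.0.113.45"}'
# Assumed internal range the playbook must never block.
PROTECTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

def parse_alert(raw):
    """Inbound: parse and validate the event before it can trigger an action."""
    event = json.loads(raw)
    missing = [f for f in ("id", "source", "src_ip") if f not in event]
    if missing:
        raise ValueError(f"alert missing fields: {missing}")
    ip = ipaddress.ip_address(event["src_ip"])  # rejects malformed addresses
    if any(ip in net for net in PROTECTED_NETS):
        raise ValueError(f"{ip} is in a protected range")
    return {"alert_id": event["id"], "ip": str(ip)}

def block_ip(transport, token, ip, max_retries=3, sleep=time.sleep):
    """Outbound: command the firewall, handling auth failure and rate limits."""
    headers = {"Authorization": f"Bearer {token}"}
    for attempt in range(max_retries + 1):
        status, resp_headers, body = transport(headers, {"action": "block", "ip": ip})
        if status == 200:
            return body
        if status == 401:
            raise PermissionError("firewall rejected the connector credential")
        if status == 429 and attempt < max_retries:
            sleep(float(resp_headers.get("Retry-After", 1)))  # honor server backoff
            continue
        raise RuntimeError(f"firewall API returned {status}")

class FakeFirewall:
    """Stand-in for a firewall API: rate-limits the first call, then succeeds."""
    def __init__(self):
        self.calls, self.blocked = 0, []
    def __call__(self, headers, payload):
        self.calls += 1
        if headers.get("Authorization") != "Bearer test-token":
            return 401, {}, None
        if self.calls == 1:
            return 429, {"Retry-After": "2"}, None
        self.blocked.append(payload["ip"])
        return 200, {}, {"blocked": payload["ip"]}

def run_playbook(raw_alert, transport, token, sleep=time.sleep):
    """Receive the event, then act back on the same ecosystem."""
    finding = parse_alert(raw_alert)
    return block_ip(transport, token, finding["ip"], sleep=sleep)
```

Passing `sleep` as a parameter lets the retry path be exercised without real delays; in a real connector the `transport` callable would wrap the vendor's HTTP API.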
