Swimlane
Connector Category: Security Orchestration Automation Response
About Integration
Swimlane is a security orchestration, automation, and response (SOAR) tool that automates time-intensive, manual processes and operational workflows, and delivers consolidated analytics, real-time dashboards, and reporting from across your security infrastructure.
The Swimlane internal application in Intel Exchange supports the following actions:
Action Name | Description |
---|---|
Add Swimlane App Record | This action creates a record in the Swimlane app using the data retrieved from Intel Exchange. |
Configure Swimlane in Intel Exchange
Configure the Swimlane internal application in Intel Exchange to establish seamless connectivity with the Swimlane platform.
Before you Start
You must have the View Tool Integrations and Update Tool Integrations permissions in Intel Exchange.
You must have the base URL of the Swimlane platform and a Personal API token for a Swimlane user.
Note
Ensure that the Swimlane user who owns the Personal API token has permission to create records in the Swimlane app that the Add Swimlane App Record action targets.
Steps
To configure a Swimlane internal application instance in Intel Exchange, follow these steps:
Go to Administration > Integration Management, and select Internal Applications under Tool Integrations.
Select Security Orchestration Automation Response, and then select the Swimlane application.
Click Add Instance and enter the following details:
Instance Name: Enter a unique instance name. For example, Swimlane Prod.
Base URL: Enter the base URL of your Swimlane platform.
Token: Enter the Personal API token generated in Swimlane. Intel Exchange uses this token to authenticate to Swimlane without going through two-step authentication.
Verify SSL: Enable this option to verify the SSL certificate and secure the connection between the Intel Exchange and Swimlane servers. By default, Verify SSL is enabled.
Note
We recommend that you enable the Verify SSL option. If you disable it, Intel Exchange accepts any certificate the Swimlane server presents, including an expired one, so the instance may be configured against an untrusted endpoint and you may not receive a notification when the connectivity breaks.
Click Save.
The Swimlane instance is configured and you can view the list of actions available for the integration. You can configure multiple instances of this integration by clicking Manage > Add More.
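The following preflight script is an added example and is not part of Intel Exchange or Swimlane; it shows what the instance settings above mean in TLS terms and lets you check them before you click Save. It rejects an http:// base URL (the token would otherwise travel in cleartext), builds the TLS context that the Verify SSL toggle corresponds to (the weak setting beside the default), classifies a first authenticated request so that an expired or untrusted certificate is reported as distinct from an unreachable host or a bad token, and reports how many days remain on the server certificate. The `Private-Token` header and the `/api/user/me` probe path are assumptions for illustration; substitute the header and endpoint your Swimlane tenant documents.

```python
"""Preflight checks for a Swimlane instance before adding it in Intel Exchange.

Added example, not Intel Exchange or Swimlane code. Assumed (hypothetical):
the Personal API token is sent in a ``Private-Token`` header and ``/api/user/me``
is a harmless authenticated endpoint; adjust both to your tenant.
"""
import socket
import ssl
import urllib.error
import urllib.request
from urllib.parse import urlsplit


def validate_base_url(base_url: str) -> str:
    """Accept only https:// base URLs and strip any trailing slash.

    An http:// base URL would send the Personal API token in cleartext,
    so it is rejected instead of silently used.
    """
    parts = urlsplit(base_url.strip())
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"base URL must be https://host[:port][/path]: {base_url!r}")
    return f"{parts.scheme}://{parts.netloc}{parts.path}".rstrip("/")


def tls_context(verify_ssl: bool) -> ssl.SSLContext:
    """Mirror the Verify SSL toggle as a TLS client context.

    verify_ssl=True (the default, recommended): the server certificate must
    chain to a trusted CA, be within its validity period and match the host.
    verify_ssl=False (the weak setting): any certificate is accepted, so an
    expired or spoofed Swimlane certificate goes unnoticed.
    """
    ctx = ssl.create_default_context()
    if not verify_ssl:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def days_until_expiry(cert: dict, now: float) -> float:
    """Days left on a certificate dict as returned by SSLSocket.getpeercert().

    ``now`` is a Unix timestamp; negative results mean the certificate has expired.
    """
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return (expires - now) / 86400


def fetch_peer_cert(base_url: str, timeout: float = 5.0) -> dict:
    """Open a verified TLS connection and return the server certificate.

    Raises ssl.SSLCertVerificationError if the certificate is expired,
    untrusted or does not match the host name.
    """
    parts = urlsplit(validate_base_url(base_url))
    host, port = parts.hostname, parts.port or 443
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with tls_context(True).wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def preflight(base_url: str, token: str, verify_ssl: bool = True,
              probe_path: str = "/api/user/me") -> str:
    """Classify one authenticated request to the Swimlane instance.

    Returns "ok", "cert-invalid", "auth-failed", "http-error" or "unreachable".
    With verify_ssl=False a bad certificate can never surface as "cert-invalid",
    which is exactly the blind spot the Verify SSL note warns about.
    """
    url = validate_base_url(base_url) + probe_path
    req = urllib.request.Request(url, headers={"Private-Token": token})  # assumed header
    try:
        with urllib.request.urlopen(req, timeout=10, context=tls_context(verify_ssl)) as resp:
            return "ok" if resp.status == 200 else "http-error"
    except urllib.error.HTTPError as exc:          # subclass of URLError, so test it first
        return "auth-failed" if exc.code in (401, 403) else "http-error"
    except urllib.error.URLError as exc:
        if isinstance(exc.reason, ssl.SSLCertVerificationError):
            return "cert-invalid"
        return "unreachable"
    except (ssl.SSLError, OSError):
        return "unreachable"


if __name__ == "__main__":
    import sys
    import time
    base, tok = sys.argv[1], sys.argv[2]
    print("preflight:", preflight(base, tok))
    try:
        cert = fetch_peer_cert(base)
        print(f"certificate expires in {days_until_expiry(cert, time.time()):.1f} days")
    except ssl.SSLCertVerificationError as exc:
        print("certificate verification failed:", exc)
```

Run it as `python preflight.py https://swimlane.example.com <personal-api-token>`; a result of `cert-invalid` means the instance would only work with Verify SSL disabled, which is the case to fix on the Swimlane side rather than by turning verification off.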
Enable App Actions
Enable the action of the Swimlane internal application to create records in the Swimlane app from indicators in Intel Exchange.
Steps
To enable the Add Swimlane App Record action, follow these steps:
Go to Administration > Integration Management and select Internal Applications under Tool Integrations.
Select Security Orchestration Automation Response, and then select the Swimlane application.
On the upper-right corner, click the vertical ellipsis and click Manage.
Click Manage Actions and select the Add Swimlane App Record action.
Turn on the toggle to enable the action and click Save.
The action is enabled and you can use it in rules to send indicators to the Swimlane platform as app records.
Create a Rule to Upload Indicators
Create a rule in Intel Exchange to define the sources of indicators and submit them to the Swimlane platform for further action.
Before you Start
Ensure that the Add Swimlane App Record action of the Swimlane internal application is enabled.
Steps
To create a rule to submit indicators to the Swimlane platform, follow these steps:
Go to Main Menu > Actions > Rules.
Click New Rule.
Enter a rule name within 100 characters and click Submit.
In Source, select the sources and collections from which you want to retrieve IOCs.
In Condition, enter the following details:
Intent Type: Select the intent type as Indicator to retrieve a list of IOCs.
Rule Type: Select a rule type to apply specific conditions.
Select Object for Actioning: Select this option to perform the action of a rule on the selected object. This option ensures that the action is performed only on the selected object when you define multiple conditions with multiple objects.
In Actions, enter the following details:
Actions: Select the Add Swimlane App Record action.
Application: Select the Swimlane application.
Account: Select an instance you have configured for the Swimlane internal application.
Enter the remaining parameters the action requires to create the record in the target Swimlane app.
Set the global conditions from Additional Actions. For more information, see Additional Actions for Rules.
Click Save.
When you run the rule, indicators will be retrieved based on the configured sources and conditions. The retrieved indicators will be submitted to the Swimlane platform for actioning.