SOAR A4 Methodology

Ryan McAlister

The A4 method (Apps, Assets, Actions, and Artifacts) provides a structured framework for developing automated response capabilities within SOAR, helping you build effective, scalable, and efficient incident response workflows.

1. Apps

Purpose: Apps enable connectivity to external systems, defining the logic for executing actions within those systems.

Usage:

Identify which tools and platforms need to be integrated (e.g., firewalls, endpoint protection, SIEM).
Install or develop SOAR apps that correspond to these systems.
Ensure the apps contain the necessary actions for your response workflows.

2. Assets

Purpose: Assets are configured instances of apps with specific connection details, enabling them to securely connect to systems.

Usage:

For each app, set up assets by providing the required connection details, such as API keys, IP addresses, or URLs.
Test the asset connections to confirm they’re able to perform actions as intended.
Label and document each asset with a clear name and purpose, such as “Palo Alto Firewall - Production” or “CrowdStrike EDR - Incident Response.”

3. Actions

Purpose: Actions are the tasks SOAR can execute on assets, which are defined within the apps.

Usage:

Review the list of available actions for each asset to understand what tasks can be automated.
Choose actions that align with your incident response use cases, such as blocking IPs or retrieving event logs.
Map actions to incident response playbooks based on the needs of specific workflows.

4. Artifacts

Purpose: Artifacts are data objects related to security incidents, providing context and enabling data enrichment in response workflows.

Usage:

Use artifacts to pass data between actions within a playbook, such as passing an IP address for enrichment.
Ensure common artifact types (e.g., IP, URL, email address) are consistently formatted to streamline automation.
Collect artifacts from various sources within the SOAR platform to build a full picture.

A4 Methodology Example

Category	Example	Description	Additional Details
Apps	Proofpoint TAP	An email security integration app that allows interaction with Proofpoint’s Threat Protection API for detecting and responding to phishing attacks.	Available actions: Fetch Threat Logs, Block Sender, Isolate User.
Apps	SentinelOne	An endpoint protection and response app that allows managing SentinelOne’s threat intelligence and response capabilities.	Available actions: Quarantine Device, Retrieve Threat Details, Terminate Process.
Apps	VirusTotal	Threat intelligence platform integration for performing file and URL reputation checks.	Available actions: Enrich File Hash, Enrich URL, Scan File.
Assets	Proofpoint TAP - Production	A configured instance of the Proofpoint TAP app with production environment API credentials.	Base URL: https://api.proofpoint.com
Assets	SentinelOne - Dev	A development instance of the SentinelOne app for testing workflows securely.	Details stored securely; no sensitive information in table.
Assets	VirusTotal Public	A public asset for VirusTotal with limited API access for URL and file scanning.	API Key stored securely within asset configuration.
Actions	Block Sender	Blocks the specified sender in Proofpoint TAP, preventing further emails from the sender.	Required parameters: Sender Email Address
Actions	Quarantine Device	Isolates an endpoint from the network via SentinelOne, allowing further investigation.	Required parameters: Device ID
Actions	Enrich File Hash	Checks a file hash against VirusTotal’s database to retrieve reputation and threat intelligence.	Required parameters: File Hash
Artifacts	IP Address	An IP address associated with a suspicious event or incident.	Common Sources: Firewall Logs, Threat Intelligence Feeds
Artifacts	File Hash	A hash representing a potentially malicious file that needs analysis.	Common Sources: EDR Logs, Sandbox Analysis
Artifacts	URL	A URL flagged as suspicious that requires threat intelligence enrichment.	Common Sources: Web Proxy Logs, Email Gateways