The ArcSight SOAR App is a bidirectional integration is designed to import cases from ArcSight SOAR as events with related indicators, and export enriched indicator data to ArcSight SOAR.

The app is installed on your instance of ArcSight SOAR, and includes several actions and an enrichment.

The provided actions include:

• Creating an Event in ThreatQ from a case in SOAR
• Adding an indicator from SOAR to a ThreatQ event
• Adding tags to an event
• Creating an attribute for an event to mark it as a false or true positive
• Marking an indicator for enrichment in ThreatQ
• Updating an indicator’s status in ThreatQ.
• Enrichment will search ThreatQ for a specific indicator and provide enriched data to SOAR.