
Arcanna.ai and Siemplify

Introduction

Arcanna.ai is a decision intelligence platform that uses NLP, deep learning and user feedback. Integrated with the Siemplify SOAR platform, it assists in decision making, learns from daily incident resolutions and incorporates that knowledge to scale a team's capacity, working towards a truly autonomous SOC.

The Arcanna.ai integration is available in the Siemplify Marketplace and can be easily installed and configured directly from Siemplify. This enables users to request a decision from Arcanna.ai at any point in a given playbook, and to automatically close the feedback loop by sending feedback to Arcanna.ai when a case is closed.

Prerequisites

  • Arcanna.ai - Arcanna.ai can be deployed in the cloud (AWS) or on-premise. For setup, you can follow this user guide. For flexibility, Arcanna.ai exports the AI-processed alerts to an internal Elasticsearch/Opensearch data warehouse, which needs to be installed alongside Arcanna.ai. You can use an Elasticsearch/Opensearch instance you already have, or a new one dedicated to the Arcanna.ai backend.

  • Siemplify - Community edition available for free here

  • Log/Alert Source (e.g. a detection system, SIEM, etc.)

Siemplify - How to connect

Generate an Arcanna.ai API Key

  • First, you need to generate an Arcanna.ai API key. This can be done by opening the drop-down menu below your username in the top-right corner and hitting "Api keys".

    [screenshot: api-key]
  • Then hit the "Add new User Key" button.

    [screenshot: api-key-add-new]
  • Enter a name for your API key and hit "Add new User Key". Once done, you will be asked to copy your key, as it will not be displayed again after this point.

    [screenshot: api-key-copy]

Create the integration

  • Go to the Integrations tab.

    [screenshot: Arcanna-To-Integrations]
  • Hit the "Add new integration" button.

    [screenshot: Arcanna-Add-Integration]
  • Fill in all the fields similarly to below, using your own API key and title, then hit "Create Integration".

    [screenshot: Arcanna-Define-Integration]

Install and configure the Arcanna.ai integration in Siemplify

Currently Arcanna.ai is not in the Marketplace, so in order to install it you need to download and import the Arcanna.ai integration package.

  • First, download the integration package from here.

  • Next, go to the IDE tab.

    [screenshot: go-to-ide]
  • Hit the options button and select "import package".

    [screenshot: import-package]
  • Finally, select the previously downloaded archive containing the Arcanna.ai package, and that should be it.

Soon, the integration will be available via the Marketplace, where the steps to install the Arcanna.ai integration will be the following:

  • Go to the Siemplify Marketplace.

    [screenshot: siemplify-marketplace]
  • Search for Arcanna.ai and hit the install button.

    [screenshot: siemplify-install-from-market]

Once it is installed:

  • Configure the integration using the Arcanna.ai instance URL on port 9666 and the API key you previously generated, then hit "Save". If everything went well, you will receive the message "Instance configured successfully".

    [screenshot: Siemplify-Configure-Arcanna]
  • Now test the integration by hitting the "Test" button. If everything went well, a checkmark will appear next to the "Test" button.

    [screenshot: Siemplify-Integration-Test-Success]
  • You can now check the integration, add additional instances or modify the configuration from the Integrations tab.

    [screenshot: siemplify-check-integrations]

Create an AI job

  • Now that the integration is enabled and functional, we can go back to Arcanna.ai and create our first AI job. To do that, go to the AI Jobs tab.

    [screenshot: create-job]
  • In the Job Data tab, fill in any name you would like for the job, select the Decision Intelligence category and hit next.

    [screenshot: job-data]
  • For the input, select the previously defined Siemplify integration and hit next.

    [screenshot: input]
  • For the processor, select "Generic model" and hit next.

    [screenshot: processor]
  • The output will be Elastic Internal (this acts as the database where Arcanna stores the processed data).

    [screenshot: output]
  • The Automations step allows you to define an automation, such as enriching some fields with VirusTotal or creating a ticket in a different incident response platform.

    • For this use case, this step is not mandatory, because Siemplify and Arcanna.ai communicate with each other within a closed feedback loop.

    • Next, press "Create and start job" or "Create job (paused)" and you are all set.

      [screenshot: automations]
  • At this point, Arcanna.ai will be able to receive the incidents sent to it from a Siemplify playbook, whether automatically or manually by an analyst.

Using Arcanna.ai with Siemplify playbooks

Now that everything is set up, you can use the different interactions with the Arcanna.ai API within any given playbook, and test each component independently via the IDE.

From playbook

[screenshot: options-from-playbook]

From IDE

[screenshot: options-from-ide]

The currently available interactions with Arcanna.ai (API calls) are as follows:

  1. Ping - Used to check the connection with Arcanna.ai

  2. Get Jobs - Retrieves the available Arcanna.ai jobs and saves the results

  3. Send Case to Arcanna - Sends the Siemplify case to Arcanna

    • parameters:
      • job_id: Reference for the job id
        • static: Set a predefined AI job to handle a specific playbook (e.g. 1234)
        • dynamic: reference the job previously mentioned
          • example: [Send Case to Arcanna for Inference.JsonResult| "job_id"]
      • username: Arcanna user
  4. Await Arcanna Inference - Waits for the AI model's decision

    • parameters:
      • period (time in seconds)
  5. Get Arcanna Case Response - Retrieves the decision of the AI model

    • parameters:
      • job_id: Reference for the job id
        • static: Set a predefined AI job to handle a specific playbook (e.g. 1234)
        • dynamic: reference the job previously mentioned
          • example: [Send Case to Arcanna for Inference.JsonResult| "job_id"]
      • event_id: Reference to the event (case) that the playbook is currently handling
        • example: [Send Case to Arcanna for Inference.JsonResult| "event_id"]
  6. Send Analyst Feedback to Arcanna - Sends the analyst's feedback to Arcanna.ai once a decision has been reached and verified. This final interaction closes the feedback loop.

    • parameters:
      • event_id: Reference to the event (case) that the playbook is currently handling
        • example: [Send Case to Arcanna for Inference.JsonResult| "event_id"]
      • arcanna_feedback: drop_alert OR escalate_alert
      • username: Arcanna user
      • comments
      • job_id: Reference for the job id
        • static: Set a predefined AI job to handle a specific playbook (e.g. 1234)
        • dynamic: reference the job previously mentioned
          • example: [Send Case to Arcanna for Inference.JsonResult| "job_id"]
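The six actions above chained the way a triage playbook would chain them, as an added Python example that is not part of the page or of the Arcanna.ai integration. The page does not document Arcanna.ai's HTTP API, so `ArcannaSimulator` is a constructed in-memory stand-in whose method names and payload shapes are assumptions; treating Await Arcanna Inference as polling Get Arcanna Case Response every `period` seconds, and capping the number of polls, are also this example's assumptions. What it does show is the parameter flow the action list implies: `job_id` and `event_id` are read dynamically from the Send Case result, as the `[Send Case to Arcanna for Inference.JsonResult| ...]` references do, and `arcanna_feedback` is checked against the two values the page names before the loop is closed.

```python
"""Siemplify-to-Arcanna.ai triage flow, modelled end to end (constructed example).

ArcannaSimulator stands in for a real Arcanna.ai instance; the real API is not
described on the page, so its method names and payload shapes are assumptions.
run_triage_playbook chains the page's actions in order:
Ping -> Get Jobs -> Send Case -> Await Inference -> Get Case Response ->
Send Analyst Feedback, passing job_id and event_id along dynamically.
"""
import time
from typing import Dict, List

# The only two feedback values the page names for arcanna_feedback.
VALID_FEEDBACK = {"drop_alert", "escalate_alert"}


class ArcannaSimulator:
    """In-memory stand-in for an Arcanna.ai backend (constructed, not real)."""

    def __init__(self, job_id: int = 1234, polls_until_decision: int = 2):
        self.job_id = job_id
        self._polls_until_decision = polls_until_decision
        self._events: Dict[str, dict] = {}
        self._next_id = 1

    def ping(self) -> bool:
        return True

    def get_jobs(self) -> List[dict]:
        return [{"job_id": self.job_id, "title": "siemplify-triage (constructed)"}]

    def send_case(self, job_id: int, case: dict, username: str) -> dict:
        if job_id != self.job_id:
            raise ValueError(f"unknown job_id {job_id}")
        event_id = f"evt-{self._next_id}"
        self._next_id += 1
        self._events[event_id] = {"case": case, "polls": 0, "feedback": None,
                                  "sent_by": username}
        # Shape of the JsonResult a playbook reads job_id / event_id from (assumed).
        return {"job_id": job_id, "event_id": event_id, "status": "queued"}

    def get_case_response(self, job_id: int, event_id: str) -> dict:
        ev = self._events[event_id]
        ev["polls"] += 1
        # The decision only becomes available after a few polls, so the
        # playbook has to wait rather than read the result immediately.
        if ev["polls"] < self._polls_until_decision:
            return {"event_id": event_id, "status": "pending"}
        # Toy decision rule standing in for the model output.
        severity = ev["case"].get("severity", 0)
        decision = "escalate_alert" if severity >= 70 else "drop_alert"
        return {"event_id": event_id, "status": "done", "result": decision}

    def send_feedback(self, job_id: int, event_id: str, arcanna_feedback: str,
                      username: str, comments: str = "") -> dict:
        if arcanna_feedback not in VALID_FEEDBACK:
            raise ValueError(f"arcanna_feedback must be one of {sorted(VALID_FEEDBACK)}")
        self._events[event_id]["feedback"] = {"value": arcanna_feedback,
                                              "by": username, "comments": comments}
        return {"event_id": event_id, "accepted": True}


def await_arcanna_inference(client, job_id: int, event_id: str,
                            period: float = 0.01, max_polls: int = 10) -> dict:
    """Await Arcanna Inference: poll every `period` seconds until the decision
    is ready. Bounding the number of polls is this example's addition, so a
    playbook never hangs on a case the model never answers."""
    for _ in range(max_polls):
        resp = client.get_case_response(job_id, event_id)
        if resp["status"] == "done":
            return resp
        time.sleep(period)
    raise TimeoutError(f"no decision for {event_id} after {max_polls} polls")


def run_triage_playbook(client, case: dict, analyst_verdict: str,
                        username: str = "analyst") -> dict:
    """Chain the page's actions for one Siemplify case and close the loop."""
    if not client.ping():
        raise ConnectionError("Arcanna.ai unreachable")
    job_id = client.get_jobs()[0]["job_id"]      # the job created earlier on the page
    sent = client.send_case(job_id, case, username)
    event_id = sent["event_id"]                   # dynamic reference, like JsonResult| "event_id"
    decision = await_arcanna_inference(client, sent["job_id"], event_id)["result"]
    client.send_feedback(sent["job_id"], event_id, analyst_verdict, username,
                         comments=f"analyst verdict after AI suggested {decision}")
    return {"job_id": job_id, "event_id": event_id, "ai_decision": decision,
            "analyst_feedback": analyst_verdict, "agreed": decision == analyst_verdict}


if __name__ == "__main__":
    sim = ArcannaSimulator()
    print(run_triage_playbook(sim, {"severity": 85, "title": "constructed alert"}, "escalate_alert"))
```

The `agreed` field in the result is the quantity worth keeping from each run: the rate at which analysts overturn the model's `drop_alert`/`escalate_alert` suggestion is the simplest health signal for the feedback loop the page describes, and it costs nothing to record alongside the feedback call.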