Demisto Enterprise is designed with enterprise scale in mind. It is built on cutting-edge yet proven technologies, including Golang, Docker and React. These technologies make the Demisto platform scalable, easy to manage and easy to extend.

Enterprise Grade Architecture

Following are the core components of Demisto architecture:

Engine: In an enterprise multi-segment network or a SaaS deployment, the Demisto server is often not on the same network as the partner security product to be integrated. The engine is designed for these scenarios. It acts as a proxy that connects outbound to the Demisto main server over HTTPS, so no inbound firewall ports need to be opened toward the engine. Because the engine sits on the same network as the partner product, it can connect to that product directly.

Simplified Architecture and Multi-tenancy: Demisto is written in Golang with an embedded BoltDB database and Bleve search. These components are shipped and installed with a single installer. At the same time, this architecture enables very high scalability and multi-tenancy.

Modular UI and API: The Demisto backend communicates with the web app through a REST API, so any action that can be performed from the UI can also be performed via the REST API. The UI is implemented in ReactJS, making it fast to load and modular, for the best user experience.

Machine Learning Powered IR

All playbook automation data, user-generated forensic information and collaboration data is indexed in real time. The indexing engine enables real-time queries over the correlated information. In addition to indexing, indicators such as IP addresses, file hashes, URLs and other artifacts are correlated across incidents. These correlations are searchable and are used for deeper investigations.

The DBot learning engine applies learning algorithms such as sequential pattern matching to generate "Demisto Insights". These insights include expert recommendations for the analysts best suited to be assigned an incident and for the next set of commands to resolve it.

Extensible Integration Framework

Demisto integrates with 100+ products out of the box. In addition, Demisto Enterprise has been designed with a powerful SDK that makes building new integrations easy and fast. No external tools or environments are required to build new integrations, which can be written in Python or JavaScript. Demisto can integrate with partner products using any of the standard protocols and interfaces, including REST APIs, SOAP, SSH/CLI interfaces and even custom APIs. The SDK and sample code already contain many examples of integrations using these methods.

Once built, these integrations can be shared within a customer's environment or with the larger community. Demisto takes pride in the fact that the majority of our integrations are open source, and we encourage customers and partners to leverage them when building new integrations.

Security and Isolation

Demisto Enterprise has been designed by security experts to make sure all sensitive data is handled with the right level of security controls. The following key security considerations have been implemented:

Complete isolation of each automation and integration – there is always a possibility that an analyst makes an error in one of the automations. Demisto uses Docker to ensure that all automations and integrations are completely isolated during execution, so that an inadvertent or malicious action in one of them cannot harm the entire system.
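To make the isolation model concrete, the following added example (not Demisto's own code) shows how a launcher could run a single automation script in a least-privilege Docker container and how an audit helper can flag a launch command that is missing those controls. The flag set, the `65534:65534` user, the image name and the script path are all assumptions chosen for illustration; they are not taken from the Demisto product.

```python
"""Least-privilege container launch for one automation script (added illustration)."""
import shlex

# Hardening controls the launcher always applies. This is a constructed policy
# for the example, not a description of Demisto's actual container settings.
REQUIRED_CONTROLS = {
    "--network=none": "no network unless the integration needs egress",
    "--read-only": "immutable root filesystem",
    "--cap-drop=ALL": "no Linux capabilities",
    "--security-opt=no-new-privileges": "setuid binaries cannot escalate",
    "--pids-limit=128": "bounded process count (protects against fork bombs)",
    "--memory=256m": "bounded memory",
}


def build_run_argv(image, script_path, needs_network=False, args=()):
    """Return the `docker run` argv that executes script_path inside image.

    The script is bind-mounted read-only, runs as an unprivileged user and gets
    a small noexec tmpfs for scratch space. Integrations that must reach a
    partner API keep network access; everything else runs with no network.
    """
    argv = ["docker", "run", "--rm", "--user", "65534:65534"]
    for flag in REQUIRED_CONTROLS:
        if flag == "--network=none" and needs_network:
            continue  # egress is the one control an integration may need
        argv.append(flag)
    argv += ["--tmpfs", "/tmp:rw,noexec,nosuid,size=64m"]
    argv += ["-v", f"{script_path}:/work/script.py:ro"]
    argv += [image, "python3", "/work/script.py", *args]
    return argv


def missing_controls(argv):
    """Return the hardening flags absent from a docker run argv (audit helper)."""
    present = set(argv)
    return sorted(flag for flag in REQUIRED_CONTROLS if flag not in present)


def command_line(argv):
    """Shell-quoted form of argv, for logging the exact launch command."""
    return shlex.join(argv)


if __name__ == "__main__":
    # Constructed sample: an enrichment automation that needs no network.
    launch = build_run_argv("python:3.11-slim", "/opt/automations/enrich.py")
    print(command_line(launch))
    print("missing controls:", missing_controls(launch))
```

The audit helper is the part worth keeping around: run it over whatever launch command an orchestrator actually emits, and a missing `--cap-drop=ALL` or `--read-only` shows up as a finding rather than being discovered after an automation misbehaves.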

Encrypted Credential Store – Demisto provides a credential store for the passwords used by each integration, so that shared credentials are stored centrally in the system and individual analysts do not need access to them.

Encrypted Communication – All communication with partner products, and between all sub-components within Demisto, is encrypted.

Single Sign-on and Authentication – Demisto supports SAML 2.0 and LDAP authentication to ensure that only authorized users can access the Demisto server.