
Cortex XSOAR

Connector Category: Security Orchestration Automation Response

About Integration

Cortex XSOAR is a comprehensive security orchestration, automation, and response (SOAR) platform that unifies case management, automation, real-time collaboration, and threat intel management to serve security teams across the incident lifecycle.

You can integrate Intel Exchange and Cortex XSOAR in the following ways:

  • Configure the Intel Exchange application as an enrichment tool inside Cortex XSOAR. This lets security teams working in Cortex XSOAR look up any indicator in Intel Exchange.

  • Trigger playbooks in the Cortex XSOAR application from the Intel Exchange application. This integration enables your security operations teams to trigger playbooks defined on the Cortex XSOAR that can create multi-step workflows for incident management of your resources.

The Cortex XSOAR internal application in Intel Exchange supports the following actions:

  • Trigger Playbook V3

  • Trigger Playbook

Perform the following to integrate Cortex XSOAR with Intel Exchange:

Generate API Key in Cortex XSOAR

To enable Intel Exchange to access Cortex XSOAR, you must create an API key in your Cortex XSOAR app. This allows you to generate the credentials required to authenticate API requests and run rules.

Before you Start 

Ensure your user is assigned to the Administrator or Analyst role to create an API key.

Steps 

To create an API key in Cortex XSOAR, follow these steps:

  1. Log in to the Cortex XSOAR console.

  2. In the left pane, go to Settings > Integrations > API Keys.

  3. To generate a new API key, click Get Your Key and enter a name for the API key.

  4. Click Generate. Copy and store the API key value securely. You will not be able to view it again after you close the notification pop-up.

Generate Intel Exchange OpenAPI Credentials

To gain REST API access to Intel Exchange endpoints, you must generate API credentials for your API user in Intel Exchange.

Before you Start 

Ensure that you have View CTIX Integrators, Create CTIX Integrators, and Update CTIX Integrators permissions.

Steps 

  1. Sign in to the Intel Exchange and from Administration select Integrations Management.

  2. On the left-hand side panel, select CTIX Integrators under THIRD PARTY DEVELOPERS.

  3. Click Add New to generate API credentials.

  4. Enter a name and a description.

  5. Specify an expiration date for your API credentials. After the specified date, the generated credentials expire, and you will have to regenerate the credentials.

  6. The credentials are bound to the user who creates them; you cannot modify the associated user.

  7. Click Generate.

  8. Copy the Access ID, Secret Key, and the Endpoint URL. You can also download a CSV file with these details.

    Note

    After you close this page, you cannot see these details again.
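The Access ID, Secret Key, and Endpoint URL are consumed by the CTIX integration you configure in Cortex XSOAR later on this page. As an added example (not code from this page or from Cyware), the script below shows how such a credential pair is typically used: the Secret Key never leaves the client and is only used to sign each request, while the request itself carries the Access ID, an Expires timestamp, and the resulting Signature. The concrete signing scheme (HMAC-SHA1 over "AccessID\nExpires", base64-encoded, with a 15-second expiry) is the one used by the public Cortex XSOAR CTIX v3 integration as I understand it; treat it as an assumption and confirm it against the Intel Exchange OpenAPI documentation for your version. The credentials, endpoint, and request path are placeholders. The verify function shows what the receiving side must check, which is why an expired or tampered request is rejected.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import urlencode


def sign(access_id: str, secret_key: str, expires: int) -> str:
    """HMAC-SHA1 over "<AccessID>\\n<Expires>", base64-encoded (assumed scheme)."""
    to_sign = f"{access_id}\n{expires}".encode("utf-8")
    digest = hmac.new(secret_key.encode("utf-8"), to_sign, hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def auth_params(access_id: str, secret_key: str,
                now: Optional[float] = None, ttl: int = 15) -> dict:
    """Query parameters a client attaches to one request.

    The Secret Key is used only to compute the Signature and never appears in
    the URL. Expires is an absolute Unix time a short ttl from now, so a
    captured URL stops working once that window has passed.
    """
    expires = int((time.time() if now is None else now) + ttl)
    return {
        "AccessID": access_id,
        "Expires": expires,
        "Signature": sign(access_id, secret_key, expires),
    }


def build_url(endpoint_url: str, path: str, params: dict) -> str:
    """Join the Endpoint URL copied from Intel Exchange with a path and params."""
    return endpoint_url.rstrip("/") + "/" + path.lstrip("/") + "?" + urlencode(params)


def verify(params: dict, secret_key: str, now: Optional[float] = None) -> bool:
    """Receiving-side check: not expired, and the Signature matches what the
    shared Secret Key produces. The comparison is constant-time."""
    try:
        access_id = str(params["AccessID"])
        expires = int(params["Expires"])
        presented = str(params["Signature"])
    except (KeyError, TypeError, ValueError):
        return False
    current = time.time() if now is None else now
    if current > expires:
        return False
    return hmac.compare_digest(sign(access_id, secret_key, expires), presented)


if __name__ == "__main__":
    # Placeholder credentials, endpoint and path, not real Intel Exchange values.
    ACCESS_ID = "example-access-id"
    SECRET_KEY = "example-secret-key"
    ENDPOINT = "https://intel-exchange.example/ctixapi/openapi/"
    params = auth_params(ACCESS_ID, SECRET_KEY)
    print(build_url(ENDPOINT, "ping/", params))
    print("verifies:", verify(params, SECRET_KEY))
```

Because the Signature is bound to the Expires value, anyone who logs or intercepts a request URL gets at most a few seconds of replay; the Secret Key itself is still a long-lived secret, which is why the page tells you to set an expiration date on the credentials and to store them securely.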

Configure Cortex XSOAR App in Intel Exchange

Before you Start 

  • Ensure that you have the URL, username, and API key of your Cortex XSOAR account.

  • Ensure that you have View Tool Integrations and Update Tool Integrations permissions.

Steps 

Use the following steps to configure the app in the Intel Exchange and get started:

  1. Go to Administration, open Integration Management, and select Internal Applications under Tool Integrations.

  2. Select Security Orchestration Automation Response.

  3. Search CORTEX-XSOAR and click on the app.

  4. Click Add Instance.

  5. Enter a unique account name to identify the instance, such as Prod_CORTEX-XSOAR.

  6. Enter the base URL to directly connect to the application's server, such as https://sitename.com/directoryname/.

  7. Enter the access ID to authenticate the user.

  8. Select Verify SSL to verify and secure the connection between the Intel Exchange and CORTEX-XSOAR servers.

    If you disable this option, Intel Exchange accepts an expired or otherwise invalid SSL certificate when it configures the instance. The connection may then fail silently, and Intel Exchange cannot notify you of a broken or improper connection. Skipping certificate verification also leaves the API key exposed to anyone who can intercept traffic between the two servers. Keep this option selected.

  9. Click Save.

Enable Trigger Playbooks

After configuring the application on Intel Exchange, enable the action to trigger playbooks in Cortex XSOAR.

Steps 

  1. Go to Administration, open Integration Management, and select Internal Applications under Tool Integrations.

  2. Select Security Orchestration Automation Response.

  3. Select CORTEX-XSOAR.

  4. Click the ellipsis in the upper-right corner and click Manage.

  5. Click Manage Action(s) and select an action.

  6. Enable the toggle to trigger the playbooks.

  7. Click Save.

Create a Rule in Intel Exchange to Trigger Playbooks in Cortex XSOAR

Create a rule in the Intel Exchange to trigger the playbooks in Cortex XSOAR.

Before you Start 

Ensure that you have View Rules, Create Rules, and Update Rules permissions.

Steps 

  1. Go to Main Menu and select Rules under Actions.

  2. Click New Rule.

  3. Enter a rule name and a description.

  4. To easily identify and categorize components in Intel Exchange, select Tags.

  5. Click Submit.

  6. Set the following optional Basic Details for a rule:

    • Allow all Conditions: Applies all available conditions on the selected threat data object. When selected, the system notifies that the previously selected conditions will be removed, and the Conditions under Components on the left side of the screen are removed.

    • Run Rule after Enrichment: Runs the rule only after data enrichment and confidence score evaluation are completed.

    • Triggers on Manual Update: Triggers the rule to run for any manual update made to the existing threat data object by an analyst. It will not execute the rule for any new threat data objects coming into the application. This option removes the previously selected sources and collections and prompts you to confirm to allow all sources and collections for the trigger to update the threat data object.

    • Exclude False Positive: Excludes the identified false positives to filter the data. By default, this option is selected, and no false positives are included. This option ignores any conditions configured in the rule to remove false-positive threat data objects.

    • Exclude Indicators Allowed: Excludes the identified allowed indicators to filter the data. By default, this option is selected, and no allowed indicators are included. This option ignores any conditions configured in the rule to remove the allowed threat data objects.

  7. Define the sources and collections, and conditions for the rule. For more information on rules, see Automation Rules.

  8. In Actions, choose the following:

    1. Actions: Trigger Playbook

    2. Application: CORTEX-XSOAR

    3. Account: Select an XSOAR account.

    4. Event: Select the event to identify the playbooks from CORTEX-XSOAR to trigger.

      Note

      To trigger the playbooks of the selected event, ensure that you have configured the event to run playbooks automatically.

    5. Threat Data Objects: Select the threat data objects for which you want to trigger the playbook.

  9. Click Save.

Configure Intel Exchange in Cortex XSOAR

Configure the Intel Exchange application in Cortex XSOAR to see Intel Exchange enrichment for threat intel data on the SOAR platform.

Steps 

  1. Sign in to Cortex XSOAR with administrator credentials.

  2. Click Settings on the bottom left corner and select Servers and Services.

  3. Search for the CTIX app and click Add Instance.

  4. Enter the Access ID, Secret Key, and Endpoint URL fetched from the Intel Exchange application.

  5. Click Save and Exit.

Use Intel Exchange Enrichment in Cortex XSOAR

After you configure the Intel Exchange, view the enriched data fetched from Intel Exchange for indicators present in Cortex XSOAR. You can view Intel Exchange enriched data for IP, domain, URL, and file.

Run the following commands in the Cortex XSOAR CLI at the bottom of the screen, in an automation, or in a playbook task. Each command fetches the basic details of the indicator from Intel Exchange into Cortex XSOAR. Add enhanced=True to also fetch the intel enriched by any enrichment tools configured in Intel Exchange, in addition to the basic details.

These are the generic Cortex XSOAR reputation commands, so they also run against every other enabled integration that implements them. To query only your Intel Exchange instance, add using="<instance name>" with the name you gave the CTIX instance.

  • IP
    Syntax:  !ip ip="<<IP Address>>" enhanced=True
    Example: !ip ip="8.8.8.8" enhanced=True

  • Domain
    Syntax:  !domain domain="<<Domain Name>>" enhanced=True
    Example: !domain domain="google.com" enhanced=True

  • URL
    Syntax:  !url url="<<URL>>" enhanced=True
    Example: !url url="https://www.test.com/" enhanced=True

  • File
    Syntax:  !file file="<<File Hash>>" enhanced=True
    Example: !file file="4ebb2b00a11f9361cf3757e96f14ad4b" enhanced=True
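Indicators rarely arrive as cleanly as the examples above: feeds and reports defang them (hxxp, [.]), mix types in one list, and occasionally contain characters that would break out of the quoted command argument. The following added example (my own code, not from this page or from the CTIX integration) classifies a raw indicator as ip, domain, url, or file hash, refangs it, and builds the matching command string, refusing values that could not be quoted safely. The defanging patterns, the accepted URL schemes, and the using="<instance name>" argument (a standard XSOAR CLI argument that pins a command to one integration instance) are my assumptions; the instance name shown is a placeholder.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Defanging conventions seen in threat reports (assumed list, extend as needed).
_REFANG = [
    (re.compile(r"hxxp", re.IGNORECASE), "http"),
    (re.compile(r"\[\.\]|\(\.\)|\{\.\}"), "."),
    (re.compile(r"\[:\]"), ":"),
    (re.compile(r"\[@\]"), "@"),
]
_HEX = re.compile(r"^[0-9a-fA-F]+$")
_HASH_LENGTHS = {32: "MD5", 40: "SHA-1", 64: "SHA-256"}
_DOMAIN = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$",
    re.IGNORECASE,
)


def refang(value: str) -> str:
    """Undo common defanging so the value matches what Intel Exchange stores."""
    out = value.strip()
    for pattern, replacement in _REFANG:
        out = pattern.sub(replacement, out)
    return out


def classify(value: str):
    """Return (indicator_type, normalized_value) or raise ValueError."""
    v = refang(value)
    if _HEX.match(v) and len(v) in _HASH_LENGTHS:
        return "file", v.lower()
    try:
        return "ip", str(ipaddress.ip_address(v))
    except ValueError:
        pass
    if "://" in v:
        parts = urlparse(v)
        if parts.scheme.lower() in ("http", "https", "ftp") and parts.netloc:
            return "url", v
        raise ValueError(f"unsupported URL: {value!r}")
    if _DOMAIN.match(v):
        return "domain", v.lower()
    raise ValueError(f"not an IP, domain, URL or file hash: {value!r}")


def enrichment_command(value: str, enhanced: bool = True, instance: str = "") -> str:
    """Build the XSOAR CLI command for one indicator.

    Double quotes or newlines inside the value would break out of the quoted
    argument, so they are refused rather than interpolated.
    """
    kind, norm = classify(value)
    if '"' in norm or "\n" in norm or '"' in instance:
        raise ValueError(f"unsafe characters in indicator: {value!r}")
    cmd = f'!{kind} {kind}="{norm}"'
    if enhanced:
        cmd += " enhanced=True"
    if instance:
        cmd += f' using="{instance}"'
    return cmd


def enrichment_commands(values, enhanced: bool = True, instance: str = ""):
    """Batch helper: returns (commands, rejected) for raw indicator strings."""
    commands, rejected = [], []
    for raw in values:
        try:
            commands.append(enrichment_command(raw, enhanced, instance))
        except ValueError as exc:
            rejected.append((raw, str(exc)))
    return commands, rejected


if __name__ == "__main__":
    # Constructed sample mixing clean and defanged indicators plus junk.
    sample = ["8.8.8.8", "google[.]com", "hxxps://www[.]test[.]com/",
              "4ebb2b00a11f9361cf3757e96f14ad4b", "not an indicator"]
    cmds, bad = enrichment_commands(sample, instance="CTIX_prod")
    print("\n".join(cmds))
    print("rejected:", bad)
```

Inside an XSOAR automation each returned string would be handed to the command runner rather than printed; the point of doing the classification and quoting in code is that an analyst pasting a defanged or malformed indicator gets a rejection instead of a silently wrong lookup.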