
Cortex XSOAR v8

Connector Category: Security Orchestration Automation Response

Notice

This integration is available in Intel Exchange v3.7.6.2 onwards and applies to Cortex XSOAR v8. For information regarding migration impact and the configuration required for new installations, see Upgrade Notes and Data Mapping.

About Integration

Cortex XSOAR v8 is a security orchestration, automation, and response (SOAR) platform that helps security teams manage incidents and automate investigations and response workflows.

You can integrate Intel Exchange with Cortex XSOAR v8 in the following way:

  • Trigger playbooks in the Cortex XSOAR v8 application from Intel Exchange. This integration enables security teams to automatically trigger playbooks defined in Cortex XSOAR v8 when specified rule conditions are met in Intel Exchange.

The Cortex XSOAR v8 internal application in Intel Exchange supports the following action:

  • Trigger Playbook v8

Configuration

You must configure the integration in Intel Exchange before you can trigger playbooks in Cortex XSOAR.

Before you Start 

  • Ensure you have Administrator or Analyst access to Intel Exchange and the Cortex XSOAR v8 platform.

  • Ensure you have View CTIX Integrators, Create CTIX Integrators, and Update CTIX Integrators permissions.

  • Ensure you have View Tool Integrations and Update Tool Integrations permissions.

  • Ensure that you have the API URL, API key, and API ID of your Cortex XSOAR v8 account.

Perform the following to integrate Cortex XSOAR v8 with Intel Exchange:

To enable Intel Exchange to access Cortex XSOAR v8, you must create an API key in Cortex XSOAR v8. The generated API ID and API Key are the credentials Intel Exchange uses to authenticate its API requests when a rule runs.

Steps 

To create an API key in Cortex XSOAR v8, follow these steps:

  1. Log in to your Cortex XSOAR v8 instance.

  2. Go to Settings > Settings & Info.

  3. Under the Integrations section, select API Keys.

  4. Click + New Key.

  5. In the Generate API Key dialog, enter the following details:

    • Name: Enter a name for the API key. For example, Cortex_XSOAR_Integration.

    • Security Level: Select the appropriate security level. Standard is commonly used for API integrations.

    • Role: Select a role whose permissions cover creating incidents and running playbooks. For example, Instance Administrator. The key inherits every permission of the role, so prefer the least-privileged role that still lets the integration create incidents and run the target playbooks.

  6. (Optional) Set an Expiration Date if required by your organization's security policy.

  7. Click Generate.

  8. Copy the generated API Key, API ID, and API URL, and store them securely. The key is not shown again after you close the notification pop-up.

For more information about API key permissions, security levels, and role-based access, see CORTEX XSOAR documentation.

After generating the API key, configure the Cortex XSOAR v8 application in Intel Exchange.

Steps 

To configure Cortex XSOAR v8 as an internal application in Intel Exchange, follow these steps:

  1. Go to Administration > Integration Management > Internal Applications.

  2. Select Security Orchestration Automation Response.

  3. Search CORTEX-XSOAR v8 and click on the app.

  4. Click Add Instance.

  5. Enter a unique account name to identify the instance, such as Prod_Cortex_XSOAR.

  6. Enter the Base URL (the API URL you copied when generating the key) used to connect directly to the application's server, such as https://{{base_url}}.crtx.in.paloaltonetworks.com/

  7. Enter the API ID and API Key to authenticate the user.

  8. Select Verify SSL so that Intel Exchange validates the Cortex XSOAR v8 server certificate before sending requests.

    If you clear this option, Intel Exchange accepts any certificate, including an expired, self-signed, or mismatched one. The instance may then save and appear to work even when the connection is broken or intercepted, and Intel Exchange cannot alert you to it. Because every request carries the API key, an unverified connection also exposes the key to anyone able to intercept the traffic. Keep this option selected.

  9. Click Save.
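The two details in the procedures above that most often go wrong are the credential format for the chosen security level and the Verify SSL choice. The following Python script is an added example, not part of this page nor code from Cyware or Palo Alto Networks. It builds the request headers for a Cortex XSOAR v8 API key of either security level (the header names and the Advanced-key digest, sha256 of key + nonce + timestamp, follow the API-key scheme Palo Alto Networks publishes for Cortex XSOAR and XDR) and then probes the API URL with certificate verification on, the way Intel Exchange connects when Verify SSL is selected. The probe path /xsoar/public/v1/incidents/search, the placeholder credentials, and the example hostname are assumptions; substitute your own API URL, API ID, and API Key.

```python
"""Added example: XSOAR v8 API-key headers and a TLS-verified connectivity probe."""
import hashlib
import secrets
import ssl
import string
import time
import urllib.error
import urllib.request

# Assumed path for the probe; any authenticated endpoint will do.
PROBE_PATH = "/xsoar/public/v1/incidents/search"


def build_headers(api_key_id, api_key, security_level="Standard",
                  nonce=None, timestamp_ms=None):
    """Return the auth headers for an XSOAR v8 API key of the given security level.

    Standard: the key itself travels in Authorization on every request.
    Advanced: only sha256(key + nonce + timestamp) travels, plus the nonce and
    timestamp, so a captured request cannot be replayed once the timestamp ages out.
    nonce/timestamp_ms can be fixed for testing; normally leave them None.
    """
    if security_level == "Standard":
        return {"Authorization": api_key, "x-xdr-auth-id": str(api_key_id)}
    if security_level != "Advanced":
        raise ValueError("security_level must be 'Standard' or 'Advanced'")
    if nonce is None:
        alphabet = string.ascii_letters + string.digits
        nonce = "".join(secrets.choice(alphabet) for _ in range(64))
    if timestamp_ms is None:
        timestamp_ms = int(time.time()) * 1000
    digest = hashlib.sha256(f"{api_key}{nonce}{timestamp_ms}".encode()).hexdigest()
    return {
        "Authorization": digest,
        "x-xdr-auth-id": str(api_key_id),
        "x-xdr-nonce": nonce,
        "x-xdr-timestamp": str(timestamp_ms),
    }


def check_connection(api_url, headers, verify_ssl=True, timeout=10):
    """POST an empty JSON body to PROBE_PATH and return (ok, detail).

    verify_ssl=False is the equivalent of clearing Verify SSL in Intel Exchange:
    the certificate is not checked, so a broken or intercepted connection is
    indistinguishable from a good one.
    """
    url = api_url.rstrip("/") + PROBE_PATH
    ctx = ssl.create_default_context()
    if not verify_ssl:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(
        url, data=b"{}", method="POST",
        headers={**headers, "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
            return True, f"HTTP {resp.status}"
    except urllib.error.HTTPError as err:
        # TLS and routing work; 401/403 points at the API ID, key or key role.
        return False, f"HTTP {err.code}: check API ID, API key and key role"
    except urllib.error.URLError as err:
        if isinstance(err.reason, ssl.SSLCertVerificationError):
            return False, f"certificate verification failed: {err.reason.verify_message}"
        return False, f"connection failed: {err.reason}"


if __name__ == "__main__":
    # Placeholder values (assumed); replace them with your own before running for real.
    API_URL = "https://api-example.crtx.in.paloaltonetworks.com"
    hdrs = build_headers("42", "replace-with-your-api-key", "Standard")
    print(check_connection(API_URL, hdrs, verify_ssl=True))
```

Run the probe with verify_ssl=True first. A certificate verification failure here is exactly what Intel Exchange would accept without complaint if Verify SSL were cleared; fix the certificate or the trust chain rather than disabling verification. An HTTP 401 or 403 means TLS and routing are fine and the problem is the API ID, the key, or the role attached to the key.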

After configuring the application on Intel Exchange, enable the action to trigger playbooks in Cortex XSOAR v8.

Steps 

  1. Go to Administration > Integration Management > Internal Applications.

  2. Select Security Orchestration Automation Response.

  3. Select CORTEX-XSOAR v8.

  4. Click the ellipsis in the upper-right corner and click Manage.

  5. Click Manage Actions and select an action.

  6. Enable the toggle to Trigger Playbook v8.

  7. Click Save.

After you enable Trigger Playbook v8, create a rule in Intel Exchange to automatically trigger the Cortex XSOAR v8 playbook when threat data matches specific criteria. Rules enable you to operationalize threat intelligence by initiating response workflows based on defined conditions.

Steps 

  1. In Intel Exchange, go to Main Menu and select Rules under Actions.

  2. Click New Rule.

  3. Enter a title and key details about the rule as the rule description. To make components easier to identify and categorize in Intel Exchange, add tags.

  4. Click Submit.

  5. Set the following optional Basic Details for a rule:

    • Allow all Conditions: Applies all available conditions on the selected threat data object. When selected, the system notifies you that the previously selected conditions will be removed, and the Conditions under Components on the left side of the screen are removed.

    • Run Rule after Enrichment: Runs the rule only after data enrichment and confidence score evaluation are completed.

    • Triggers on Manual Update: Runs the rule for any manual update that an analyst makes to an existing threat data object. It does not run the rule for new threat data objects coming into the application. This option removes the previously selected sources and collections and prompts you to confirm that all sources and collections are allowed for the trigger to update the threat data object.

    • Exclude False Positive: Excludes the identified false positives to filter the data. By default, this option is selected, and no false positives are included. This option ignores any conditions configured in the rule to remove false-positive threat data objects.

    • Exclude Indicators Allowed: Excludes the identified allowed indicators to filter the data. By default, this option is selected, and no allowed indicators are included. This option ignores any conditions configured in the rule to remove the allowed threat data objects.

  6. Define the sources and collections, and the conditions, for the rule. For more information, see Automation Rules.

  7. In Actions, select the following:

    1. Actions: Trigger Playbook v8

    2. Application: Cortex XSOAR v8

    3. Account: Select the Cortex XSOAR v8 instance you configured.

    4. Event: Select the event that identifies which Cortex XSOAR v8 playbook to trigger.

  8. Click Save.

When the rule runs, objects matching the configured sources and conditions are retrieved, and the matching indicators are submitted to the Cortex XSOAR v8 platform for action.

After Intel Exchange triggers a playbook in Cortex XSOAR v8, the generated data appears as incidents in the Cortex XSOAR platform.

Steps 

To view the incidents, follow these steps:

  1. Log in to your Cortex XSOAR instance.

  2. In the left navigation menu, select Incidents.

The incidents triggered from Intel Exchange appear in this section. You can open an incident to view the associated intelligence and playbook execution details.

Upgrade Notes and Data Mapping

If you upgraded to Cortex XSOAR v8 from an earlier version, the existing incident fields are retained and continue to capture data from Intel Exchange. For new Cortex XSOAR v8 deployments, configure the required incident fields to capture incoming data. For more information, see Configure Incident Fields in Cortex XSOAR.

In the Cortex XSOAR platform, incident fields must exist before data arrives from an external integration such as Intel Exchange. If the required fields are not configured, the incoming data may not appear in the incident record.

Steps 

To create custom incident fields, follow these steps:

  1. Log in to your Cortex XSOAR instance.

  2. Go to Settings > Settings & Info.

  3. Under Object Setup, select Incidents.

  4. Open the Incident Fields tab. Click + New Field.

  5. Enter the required field details, such as the Field Type, Field name, and other configuration options based on your requirements.

  6. Click Save.

Ensure that the field names you create are unique and match the data that you want to capture from Intel Exchange.