Skip to main content

Cyware Threat Intelligence eXchange

Cortex XSOAR

Connector Category: Security Orchestration Automation Response

About Integration

Cortex XSOAR is a comprehensive security orchestration, automation, and response (SOAR) platform that unifies case management, automation, real-time collaboration, and threat intel management to serve security teams across the incident lifecycle.

You can integrate CTIX and Cortex XSOAR in the following ways:

  • Configure the CTIX application as an enrichment tool inside Cortex XSOAR. This helps the security teams using Cortex SOAR to do a lookup for any indicator using CTIX.

  • Trigger playbooks in the Cortex XSOAR application from the CTIX application. This integration enables your security operations teams to trigger playbooks defined on the Cortex XSOAR that can create multi-step workflows for incident management of your resources.

The Cortex XSOAR internal application in Intel Exchange supports the following actions:

  • Trigger Playbook V3

  • Trigger Playbook

Perform the following to integrate Cortex XSOAR with CTIX:

  1. Generate CTIX OpenAPI Credentials 

  2. Configure Cortex XSOAR App in CTIX 

  3. Enable Trigger Playbooks 

  4. Create a Rule in CTIX to Trigger Playbooks in Cortex XSOAR 

  5. Configure CTIX App in Cortex XSOAR 

  6. Use CTIX Enrichment in Cortex XSOAR 

Generate CTIX OpenAPI Credentials

To gain Rest API access to CTIX endpoints, you must generate API credentials for your API user from the CTIX application.

Before you Start 

Ensure that you have View CTIX Integrators, Create CTIX Integrators, and Update CTIX Integrators permissions.

Steps 

  1. Sign in to the CTIX application and from Administration select Integrations Management.

  2. On the left-hand side panel, select CTIX Integrators under THIRD PARTY DEVELOPERS.

  3. Click Add New to generate API credentials.

  4. Enter a name and a description.

  5. Specify an expiration date for your API credentials. After the specified date, the generated credentials expire and you will have to regenerate the credentials.

  6. You cannot modify the associated user.

  7. Click Generate.

  8. Copy the Access ID, Secret Key, and the Endpoint URL. You can also download a CSV file with these details.

    Note

    Once you close this page, you cannot see these details again.

Configure Cortex XSOAR App in CTIX

Before you Start 

  • Ensure that you have the URL, username, and API key of your Cortex XSOAR account.

  • Ensure that you have View Tool Integrations and Update Tool Integrations permissions.

Steps 

Use the following steps to configure the app in the CTIX application and get started:

  1. Navigate to Administration, open Integration Management, and select Internal Applications under Tool Integrations.

  2. Select Security Orchestration Automation Response.

  3. Search CORTEX-XSOAR and click on the app.

  4. Click Add Instance.

  5. Enter a unique account name to identify the instance, such as Prod_CORTEX-XSOAR.

  6. Enter the base URL to directly connect to the application's server, such as https://sitename.com/directoryname/.

  7. Enter the access ID to authenticate the user.

  8. Select Verify SSL to verify and secure the connection between the CTIX and CORTEX-XSOAR servers.

    If you disable this option, CTIX may configure an instance for an expired SSL certificate. This may not establish the connection properly and CTIX will not be able to notify you in case of a broken or improper connection. It is recommended to select this option.

  9. Click Save.

Enable Trigger Playbooks

After configuring the application on CTIX, enable the action to trigger playbooks in Cortex XSOAR.

Steps 

  1. Navigate to Administration, open Integration Management, and select Internal Applications under Tool Integrations.

  2. Select Security Orchestration Automation Response.

  3. Select CORTEX-XSOAR.

  4. Click the ellipsis on the top right corner and click Manage.

  5. Click Manage Action(s) and select an action.

  6. Enable the toggle to trigger the playbooks.

  7. Click Save.

Create a Rule in CTIX to Trigger Playbooks in Cortex XSOAR

Create a rule in the CTIX application to trigger the playbooks in Cortex XSOAR.

Before you Start 

Ensure that you have View Rules, Create Rules, and Update Rules permissions.

Steps 

  1. Navigate to Main Menu and select Rules under Actions.

  2. Click New Rule.

  3. Enter a rule name and a description.

  4. To easily identify and categorize components in CTIX, select Tags.

  5. Click Submit.

  6. Set the following optional Basic Details for a rule:

    • Allow all Conditions: Applies all available conditions on the selected threat data object. When selected, the system notifies that the previously selected conditions will be removed, and the Conditions under Components on the left side of the screen are removed.

    • Run Rule after Enrichment: Runs the rule only after data enrichment and confidence score evaluation are completed.

    • Triggers on Manual Update: Triggers the rule to run for any manual update made to the existing threat data object by an analyst. It will not execute the rule for any new threat data objects coming into the application. This option removes the previously selected sources and collections and prompts you to confirm to allow all sources and collections for the trigger to update the threat data object.

    • Exclude False Positive: Excludes the identified false positives to filter the data. By default, this option is selected and no false positives are included. This option ignores any conditions configured in the rule to remove false-positive threat data objects.

    • Exclude Indicators Allowed: Excludes the identified allowed indicators to filter the data. By default, this option is selected and no allowed indicators are included. This option ignores any conditions configured in the rule to remove the allowed threat data objects.

  7. Define the sources and collections, and conditions for the rule. Refer to Automation Rules for more information.

  8. In Actions, choose the following:

    1. Actions: Trigger Playbook

    2. Application: CORTEX-XSOAR

    3. Account: Select an XSOAR account.

    4. Event: Select the event to identify the playbooks from CORTEX-XSOAR to trigger.

      Note

      To trigger the playbooks of the selected event, ensure that you have configured the event to run playbooks automatically.

    5. Threat Data Objects: Select the threat data objects for which you want to trigger the playbook.

  9. Click Save.

Configure CTIX App in Cortex XSOAR

Configure the CTIX application in the Cortex XSOAR application to see CTIX enrichment for the threat intel data on the SOAR platform.

Steps 

  1. Sign in to Cortex XSOAR with administrator credentials.

  2. Click Settings on the bottom left corner and select Servers and Services.

  3. Search for the CTIX app and click Add Instance.

  4. Enter the Access ID, Secret Key, and Endpoint URL fetched from the CTIX application.

  5. Click Save and Exit.

Use CTIX Enrichment in Cortex XSOAR

After you configure the CTIX application, view the enriched data fetched from CTIX for indicators present in Cortex XSOAR. You can view CTIX enriched data for IP, domain, URL, and file.

  1. Execute the following commands in Cortex XSOAR CLI at the bottom of the screen as part of automation or in a playbook:

    The command fetches the basic details of the indicator from CTIX into the Cortex XSOAR application.

    Add enhanced = True to the command syntax to also fetch intel enriched by any enrichment tools in CTIX in addition to the basic detail of the indicator.

Indicator

Command Syntax

Example

IP

!ip ip="<<IP Address>>" enhanced=True 

!ip ip="8.8.8.8" enhanced=True 

Domain

!domain domain="<<Domain Name>>" enhanced=True 

!domain domain="google.com" enhanced=True 

URL

!url url="<<URL>>" enhanced=True 

!url url="https://www.test.com/"enhanced=True 

File

!file file="4ebb2b00a11f9361cf3757e96f14ad4b"enhanced=True 

!file file="4ebb2b00a11f9361cf3757e96f14ad4b"enhanced=True