Cortex XSOAR
Connector Category: Security Orchestration Automation Response
About Integration
Cortex XSOAR is a comprehensive security orchestration, automation, and response (SOAR) platform that unifies case management, automation, real-time collaboration, and threat intel management to serve security teams across the incident lifecycle.
You can integrate CTIX and Cortex XSOAR in the following ways:
Configure the CTIX application as an enrichment tool inside Cortex XSOAR. This lets security teams using Cortex XSOAR look up any indicator in CTIX.
Trigger playbooks in the Cortex XSOAR application from the CTIX application. This integration enables your security operations teams to trigger playbooks defined in Cortex XSOAR, which can build multi-step workflows for incident management of your resources.
The Cortex XSOAR internal application in Intel Exchange supports the following actions:
Trigger Playbook V3
Trigger Playbook
Perform the following to integrate Cortex XSOAR with CTIX:
Generate API Key in Cortex XSOAR
To enable Intel Exchange to access Cortex XSOAR, you must create an API key in your Cortex XSOAR app. This allows you to generate the credentials required to authenticate API requests and run rules.
Before you Start
Ensure your user is assigned to the Administrator or Analyst role to create an API key.
Steps
To create an API key in Cortex XSOAR, follow these steps:
Log in to the Cortex XSOAR console.
In the left pane, go to Settings > Integrations > API Keys.
To generate a new API key, click Get Your Key and enter a name for the API key.
Click Generate. Copy and store the API key value securely. You will not be able to view it again after you close the notification pop-up.
Generate CTIX OpenAPI Credentials
To gain REST API access to CTIX endpoints, you must generate API credentials for your API user from the CTIX application.
Before you Start
Ensure that you have View CTIX Integrators, Create CTIX Integrators, and Update CTIX Integrators permissions.
Steps
Sign in to the CTIX application and from Administration select Integrations Management.
On the left-hand side panel, select CTIX Integrators under THIRD PARTY DEVELOPERS.
Click Add New to generate API credentials.
Enter a name and a description.
Specify an expiration date for your API credentials. After the specified date, the generated credentials expire and you will have to regenerate the credentials.
You cannot modify the associated user.
Click Generate.
Copy the Access ID, Secret Key, and the Endpoint URL. You can also download a CSV file with these details.
Note
After you close this page, you cannot see these details again.
Configure Cortex XSOAR App in CTIX
Before you Start
Ensure that you have the URL, username, and API key of your Cortex XSOAR account.
Ensure that you have View Tool Integrations and Update Tool Integrations permissions.
Steps
Use the following steps to configure the app in the CTIX application and get started:
Navigate to Administration, open Integration Management, and select Internal Applications under Tool Integrations.
Select Security Orchestration Automation Response.
Search CORTEX-XSOAR and click on the app.
Click Add Instance.
Enter a unique account name to identify the instance, such as Prod_CORTEX-XSOAR.
Enter the base URL to directly connect to the application's server, such as https://sitename.com/directoryname/.
Enter the access ID to authenticate the user.
Select Verify SSL to verify and secure the connection between the CTIX and CORTEX-XSOAR servers.
If you disable this option, CTIX may configure the instance even when the server presents an expired SSL certificate. The connection may then not be established properly, and CTIX will not be able to notify you of a broken or improper connection. It is recommended to select this option.
Click Save.
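To show what the Verify SSL toggle and the base URL field in the steps above mean at the client level, here is an added example in Python using only the standard library; it is not code from CTIX or Cortex XSOAR. It maps the toggle onto an ssl.SSLContext, normalizes the base URL so that API paths join correctly, and builds (but does not send) a request. The XsoarInstance fields, the build_request helper and the ca_bundle option are assumptions for illustration; the Authorization header is the form the Cortex XSOAR 6 REST API accepts for an API key, and the api_key value is expected to come from a secret store, never from source code.

```python
"""Added example: what "Verify SSL" and the base URL mean for a client that
talks to a Cortex XSOAR server. Standard library only; no network call is made."""
import os
import ssl
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit, urlunsplit
from urllib.request import Request


@dataclass(frozen=True)
class XsoarInstance:
    """Hypothetical mirror of the instance fields from the configuration steps."""
    name: str                      # e.g. "Prod_CORTEX-XSOAR"
    base_url: str                  # e.g. "https://sitename.com/directoryname/"
    api_key: str                   # load from a secret store / env var, never hard-code
    verify_ssl: bool = True        # the "Verify SSL" toggle
    ca_bundle: Optional[str] = None  # hypothetical: PEM bundle of a private CA


def normalize_base_url(url: str) -> str:
    """Require https and a trailing slash so relative API paths join correctly."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        raise ValueError(f"base URL must use https, got {parts.scheme!r}")
    if not parts.netloc:
        raise ValueError("base URL has no host")
    path = parts.path if parts.path.endswith("/") else parts.path + "/"
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))


def make_ssl_context(verify_ssl: bool, ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Map the Verify SSL toggle to TLS settings.

    verify_ssl=True keeps chain validation and hostname checking on, so an
    expired or untrusted server certificate fails loudly instead of silently.
    A private CA is handled by trusting its bundle, not by disabling checks.
    verify_ssl=False turns both checks off (CERT_NONE), which is the setting
    the configuration steps recommend against.
    """
    ctx = ssl.create_default_context()
    if verify_ssl:
        if ca_bundle:
            ctx.load_verify_locations(cafile=ca_bundle)
        return ctx
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verification_enabled(ctx: ssl.SSLContext) -> bool:
    """True only if both certificate-chain and hostname checks are active."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def build_request(inst: XsoarInstance, api_path: str, body: bytes = b"") -> Request:
    """Build an authenticated request object for an API path (not sent here)."""
    url = normalize_base_url(inst.base_url) + api_path.lstrip("/")
    headers = {
        "Authorization": inst.api_key,      # XSOAR 6 API key header
        "Content-Type": "application/json",
        "Accept": "application/json",
    }
    return Request(url, data=body or None, headers=headers,
                   method="POST" if body else "GET")


if __name__ == "__main__":
    # Key read from the environment so the example can be run without editing it.
    inst = XsoarInstance(name="Prod_CORTEX-XSOAR",
                         base_url="https://sitename.com/directoryname",
                         api_key=os.environ.get("XSOAR_API_KEY", "<placeholder>"))
    ctx = make_ssl_context(inst.verify_ssl, inst.ca_bundle)
    req = build_request(inst, "/incident", b"{}")
    print("URL:", req.full_url)
    print("TLS verification enabled:", verification_enabled(ctx))
```

The point of verification_enabled is that a context with verify_mode CERT_NONE is the programmatic equivalent of clearing the Verify SSL checkbox: the connection will succeed against an expired, self-signed or substituted certificate, which is exactly why the configuration steps advise keeping the option on and fixing the server certificate instead.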
Enable Trigger Playbooks
After configuring the application on CTIX, enable the action to trigger playbooks in Cortex XSOAR.
Steps
Navigate to Administration, open Integration Management, and select Internal Applications under Tool Integrations.
Select Security Orchestration Automation Response.
Select CORTEX-XSOAR.
Click the ellipsis in the upper-right corner and click Manage.
Click Manage Action(s) and select an action.
Enable the toggle to trigger the playbooks.
Click Save.
Create a Rule in CTIX to Trigger Playbooks in Cortex XSOAR
Create a rule in the CTIX application to trigger the playbooks in Cortex XSOAR.
Before you Start
Ensure that you have View Rules, Create Rules, and Update Rules permissions.
Steps
Navigate to Main Menu and select Rules under Actions.
Click New Rule.
Enter a rule name and a description.
To easily identify and categorize components in CTIX, select Tags.
Click Submit.
Set the following optional Basic Details for a rule:
Allow all Conditions: Applies all available conditions on the selected threat data object. When selected, the system notifies that the previously selected conditions will be removed, and the Conditions under Components on the left side of the screen are removed.
Run Rule after Enrichment: Runs the rule only after data enrichment and confidence score evaluation are completed.
Triggers on Manual Update: Triggers the rule to run for any manual update made to the existing threat data object by an analyst. It will not execute the rule for any new threat data objects coming into the application. This option removes the previously selected sources and collections and prompts you to confirm to allow all sources and collections for the trigger to update the threat data object.
Exclude False Positive: Excludes the identified false positives to filter the data. By default, this option is selected and no false positives are included. This option ignores any conditions configured in the rule to remove false-positive threat data objects.
Exclude Indicators Allowed: Excludes the identified allowed indicators to filter the data. By default, this option is selected and no allowed indicators are included. This option ignores any conditions configured in the rule to remove the allowed threat data objects.
Define the sources and collections, and conditions for the rule. Refer to Automation Rules for more information.
In Actions, choose the following:
Actions: Trigger Playbook
Application: CORTEX-XSOAR
Account: Select an XSOAR account.
Event: Select the event to identify the playbooks from CORTEX-XSOAR to trigger.
Note
To trigger the playbooks of the selected event, ensure that you have configured the event to run playbooks automatically.
Threat Data Objects: Select the threat data objects for which you want to trigger the playbook.
Click Save.
Configure CTIX App in Cortex XSOAR
Configure the CTIX application in the Cortex XSOAR application to see CTIX enrichment for the threat intel data on the SOAR platform.
Steps
Sign in to Cortex XSOAR with administrator credentials.
Click Settings on the bottom left corner and select Servers and Services.
Search for the CTIX app and click Add Instance.
Enter the Access ID, Secret Key, and Endpoint URL fetched from the CTIX application.
Click Save and Exit.
Use CTIX Enrichment in Cortex XSOAR
After you configure the CTIX application, you can view the enriched data fetched from CTIX for indicators present in Cortex XSOAR. CTIX enrichment is available for IP, domain, URL, and file indicators.
Execute the following commands in Cortex XSOAR CLI at the bottom of the screen as part of automation or in a playbook:
Each command fetches the basic details of the indicator from CTIX into the Cortex XSOAR application.
Add enhanced = True to the command to also fetch intel enriched by any enrichment tools in CTIX, in addition to the basic details of the indicator.
| Indicator | Command Syntax | Example |
|---|---|---|
| IP | | |
| Domain | | |
| URL | | |
| File | | |