Integrations - Set up an integration instance and start ingesting cases/indicators. - Administrator Guide - Cortex CLOUD

Cortex Cloud Posture Management Documentation

Product: Cortex Cloud Application Security > Cortex CLOUD
License: Cloud Posture Management
Creation date: 2025-01-22
Last date published: 2026-06-04
Category: Administrator Guide
Abstract: Set up an integration instance and start ingesting cases/indicators.

Integrations are mechanisms through which Cortex Cloud connects and communicates with other products. These integrations can be executed through REST APIs, webhooks, and other techniques. Integrations enable you to orchestrate and automate SOC operations.

Integrations installed from a content pack

Integrations are included in content packs, which you download and install from Marketplace (go to Settings > Configurations > Marketplace). After you download and install a content pack that includes an integration, you need to configure the integration by adding an instance. You can have multiple instances of an integration, for example, to connect to different environments. Additionally, if you are an MSSP and have multiple tenants, you could configure a separate instance for each tenant.

Note

  • In addition to content packs that you install from Marketplace, related content packs are automatically downloaded when you adopt playbooks or edit tasks that require content items such as scripts or integrations.

Cortex Cloud comes out-of-the-box with integrations to help you onboard, such as:

  • Mail Sender

    Sends email notifications to users.

  • Generic Export Indicators Service

    Provides an endpoint with a list of indicators as a service for the system indicators. For more information about how to set up the integration, see Export indicators.

  • Palo Alto Networks WildFire Reports

    Generates a Palo Alto Networks WildFire PDF report. For more information, see Palo Alto Networks WildFire Reports.

  • Rasterize

    Converts URLs, PDF files, and emails to an image file or PDF file. For more information, see Rasterize.

Create an integration

You can create an integration by adding parameters, commands, arguments, and outputs, as well as writing the necessary integration code. You should have a working Cortex Cloud tenant and programming experience with Python.

  1. Navigate to the Settings > Data Sources & Integrations page and click + Add New.

  2. In the Add Data Source or Integrations page, click Create Integration and select Import File.

  3. Drag and drop or browse to and select the relevant integration file.

For more information about how to create an integration, including an example, see Create an Integration.

Configure an integration

From the Data Sources & Integrations page, you can perform actions on an integration such as:

  • Add an instance

    Configure an integration instance to connect and communicate with other products. For more information, see Add an integration instance.

    After configuring the instance, you can also enable/disable the integration instance, copy the instance, and view the integration fetch history.

  • View the integration's source

    View the integration settings and source code.

    To access this functionality, select an integration from the table and click the three-dots icon.

  • Edit the integration's source code

    Edit the integration settings and source code. For more information about editing the integration's source code, see Create an Integration.

    Note

    If the integration was installed from a content pack, you need to duplicate the integration before editing.

  • Duplicate the integration

    If you want to change the source code and settings, or download the integration, you need to duplicate the integration.

    To access this functionality, select an integration from the table and click the three-dots icon.

  • Show integration commands

    Show the commands the integration contains.

    To access this functionality, select an integration from the table and click the three-dots icon.

  • Delete an integration instance

    Although you cannot delete an integration installed from a content pack (unless it is a duplicate), you can delete an integration instance either by right-clicking the instance and selecting Delete, or by right-clicking the instance, selecting Settings, and then deleting it from the settings configuration pane.

  • Set an integration instance to run always (whenever the integration is called) or on demand

    For each integration instance, you have the option of setting the instance to be used only On Demand, when it is specified with the using argument in a playbook or the CLI. By default, the setting is Always and the integration instance is used whenever the integration is called.

Use integration commands

The command line interface (CLI) enables you to run system commands, integration commands, scripts, etc. from the Cases War Room, Issues War Room, or Playground CLI. The CLI auto-complete feature allows you to find relevant commands, scripts, and arguments.

Cortex Cloud uses the "!" prefix for commands, such as !ad-create-user username=[name of user]

Under each integration, you can view a list of commands.

Note

Integration commands are only available when the integration instance is enabled. Some commands depend on a successful connection between Cortex Cloud and third-party integrations.

You can run the CLI commands in the Playground or in a case/issue War Room. The Playground is a non-production environment where you can safely develop and test automation scripts, APIs, commands, etc. It is an investigation area that is not connected to a live (active) investigation.

When running the command, the results are returned in the War Room or Playground and also in a JSON format in Context Data.

Tip

In the Playground, you can clear the context data, if needed, which deletes everything in the Playground context data but does not affect the actual issue or case. To clear the context, run !DeleteContext all=yes from the CLI or click Clear Context Data while viewing the context data.