Forward Requests to Long-Running Integrations - Configure and manage long-running integrations to export internal data from Cortex XSIAM. - Administrator Guide - Cortex XSIAM - Cortex

Forward Requests to Long-Running Integrations - Configure and manage long-running integrations to export internal data from Cortex XSIAM. - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM 3.x Documentation

Product

Cortex XSIAM

Creation date

2025-07-15

Last date published

2026-06-16

Category

Administrator Guide

Abstract

Configure and manage long-running integrations to export internal data from Cortex XSIAM.

Some long-running integrations provide internal data via API calls to your third-party software, such as a firewall. You can set up Cortex XSIAM to allow third-party software to access long-running integrations installed either on the Cortex XSIAM tenant or on an engine.

Long-running integrations provide internal data via API calls such as:

Integration	Description	See More
O365 Teams (Using Graph API)	Get authorized access to a user's Teams app in a personal or organizational account.	O365 Teams (Using Graph API)
Generic Webhook	Creates cases on event triggers. The trigger can be any query posted to the integration.	Generic Webhook
Generic Export Indicators Service	Use the Generic Export Indicators Service integration to provide an endpoint with a list of indicators as a service for the system indicators. You can set up the tenant to export internal data to an endpoint. Note This integration replaces the External Dynamic list integration, which is deprecated. For more information about how to set up the integration, see Manage external dynamic lists.	Generic Export Indicators
Microsoft Teams	Send messages and notifications to team members.	Microsoft Teams
TAXII Server	Provides TAXII Services for system indicators (Outbound feed).	TAXII Server
TAXII2 Server	Provides TAXII2 Services for system indicators (outbound feed). You can choose to use TAXII v2.0 or TAXII v2.1.	TAXII2 Server
PingCastle	Listens for PingCastle XML reports.	PingCastle
Publish List	Publishes Cortex XSIAM lists for external consumption.	Publish List
Simple API Proxy	Provides a simple API proxy to restrict privileges or minimize the number of credentials issued at the API.	Simple API Proxy
Syslog v2	Opens cases automatically from Syslog clients.	Syslog v2
Web File Repository	Make your environment ready for testing purposes for your playbooks or automations to download files from a web server.	Web File Repository

Note

When running on the tenant, you can only use long-running integrations provided by Cortex XSIAM, you cannot create custom ones. Custom long-running integrations are supported only on engines at this time.
Configuring custom certificates or private API Keys in the long-running integration instance is supported only on engines, not on the Cortex XSIAM tenant.
If you have configured a range of Approved IP Ranges under Allowed Sessions on the Security Settings page, any incoming communication must be from approved IP addresses.

Credentials

For long-running integrations running on a tenant, you must set a username and password. For long-running integrations running on an engine, we strongly recommend setting a username and password, but it is not required.

Users with sufficient permissions can set the username and password for specific integration instances on the Data Sources & Integrations page.

Define a listening port for long-running integrations

When configuring a long-running integration instance, you may need to define a listening port.

Integration instance running directly on a tenant
If the long-running integration runs on the Cortex XSIAM tenant, you do not need to enter a Listen Port in the instance settings. The system auto-selects an unused port for the long-running integration when the instance is saved.
Integration instance running on a custom engine
You must set the Listen Port for access when configuring a long-running integration instance on an engine. Use a unique port for each long-running integration instance. Do not use the same port for multiple instances.

Test the long-running integration connection

Integration instance running directly on a tenant
You can use CURL commands from any terminal to access and test the long-running integration. The string xdr in the URL must be replaced by crtx and the data URL must always be prefixed by ext-.
Note
For the TAXII Server and TAXII2 Server integrations, the xdr string is automatically replaced by crtx. For the Microsoft Teams integration, you can use the microsoft-teams-create-messaging-endpoint command to get the correct messaging endpoint based on the server URL, the server version, and the instance configurations. For more information, see Microsoft Teams.
Example:
Tenant URL: https://crtx-cnt-onr-xsiam-dran-9c0.xdr-qa2-uat.us.com
Request URL: https://ext-crtx-cnt-onr-xsiam-dran-9c0.crtx-qa2-uat.us.com/xsoar/instance/execute/edl_instance_01\?q\=type:ip
CURL: curl -v -u user:pass https://ext-crtx-cnt-onr-xsiam-dran-9c0.crtx-qa2-uat.us.com/xsoar/instance/execute/edl_instance_01\?q\=type:ip
Integration instance running on a custom engine
You can use CURL commands from any terminal to access and test the long-running integration at the engine URL:
http://<engine-address>:<integration listen port>/
For example, curl -v -u user:pass http://<engine_address>:<listen_port>/?n=50

Curl request parameters for external dynamic lists

The following list of curl request parameters applies when using the Generic Export Indicators Service integration for external dynamic lists.

Argument	Description	Example
`n`	The maximum number of entries in the output. If no value is provided, will use the value specified in the List Size parameter in the integration instance settings.	`https://ext-<tenant-address>/instance/execute/<ExportIndicators_instance_name>?n=50`
`s`	The starting entry index from which to export the indicators.	`https://ext-<tenant-address>/instance/execute/<ExportIndicators_instance_name>?s=10&n=50`
`v`	The output format. Supports PAN-OS (text), CSV, JSON, mwg, and proxysg (alias: bluecoat).	`https://ext-<tenant-address>/instance/execute/<ExportIndicators_instance_name>?v=json`
`q`	The query is used to retrieve indicators from the system.	`https://ext-<tenant-address>/instance/execute/<ExportIndicators_instance_name>?q="type:ip and sourceBrand:my_source"`
`t`	Only with mwg format. The type is indicated at the top of the exported list. Supports: string, applcontrol, dimension, category, ip, mediatype, number, and regex.	`https://ext-<tenant-address>/instance/execute/<ExportIndicators_instance_name>?v=mwg&t=ip`
`sp`	If set, will strip ports off URLs; otherwise, will ignore URLs with ports.	`https://ext-<tenant-address>/instance/execute/<ExportIndicators_instance_name>?v=text&sp`
`di`	Only with PAN-OS (text) format. If set, will ignore URLs that are not compliant with PAN-OS URL format instead of being rewritten.	`https://ext-<tenant-address>/instance/execute/<ExportIndicators_instance_name>?v=text&di`
`cr`	If set, will strip protocols off URLs.	`https://ext-<tenant-address>/instance/execute/<ExportIndicators_instance_name>?v=text&pr`
`cd`	Only with proxysg format. The default category for the exported indicators.	`https://ext-<tenant-address>/instance/execute/<ExportIndicators_instance_name>?v=proxysg&cd=default_category`
`ca`	Only with proxysg format. The categories that will be exported. Indicators not in these categories will be classified as the default category.	`https://ext-<tenant-address>/instance/execute/<ExportIndicators_instance_name>?v=proxysg&ca=category1,category2`
`tr`	Only with PAN-OS (text) format. Whether to collapse IPs. 0 - Do not collapse. 1 - Collapse to ranges. 2 - Collapse to CIDRs	`https://ext-<tenant-address>/instance/execute/<ExportIndicators_instance_name>?q="type:ip and sourceBrand:my_source"&tr=1`
`tx`	Whether to output CSV formats as textual web pages.	`https://ext-<tenant-address>/instance/execute/<ExportIndicators_instance_name>?v=csv&tx`