External Integrations - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Product
Cortex XSIAM
Creation date
2024-02-26
Last date published
2024-04-17
Category
Administrator Guide
Abstract

You can integrate Cortex XSIAM with other security products of Palo Alto Networks, and of third parties as well.

To aid you with threat investigation, Cortex XSIAM displays the WildFire-issued verdict for each Key Artifactin in an incident. To provide additional verification sources, you can integrate external threat intelligence services with Cortex XSIAM which can then be displayed for each Key Artifactin in an incident. Cortex XSIAM supports the following integrations.

Integration

Description

Threat Intelligence

WildFire

Cortex XSIAM automatically includes WildFire threat intelligence in the incident and alert investigation. WildFire detects known and unknown threats, such as malware. The WildFire verdict contains detailed insights into the behavior of identified threats. The WildFire verdict displays next to relevant Key Artifacts in the incidents details page. See Review WildFire Analysis Details for more information.

AutoFocus™

AutoFocus groups conditions and indicators related to a threat with a tag. Tags can be user-defined or come from threat-research team publications and are divided into classes, such as exploit, malware family, and malicious behavior. See the AutoFocus Administrator’s Guide for more information on AutoFocus tags.

To view AutoFocus tags in Cortex XSIAM incidents, you must obtain the license key for the service and add it to the Cortex XSIAM Configuration. When you add the service, the relevant tags display in the incident details page under Key Artifacts.

VirusTotal

VirusTotal provides aggregated results from over 70 antivirus scanners, domain services included in the block list, and user contributions. The VirusTotal score is represented as a fraction, where, for example, a score of 34/52 means out of 52 queried services, 34 services determined the artifact to be malicious.

To view VirusTotal threat intelligence in Cortex XSIAM incidents, you must obtain the license key for the service and add it to the Cortex XSIAM Configuration. When you add the service, the relevant VirusTotal (VT) score displays in the incident details page under Key Artifacts.

Incident Management

Integration

Description

Third-party ticketing systems

To manage incidents from the application of your choice, you can use the Cortex XSIAM API Reference to send alerts and alert details to an external receiver. After you generate your API key and set up the API to query Cortex XSIAM , external apps can receive incident updates, request additional data about incidents, and make changes such as setting the status and changing the severity or assigning an owner. To get started, see the Cortex XDR API Reference guide.