Forward Requests to Long Running Integrations - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Product
Cortex XSIAM
Creation date
2024-05-06
Last date published
2024-09-19
Category
Administrator Guide
Abstract

Configure and manage long running integrations to export internal data from Cortex XSIAM.

Some long running integrations expose internal Cortex XSIAM data through API calls to your third-party software, such as a firewall. You can set up Cortex XSIAM to allow that third-party software to reach long running integrations installed either on the Cortex XSIAM tenant or on an engine. For example, you can publish external dynamic lists (EDLs) that a firewall polls.

Long running integrations that provide internal data via API calls include, but are not limited to:

  • O365 Teams (Using Graph API)

  • Generic Webhook

  • Generic Export Indicators Service

  • TAXII Server

  • TAXII2 Server

  • XSOAR-Web-Server

  • PingCastle

  • Publish List

  • Simple API Proxy

  • Syslog v2

  • Web File Repository

Note

  • Currently, you can only use long running integrations provided by Cortex XSIAM; you cannot create custom ones.

  • Configuring custom certificates or private API Keys in the long running integration instance is supported only on engines, not on the Cortex XSIAM tenant.

Credentials

For long running integrations running on a tenant, you must set a username and password. For long running integrations running on an engine, we strongly recommend setting a username and password, but it is not required; an instance without credentials serves its data to anyone who can reach the listen port.

Users with sufficient permissions can set the username and password for specific integration instances on the Integrations > Instances page.

Listen Port

  • Integration Instance Running on a Tenant

    If the long running integration runs on the Cortex XSIAM tenant, you do not need to enter a Listen Port in the instance settings. The system auto-selects an unused port for the long running integration when the instance is saved.

  • Integration Instance Running on an Engine

    You must set the Listen Port for access when configuring a long running integration instance on an engine. Use a unique port for each long running integration instance. Do not use the same port for multiple instances.

Test the Connection

  • Integration Instance Running on a Tenant

    You can use curl from any terminal to access and test the long running integration at the URL:

    https://ext-<cortex-xsiam-address>/xsoar/instance/execute/<instance-name>

    For example: curl -v -u user:pass 'https://ext-mytenant.paloaltonetworks.com/xsoar/instance/execute/edl_instance_01?q=type:ip'

    Quote the URL (or URL-encode the query) so that characters such as ?, &, : and spaces in the q value are not interpreted by the shell.

    Note

    The data URL must always be prefixed by ext-.

  • Integration Instance Running on an Engine

    You can use curl from any terminal to access and test the long running integration at the engine URL:

    http://<engine-address>:<integration listen port>/

    For example: curl -v -u user:pass http://<engine_address>:<listen_port>/?n=50

    Over plain http the Basic Auth username and password are sent in cleartext. If the instance has a certificate configured (supported on engines, see the note above), use https:// instead; in either case, restrict network access to the listen port to the hosts that need the data.

Curl Request Parameters

When sending a curl request to the URL, you can append the following query parameters. The examples below show an Export Indicators instance running on a tenant; for an instance on an engine, append the same parameters to http(s)://<engine-address>:<listen-port>/ instead.

n
    The maximum number of entries in the output. If no value is provided, the value of the List Size parameter in the integration instance settings is used.
    Example: https://ext-<cortex-xsiam-address>/xsoar/instance/execute/<ExportIndicators_instance_name>?n=50

s
    The starting entry index from which to export the indicators.
    Example: https://ext-<cortex-xsiam-address>/xsoar/instance/execute/<ExportIndicators_instance_name>?s=10&n=50

v
    The output format. Supports PAN-OS (text), CSV, JSON, mwg and proxysg (alias: bluecoat).
    Example: https://ext-<cortex-xsiam-address>/xsoar/instance/execute/<ExportIndicators_instance_name>?v=json

q
    The query used to retrieve indicators from the system. Quote or URL-encode the value when it contains spaces.
    Example: https://ext-<cortex-xsiam-address>/xsoar/instance/execute/<ExportIndicators_instance_name>?q="type:ip and sourceBrand:my_source"

t
    Only with the mwg format. The type indicated at the top of the exported list. Supports: string, applcontrol, dimension, category, ip, mediatype, number and regex.
    Example: https://ext-<cortex-xsiam-address>/xsoar/instance/execute/<ExportIndicators_instance_name>?v=mwg&t=ip

sp
    If set, strips ports off URLs; otherwise URLs with ports are ignored.
    Example: https://ext-<cortex-xsiam-address>/xsoar/instance/execute/<ExportIndicators_instance_name>?v=text&sp

di
    Only with the PAN-OS (text) format. If set, URLs that are not compliant with the PAN-OS URL format are ignored instead of being rewritten.
    Example: https://ext-<cortex-xsiam-address>/xsoar/instance/execute/<ExportIndicators_instance_name>?v=text&di

pr
    If set, strips protocols off URLs.
    Example: https://ext-<cortex-xsiam-address>/xsoar/instance/execute/<ExportIndicators_instance_name>?v=text&pr

cd
    Only with the proxysg format. The default category for the exported indicators.
    Example: https://ext-<cortex-xsiam-address>/xsoar/instance/execute/<ExportIndicators_instance_name>?v=proxysg&cd=default_category

ca
    Only with the proxysg format. The categories that will be exported. Indicators not in these categories are classified under the default category.
    Example: https://ext-<cortex-xsiam-address>/xsoar/instance/execute/<ExportIndicators_instance_name>?v=proxysg&ca=category1,category2

tr
    Only with the PAN-OS (text) format. Whether to collapse IPs.

      • 0 - Do not collapse.

      • 1 - Collapse to ranges.

      • 2 - Collapse to CIDRs.

    Example: https://ext-<cortex-xsiam-address>/xsoar/instance/execute/<ExportIndicators_instance_name>?q="type:ip and sourceBrand:my_source"&tr=1

tx
    Whether to output the CSV format as a textual web page.
    Example: https://ext-<cortex-xsiam-address>/xsoar/instance/execute/<ExportIndicators_instance_name>?v=csv&tx
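The following script is an added example, not part of the Cortex XSIAM guide and not Palo Alto Networks code. It puts the test procedure and the parameters above into a reusable form: build the tenant data URL for an Export Indicators instance with a URL-encoded query, fetch it with curl without putting the password on the command line, and validate the returned PAN-OS text list before a firewall consumes it as an EDL. The host ext-mytenant.paloaltonetworks.com, the instance name edl_instance_01, the user edl_reader and the EDL_PASS variable are assumed placeholders, and the sample list written at the end is constructed so the checks can run offline.

```shell
#!/bin/sh
# Added example, not from the Cortex XSIAM guide: build the tenant URL for an
# Export Indicators instance, fetch it with curl without exposing the password
# on the command line, and sanity-check the PAN-OS text list before a firewall
# consumes it as an EDL. Hostname, instance name and user are assumed
# placeholders; the sample list at the bottom is constructed, not real output.

# urlencode STRING: percent-encode everything except RFC 3986 unreserved
# characters so a query such as "type:ip and sourceBrand:x" survives the shell,
# proxies and the web server. ASCII input only.
urlencode() {
  printf '%s' "$1" | awk '
    BEGIN { for (i = 1; i < 128; i++) ord[sprintf("%c", i)] = i }
    {
      n = split($0, ch, ""); out = ""
      for (i = 1; i <= n; i++) {
        if (ch[i] ~ /[A-Za-z0-9._~-]/) out = out ch[i]
        else out = out sprintf("%%%02X", ord[ch[i]])
      }
      printf "%s", out
    }'
}

# edl_url HOST INSTANCE QUERY [N]: tenant-hosted instances are reached under
# /xsoar/instance/execute/ on the ext- host, as the guide describes; v=text asks
# for the PAN-OS format and n caps the number of entries (default 50 here).
edl_url() {
  printf 'https://%s/xsoar/instance/execute/%s?v=text&q=%s&n=%s' \
    "$1" "$2" "$(urlencode "$3")" "${4:-50}"
}

# edl_fetch URL USER: HTTP Basic Auth with the password taken from $EDL_PASS and
# handed to curl as a config file on stdin, so "user:pass" never shows up in the
# process list the way "-u user:pass" does. -f makes a 401 or 404 a non-zero
# exit instead of an empty "list".
edl_fetch() {
  printf 'user = "%s:%s"\n' "$2" "${EDL_PASS:?set EDL_PASS}" | curl -fsS --config - "$1"
}

# valid_ipv4 ENTRY: true for a dotted-quad IPv4 address with an optional /0-32
# prefix, which is what a PAN-OS IP EDL accepts line by line.
valid_ipv4() {
  printf '%s\n' "$1" | awk -F'[./]' '
    NF != 4 && NF != 5 { exit 1 }
    {
      for (i = 1; i <= 4; i++)
        if ($i !~ /^[0-9][0-9]?[0-9]?$/ || $i + 0 > 255) exit 1
      if (NF == 5 && ($5 !~ /^[0-9][0-9]?$/ || $5 + 0 > 32)) exit 1
      exit 0
    }'
}

# validate_ip_list FILE: every non-empty line must pass valid_ipv4. Prints the
# number of accepted entries and returns non-zero if anything was rejected, so
# a bad export fails a pipeline instead of silently shrinking a block list.
validate_ip_list() {
  count=0; bad=0
  while IFS= read -r line || [ -n "$line" ]; do
    [ -z "$line" ] && continue
    if valid_ipv4 "$line"; then
      count=$((count + 1))
    else
      printf 'rejected entry: %s\n' "$line" >&2
      bad=1
    fi
  done < "$1"
  printf '%s\n' "$count"
  return "$bad"
}

# Constructed sample response (not real tenant output): three good entries and
# one malformed line, so the checks can run offline.
SAMPLE_EDL=$(mktemp)
printf '%s\n' '203.0.113.7' '198.51.100.0/24' '192.0.2.250' '999.1.1.1' > "$SAMPLE_EDL"

if validate_ip_list "$SAMPLE_EDL"; then
  echo "sample list OK"
else
  echo "sample list has bad entries, do not publish it" >&2
fi

# Against a real tenant (assumed names):
#   EDL_PASS='...' edl_fetch "$(edl_url ext-mytenant.paloaltonetworks.com edl_instance_01 'type:ip' 500)" edl_reader > list.txt \
#     && validate_ip_list list.txt
```

On the sample file the validator prints 3 and reports the 999.1.1.1 line on stderr, returning non-zero. For an engine-hosted instance, replace the URL built by edl_url with http(s)://<engine-address>:<listen-port>/?v=text&q=...; the fetch and validation steps are unchanged.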