Configure and manage long running integrations to export internal data from Cortex XSIAM.
Some long running integrations provide internal data, via API calls, to your third-party software, such as a firewall. You can set up Cortex XSIAM to allow third-party software to access long running integrations installed either on the Cortex XSIAM tenant or on an engine. For example, you can provide access to external dynamic lists.
Long running integrations that provide internal data via API calls include, but are not limited to:
O365 Teams (Using Graph API)
Generic Webhook
Generic Export Indicators Service
TAXII Server
TAXII2 Server
XSOAR-Web-Server
PingCastle
Publish List
Simple API Proxy
Syslog v2
Web File Repository
Note
Currently, you can only use long running integrations provided by Cortex XSIAM; you cannot create custom ones.
Configuring custom certificates or private API Keys in the long running integration instance is supported only on engines, not on the Cortex XSIAM tenant.
Credentials
For long running integrations running on a tenant, you must set a username and password. For long running integrations running on an engine, we strongly recommend setting a username and password, but it is not required.
Users with sufficient permissions can set the username and password for specific integration instances, on the → page.
Listen Port
Integration Instance Running on a Tenant
If the long running integration runs on the Cortex XSIAM tenant, you do not need to enter a Listen Port in the instance settings. The system auto-selects an unused port for the long running integration when the instance is saved.
Integration Instance Running on an Engine
You must set the Listen Port for access when configuring a long running integration instance on an engine. Use a unique port for each long running integration instance. Do not use the same port for multiple instances.
Test the Connection
Integration Instance Running on a Tenant
You can use CURL commands from any terminal to access and test the long running integration at the URL:
https://ext-<cortex-xsoar-address>/xsoar/instance/execute/<instance-name>
For example:
curl -v -u user:pass https://ext-mytenant.paloaltonetworks.com/xsoar/instance/execute/edl_instance_01\?q\=type:ip
Note
The data URL must always be prefixed by ext-.
Integration Instance Running on an Engine
You can use CURL commands from any terminal to access and test the long running integration at the engine URL:
http://<engine-address>:<integration listen port>/
For example:
curl -v -u user:pass http://<engine_address>:<listen_port>/?n=50
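The credential guidance and the connection tests above can be turned into a repeatable check. The following Python sketch is an added example, not Palo Alto Networks code: it confirms that an instance rejects requests without credentials, accepts the configured ones, and flags Basic authentication sent over plain HTTP. The function names, finding labels and local mock listener are constructed for illustration, and treating 401 or 403 as a rejection is an assumption about the listener's behaviour.

```python
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

def basic(creds):
    """Build the Authorization header value curl sends for -u user:pass."""
    return "Basic " + base64.b64encode(":".join(creds).encode()).decode()

def probe(url, creds=None, timeout=5):
    """GET the URL, optionally with Basic auth, and return the HTTP status."""
    req = urllib.request.Request(url)
    if creds:
        req.add_header("Authorization", basic(creds))
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def audit(url, creds):
    """Return findings for one long running integration URL."""
    findings = []
    if urlsplit(url).scheme != "https":
        findings.append("credentials-sent-over-plaintext-http")
    if probe(url) not in (401, 403):  # assumption: either status means rejected
        findings.append("served-without-credentials")
    if probe(url, creds) != 200:
        findings.append("configured-credentials-rejected")
    return findings

def start_mock_engine(expected=None):
    """Constructed local stand-in for an engine listener; expected=(user, password) or None."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            ok = expected is None or self.headers.get("Authorization") == basic(expected)
            self.send_response(200 if ok else 401)
            self.end_headers()
            self.wfile.write(b"192.0.2.10\n" if ok else b"")

        def log_message(self, *args):  # silence per-request logging
            pass

    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d/?n=50" % server.server_port
```

Against a real instance, call `audit()` with the tenant or engine URL from the curl examples and the credentials configured on the instance; an empty list means all three checks passed.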
Curl Request Parameters
When sending a curl request to the URL, you can use the following parameters.
| Argument | Description | Example |
|---|---|---|
| | The maximum number of entries in the output. If no value is provided, will use the value specified in the List Size parameter in the integration instance settings. | |
| | The starting entry index from which to export the indicators. | |
| | The output format. Supports PAN-OS (text), CSV, JSON, mwg and proxysg (alias: bluecoat). | |
| | The query used to retrieve indicators from the system. | |
| | Only with mwg format. The type indicated on the top of the exported list. Supports: string, applcontrol, dimension, category, ip, mediatype, number and regex. | |
| | If set, will strip ports off URLs, otherwise will ignore URLs with ports. | |
| | Only with PAN-OS (text) format. If set, will ignore URLs which are not compliant with PAN-OS URL format instead of being re-written. | |
| | If set, will strip protocols off URLs. | |
| | Only with proxysg format. The default category for the exported indicators. | |
| | Only with proxysg format. The categories which will be exported. Indicators not in these categories will be classified as the default category. | |
| | Only with PAN-OS (text) format. Whether to collapse IPs. | |
| | Whether to output CSV formats as textual web pages. | |