Use cases

Cortex XSIAM Administrator Guide

Product: Cortex XSIAM
Creation date: 2024-02-26
Last date published: 2024-04-16
Category: Administrator Guide
Abstract

Learn more about common use cases for Cortex XSIAM.

The following are common use cases for the different categories of Cortex XSIAM integrations. While this list is not meant to be exhaustive, it's a starting point to understand what use cases are supported by Cortex XSIAM and third-party integrations.

Analytics and SIEM

Abstract

Learn more about analytics and SIEM top use cases.

Top use cases:

  • Fetch incidents with relevant filters.

  • Create, close and delete incidents/events/cases.

  • Update incidents - update status, assignees, severity, SLA, etc.

  • Get events related to an incident/case for enrichment/investigation purposes.

  • Query SIEM (consider aggregating logs).

Note

These integrations usually include the Fetch Incidents option for an instance. They can also include list-incidents or get-incident as integration commands, or important information for an event or incident.

Analytics & SIEM Integration Example: ArcSight ESM

Authentication

Abstract

Learn more about the authentication top use cases.

Top use cases:

  • Use credentials from the authentication vault to configure instances in Cortex XSIAM. (Save credentials in: Settings > Configurations > Integrations > Credentials.) The integration should include the isFetchCredentials parameter. Integrations that use credentials from the vault should have the Switch to credentials option.

  • Lock/Delete Account – Use an integration to lock/unlock a third-party account.

  • Reset Account - Perform a reset password command for a third-party account.

  • Lock an external credentials vault - in case of emergency (if the vault has been compromised), allow the option to lock/unlock the entire vault via an integration.

  • Step-Up authentication - Enforce Multi Factor Authentication for an account.

Authentication Integration Example: CyberArk AIM

Case Management

Abstract

Learn more about the Case Management top use cases.

Top use cases:

  • Create, get, edit, or close a ticket or issue; add and view comments.

  • Assign a ticket/issue to a specified user.

  • List all tickets, filter by name, date, assignee.

  • Get details about a managed object, update, create, delete.

  • Add and manage users.

Case Management/Ticketing integration example: ServiceNow

Data Enrichment & Threat Intelligence

Abstract

Learn more about the top use cases for Data Enrichment and Threat Intelligence.

Top use cases:

  • Enrich information about different IOC types:

      • Upload object for scan and get the scan results. (If there’s an option to upload private/public, the default should be set to private.)

      • Search for former scan results about an object to get information about a sample without uploading it yourself.

      • Enrich information and scoring for the object.

  • Add indicators to the system and search for existing indicators.

  • Add indicators to the exclusion list.

  • Calculate DBot Score for indicators.

  • Enrich asset – get vulnerability information for an asset (or a group of assets) in the organization.

  • Generate/trigger a scan on specified assets.

  • Get a scan report including vulnerability information for a specified scan and export it.

  • Get details for a specified vulnerability.

  • Scan assets for a specific vulnerability.

Data Enrichment & Threat Intelligence Integration Example: Unit 42 Objects Feed

Email Gateway

Abstract

Learn more about the top use cases for the Email Gateway.

Top use cases:

  • Get message – download the email itself, retrieve metadata, body.

  • Download attachments for a given message.

  • Manage senders – block/allow specified mail senders.

  • Manage URLs – block/allow the sending of specified URLs.

  • Encode/decode URLs in messages.

  • Release a held message when a gateway has placed a suspicious message on hold.

Email Gateway integration example: Mimecast

Forensics and Malware Analysis

Abstract

Learn more about the top use cases for forensics and malware analysis.

Top use cases:

  • Submit a file and get a report (detonation).

  • Submit a URL and get a report (detonation).

  • Search for past analysis (input being a hash/URL).

  • Retrieve a PCAP file.

  • Retrieve screenshots taken during analysis.

Sandbox Integration Example: Cuckoo Sandbox

IAM (Identity and Access Management)

Abstract

Learn more about the top use cases for Identity and Access Management (IAM).

Top use cases:

  • Create, update, and delete users.

  • Manage user groups.

  • Block users, force change of passwords.

  • Manage access to resources and applications.

  • Create, update, and delete roles.

Network Security (Firewall)

Abstract

Learn more about the top use cases for network security (firewall).

Top use cases:

  • Create block/accept policies (source, destination, port), for IP addresses and domains.

  • Add addresses and ports (services) to predefined groups, create groups, etc.

  • Support custom URL categories.

  • Fetch network logs for a specific address for a configurable time frame.

  • URL filtering categorization change request.

  • Built-in blocked rule command for fast-blocking.

  • If there is a Management FW, allow the option to manage policy rules through it.

Network Security Firewall Integration Example: Palo Alto Networks PAN-OS

Network Security (IDS/IPS)

Abstract

Learn more about top use cases for network security (IDS/IPS).

Top use cases:

  • Get/fetch alerts.

  • Get PCAP file, packet.

  • Get network logs filtered by time range, IP addresses, ports, etc.

  • Create/manage/delete policies and rules.

  • Update signatures from an online source, or upload signatures and get the last signature update information.

  • Install policy (if existing).

Network Security (IPS/IDS) Integration Example: ProtectWise

Vulnerability Management

Abstract

Learn more about the top use cases for vulnerability management.

Top use cases:

  • Enrich asset – get vulnerability information for an asset (or a group of assets) in the organization.

  • Generate/trigger a scan on specified assets.

  • Get a scan report including vulnerability information for a specified scan and export it.

  • Get details for a specified vulnerability.

  • Scan assets for a specific vulnerability.

Vulnerability Management integration example: Tenable.io