Add an integration instance - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2024-10-07
Category
Administrator Guide
Abstract

Set up an integration instance and start ingesting incidents/indicators.

Configure an integration instance to connect and communicate with other products.

When you define an integration instance for a third-party security or incident management vendor, events triggered by that instance can become incidents in Cortex XSIAM. When incidents are created, you can run playbooks on them to enrich them with information from other products in your system. For indicators, depending on the integration instance, you can enrich the indicators and add them to an incident if required.

Although you can view the integration documents when adding an instance, the Developer Hub has more detailed information about the integrations including commands, outputs, and recommended permissions. You can also see more information about content packs, playbooks, scripts, and Marketplace documentation.

Before you begin

  • From Marketplace, download and install the relevant content pack, which includes your integration.

  • Consider whether you want to add credentials, which enable you to save login information without exposing usernames, passwords, certificates, and SSH keys. For more information, see Manage credentials.

  1. Go to Settings → Configurations → Data Collection → Automation & Feed Integrations and search for the integration.

  2. In the integration you want to add, click Add instance.

  3. Add the parameters, as required.

  4. If you want to fetch alerts, select Fetches alerts.

    For more information, see Fetch incidents from an integration instance.

  5. (Optional) To check that the integration instance is working correctly, click Test.

  6. Save & Exit.

    Expand the integration to see more details such as the number of pulled incidents/indicators or error messages.


    You can also enable/disable the integration instance, copy the instance, and view the integration fetch history.

    If you encounter an error, see Troubleshoot Integrations.

Example 78. 

In this example, you will set up the OnboardingIntegration.

If you have not done so, download the OnboardingIntegration content pack from Marketplace. Most integrations follow a similar configuration.

  1. Go to Settings → Configurations → Data Collection → Automation & Feed Integrations and search for OnboardingIntegration.

  2. Click Add Instance.

  3. Set the number of incidents to fetch per minute. The default is a maximum of 5 incidents per minute.

  4. Set the maximum number of incidents to create. The default is a maximum of 10 incidents.

  5. Set for how many minutes the instance should keep creating incidents.

  6. Set the Alerts Fetch Interval. By default, the alerts are fetched every one minute.

  7. Select whether to run on an engine.

  8. (Optional) When troubleshooting the instance, change the troubleshooting log level from Off to a higher debugging level.

  9. Select Fetches alerts to start ingesting alerts.

    For all integrations, we recommend enabling alert fetching only after everything else is set up. Once enabled, Cortex XSIAM searches for events that occurred within the time frame configured for the integration; the exact behavior depends on the specific integration. For OnboardingIntegration, the default is 5 incidents per minute.

    Note

    In some integrations, a classifier, an incident type, and mapper fields are included.

  10. Click Test, and then Save & Exit.
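The three OnboardingIntegration settings above (incidents per minute, maximum incidents to create, minutes to keep creating) interact with the fetch interval in a way that is easier to see in code than in the UI. The following is an added illustration written for this page, not the integration's own source: it models a fetch cycle that is bounded by those parameters and carries state between runs so that consecutive fetches continue numbering instead of re-creating the same incidents. The state layout (`started_at`, `created`), the incident field names, and the `run_for_minutes` parameter having no default are assumptions; the page gives defaults only for 5 per minute, 10 maximum, and a one-minute fetch interval.

```python
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Any, Optional

# Added illustration of how the OnboardingIntegration parameters on this page
# bound what a fetch cycle may create. This is NOT the integration's code: the
# state keys and incident fields are assumptions modelled on the usual
# fetch-incidents pattern (state read at the start of a run, written at the end).


@dataclass(frozen=True)
class InstanceParams:
    run_for_minutes: int          # "how many minutes to create incidents" (no default on the page)
    incidents_per_fetch: int = 5  # "Number of incidents to fetch per minute" (page default: 5)
    max_incidents: int = 10       # "Maximum number of incidents to create" (page default: 10)
    fetch_interval_min: int = 1   # "Alerts Fetch Interval" (page default: one minute)


def fetch_incidents(params: InstanceParams, last_run: dict[str, Any],
                    now: datetime) -> tuple[dict[str, Any], list[dict[str, Any]]]:
    """One fetch cycle. Returns (next_run, incidents).

    `last_run` is the per-instance state carried between runs; it is what stops
    a second run from emitting the same incidents again.
    """
    started_at = last_run.get("started_at") or now.isoformat()
    created = int(last_run.get("created", 0))
    start = datetime.fromisoformat(started_at)
    next_run: dict[str, Any] = {"started_at": started_at, "created": created}

    # Stop conditions: total cap reached, or the creation window has elapsed.
    if created >= params.max_incidents:
        return next_run, []
    if now - start >= timedelta(minutes=params.run_for_minutes):
        return next_run, []

    # Per-cycle cap, trimmed so the total cap is never overshot.
    batch = min(params.incidents_per_fetch, params.max_incidents - created)
    incidents = [
        {
            "name": f"Onboarding incident #{n}",
            "occurred": now.isoformat(),
            "rawJSON": json.dumps({"id": n, "source": "OnboardingIntegration"}),
        }
        for n in range(created + 1, created + batch + 1)
    ]
    next_run["created"] = created + batch
    return next_run, incidents


def simulate(params: InstanceParams, cycles: int,
             start: Optional[datetime] = None) -> list[list[str]]:
    """Run `cycles` fetches one fetch interval apart; return incident names per cycle."""
    now = start or datetime(2024, 3, 6, 9, 0, tzinfo=timezone.utc)  # constructed start time
    last_run: dict[str, Any] = {}
    per_cycle: list[list[str]] = []
    for _ in range(cycles):
        last_run, incidents = fetch_incidents(params, last_run, now)
        per_cycle.append([inc["name"] for inc in incidents])
        now += timedelta(minutes=params.fetch_interval_min)
    return per_cycle


if __name__ == "__main__":
    # With the page defaults (5/min, max 10) and a 3-minute window the cap is
    # hit after two cycles; raising the cap lets the window become the limit.
    for cycle, names in enumerate(simulate(InstanceParams(run_for_minutes=3), cycles=5)):
        print(f"cycle {cycle}: {len(names)} created")
```

Run as a script, it shows that with the defaults the 10-incident cap is reached after two one-minute cycles and later cycles create nothing; with a larger cap, the "minutes to create" window becomes the limit instead. The same two stop conditions are what you are tuning when you change those fields in the instance settings.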