Automation and feed integrations - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product: Cortex XSIAM
Creation date: 2024-03-06
Last date published: 2024-12-12
Category: Administrator Guide
Abstract

Set up an integration instance and start ingesting incidents/indicators.

Integrations are mechanisms through which Cortex XSIAM connects and communicates with other products. These integrations can be executed through REST APIs, webhooks, and other techniques. Integrations enable you to orchestrate and automate SOC operations.

Integrations installed from a content pack

Integrations are included in content packs which you download and install from Marketplace. After you download and install a content pack that includes an integration, you need to configure the integration by adding an instance. You can have multiple instances of an integration, for example, to connect to different environments. Additionally, if you are an MSSP and have multiple tenants, you could configure a separate instance for each tenant.

Note

Some integrations can be downloaded directly without having to initially download a content pack from Marketplace. For more information, see Onboarding data sources.

Cortex XSIAM comes out-of-the-box with integrations to help you onboard, such as:

  • Mail Sender

    Sends email notifications to users.

  • Generic Export Indicators Service

    Provides an endpoint with a list of indicators as a service for the system indicators. For more information about how to set up the integration, see Export indicators using the Generic Export Indicators Integration.

  • Palo Alto Networks WildFire Reports

    Generates a Palo Alto Networks WildFire PDF report. For more information, see Palo Alto Networks WildFire Reports.

  • Rasterize

    Converts URLs, PDF files, and emails to an image file or PDF file. For more information, see Rasterize.

Create an integration

You can create an integration by adding parameters, commands, arguments, and outputs, and by writing the integration code. You need a working Cortex XSIAM tenant and programming experience with Python.

To create an integration, on the Automation and feed integrations page, click BYOI.

[Image: the BYOI button on the Automation and feed integrations page]

The Cortex XSIAM IDE and the HelloWorld integration template are loaded by default. For more information about how to create an integration including an example, see Create an Integration.

Configure an integration

On the Automation and feed integrations page, after you have either downloaded the integration or created an integration, you can do the following:

Option

Description

Add instance

Configure an integration instance to connect and communicate with other products. For more information, see Add an integration instance.

After configuring the instance, you can also enable/disable the integration instance, copy the instance, and view the integration fetch history.

View Integration's source

View the integration settings and source code.

Edit integration's source

Edit the integration settings and source code. For more information about editing the integration's source code, see Create an Integration.

Note

If the integration was installed from a content pack you need to duplicate the integration before editing.

Duplicate integration

If you want to change the source code or settings, or download the integration, you need to duplicate the integration first.

Delete

You can't delete an integration installed from a content pack (unless it is a duplicate), but you can delete an integration instance.

Download the integration

Download the integration in YAML format. You can also upload an integration.

Note

If the integration was installed from a content pack you need to duplicate the integration before downloading.

Version History

If the integration is a duplicate or one you created yourself, you can view the changes made to it.

You can view all the integration changes (the last 100 changes) by clicking the Version History button.

Using integration commands

The command line interface (CLI) enables you to run system commands, integration commands, scripts, and so on from the Incident War Room, Alert War Room, or Playground CLI. The CLI auto-complete feature helps you find relevant commands, scripts, and arguments.

Cortex XSIAM prefixes commands with "!", for example !ad-create-user username=[name of user]

Under each integration, you can view a list of commands.

Note

Integration commands are only available when the integration instance is enabled. Some commands depend on a successful connection between Cortex XSIAM and third-party integrations.

You can run the CLI commands in the Playground or in an incident/alert War Room. The Playground is a non-production environment where you can safely develop and test automation scripts, APIs, commands, etc. It is an investigation area that is not connected to a live (active) investigation.

When you run a command, the results are displayed in the War Room or Playground and are also stored as JSON in Context Data.

Tip

If you want to delete context in the Playground, type !DeleteContext all=yes
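The following is an added example, not Cortex XSIAM product code or a Marketplace integration. It models the flow this guide describes for the "Create an integration" and "Using integration commands" sections: a "!command key=value" line is parsed, dispatched to a command handler of an integration instance (only if that instance is enabled), and the handler's outputs are written under a dotted prefix into Context Data, which can be inspected as JSON or cleared with DeleteContext all=yes. The FakeDirectoryIntegration class, its parameters (url, domain, enabled), and the ActiveDirectory.User output prefix are constructed for illustration and call no real product API.

```python
import json
import shlex
from typing import Any, Dict, List, Tuple


def parse_command_line(line: str) -> Tuple[str, Dict[str, str]]:
    """Split '!ad-create-user username=jdoe' into ('ad-create-user', {'username': 'jdoe'})."""
    line = line.strip()
    if not line.startswith("!"):
        raise ValueError("integration and system commands are prefixed with '!'")
    tokens = shlex.split(line[1:])  # shell-style quoting lets values contain spaces
    if not tokens:
        raise ValueError("missing command name")
    command, args = tokens[0], {}
    for token in tokens[1:]:
        if "=" not in token:
            raise ValueError(f"argument {token!r} must be written as key=value")
        key, value = token.split("=", 1)
        args[key] = value
    return command, args


def merge_context(context: Dict[str, Any], prefix: str, value: Any) -> None:
    """Append an output under a dotted prefix such as 'ActiveDirectory.User'."""
    *parents, leaf = prefix.split(".")
    node = context
    for key in parents:
        node = node.setdefault(key, {})
    node.setdefault(leaf, []).append(value)


class FakeDirectoryIntegration:
    """Constructed stand-in for one integration instance (hypothetical).
    A real instance reads its parameters from the instance configuration;
    here they are passed to the constructor."""

    def __init__(self, params: Dict[str, Any]) -> None:
        self.params = params
        self.enabled = bool(params.get("enabled", True))
        self.users: List[Dict[str, str]] = []  # in-memory "directory"
        self.commands = {
            "test-module": self.test_module,
            "ad-create-user": self.create_user,
        }

    def test_module(self, args: Dict[str, str]) -> Tuple[str, Dict[str, Any]]:
        # Connectivity check: succeed only if the instance is configured.
        if not self.params.get("url"):
            raise ValueError("instance parameter 'url' is not set")
        return "ok", {}

    def create_user(self, args: Dict[str, str]) -> Tuple[str, Dict[str, Any]]:
        username = args.get("username")
        if not username:
            raise ValueError("missing required argument: username")
        user = {"Username": username, "Domain": self.params["domain"]}
        self.users.append(user)
        # Human-readable result plus context outputs keyed by their prefix.
        return f"Created user {username}", {"ActiveDirectory.User": user}


class Playground:
    """Holds Context Data and dispatches commands to enabled instances."""

    def __init__(self, integrations: List[FakeDirectoryIntegration]) -> None:
        self.integrations = integrations
        self.context: Dict[str, Any] = {}

    def run(self, line: str) -> str:
        command, args = parse_command_line(line)
        if command == "DeleteContext":  # system command from the guide's tip
            if args.get("all") != "yes":
                raise ValueError("this model only supports DeleteContext all=yes")
            self.context = {}
            return "Context cleared"
        for instance in self.integrations:
            handler = instance.commands.get(command)
            if handler is None:
                continue
            if not instance.enabled:
                raise RuntimeError(f"{command!r} belongs to a disabled instance")
            readable, outputs = handler(args)
            for prefix, value in outputs.items():
                merge_context(self.context, prefix, value)
            return readable
        raise KeyError(f"no integration implements {command!r}")

    def context_json(self) -> str:
        """Context Data rendered as the JSON view the War Room shows."""
        return json.dumps(self.context, indent=2, sort_keys=True)
```

Usage: build a Playground with one FakeDirectoryIntegration whose params include a url and domain, then call run("!test-module"), run('!ad-create-user username="jane doe"') and context_json() to see the ActiveDirectory.User entry; run("!DeleteContext all=yes") empties the context again. The enabled flag check in run mirrors the note above that commands are only available while the instance is enabled.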