Set up an integration instance and start ingesting incidents/indicators.
Integrations are the mechanisms through which Cortex XSIAM connects and communicates with other products. An integration can talk to the other product through REST APIs, webhooks, and other techniques. Integrations enable you to orchestrate and automate SOC operations.
Integrations installed from a content pack
Integrations are included in content packs which you download and install from Marketplace. After you download and install a content pack that includes an integration, you need to configure the integration by adding an instance. You can have multiple instances of an integration, for example, to connect to different environments. Additionally, if you are an MSSP and have multiple tenants, you could configure a separate instance for each tenant.
Note
Some integrations can be downloaded directly without having to initially download a content pack from Marketplace. For more information, see Onboarding data sources.
Cortex XSIAM comes out-of-the-box with integrations to help you onboard, such as:
Mail Sender
Sends email notifications to users.
Generic Export Indicators Service
Provides an endpoint with a list of indicators as a service for the system indicators. For more information about how to set up the integration, see Export indicators using the Generic Export Indicators Integration.
Palo Alto Networks WildFire Reports
Generates a Palo Alto Networks WildFire PDF report. For more information, see Palo Alto Networks WildFire Reports.
Rasterize
Converts URLs, PDF files, and emails to an image file or PDF file. For more information, see Rasterize.
Create an integration
You can create an integration by adding parameters, commands, arguments, and outputs, and by writing the integration code itself. You should have a working Cortex XSIAM tenant and programming experience with Python.
To create an integration, on the Automation and feed integrations page, click BYOI.
The Cortex XSIAM IDE and the HelloWorld integration template are loaded by default. For more information about how to create an integration including an example, see Create an Integration.
Configure an integration
On the Automation and feed integrations page, after you have either downloaded the integration or created an integration, you can do the following:
| Option | Description |
|---|---|
| Add instance | Configure an integration instance to connect and communicate with other products. For more information, see Add an integration instance. After configuring the instance, you can also enable/disable the integration instance, copy the instance, and view the integration fetch history. |
| View Integration's source | View the integration settings and source code. |
| Edit integration's source | Edit the integration settings and source code. For more information about editing the integration's source code, see Create an Integration. Note: If the integration was installed from a content pack, you need to duplicate the integration before editing it. |
| Duplicate integration | If you want to change the source code or settings, or download the integration, you need to duplicate the integration. |
| Delete | You cannot delete an integration installed from a content pack (unless it is a duplicate), but you can delete an integration instance. |
| Download the integration | Download the integration in YAML format. You can also upload an integration. Note: If the integration was installed from a content pack, you need to duplicate the integration before downloading it. |
| Version History | If the integration is a duplicate or one you created, you can see the changes made to the integration. |
You can view all the integration changes (the last 100 changes) by clicking the Version History button.
Using integration commands
The command line interface (CLI) enables you to run system commands, integration commands, scripts, and so on from the Incident War Room, Alert War Room, or Playground CLI. The CLI auto-complete feature helps you find relevant commands, scripts, and arguments.
Cortex XSIAM uses the "!" prefix to run a command from the CLI, followed by the command name and its arguments as key=value pairs, for example !ad-create-user username=[name of user]
Under each integration, you can view a list of commands.
Note
Integration commands are only available when the integration instance is enabled. Some commands depend on a successful connection between Cortex XSIAM and third-party integrations.
You can run the CLI commands in the Playground or in an incident/alert War Room. The Playground is a non-production environment where you can safely develop and test automation scripts, APIs, commands, etc. It is an investigation area that is not connected to a live (active) investigation.
When running the command, the results are returned in the War Room or Playground and also in a JSON format in Context Data.
Tip
If you want to delete context in the Playground, type !DeleteContext all=yes