Automation and feed integrations - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product: Cortex XSIAM
Creation date: 2024-03-06
Last date published: 2024-04-25
Category: Administrator Guide
Abstract

Set up an integration instance and start ingesting incidents/indicators.

Cortex XSIAM comes out-of-the-box with integrations, such as:

  • Active Directory Query v2: Enables you to access and manage Active Directory objects (users, contacts, and computers).

  • Mail Sender: Sends email notifications to users. By default, this integration is configured to send emails. You can change the main sender by configuring a different mail sender, such as Gmail. For more information, see

  • Generic Export Indicator Service: Provides an endpoint with a list of indicators as a service for the system indicators.

  • Unit 42 Intel Objects Feed: Fetches indicators from Unit 42 Intel Objects.

You can add and configure integrations to use in Cortex XSIAM, such as messaging (for example, EWS, Gmail), authentication (for example, AD, SAML), and feeds (for example, Unit 42). For example, the EWS v2 integration enables you to ingest Microsoft emails into Cortex XSIAM as alerts. You can then process the alerts using a playbook, analyze the data, and take any response that is required.

In the Developer Hub, you can view detailed information about the integrations, including commands, outputs, and recommended permissions. You can also find more information about content packs, playbooks, scripts, and Marketplace documentation.

Planning

Before you configure integrations and ingest data from third parties, consider the following:

  • Whether you want to customize alert/indicator fields: Used to display information from third-party integrations. For more information, see xxxx.

  • Whether to customize alert/indicator types: Classify the different types of attacks with which your organization deals. For more information, see

This is an iterative process. After you initially create your fields and incident types, you can start the process of ingesting data. You can then see how accurately you have mapped out your information. Make changes as you go along and learn more about the information you are receiving. Information that is not mapped to fields is available in context data, but it is much easier to work with the data when it is properly mapped to a field and displayed in the relevant layouts.

How to configure integrations

In the Automation & Feed Integrations page (Settings → Configurations → Data Collection), you can do the following:

  • Configure an instance

  • View existing instances

  • Enable/disable instances

  • Create your own integration (see BYOI)

  • Upload an integration

  • View the version history of the integration

In this example, you will set up the OnboardingIntegration. If you have not done so, download the OnboardingIntegration content pack from Marketplace. Most integrations follow a similar configuration.

  1. Go to Settings → Configurations → Data Collection → Automation & Feed Integrations and search for OnboardingIntegration.

  2. Click Add Instance.

  3. Add the number of incidents to fetch per minute. The default maximum is 5 incidents per minute.

  4. Add the maximum number of incidents to create. The default maximum is 10 incidents.

  5. Add, in minutes, how long you want incidents to be created for.

  6. Set the Alerts Fetch Interval. By default, alerts are fetched every minute.

  7. Select whether to run on an engine.

  8. When troubleshooting the instance, change the debugging setting from its default of off to a higher debugging level.

  9. Select Fetches alerts to start ingesting alerts.

    For all integrations, we recommend enabling alert fetching only when everything else is set up. Once enabled, Cortex XSIAM searches for events that occurred within the time frame set for the integration, which varies by integration. The default is 5 incidents per minute.

    Note

    In some integrations, a classifier, an incident type, and mapper fields are included. For more information, see

  10. Click Test, then Save & Exit.

Using integration commands

The command line interface (CLI) enables you to run system commands, integration commands, scripts, and so on from the Incident War Room, Alert War Room, or Playground CLI. The CLI auto-complete feature helps you find relevant commands, scripts, and arguments.

Cortex XSIAM commands start with "!", for example !ad-create-user username=[name of user]

Under each integration, you can view a list of commands.

Note

Integration commands are only available when the integration instance is enabled. Some commands depend on a successful connection between Cortex XSOAR and third-party integrations.

You can run the CLI commands in the Playground or in an incident/alert War Room. The Playground is a non-production environment where you can safely develop and test automation scripts, APIs, commands, etc. It is an investigation area that is not connected to a live (active) investigation.

When you run a command, the results are returned in the War Room or Playground and are also stored, in JSON format, in Context Data.

Tip

If you want to delete context in the Playground, type !DeleteContext all=yes

Classification and Mapping

After you start ingesting alerts/indicators, you should consider whether to create alert/indicator fields and types. You should also review and customize classifiers and mappers, if relevant, for your integration.

Classification determines the type of alert/indicator that is ingested into Cortex XSIAM from a specific integration. You create a classifier and define that classifier in an integration, if applicable.

Mapping enables you to map the fields from your third-party integration to the fields in your alert layouts. Go to Settings → Configurations → Object Setup and select either Alerts or Indicators.
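To make the classification-then-mapping flow concrete, here is an added Python model of what a classifier and a mapper do to one ingested event; it is not Cortex XSIAM code, and the event, the classifier key, the alert type names, and the alert field names are constructed for illustration.

```python
from typing import Any

# Constructed raw event, as a third-party integration might return it.
RAW_EVENT = {
    "eventType": "phish",
    "subject": "Invoice overdue",
    "sender": "billing@example.invalid",
    "severity": "high",
    "headers": {"x-origin-ip": "203.0.113.10"},
}

# Classifier (hypothetical): the value at `key` selects the alert type.
CLASSIFIER = {
    "key": "eventType",
    "types": {"phish": "Phishing", "malware": "Malware"},
    "default": "Unclassified",
}

# Mapper per alert type (hypothetical): alert field -> dotted path in the raw event.
MAPPERS = {
    "Phishing": {
        "emailsubject": "subject",
        "emailfrom": "sender",
        "severity": "severity",
        "sourceip": "headers.x-origin-ip",
    },
}

def lookup(event: dict, path: str) -> Any:
    """Resolve a dotted path; return None when any segment is missing."""
    cur: Any = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def classify(event: dict) -> str:
    """Pick the alert type from the classifier key, falling back to the default."""
    return CLASSIFIER["types"].get(event.get(CLASSIFIER["key"]), CLASSIFIER["default"])

def ingest(event: dict) -> dict:
    """Classify, then map only the fields the type's mapper knows about.
    The whole raw event is kept as context data, so unmapped values are not lost."""
    alert_type = classify(event)
    fields = {}
    for alert_field, path in MAPPERS.get(alert_type, {}).items():
        value = lookup(event, path)
        if value is not None:
            fields[alert_field] = value
    return {"type": alert_type, "fields": fields, "context": event}
```

An event whose type has no mapper still gets a type and its context data, but no layout fields, which is what you see in the product when only the classifier is configured.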