Forward Requests to Long-Running Integrations - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product: Cortex XSIAM
Creation date: 2024-03-06
Last date published: 2024-10-07
Category: Administrator Guide
Abstract

Configure and manage long-running integrations to export internal data from Cortex XSIAM.

Some long-running integrations serve internal Cortex XSIAM data over API calls to third-party software, such as a firewall. You can set up Cortex XSIAM so that third-party software can reach long-running integrations installed either on the Cortex XSIAM tenant or on an engine.

Long-running integrations that provide internal data via API calls include the following (see each integration's own reference page for configuration details):

  • O365 Teams (Using Graph API): Get authorized access to a user's Teams app in a personal or organizational account.

  • Generic Webhook: Creates incidents on event triggers. The trigger can be any query posted to the integration.

  • Generic Export Indicators Service: Exposes an endpoint that serves a list of system indicators as a service, so you can set up the tenant to export internal data to consumers such as a firewall. Note: this integration replaces the External Dynamic List integration, which is deprecated.

  • TAXII Server: Provides TAXII services for system indicators (outbound feed).

  • TAXII2 Server: Provides TAXII2 services for system indicators (outbound feed). You can choose TAXII v2.0 or TAXII v2.1.

  • PingCastle: Listens for PingCastle XML reports.

  • Publish List: Publishes Cortex XSIAM lists for external consumption.

  • Simple API Proxy: Provides a simple API proxy to restrict privileges or minimize the number of credentials issued for the API.

  • Syslog v2: Opens incidents automatically from Syslog clients.

  • Web File Repository: Makes your environment ready for testing playbooks or automations that download files from a web server.

Note

  • When running on the tenant, you can only use long-running integrations provided by Cortex XSIAM; you cannot create custom ones. Custom long-running integrations are supported only on engines at this time.

  • Configuring custom certificates or private API keys in the long-running integration instance is supported only on engines, not on the Cortex XSIAM tenant.

For long-running integrations running on the tenant, you must set a username and password. For long-running integrations running on an engine, we strongly recommend setting a username and password, but it is not required; without them, anything that can reach the engine's listen port can query the instance and read whatever it serves.

Users with sufficient permissions can set the username and password for specific integration instances on the Automation & Feed Integrations page.

  • Integration Instance Running on a Tenant

    You can use curl commands from any terminal to access and test the long-running integration at the URL:

    https://ext-<tenant-address>/xsoar/instance/execute/<instance-name>

    For example, curl -v -u user:pass https://ext-mytenant.paloaltonetworks.com/xsoar/instance/execute/edl_instance_01\?q\=type:ip

    Note

    The data URL must always be prefixed by ext-. Requests to the tenant go over HTTPS, so the username and password are protected in transit; keep them out of shell history and process listings by passing -u user without the password (curl prompts for it) or by using a ~/.netrc entry for the ext- host with -n.

  • Integration Instance Running on an Engine

    You can use curl commands from any terminal to access and test the long-running integration at the engine URL:

    http://<engine-address>:<integration listen port>/

    For example, curl -v -u user:pass http://<engine_address>:<listen_port>/?n=50

    Over plain HTTP the username and password travel in the clear with every request. If the engine instance is reachable from anything other than a trusted network segment, configure a certificate in the instance settings (supported on engines) and use https:// instead.

Curl request parameters

When sending a curl request to the URL, use the following parameters. Flags such as sp, di, pr and tx are enabled by their presence in the query string and take no value. The examples use the tenant form of the URL with the /xsoar/instance/execute/ path shown above; on an engine, append the same query string to http://<engine-address>:<listen_port>/. When typing a q value that contains spaces or colons in a shell, quote the whole URL.

  • n: The maximum number of entries in the output. If no value is provided, the List Size parameter in the integration instance settings is used.
    Example: https://ext-<tenant-address>/xsoar/instance/execute/<ExportIndicators_instance_name>?n=50

  • s: The starting entry index from which to export the indicators.
    Example: https://ext-<tenant-address>/xsoar/instance/execute/<ExportIndicators_instance_name>?s=10&n=50

  • v: The output format. Supports PAN-OS (text), CSV, JSON, mwg and proxysg (alias: bluecoat).
    Example: https://ext-<tenant-address>/xsoar/instance/execute/<ExportIndicators_instance_name>?v=json

  • q: The query used to retrieve indicators from the system.
    Example: https://ext-<tenant-address>/xsoar/instance/execute/<ExportIndicators_instance_name>?q="type:ip and sourceBrand:my_source"

  • t: Only with the mwg format. The type indicated at the top of the exported list. Supports: string, applcontrol, dimension, category, ip, mediatype, number and regex.
    Example: https://ext-<tenant-address>/xsoar/instance/execute/<ExportIndicators_instance_name>?v=mwg&t=ip

  • sp: If set, strips ports off URLs; otherwise URLs with ports are ignored.
    Example: https://ext-<tenant-address>/xsoar/instance/execute/<ExportIndicators_instance_name>?v=text&sp

  • di: Only with the PAN-OS (text) format. If set, URLs that are not compliant with the PAN-OS URL format are ignored instead of being rewritten.
    Example: https://ext-<tenant-address>/xsoar/instance/execute/<ExportIndicators_instance_name>?v=text&di

  • pr: If set, strips protocols off URLs.
    Example: https://ext-<tenant-address>/xsoar/instance/execute/<ExportIndicators_instance_name>?v=text&pr

  • cd: Only with the proxysg format. The default category for the exported indicators.
    Example: https://ext-<tenant-address>/xsoar/instance/execute/<ExportIndicators_instance_name>?v=proxysg&cd=default_category

  • ca: Only with the proxysg format. The categories to export. Indicators not in these categories are classified under the default category.
    Example: https://ext-<tenant-address>/xsoar/instance/execute/<ExportIndicators_instance_name>?v=proxysg&ca=category1,category2

  • tr: Only with the PAN-OS (text) format. Whether to collapse IPs: 0 - do not collapse; 1 - collapse to ranges; 2 - collapse to CIDRs.
    Example: https://ext-<tenant-address>/xsoar/instance/execute/<ExportIndicators_instance_name>?q="type:ip and sourceBrand:my_source"&tr=1

  • tx: Whether to output CSV formats as textual web pages.
    Example: https://ext-<tenant-address>/xsoar/instance/execute/<ExportIndicators_instance_name>?v=csv&tx
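As an added example (not code from the Cortex XSIAM documentation or from Palo Alto Networks), the following POSIX shell script ties the tenant URL form, the credentials guidance and the s/n parameters above together: it pulls a Generic Export Indicators list in pages rather than in one request, keeps the password out of the command line and shell history, and runs offline against a constructed sample so the pagination logic can be checked without a tenant. The tenant address, instance name, the XSIAM_EDL_* and XSIAM_TENANT/XSIAM_INSTANCE environment variable names, and the sample list are assumptions.

```sh
#!/bin/sh
# Added example, not code from the Cortex XSIAM documentation: paged pull of a
# Generic Export Indicators instance using the s (start) and n (size) query
# parameters, with credentials kept out of argv. Tenant/instance names and the
# XSIAM_* variable names are hypothetical.

# Tenant-style base URL (ext- prefix and /xsoar/instance/execute/ path as given
# on this page). $1 = tenant address, $2 = instance name.
edl_base_url() {
    printf 'https://ext-%s/xsoar/instance/execute/%s' \
        "${1:-mytenant.paloaltonetworks.com}" "${2:-edl_instance_01}"
}

# Live transport: fetch one page as PAN-OS text.
# $1 = base URL, $2 = start index (s), $3 = page size (n).
# Credentials come from XSIAM_EDL_USER/XSIAM_EDL_PASS (assumed names) and are
# handed to curl as a config file on stdin (-K -), so the password never shows
# up in `ps` or shell history; without them curl falls back to ~/.netrc (-n).
# HTTPS with default certificate verification, no -k.
curl_fetch_page() {
    _url="$1?v=text&s=$2&n=$3"
    if [ -n "${XSIAM_EDL_USER:-}" ]; then
        printf 'user = "%s:%s"\n' "$XSIAM_EDL_USER" "${XSIAM_EDL_PASS:-}" |
            curl -fsS -K - "$_url"
    else
        curl -fsS -n "$_url"
    fi
}

# Constructed sample export (not real data) so the script can run offline.
SAMPLE_EDL='10.0.0.1
10.0.0.2
10.0.0.3
192.0.2.0/24
198.51.100.7
203.0.113.9
203.0.113.10'

# Offline stand-in with the same interface as curl_fetch_page: serves the
# constructed sample, honouring s and n the way the real endpoint does.
fake_fetch_page() {
    _first=$(($2 + 1)); _last=$(($2 + $3))
    printf '%s\n' "$SAMPLE_EDL" | sed -n "${_first},${_last}p"
}

# Fetch every page: $1 = fetcher function, $2 = base URL, $3 = page size.
# A page shorter than the page size (or empty) is the last one. Prints the
# concatenated list; returns non-zero if any fetch fails.
edl_pull_all() {
    fetcher="$1"; base="$2"; size="${3:-1000}"
    start=0
    while :; do
        page=$("$fetcher" "$base" "$start" "$size") || return 1
        if [ -z "$page" ]; then
            break
        fi
        printf '%s\n' "$page"
        count=$(printf '%s\n' "$page" | wc -l | tr -d ' ')
        if [ "$count" -lt "$size" ]; then
            break
        fi
        start=$((start + size))
    done
    return 0
}

# Count the entries in a pulled list (one indicator per line).
edl_count() {
    printf '%s\n' "$1" | grep -c .
}

# Stand-alone run: offline against the sample unless XSIAM_EDL_LIVE=1.
if [ "${XSIAM_EDL_LIVE:-0}" = "1" ]; then
    edl_pull_all curl_fetch_page \
        "$(edl_base_url "${XSIAM_TENANT:-}" "${XSIAM_INSTANCE:-}")" 1000
else
    edl_pull_all fake_fetch_page "$(edl_base_url)" 3
fi
```

To run it against a real instance, set XSIAM_EDL_LIVE=1 together with XSIAM_TENANT, XSIAM_INSTANCE and either XSIAM_EDL_USER/XSIAM_EDL_PASS or a ~/.netrc entry for the ext- host; for an engine instance, point edl_base_url's output at the engine's http(s)://<engine-address>:<listen_port>/ base instead and the same query string applies. Stopping on a short page assumes the list is stable across fetches: if indicators are added or removed between two pages, entries can shift and be missed or duplicated, so treat a paged pull as a best-effort snapshot, or fetch in a single request when n fits within the instance's List Size.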

When configuring a long-running integration instance you may need to define a listening port.

  • Integration Instance Running on a Tenant

    If the long-running integration runs on the Cortex XSIAM tenant, you do not need to enter a Listen Port in the instance settings. The system auto-selects an unused port for the long-running integration when the instance is saved.

  • Integration Instance Running on an Engine

    You must set the Listen Port for access when configuring a long-running integration instance on an engine. Use a unique port for each long-running integration instance. Do not use the same port for multiple instances.