Common integration use cases for Cortex XSIAM, including analytics and SIEM, authentication, case management, data enrichment, threat intelligence, forensic and malware,
The following categories are common use cases for Cortex XSIAM integrations. While this list is not meant to be exhaustive, it's a starting point to understand what use cases are supported by Cortex XSIAM and third-party integrations.
Analytics & SIEM integration – top use cases:
Fetch incidents with relevant filters.
Create, close, and delete incidents/events/cases.
Update incidents - update status, assignees, severity, SLA, and more.
Get events related to an incident/case for enrichment/investigation purposes.
Query SIEM (consider aggregating logs).
These integrations usually include the Fetch Incidents option for an instance. They can also include list-incidents or get-incident as integration commands, which return the important information for an event or incident.
Analytics & SIEM integration example: ArcSight ESM
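As an added illustration (not code from Cortex XSIAM or from any integration named on this page), this is the fetch-incidents logic such an Analytics & SIEM integration implements: a time cursor plus the IDs already ingested at that cursor second, so an event on the boundary is neither lost nor created twice, with a severity filter and a per-cycle page cap. The vendor API shape, field names and the one-hour first-fetch window are assumptions; the events and the clock are constructed.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of a SIEM list-incidents response (assumption: real vendor APIs differ).
SAMPLE_EVENTS = [
    {"id": "101", "created": "2024-01-10T10:00:00Z", "severity": "high", "name": "Brute force"},
    {"id": "102", "created": "2024-01-10T10:00:00Z", "severity": "low", "name": "Port scan"},
    {"id": "103", "created": "2024-01-10T10:05:00Z", "severity": "critical", "name": "Malware beacon"},
    {"id": "104", "created": "2024-01-10T10:07:00Z", "severity": "medium", "name": "Policy violation"},
]
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}  # 1-4 = XSIAM low..critical
DATE_FMT = "%Y-%m-%dT%H:%M:%SZ"
FIXED_NOW = datetime(2024, 1, 10, 11, 0, tzinfo=timezone.utc)  # constructed clock, reproducible runs


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, DATE_FMT).replace(tzinfo=timezone.utc)


def query_events(since: datetime, min_severity: str) -> list:
    """Stand-in for the vendor list-incidents call with time and severity filters applied."""
    hits = [e for e in SAMPLE_EVENTS if parse_ts(e["created"]) >= since
            and SEVERITY_RANK[e["severity"]] >= SEVERITY_RANK[min_severity]]
    return sorted(hits, key=lambda e: (e["created"], e["id"]))  # oldest first, stable order


def fetch_incidents(last_run: dict, min_severity: str = "medium", max_fetch: int = 50,
                    now: datetime = FIXED_NOW) -> tuple:
    """One Fetch Incidents cycle: returns (next_last_run, incidents to create)."""
    # First run looks back one hour (assumed default); later runs resume at the saved cursor.
    since = parse_ts(last_run["last_fetch"]) if last_run else now - timedelta(hours=1)
    # Inclusive (>=) query so events sharing the cursor second are not lost; IDs already
    # ingested at that second are remembered so they are not created twice.
    seen_at_cursor = set(last_run.get("seen_ids", []))
    incidents = []
    for ev in query_events(since, min_severity):
        if ev["id"] in seen_at_cursor:
            continue
        incidents.append({"name": f"{ev['name']} [{ev['id']}]", "occurred": ev["created"],
                          "severity": SEVERITY_RANK[ev["severity"]],
                          "rawJSON": json.dumps(ev)})  # full event kept for mapping/layout
        if len(incidents) >= max_fetch:  # page cap; the remainder is picked up next cycle
            break
    if not incidents:
        return last_run, []
    newest = incidents[-1]["occurred"]
    seen_ids = [json.loads(i["rawJSON"])["id"] for i in incidents if i["occurred"] == newest]
    if newest == last_run.get("last_fetch"):
        seen_ids += sorted(seen_at_cursor)  # still on the same second: keep the earlier IDs too
    return {"last_fetch": newest, "seen_ids": seen_ids}, incidents
```

Running fetch_incidents repeatedly with the returned last_run walks through the sample in pages of max_fetch without re-creating an incident, including when several events share the cursor timestamp.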
Authentication integration – top use cases:
Use credentials from the authentication vault to configure instances in Cortex XSIAM. (Save credentials in: Settings & Info → Settings → Integrations → Credentials.) Integrations that use credentials from the vault should have the Switch to credentials option.
Lock/Delete Account – Use an integration to lock/unlock a third-party account.
Reset Account - Perform a reset password command for a third-party account.
Lock an external credentials vault - in case of an emergency (if the vault has been compromised), allow the option to lock/unlock the entire vault via an integration.
Step-Up authentication - Enforce Multi-Factor Authentication for an account.
Create, update, and delete users.
Manage user groups.
Block users, force change of passwords.
Manage access to resources and applications.
Create, update, and delete roles.
Authentication integration example: CyberArk AIM v2 (Partner Contribution)
Case Management/Ticketing integration – top use cases:
Create, get, edit, close a ticket or issue, and add and view comments.
Assign a ticket/issue to a specified user.
List all tickets, and filter by name, date, and assignee.
Get details about a managed object, update, create, delete.
Add and manage users.
Case Management/Ticketing integration example: ServiceNow V2
Data Enrichment & Threat Intelligence integration – top use cases:
Enrich information about different IOC types:
Upload an object for scanning and get the scan results. (If there is an option to upload as private or public, the default should be private.)
Search former scan results for an object to get information about a sample without uploading it yourself.
Enrich information and scoring for the object.
Add indicators to the system and search for existing indicators.
Add indicators to the exclusion list.
Calculate DBot Score for indicators.
Data Enrichment & Threat Intelligence integration example: Unit 42 Objects Feed.
Email Gateway integration – top use cases:
Get message – download the email itself, retrieve metadata, body.
Download attachments for a given message.
Manage senders – block/allow specified mail senders.
Manage URLs – block/allow the sending of specified URLs.
Encode/decode URLs in messages
Release a held message when a gateway has placed a suspicious message on hold.
Email Gateway integration example: MimeCast v2
Endpoint integration – top use cases:
Fetch incidents & events
Get event details (from a specified incident)
Quarantine a file
Isolate and contain endpoints
Update indicators (for example, network and hashes) by policy (can be block, monitor) – deny list
Add indicators to the exclusion list
Search for indicators in the system (Seen indicators and related incidents/events)
Download file based on hash, and path
Trigger scans on specified hosts
Update .DAT files for signatures and compare existing .DAT file to the newest one on the Cortex XSIAM tenant
Get information for a specified host (OS, users, addresses, hostname)
Get policy information and assign policies to endpoints
Endpoint integration example: Tanium V2
Forensic and Malware Analysis integration – top use cases:
Submit a file and get a report (detonation)
Submit a URL and get a report (detonation)
Search for past analysis (input being a hash/URL)
Retrieve a PCAP file
Retrieve screenshots taken during analysis
Forensic and Malware Analysis example: Cuckoo Sandbox
Network Security Firewall integration – top use cases:
Create block/accept policies (source, destination, port), for IP addresses and domains
Add addresses and ports (services) to predefined groups, create groups, and more
Support custom URL categories
Fetch network logs for a specific address for a configurable time frame
URL filtering categorization change request
Built-in blocked rule command for fast-blocking
If there is a management firewall, allow the option to manage policy rules through it
Get/fetch alerts
Get PCAP file, packet
Get network logs filtered by time range, IP addresses, ports, and more
Create/manage/delete policies and rules
Update signatures from an online source / upload + get last signature update information
Install policy (if existing)
Network Security Firewall integration examples: Tufin (Partner Contribution), Protectwise
Vulnerability Management integration – top use cases:
Enrich asset – get vulnerability information for an asset (or a group of assets) in the organization.
Generate/trigger a scan on specified assets
Get a scan report including vulnerability information for a specified scan and export it
Get details for a specified vulnerability
Scan assets for a specific vulnerability
Vulnerability Management integration example: Tenable.sc