Manage external dynamic lists - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product: Cortex XSIAM
Creation date: 2024-03-06
Last date published: 2024-10-13
Category: Administrator Guide

Abstract: Configure and manage your external dynamic lists in Cortex XSIAM.

An External Dynamic List (EDL) is a hosted text file. In Cortex XSIAM, you can configure an EDL to share a list of Cortex XSIAM indicators with other products in your network, such as a firewall. For example, your Palo Alto Networks firewall can add IP address and domain data from the EDL to block or allow lists.

Cortex XSIAM hosts two external dynamic lists you can configure and manage.

  • IP Addresses EDL

  • Domain Names EDL

Note

  • To configure an EDL, you must have a role that includes EDL permissions, such as Instance Admin or Account Admin.

  • Configuring custom certificates or private API Keys in the EDL integration instance is supported only on engines, not on the Cortex XSIAM server.

  • For EDL integrations on the server, you must set a username and password. For long-running integrations running on an engine, we strongly recommend setting a username and password, but it is not required.

    You can set credentials for all EDL integrations or for a specific integration instance. If you set a username and password in an EDL integration instance, only those credentials are accepted for that instance; the username and password set in the Cortex XSIAM settings for all EDL integrations do not work against it.

You can set up Cortex XSIAM to export internal data to an EDL using an EDL integration installed either on the Cortex XSIAM tenant or on an engine.

Note

The legacy external dynamic list PAN-OS integration is deprecated. Configure the EDL integration by clicking the Automation & Feed Integration link.

If the EDL integration runs on the Cortex XSIAM tenant, you must set a username and password to allow external access to the data.

  1. Navigate to Settings > Configurations > Integrations > External Dynamic List Integration.

  2. Enter a username and password for all EDL integration instances. If you do not enter credentials here, you must set them for each integration instance.

  3. In the External Dynamic List - Generic Integration section, click the Automation & Feed Integration link.

  4. Add an instance of the Generic Export Indicators Service.

  5. (Optional) Enter a Username and Password if you want credentials specific for this integration instance.

    Note

    If the EDL integration runs on the Cortex XSIAM server, there is no need to enter a Listen Port in the instance settings. The system auto-selects an unused port for the EDL integration when the instance is saved. If you enter a value for Listen Port, it is overwritten by the port the system selects.

  6. Enter an indicator query.

    The query updates the EDL list. To view expected results, run !findIndicators query=<your query> from the Cortex XSIAM CLI. Field names in your query must match the machine name for each field.

  7. Enter the maximum list size.

  8. You can run curl commands to access and test the External Dynamic List with this URL: https://ext-<cortex-xsiam-address>/xsoar/instance/execute/<instance-name>. The q parameter overrides the instance's indicator query for that request, and n caps the number of entries returned.

    For example: curl -v -u user:pass 'https://ext-mytenant.paloaltonetworks.com/xsoar/instance/execute/edl_instance_01?q=type:ip'

    Quoting the URL avoids having to escape ? and = in the shell. Passing the password as -u user:pass exposes it in the shell history and in process listings; for anything beyond a quick test, pass -u user alone so that curl prompts for the password, or keep the credentials in a netrc or curl config file with restrictive permissions.

    Important

    The host in the EDL URL must always be prefixed with ext-, as in ext-<cortex-xsiam-address>.

  9. Save your changes.

Provide access to internal data via an engine using a listen port on the engine. We strongly recommend also setting a username and password for additional security.

  1. Click the Automation & Feed Integration link.

  2. For the Generic Export Indicators Service, click + Add instance and enter:

    • Listen Port - The port on which the engine serves the EDL. Use a unique port for each long-running integration instance; do not share a port between instances.

    • (Optional) Username and Password - The username and password for the EDL.

    • Run on single engine - Select the engine from a drop-down.

  3. Enter an indicator query.

    The query updates the EDL list. To view expected results, run !findIndicators query=<your query> from the Cortex XSIAM CLI. Field names in your query must match the machine name for each field.

  4. Enter the maximum list size.

  5. You can run curl commands to access and test the External Dynamic List with the engine URL: http://<engine-address>:<integration listen port>/. The n parameter caps the number of entries returned.

    For example: curl -v -u user:pass 'http://<engine_address>:<listen_port>/?n=50'

    This URL is plain HTTP, so the username and password travel in the clear unless you configure a certificate on the instance (supported on engines, see the note above). Restrict which hosts can reach the listen port, and keep the password off the curl command line outside of a quick test.

  6. Save your changes.
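Both procedures above end with a curl check of the EDL, once against the tenant-hosted URL and once against the engine-hosted one. The script below is an added example and is not part of the Cortex XSIAM documentation or the integration's own code. It builds either URL form (rejecting a tenant host without the ext- prefix), fetches the list with credentials supplied through the environment rather than on the command line, and refuses any payload that is not a clean list of IPv4 addresses/CIDR ranges or domain names, so an error page or a login prompt is never handed to a firewall as list data. The host, instance and engine names, the EDL_USER, EDL_PASS, EDL_HOST and EDL_INSTANCE variables, and the assumption that the indicator query needs no URL encoding are the example's own; q and n are the query parameters the page's curl examples use.

```shell
#!/bin/sh
# Added example (not from the Cortex XSIAM documentation): fetch an EDL published by the
# Generic Export Indicators Service and sanity-check it before a firewall consumes it.
# Host, instance and engine names are placeholders; EDL_USER/EDL_PASS/EDL_HOST/EDL_INSTANCE
# are this script's own environment variables. q and n are the query parameters the
# page's curl examples use; the query is assumed to be URL-safe (type:ip needs no encoding).
set -eu

# Build the EDL URL. kind is "tenant" (HTTPS; the host must carry the ext- prefix)
# or "engine" (plain HTTP; the third argument is then the instance's listen port).
# Prints the URL, or returns 1 for a tenant host without the ext- prefix.
edl_url() {
  kind=$1 host=$2 target=$3 query=$4 limit=$5
  case "$kind" in
    tenant)
      case "$host" in
        ext-*) ;;
        *) printf 'tenant EDL host must start with ext-: %s\n' "$host" >&2; return 1 ;;
      esac
      printf 'https://%s/xsoar/instance/execute/%s?q=%s&n=%s\n' "$host" "$target" "$query" "$limit" ;;
    engine)
      printf 'http://%s:%s/?q=%s&n=%s\n' "$host" "$target" "$query" "$limit" ;;
    *)
      printf 'unknown kind: %s\n' "$kind" >&2; return 1 ;;
  esac
}

# Validate a downloaded list read from stdin. mode is "ip" (IPv4 address or IPv4/CIDR)
# or "domain". Blank lines are ignored. Prints the number of accepted entries, or names
# the first offending line on stderr and returns 1, so an error page, a login prompt or
# an unexpected indicator type never reaches the firewall as if it were list data.
check_edl() {
  mode=$1 n=0
  case "$mode" in
    ip)     re='^((25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])(/([0-9]|[12][0-9]|3[0-2]))?$' ;;
    domain) re='^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$' ;;
    *) printf 'unknown mode: %s\n' "$mode" >&2; return 1 ;;
  esac
  while IFS= read -r line || [ -n "$line" ]; do
    if [ -z "$line" ]; then continue; fi
    if ! printf '%s\n' "$line" | grep -Eq "$re"; then
      printf 'rejected entry: %s\n' "$line" >&2
      return 1
    fi
    n=$((n + 1))
  done
  printf '%s\n' "$n"
}

# Fetch and validate. The credentials are handed to curl through a config file on stdin
# (--config -), so they appear neither on the command line nor in the shell history
# (a password containing " or \ must be escaped for curl's config syntax). -f makes
# curl fail on HTTP errors such as a 401 from rejected credentials; the body is written
# to a temp file first so a failed download is never mistaken for an empty list.
fetch_edl() {
  url=$1 mode=$2
  tmp=$(mktemp)
  printf 'user = "%s:%s"\n' "${EDL_USER:?set EDL_USER}" "${EDL_PASS:?set EDL_PASS}" \
    | curl -fsS --config - -o "$tmp" "$url" || { rm -f "$tmp"; return 1; }
  rc=0
  check_edl "$mode" < "$tmp" || rc=$?
  rm -f "$tmp"
  return "$rc"
}

# Only fetch when a host is supplied, e.g.
#   EDL_USER=edl_reader EDL_PASS='...' EDL_HOST=ext-mytenant.paloaltonetworks.com sh edl_check.sh
if [ -n "${EDL_HOST:-}" ]; then
  url=$(edl_url tenant "$EDL_HOST" "${EDL_INSTANCE:-edl_instance_01}" type:ip 50)
  count=$(fetch_edl "$url" ip)
  printf 'EDL OK: %s entries\n' "$count"
fi
```

For an engine-hosted instance, call edl_url engine <engine_address> <listen_port> instead; the validation step is the same. The two regular expressions deliberately accept only what a PAN-OS IP or domain list should contain, so a list that has drifted to another indicator type fails loudly instead of silently shrinking the block list.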