Add Indicators to SIEM Using a Time Triggered Job - Administrator Guide - 6.9 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product
Cortex XSOAR
Version
6.9
Creation date
2022-09-29
Last date published
2024-09-04
End_of_Life
EoL
Category
Administrator Guide
Abstract

Use a time-triggered job to push indicators to a SIEM.

In this example, after you have processed indicators you can push relevant indicators to your SIEM by customizing the TIM-Add All Indicator Types To SIEM playbook. This playbook pushes the indicators (IP, bad hash, domains and URLs) that have been tagged to their respective lists in the SIEM. By default, the playbook is configured to work with ArcSight and QRadar, but you should change this to match the SIEM in your system. After configuration, run a time triggered job to run the playbook

  1. Customize the TIM - Add All Indicators Types to SIEM playbook.

    1. Go to Playbooks and search for TIM - Add All Indicator Types to SIEM and either detach or duplicate the playbook.

      Note

      If you detach the playbook, it does not receive content pack updates, until attached. If you want to receive content pack updates and keep your changes you should duplicate the playbook.

    2. Click the Playbook Triggered task at the top of the playbook.

      1. Select From indicators and set the query for the indicators to add. For example tags:approved_black, approved_white, etc.

        The purpose of the playbook is to send to SIEM only indicators that have been processed and tagged accordingly after an automatic or manual review process. The playbook comes out-of-the box with queries, but you can update it if required.

      2. Save the playbook.

    3. Make sure the playbook includes a task that closes the investigation once it completes. Save the playbook.

  2. Define a Job to Push the Indicators to the SIEM.

    1. Select JobsNew Job.

    2. Select Time Triggered.

    3. (Optional) Select Recurring and determine how often you want the job to run. For example, run daily at midnight.

    4. In the Playbook field, select the TIM - Add All Indicator Types To SIEM playbook to run.

    5. Create Create New Job.

    Whenever an indicator is ingested that has a relevant tag such as approved_black, the job pushes that indicator to the SIEM.

  3. (Optional) Test the work flow.

    1. Open the job that you created, when you processed indicators.

      You can tag any indicator with the tags that you want to push. It does not necessarily need to be this job.

    2. In Work Plan open the Create Process Indicators Manually incident task.

    3. In the Outputs tab, copy the incident ID for the incident that was created.

    4. Go to Incidents and search for the incident ID that was created.

    5. Review the indicators and add update the indicators with tags that you want to push to the SIEM,

    6. When finished with the review, in the Work Plan , click the Manually review the incident task, select Yes, and Mark Completed.

    7. Select the job you defined in step 2 and click Run now,

    8. Go to Indicators and run the query tags:SIEM.

      This is the tag appended to every indicator that has been processed and pushed to the SIEM.