Configure integrations

Cortex XSOAR On-prem Documentation

Product: Cortex XSOAR
Version: 8.5
Creation date: 2024-03-10
Last date published: 2024-11-28
Category: Administrator Guide
Solution: On-prem

Abstract: Configure an integration, including creating your own integration.

Integrations are mechanisms through which Cortex XSOAR connects and communicates with other products. These integrations can be executed through REST APIs, webhooks, and other techniques. Integrations enable you to orchestrate and automate SOC operations.

Integrations can be one-way or two-way. Two-way integrations allow both systems to interact directly, making it easier to manage security operations across multiple tools.

Integrations installed from a content pack

Integrations are included in content packs, which you download and install from Marketplace. After you download and install a content pack that includes an integration, you need to configure the integration by adding an instance. You can have multiple instances of an integration, for example, to connect to different environments. Additionally, if you are an MSSP with multiple tenants, you could configure a separate instance for each tenant.

Cortex XSOAR comes out-of-the-box with several integrations to help you onboard, such as:

  • Mail Sender

    Sends email notifications to users. By default, this integration is configured to send emails. You can change the main sender by configuring a different mail sender, such as Gmail. For more information, see Configure notifications in Cortex XSOAR.

  • Generic Export Indicators Service

    Provides an endpoint that serves a list of the system indicators as a service. For more information about how to set up the integration, see Export indicators using the Generic Export Indicators Integration.

  • Palo Alto Networks WildFire Reports

    Generates a Palo Alto Networks WildFire PDF report. For more information, see Palo Alto Networks WildFire Reports.

  • Rasterize

    Converts URLs, PDF files, and emails to an image file or PDF file. For more information, see Rasterize.

Create an integration

You can create an integration by adding parameters, commands, arguments, and outputs, as well as writing the necessary integration code. You should have a working Cortex XSOAR tenant and programming experience with Python.

To create an integration, on the Instances page, click BYOI.


The Cortex XSOAR IDE and the HelloWorld integration template are loaded by default. For more information about how to create an integration including an example, see Create an Integration.

Configure an integration

On the Instance integration page, after you have either downloaded the integration or created an integration, you can do the following:

  • Add instance

    Configure an integration instance to connect and communicate with other products. For more information, see Add an integration instance.

    After configuring the instance, you can also enable or disable the integration instance, copy the instance, and view the integration fetch history.

  • View integration's source

    View the integration settings and source code.

  • Edit integration's source

    Edit the integration settings and source code. For more information about editing the integration's source code, see Create an Integration.

    Note: If the integration was installed from a content pack, you need to duplicate the integration before editing.

  • Duplicate integration

    To change the source code or settings, or to download the integration, you need to duplicate the integration.

  • Delete

    Although you can't delete an integration installed from a content pack (unless it is a duplicate), you can delete an integration instance.

  • Download the integration

    Download the integration in YAML format. You can also upload an integration.

    Note: If the integration was installed from a content pack, you need to duplicate the integration before downloading.

  • Version History

    If the integration is a duplicate or you created the integration yourself, you can see the changes made to the integration.

  • Contribute to Marketplace

    You can send the integration to Palo Alto Networks for review and for it to be added to Marketplace. For more information, see Content pack contributions.

You can view all the integration changes (the last 100 changes) by clicking the Version History button.