Forward Requests to Long Running Integrations - Administrator Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product: Cortex XSOAR
Version: 8
Creation date: 2024-02-14
Last date published: 2024-04-15
Category: Administrator Guide
Solution: Cloud
Abstract

Configure and manage long running integrations to export internal data from Cortex XSOAR.

Some long running integrations serve internal Cortex XSOAR data over HTTP to third-party software, such as a firewall, which pulls it via API calls. You can configure Cortex XSOAR so that third-party software can reach long running integrations installed either on the Cortex XSOAR tenant or on an engine. For example, you can expose indicators as an external dynamic list (EDL) for a firewall to consume.

Long running integrations that provide internal data via API calls include, but are not limited to:

  • O365 Teams (Using Graph API)

  • Generic Webhook

  • Generic Export Indicators Service

  • TAXII Server

  • TAXII2 Server

  • XSOAR-Web-Server

  • PingCastle

  • Publish List

  • Simple API Proxy

  • Syslog v2

  • Web File Repository

Note

  • Currently, you can use only the long running integrations provided by Cortex XSOAR; you cannot create custom ones.

  • Configuring custom certificates or private API Keys in the long running integration instance is supported only on engines, not on the Cortex XSOAR tenant.

Credentials

For long running integrations running on a tenant, you must set a username and password. For long running integrations running on an engine, a username and password are not required, but we strongly recommend setting them: without credentials, anything that can reach the engine's listen port can read the exported data.

Users with sufficient permissions can set the username and password for a specific integration instance in that instance's settings on the Integrations Instances page.

Note

Instance Admins and Account Admins can set universal credentials for all long running integrations on the tenant on the Long Running Integrations page.

If an Admin sets a universal username and password for all long running integrations and a different username and password is set on an individual integration instance, both sets of credentials are accepted by that instance. The exception is the Generic Export Indicators Service integration: if you set a username and password on a Generic Export Indicators Service instance, only the credentials set in the instance are accepted, and the universal credentials from the Long Running Integrations page do not work. Because the universal credentials open every long running integration on the tenant, treat them as more sensitive than per-instance credentials, and prefer per-instance credentials for consumers that need only one feed.

Listen Port

  • Integration Instance Running on a Tenant

    If the long running integration runs on the Cortex XSOAR tenant, you do not need to enter a Listen Port in the instance settings. The system auto-selects an unused port for the long running integration when the instance is saved.

  • Integration Instance Running on an Engine

    You must set the Listen Port when configuring a long running integration instance on an engine. Use a unique port for each long running integration instance; do not reuse a port across instances, since only one listener can bind it. Only the third-party consumers need to reach this port, so restrict access to it at the network level.

Test the Connection

  • Integration Instance Running on a Tenant

    You can use curl from any terminal to access and test the long running integration at the URL:

    https://ext-<cortex-xsoar-address>/xsoar/instance/execute/<instance-name>

    For example: curl -v -u user:pass https://ext-mytenant.paloaltonetworks.com/xsoar/instance/execute/edl_instance_01\?q\=type:ip

    Note

    The data URL must always be prefixed by ext-. When you type the URL in a shell, quote it or escape ? and = as in the example, and URL-encode spaces in the q query (for example type:ip%20and%20sourceBrand:my_source).

  • Integration Instance Running on an Engine

    You can use curl from any terminal to access and test the long running integration at the engine URL:

    http://<engine-address>:<integration listen port>/

    For example: curl -v -u user:pass http://<engine_address>:<listen_port>/?n=50

    With -v, curl prints the response status: HTTP 200 with the list in the body means the instance and credentials work; HTTP 401 means the credentials were rejected. Note that the engine URL is plain http unless you configure a certificate and private key on the instance (supported only on engines, see the note above), so the basic-auth credentials and the exported data cross the network in cleartext. Configure a certificate and use https when the consumer is not on a trusted network segment.

Curl Request Parameters

When sending a curl request to the URL, you can use the following query parameters. Parameters marked as flags (sp, di, pr, tx) take effect by being present in the query string, with no value. The examples use the tenant URL; on an engine, append the same parameters to http://<engine-address>:<listen-port>/.

  • n

    The maximum number of entries in the output. If no value is provided, the value of the List Size parameter in the integration instance settings is used.

    Example: https://ext-<cortex-xsoar-address>/xsoar/instance/execute/<ExportIndicators_instance_name>?n=50

  • s

    The starting entry index from which to export the indicators.

    Example: https://ext-<cortex-xsoar-address>/xsoar/instance/execute/<ExportIndicators_instance_name>?s=10&n=50

  • v

    The output format. Supports PAN-OS (text), CSV, JSON, mwg and proxysg (alias: bluecoat).

    Example: https://ext-<cortex-xsoar-address>/xsoar/instance/execute/<ExportIndicators_instance_name>?v=json

  • q

    The query used to retrieve indicators from the system. Quote or URL-encode the value, since it usually contains spaces.

    Example: https://ext-<cortex-xsoar-address>/xsoar/instance/execute/<ExportIndicators_instance_name>?q="type:ip and sourceBrand:my_source"

  • t

    Only with mwg format. The type indicated at the top of the exported list. Supports: string, applcontrol, dimension, category, ip, mediatype, number and regex.

    Example: https://ext-<cortex-xsoar-address>/xsoar/instance/execute/<ExportIndicators_instance_name>?v=mwg&t=ip

  • sp (flag)

    If set, ports are stripped off URLs; otherwise URLs with ports are ignored.

    Example: https://ext-<cortex-xsoar-address>/xsoar/instance/execute/<ExportIndicators_instance_name>?v=text&sp

  • di (flag)

    Only with PAN-OS (text) format. If set, URLs that do not comply with the PAN-OS URL format are dropped instead of being rewritten.

    Example: https://ext-<cortex-xsoar-address>/xsoar/instance/execute/<ExportIndicators_instance_name>?v=text&di

  • pr (flag)

    If set, protocols (schemes) are stripped off URLs.

    Example: https://ext-<cortex-xsoar-address>/xsoar/instance/execute/<ExportIndicators_instance_name>?v=text&pr

  • cd

    Only with proxysg format. The default category for the exported indicators.

    Example: https://ext-<cortex-xsoar-address>/xsoar/instance/execute/<ExportIndicators_instance_name>?v=proxysg&cd=default_category

  • ca

    Only with proxysg format. The categories to export. Indicators not in these categories are classified under the default category.

    Example: https://ext-<cortex-xsoar-address>/xsoar/instance/execute/<ExportIndicators_instance_name>?v=proxysg&ca=category1,category2

  • tr

    Only with PAN-OS (text) format. Whether to collapse IPs:

      0 - Do not collapse.
      1 - Collapse to ranges.
      2 - Collapse to CIDRs.

    Example: https://ext-<cortex-xsoar-address>/xsoar/instance/execute/<ExportIndicators_instance_name>?q="type:ip and sourceBrand:my_source"&tr=1

  • tx (flag)

    Whether to output the CSV format as a textual web page.

    Example: https://ext-<cortex-xsoar-address>/xsoar/instance/execute/<ExportIndicators_instance_name>?v=csv&tx
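The following script is an added example, not Cortex XSOAR product code, covering both the connection test above and the parameter table: it builds the request URL for a tenant instance (https://ext-.../xsoar/instance/execute/<instance>) or an engine instance (http://<engine>:<port>/), percent-encodes the q query and emits value-less flags such as sp exactly as the table describes, fetches the list with HTTP basic auth, and sanity-checks a PAN-OS text feed requested with q=type:ip before a firewall is pointed at it as an EDL. The tenant name mytenant and instance name edl_instance_01 come from the page; the engine host engine.internal:9000, the environment variable names, and the sample feed are assumptions made for the example.

```python
"""Added example (not Cortex XSOAR product code): build the request URL for a
long running integration instance on a tenant or an engine, fetch it with HTTP
basic auth, and sanity-check a PAN-OS text (q=type:ip) feed before a firewall
consumes it as an EDL. Only the standard library is used."""
import base64
import ipaddress
import ssl
import urllib.error
import urllib.request
from urllib.parse import quote

# Parameters the integration treats as flags: present in the query string with
# no value, e.g. "&sp" (strip ports) or "&di" (drop non-compliant URLs).
FLAG_PARAMS = {"sp", "di", "pr", "tx"}


def build_url(base, instance=None, **params):
    """base is 'https://ext-<tenant>' plus an instance name (tenant form), or
    'http://<engine>:<listen-port>' with instance=None (engine form, where the
    port itself identifies the instance). Values are percent-encoded so that a
    query such as q='type:ip and sourceBrand:my_source' survives unquoted."""
    path = f"/xsoar/instance/execute/{instance}" if instance else "/"
    parts = []
    for key, value in params.items():
        if key in FLAG_PARAMS:
            if value:  # sp=True -> "sp", sp=False -> omitted
                parts.append(key)
        elif value is not None:
            parts.append(f"{key}={quote(str(value), safe='')}")
    return f"{base}{path}" + (f"?{'&'.join(parts)}" if parts else "")


def fetch(url, username, password, timeout=30, cafile=None):
    """GET the feed with basic auth. Returns (status, body); a 401/403 is
    returned rather than raised so a credential mismatch is reported, not
    crashed on. cafile is the private CA for an engine that serves https with
    a custom certificate; TLS verification is never disabled."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    ctx = ssl.create_default_context(cafile=cafile) if url.startswith("https://") else None
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def validate_ip_feed(body, max_entries):
    """Check a PAN-OS text feed that should contain only IPs, CIDRs or
    collapsed ranges ("a-b", produced by tr=1). A firewall EDL treats every
    non-comment line as an entry, so any other line is junk or a sign that the
    query matched indicators of the wrong type. Returns (entries, problems)."""
    entries, problems = [], []
    for lineno, raw in enumerate(body.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            ipaddress.ip_network(line, strict=False)
            entries.append(line)
            continue
        except ValueError:
            pass
        lo, sep, hi = line.partition("-")
        try:  # TypeError covers a mixed IPv4/IPv6 range, which is also invalid
            if sep and ipaddress.ip_address(lo) <= ipaddress.ip_address(hi):
                entries.append(line)
                continue
        except (ValueError, TypeError):
            pass
        problems.append(f"line {lineno}: not an IP, CIDR or range: {line!r}")
    if len(entries) > max_entries:
        problems.append(f"{len(entries)} entries exceeds the requested n={max_entries}")
    return entries, problems


# Constructed sample feed (not real XSOAR output) so the checks run offline.
SAMPLE_FEED = """\
# constructed sample
10.0.0.0/24
192.0.2.7
203.0.113.0-203.0.113.15
evil.example.com
"""

if __name__ == "__main__":
    import os
    import sys
    # Defaults use the tenant form from this page; set XSOAR_BASE to
    # "http://<engine>:<port>" and XSOAR_INSTANCE="" for an engine instance.
    base = os.environ.get("XSOAR_BASE", "https://ext-mytenant.paloaltonetworks.com")
    instance = os.environ.get("XSOAR_INSTANCE", "edl_instance_01") or None
    url = build_url(base, instance, q="type:ip", v="text", n=50, tr=1)
    if os.environ.get("XSOAR_USER"):
        status, body = fetch(url, os.environ["XSOAR_USER"], os.environ["XSOAR_PASS"],
                             cafile=os.environ.get("XSOAR_CAFILE"))
    else:
        status, body = 200, SAMPLE_FEED  # offline: exercise the checks only
    entries, problems = validate_ip_feed(body, max_entries=50)
    print(f"GET {url}\nHTTP {status}: {len(entries)} usable entries")
    for problem in problems:
        print("  problem:", problem)
    sys.exit(0 if status == 200 and not problems else 1)
```

Run it with XSOAR_USER and XSOAR_PASS set to the instance credentials to hit a real instance; without them it validates the constructed sample and reports the hostname line as a problem. A non-zero exit on a 401, or on a feed containing anything other than IP entries, makes the script usable as a gate before a firewall EDL refresh picks up the list.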