Forward Requests to Long-Running Integrations - Administrator Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Cloud Documentation

Product: Cortex XSOAR
Version: 8
Creation date: 2024-03-07
Last date published: 2024-10-14
Category: Administrator Guide
Solution: Cloud
Abstract

Configure and manage long-running integrations to export internal data from Cortex XSOAR.

Some long-running integrations provide internal data via API calls to your third-party software, such as a firewall. You can set up Cortex XSOAR to allow third-party software to access long-running integrations installed either on the Cortex XSOAR tenant or on an engine.

Rather than adding credentials separately for long-running integration instances, you can set up universal credentials for all long-running integrations.

The following long-running integrations provide internal data via API calls:

| Integration | Description |
|---|---|
| O365 Teams (Using Graph API) | Get authorized access to a user's Teams app in a personal or organizational account. |
| Generic Webhook | Creates incidents on event triggers. The trigger can be any query posted to the integration. |
| Generic Export Indicators Service | Provides an endpoint with a list of indicators as a service for the system indicators. You can set up the tenant to export internal data to an endpoint. Note: this integration replaces the External Dynamic List integration, which is deprecated. |
| TAXII Server | Provides TAXII services for system indicators (outbound feed). |
| TAXII2 Server | Provides TAXII2 services for system indicators (outbound feed). You can choose to use TAXII v2.0 or TAXII v2.1. |
| XSOAR-Web-Server | Supports handling configurable user responses (like Yes/No/Maybe) and data collection tasks that can be used to fetch key-value pairs. |
| PingCastle | Listens for PingCastle XML reports. |
| Publish List | Publishes Cortex XSOAR lists for external consumption. |
| Simple API Proxy | Provides a simple API proxy to restrict privileges or minimize the number of credentials issued at the API. |
| Syslog v2 | Opens incidents automatically from Syslog clients. |
| Web File Repository | Prepares your environment for testing purposes, so that your playbooks or automations can download files from a web server. |

Note

  • When running on the tenant, you can only use long-running integrations provided by Cortex XSOAR; you cannot create custom ones. Custom long-running integrations are supported only on engines at this time.

  • Configuring custom certificates or private API Keys in the long-running integration instance is supported only on engines, not on the Cortex XSOAR tenant.

When defining credentials for long-running integrations, you can do one of the following:

  • Set up universal credentials for all long-running integrations

    You need the Account Admin or Instance Administrator's permission to define credentials.

    Tip

    For long-running integrations running on an engine, we strongly recommend defining a username and password, but it is not required.

  • Set up credentials for each separate integration

    Users with sufficient permissions can set the username and password for specific integration instances, on the Integrations > Instances page.

Important

If you define credentials in long-running integrations, but there is a different username and password in an individual integration instance, the credentials for the integration instance override the long-running integration credentials.

  1. Go to Settings & Info > Settings > Integrations > Long Running Integrations.

  2. In the Configure Universal Credentials for Long Running Integrations (Optional) section, add a username and password.

  3. Save the configuration.

    When configuring a long-running integration, you don't need to add a username and password.

  • Integration Instance Running on a Tenant

    You can use curl commands from any terminal to access and test the long-running integration at the URL:

    https://ext-<tenant-address>/xsoar/instance/execute/<instance-name>

    For example:

    curl -v -u user:pass https://ext-mytenant.paloaltonetworks.com/xsoar/instance/execute/edl_instance_01\?q\=type:ip

    Note

    The data URL must always be prefixed by ext-.

  • Integration Instance Running on an Engine

    You can use curl commands from any terminal to access and test the long-running integration at the engine URL:

    http://<engine-address>:<integration listen port>/

    For example:

    curl -v -u user:pass http://<engine_address>:<listen_port>/?n=50

Curl request parameters

When sending a curl request to the URL, use the following parameters:

| Argument | Description | Example |
|---|---|---|
| n | The maximum number of entries in the output. If no value is provided, the value of the List Size parameter in the integration instance settings is used. | https://ext-<tenant-address>/instance/execute/<ExportIndicators_instance_name>?n=50 |
| s | The starting entry index from which to export the indicators. | https://ext-<tenant-address>/instance/execute/<ExportIndicators_instance_name>?s=10&n=50 |
| v | The output format. Supports PAN-OS (text), CSV, JSON, mwg and proxysg (alias: bluecoat). | https://ext-<tenant-address>/instance/execute/<ExportIndicators_instance_name>?v=json |
| q | The query used to retrieve indicators from the system. | https://ext-<tenant-address>/instance/execute/<ExportIndicators_instance_name>?q="type:ip and sourceBrand:my_source" |
| t | Only with the mwg format. The type indicated at the top of the exported list. Supports: string, applcontrol, dimension, category, ip, mediatype, number and regex. | https://ext-<tenant-address>/instance/execute/<ExportIndicators_instance_name>?v=mwg&t=ip |
| sp | If set, strips ports off URLs; otherwise URLs with ports are ignored. | https://ext-<tenant-address>/instance/execute/<ExportIndicators_instance_name>?v=text&sp |
| di | Only with the PAN-OS (text) format. If set, URLs that are not compliant with the PAN-OS URL format are ignored instead of being rewritten. | https://ext-<tenant-address>/instance/execute/<ExportIndicators_instance_name>?v=text&di |
| cr | If set, strips protocols off URLs. | https://ext-<tenant-address>/instance/execute/<ExportIndicators_instance_name>?v=text&pr |
| cd | Only with the proxysg format. The default category for the exported indicators. | https://ext-<tenant-address>/instance/execute/<ExportIndicators_instance_name>?v=proxysg&cd=default_category |
| ca | Only with the proxysg format. The categories to export. Indicators not in these categories are classified under the default category. | https://ext-<tenant-address>/instance/execute/<ExportIndicators_instance_name>?v=proxysg&ca=category1,category2 |
| tr | Only with the PAN-OS (text) format. Whether to collapse IPs: 0 - do not collapse; 1 - collapse to ranges; 2 - collapse to CIDRs. | https://ext-<tenant-address>/instance/execute/<ExportIndicators_instance_name>?q="type:ip and sourceBrand:my_source"&tr=1 |
| tx | Whether to output CSV formats as textual web pages. | https://ext-<tenant-address>/instance/execute/<ExportIndicators_instance_name>?v=csv&tx |
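As an added example (not code from this page or from the Cortex XSOAR integration itself), the following Python builds the tenant and engine data URLs described above and validates a request against the curl parameter table before encoding it: the ext- prefix is enforced, format-bound arguments (t, di, tr, cd, ca) are rejected when v names a different format, and the value-less switches are emitted bare, as in the table. The /xsoar/instance/execute/ path follows the tenant URL given earlier; the sample hosts, instance name and port used in the test are placeholders.

```python
from urllib.parse import quote

# Allowed values, constructed from the "Curl request parameters" table above.
FORMATS = {"text", "csv", "json", "mwg", "proxysg", "bluecoat"}
MWG_TYPES = {"string", "applcontrol", "dimension", "category", "ip",
             "mediatype", "number", "regex"}
FLAGS = {"sp", "di", "cr", "tx"}                      # value-less switches
VALUED = {"n", "s", "v", "q", "t", "cd", "ca", "tr"}  # key=value arguments
# Arguments the table ties to one output format (bluecoat is the proxysg alias).
FORMAT_ONLY = {"t": {"mwg"}, "di": {"text"}, "tr": {"text"},
               "cd": {"proxysg", "bluecoat"}, "ca": {"proxysg", "bluecoat"}}

def tenant_base_url(tenant_address: str, instance_name: str) -> str:
    """Tenant form from the page; the data URL must carry the ext- prefix."""
    host = tenant_address if tenant_address.startswith("ext-") else f"ext-{tenant_address}"
    return f"https://{host}/xsoar/instance/execute/{quote(instance_name, safe='')}"

def engine_base_url(engine_address: str, listen_port: int) -> str:
    """Engine form from the page: http://<engine-address>:<listen port>/"""
    return f"http://{engine_address}:{int(listen_port)}/"

def build_query(**args) -> str:
    """Check the arguments against the table, then return an encoded query string."""
    unknown = set(args) - FLAGS - VALUED
    if unknown:
        raise ValueError(f"unknown argument(s): {sorted(unknown)}")
    fmt = args.get("v")
    if fmt is not None and fmt not in FORMATS:
        raise ValueError(f"unsupported output format: {fmt}")
    for name, allowed in FORMAT_ONLY.items():
        if name in args and fmt is not None and fmt not in allowed:
            raise ValueError(f"{name} is only valid with v in {sorted(allowed)}")
    if "t" in args and args["t"] not in MWG_TYPES:
        raise ValueError(f"unsupported mwg type: {args['t']}")
    if "tr" in args and str(args["tr"]) not in {"0", "1", "2"}:
        raise ValueError("tr must be 0 (no collapse), 1 (ranges) or 2 (CIDRs)")
    parts = []
    for name, value in args.items():
        if name in FLAGS:
            if value:             # sp=True -> bare "sp" as in the table; False omits it
                parts.append(name)
        else:                     # percent-encode so "type:ip and ..." needs no shell escaping
            parts.append(f"{name}={quote(str(value), safe='')}")
    return "&".join(parts)

def export_url(base_url: str, **args) -> str:
    """Full request URL for curl -u user:pass or any HTTP client using basic auth."""
    query = build_query(**args)
    return f"{base_url}?{query}" if query else base_url
```

Because the query value is percent-encoded, the backslash escaping shown in the curl example above is not needed when the URL comes from this helper.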

When configuring a long-running integration instance, you may need to define a listening port.

  • Integration Instance Running on a Tenant

    If the long-running integration runs on the Cortex XSOAR tenant, you do not need to enter a Listen Port in the instance settings. The system auto-selects an unused port for the long-running integration when the instance is saved.

  • Integration Instance Running on an Engine

    You must set the Listen Port for access when configuring a long-running integration instance on an engine. Use a unique port for each long-running integration instance. Do not use the same port for multiple instances.