Set up IoT Security and Cortex XSOAR to integrate with
Cortex XDR.
Where Can I Use This?
  IoT Security (Managed by IoT Security)

What Do I Need?
  IoT Security subscription for an advanced IoT Security product (Enterprise Plus, Industrial OT, or Medical)
  One of the following Cortex XSOAR setups:
    An IoT Security Third-party Integration Add-on license that includes a cohosted, limited-featured Cortex XSOAR instance
    A full-featured Cortex XSOAR server
To set up IoT Security to integrate through Cortex XSOAR with Cortex XDR, you need the following from your Cortex XDR tenant:
  An API key for Cortex XDR created with the Advanced security level
  The API key ID
  The URL of your Cortex XDR instance
Note the key, the key ID, and the URL when you generate the key. The API key is a credential that grants XSOAR access to your XDR tenant: keep it in a password vault or secrets manager rather than a shared text file, and give the key the least-privileged XDR role that still lets the integration read endpoint data.
Log in to the IoT Security portal and then access the Cortex XDR integration settings in Cortex XSOAR.
Because IoT Security uses XSOAR to integrate with XDR, you configure the settings for the XDR integration instance in the Cortex XSOAR interface. To access XSOAR, log in to IoT Security and select Integrations > Launch Cortex XSOAR.
Click Settings in the left navigation menu, then search for xdr to locate the Cortex XDR integration among the other integrations.
Configure the Cortex XDR integration instance.
Click Add instance to open the settings panel.
Enter the following and leave the other settings at their default values:
  Name: Enter a name for the XDR integration instance.
  Server URL (copy URL from XDR): Paste the URL of your XDR instance that you noted earlier.
  API Key ID: Enter the API key ID that you previously noted.
  API Key: Paste the API key string.
  Single engine: Choose No engine.
When finished, click Test. If the test is successful, a Success message appears. If not, check that the settings were entered correctly (the key ID and key belong to the same XDR API key, the key was created with the Advanced security level, and the URL is the one from your XDR tenant) and then test the configuration again.
After the test succeeds, copy the name of the integration instance to use in the job you create next, and then click Save & exit to save your changes and close the settings panel.
Create a job to retrieve device attributes from Cortex XDR every 15 minutes.
Click Jobs near the bottom of the left navigation menu to open the Jobs page, and then click New Job at the top of the page.
Enter the following and leave the other fields at their default values:
  Time triggered: Select this option.
  Recurring: Select this because you want to periodically import device attributes from Cortex XDR.
  Every: Enter a number, set the interval unit (Minutes, Hours, Days, or Weeks), and select the days on which to run the job. (If you don't select any days, the job runs every day.) This determines how often XSOAR imports data from Cortex XDR. Set an interval long enough for each run to complete, bearing in mind factors such as the number of devices active on the network. A reasonable starting point is every 15 minutes; increase the interval as necessary until each run completes before the next one starts. You can see the run status of a recurring job on the Jobs page: Running while it is in progress and Completed when it is done.
  Name: Type a name for the job, such as XDR device attributes retrieval.
  Playbook: Incremental Export of Cortex XDR - PANW IoT 3rd Party Integration
  Integration Instance Name: Paste the integration instance name that you copied in the previous step. If this field is empty or the name doesn't match an instance, the job won't run successfully.
  Playbook Poll Interval: Enter a number of minutes (the field does not show a unit, but the value is minutes) defining the period during which IoT Security must have seen newly discovered devices, or network activity from previously discovered devices, for their device attributes to be imported from XDR. It's common to use the same interval as the one for running the recurring job. However, if you increase the interval between jobs, you can set a shorter interval for polling than for the job. If you leave the field blank, XSOAR uses the default poll interval of 15 minutes.
  Site Names: Leave the field empty to import device attributes for all sites. To limit imports to devices at one or more sites, enter comma-separated site names.
Click Create new job.
To enable the XDR integration instance, click Enable. XSOAR then starts an automated process that, on each run, retrieves the device attributes that were incrementally updated in Cortex XDR within the poll interval (the last 15 minutes by default).
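The Test button in the instance settings and the incremental retrieval described above can both be exercised outside XSOAR with the short Python script below. It is an added example, not code from the IoT Security documentation or from the XSOAR playbook, and it assumes three things this page does not state: that the Server URL is the API URL of your XDR tenant (the one shown on the Cortex XDR API Keys page), that the public get_endpoints API is an acceptable stand-in for whatever query the playbook issues, and that a last_seen filter over the poll interval is a fair illustration of the incremental window. The header construction is the documented scheme for keys created at the Advanced security level: the raw key is never sent, only a SHA-256 hash of key, per-request nonce, and timestamp. The three values are read from environment variables named here as XDR_API_URL, XDR_API_KEY_ID, and XDR_API_KEY.

```python
"""Added example (not from the IoT Security documentation or the XSOAR
playbook): check an Advanced-level Cortex XDR API key, its key ID, and the
XDR API URL, and pull the endpoints seen in the last poll interval.
Assumptions: XDR_API_URL is the API URL shown on the XDR API Keys page,
and a last_seen filter on get_endpoints stands in for the playbook's query.
"""
import hashlib
import json
import os
import secrets
import string
import sys
import time
import urllib.error
import urllib.request
from typing import Dict, List, Optional


def advanced_key_headers(api_key: str, api_key_id: str,
                         nonce: Optional[str] = None,
                         timestamp_ms: Optional[int] = None) -> Dict[str, str]:
    """Headers for a Cortex XDR API key created at the Advanced security level.

    The raw key never goes on the wire: each request carries a fresh
    64-character nonce and a millisecond timestamp, and the Authorization
    header is sha256(api_key + nonce + timestamp). nonce and timestamp_ms
    are injectable only so the construction can be unit-tested.
    """
    if nonce is None:
        alphabet = string.ascii_letters + string.digits
        nonce = "".join(secrets.choice(alphabet) for _ in range(64))
    if timestamp_ms is None:
        timestamp_ms = int(time.time()) * 1000
    digest = hashlib.sha256(
        f"{api_key}{nonce}{timestamp_ms}".encode("utf-8")).hexdigest()
    return {
        "x-xdr-auth-id": str(api_key_id),
        "x-xdr-nonce": nonce,
        "x-xdr-timestamp": str(timestamp_ms),
        "Authorization": digest,
        "Content-Type": "application/json",
    }


def incremental_endpoints_request(poll_interval_minutes: int = 15,
                                  now_ms: Optional[int] = None) -> dict:
    """get_endpoints body restricted to endpoints seen within the poll
    interval (15 minutes by default, like the job's Playbook Poll Interval)."""
    if poll_interval_minutes <= 0:
        raise ValueError("poll interval must be a positive number of minutes")
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    since_ms = now_ms - poll_interval_minutes * 60 * 1000
    return {"request_data": {"filters": [
        {"field": "last_seen", "operator": "gte", "value": since_ms}]}}


def fetch_recent_endpoints(api_url: str, api_key: str, api_key_id: str,
                           poll_interval_minutes: int = 15) -> List[dict]:
    """POST to the public get_endpoints API and return the endpoint list."""
    url = api_url.rstrip("/") + "/public_api/v1/endpoints/get_endpoints/"
    body = json.dumps(incremental_endpoints_request(poll_interval_minutes))
    req = urllib.request.Request(url, data=body.encode("utf-8"), method="POST",
                                 headers=advanced_key_headers(api_key, api_key_id))
    with urllib.request.urlopen(req, timeout=60) as resp:
        reply = json.load(resp).get("reply", {})
    return reply.get("endpoints", [])


if __name__ == "__main__":
    # Read the three values from the environment so the key is not pasted
    # into a file or left in shell history. The variable names are ours.
    cfg = {k: os.environ.get(k) for k in ("XDR_API_URL", "XDR_API_KEY_ID", "XDR_API_KEY")}
    missing = [k for k, v in cfg.items() if not v]
    if missing:
        sys.exit("set " + ", ".join(missing) + " first")
    try:
        endpoints = fetch_recent_endpoints(cfg["XDR_API_URL"], cfg["XDR_API_KEY"],
                                           cfg["XDR_API_KEY_ID"])
    except urllib.error.HTTPError as err:
        # 401: key, key ID, or security level mismatch; for anything else,
        # check the URL and the role assigned to the key.
        sys.exit(f"Cortex XDR rejected the request: HTTP {err.code}")
    print(f"Success: {len(endpoints)} endpoint(s) seen in the last 15 minutes")
    for ep in endpoints[:5]:
        print(ep.get("endpoint_name"), ep.get("ip"), ep.get("last_seen"))
```

Run it with the same three values you will enter in the instance settings. A 401 from XDR means the key, key ID, or security level does not match (for example a key generated at the Standard level, which expects the key itself in the Authorization header rather than the hash); a successful reply with zero endpoints is normal on a quiet network and still proves that the credentials and URL are right.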
Continue creating and enabling more integration instances
and jobs as needed for IoT Security to import device attributes
from other Cortex XDR instances.
Run the job for each integration instance you create. The first time a job that references an integration instance runs, XSOAR reports the instance to IoT Security, which then displays it on the Integrations page.
Return to the IoT Security portal and check the status of the Cortex XDR integration instances you created and enabled.
An integration instance can be in one of four states, which IoT Security displays in the Status column on the Integrations page:
  Disabled: The integration was configured but intentionally disabled, or it was never configured and a job that references it is enabled and running.
  Error: The integration was configured and enabled but is not functioning properly, possibly because of a configuration error or a network condition.
  Inactive: The integration was configured and enabled, but no job that references it has run for at least the past 60 minutes.
  Active: The integration was configured and enabled and is functioning properly.
When the status of an integration instance changes from Disabled to Active, its setup is complete. If it stays Inactive, check that the recurring job is enabled and that its Integration Instance Name matches the instance name exactly; if it shows Error, retest the instance settings in XSOAR.