IoT Security
Third-party Integrations Using Cohosted XSOAR
Use a cohosted Cortex XSOAR instance for IoT Security
integration with third-party solutions.
Where Can I Use This? | What Do I Need? |
---|---|
|
One of the following Cortex XSOAR setups:
|
When you buy and activate an
IoT Security Third-party Integrations Add-on license, a cloud-hosted,
purpose-built instance of Cortex XSOAR is generated exclusively
for your IoT Security
tenant at no extra charge. It enables IoT Security
to integrate with both cloud-based third-party systems and—by means of an on-site
Cortex XSOAR engine—with third-party systems deployed on premises. (For
Cortex XSOAR engine installation instructions, refer to the
“Cortex XSOAR Engine Installation” section for the third-party
product that you are integrating with IoT Security.)
An IoT Security Third-party Integrations Add-on does not
require the purchase of a full Cortex XSOAR product. After you enable the
add-on, IoT Security automatically generates a cloud-hosted XSOAR
instance with limited functionality (in contrast to a full Cortex XSOAR product)
to assist IoT Security with the integrations it supports.

Access and Manage Your Cohosted XSOAR
Once the cohosted Cortex XSOAR is available, you can log in to your
Cortex XSOAR instance from the IoT Security portal. Navigate to the
Integrations page, and under the Integrations section, click
Launch Cortex XSOAR.
When you log into a cohosted Cortex XSOAR instance with IoT Security,
you have a special IoT Security role with the following limitations:
- You can access only the Settings and Jobs pages.
- You can't access the Cortex XSOAR Marketplace.
- You can't run Cortex XSOAR commands from the CLI.
- You can't set configuration flags.
Because the cohosted Cortex XSOAR instance relies on having the third-party
integrations add-on license, you can find the serial number for the cohosted
Cortex XSOAR in the IoT Security portal. Navigate to
Administration > About > Tenant Details, and locate the XSOAR Serial Number.
Available Third-party Integrations
After you activate the add-on during the onboarding process,
a limited, cloud-hosted Cortex XSOAR instance is generated exclusively
to support third-party integrations included in the add-on. There
is no extra charge for this dedicated XSOAR instance, which supports
integrations with the following third-party systems:
- Asset Discovery
- Asset Management
  - AIMS
  - Jamf Pro
  - Microsoft SCCM
  - Nuvolo
  - RENOVOLive
  - ServiceNow
  - SoftPro Medusa
- Endpoint Protection
- Network Management
- Identity and Access Management
  - Microsoft Entra ID
- IP Address Management
- Wireless Network Controllers
- Security Information and Event Management
- Network Access Control
  - Aruba ClearPass
  - Cisco ISE
  - Cisco ISE pxGrid
  - Extreme Networks ExtremeCloud IQ
  - Forescout
- Vulnerability Scanning
When integrating IoT Security with one of the third-party systems, you’ll use the interface
of the dedicated XSOAR instance to configure this side of the integration and the user
interface of the remote system to configure the other side. The XSOAR interface has been
scaled down to just those features and settings essential for IoT Security to
integrate with these other systems. To access the XSOAR interface, log in to the
IoT Security portal, open the Integrations page, and then click Launch Cortex XSOAR.
Because IoT Security and XSOAR authenticate automatically when you click this link,
it’s the only way to access the interface of your XSOAR instance.

If you don’t see all available third-party integrations
in the Cortex XSOAR interface, it's possible that your XSOAR instance needs
to update to the latest content pack. Content packs include
code changes to the jobs and playbooks of existing integrations
as well as additional new third-party integrations. To get the latest
XSOAR content pack, log in to your Customer Support Portal account
and create a case with your request.
Some integrations such as ServiceNow, Nuvolo, and Qualys occur completely in the cloud, from the
IoT Security cloud through Cortex XSOAR to the third-party cloud. Others such as Cisco
ISE, SIEM, and Aruba ClearPass occur both in the cloud and on premises. The IoT Security
cloud sends data to Cortex XSOAR, which forwards it to an XSOAR engine installed on a VM on premises.
The XSOAR engine then forwards the data across the network to a third-party server
that’s also on premises. The following tables show which integrations require an on-premises
XSOAR engine when IoT Security is communicating through a cohosted XSOAR instance:

Asset Management Integrations | Requires an XSOAR Engine on Premises | XSOAR Engine Communications |
---|---|---|
AIMS | No (cloud-hosted AIMS instance), Yes (on-premises AIMS system) | HTTPS on TCP 443 to https://<your-domain>.iot.demisto.live/ and HTTPS on TCP 443 (default) to an on-premises AIMS system |
Microsoft SCCM | Yes | HTTPS on TCP 443 to https://<your-domain>.iot.demisto.live/ and TCP 1433 (default) to an on-premises SCCM SQL system |
Nuvolo | No | — |
ServiceNow | No | — |
SoftPro Medusa | No (cloud-hosted SoftPro Medusa), Yes (on-premises SoftPro Medusa servers) | HTTPS on TCP 443 to https://<your-domain>.iot.demisto.live/ and HTTPS on TCP 443 (default) to your on-premises SoftPro Medusa |

Endpoint Protection | Requires an XSOAR Engine on Premises | XSOAR Engine Communications |
---|---|---|
Cortex XDR | No | — |
CrowdStrike | No | — |
Microsoft Defender XDR | No | — |
Tanium | No (cloud-hosted Tanium), Yes (one or more on-premises Tanium servers) | HTTPS on TCP 443 to https://<your-domain>.iot.demisto.live/ and HTTPS on TCP 443 to your on-premises Tanium API |

Network Management | Requires an XSOAR Engine on Premises | XSOAR Engine Communications |
---|---|---|
Aruba AirWave | Yes | HTTPS on TCP 443 to https://<your-domain>.iot.demisto.live/ |
Aruba Central | No (cloud-hosted Aruba Central), Yes (one or more on-premises Aruba Central servers) | HTTPS on TCP 443 to https://<your-domain>.iot.demisto.live/ and SSH on TCP 22 to an on-premises Aruba Central server |
Cisco DNA Center | Yes | HTTPS on TCP 443 to https://<your-domain>.iot.demisto.live/ and HTTPS on TCP 443 to your on-premises Cisco DNA Center API |
Cisco Meraki Cloud | No | — |
Cisco Prime Infrastructure | Yes | HTTPS on TCP 443 to https://<your-domain>.iot.demisto.live/ and HTTPS on TCP 443 to your on-premises Cisco Prime instance |
SNMP Discovery | Yes | HTTPS on TCP 443 to https://<your-domain>.iot.demisto.live/ and SNMP on UDP 161 to local network switches |
Network Discovery | Yes | HTTPS on TCP 443 to https://<your-domain>.iot.demisto.live/ and SNMP on UDP 161 to local network switches |

IP Address Management | Requires an XSOAR Engine on Premises | XSOAR Engine Communications |
---|---|---|
BlueCat IPAM | Yes | HTTPS on TCP 443 to https://<your-domain>.iot.demisto.live/ and HTTP or HTTPS on TCP 80 or TCP 443 to your on-premises BlueCat Address Manager |
Infoblox IPAM | Yes | HTTPS on TCP 443 to https://<your-domain>.iot.demisto.live/ and to your on-premises Infoblox Grid Master API |

Wireless Network Controllers | Requires an XSOAR Engine on Premises | XSOAR Engine Communications |
---|---|---|
Aruba WLAN Controllers | Yes | HTTPS on TCP 443 to https://<your-domain>.iot.demisto.live/ and HTTPS on TCP 4343 (default) to the API of on-premises Aruba WLAN controllers |
Cisco WLAN Controllers | Yes | HTTPS on TCP 443 to https://<your-domain>.iot.demisto.live/ and SSH on TCP 22 (default) to on-premises Cisco WLAN controllers |

Security Information and Event Management | Requires an XSOAR Engine on Premises | XSOAR Engine Communications |
---|---|---|
SIEM | Yes | HTTPS on TCP 443 to https://<your-domain>.iot.demisto.live/ and syslog event messages on UDP 514 (default) to your SIEM server |

Network Access Control | Requires an XSOAR Engine on Premises | XSOAR Engine Communications |
---|---|---|
Aruba ClearPass | Yes | HTTPS on TCP 443 to https://<your-domain>.iot.demisto.live/ and to the on-premises Aruba ClearPass system |
Cisco ISE | Yes | HTTPS on TCP 443 to https://<your-domain>.iot.demisto.live/ and HTTPS on TCP 443 and 9060 to your on-premises Cisco ISE system |
Cisco ISE pxGrid | Yes | HTTPS on TCP 443 to https://<your-domain>.iot.demisto.live/ and SSL on TCP 8910 (default) to your on-premises Cisco pxGrid controller or ISE system |
Forescout | Yes | HTTPS on TCP 443 to https://<your-domain>.iot.demisto.live/ and HTTPS on TCP 443 (default) to your on-premises Forescout system |

Vulnerability Scanning | Requires an XSOAR Engine on Premises | XSOAR Engine Communications |
---|---|---|
Qualys | No | — |
Rapid7 | No (cloud-hosted Rapid7 system), Yes (on-premises Rapid7 system) | HTTPS on TCP 443 to https://<your-domain>.iot.demisto.live/, HTTPS on TCP 3780 (default) to your on-premises Rapid7 web interface, and HTTPS on TCP 8080 and 443 (default) to your on-premises Rapid7 API |
Tenable (Tenable.io) | No | — |

After you set up IoT Security to work with a full-featured or
cohosted XSOAR instance and configure some integration instances in XSOAR, various
settings become available for use in the IoT Security portal. For
example, options to quarantine a device and release a previously quarantined device only
appear after you configure an integration instance that supports such actions.
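
The XSOAR Engine Communications tables above amount to a least-privilege egress policy for the on-premises engine VM. The following is an added example, not vendor code: it builds that allowlist from the documented default ports and audits observed engine connections against it. The tenant hostname, IP addresses, and log line format are constructed for illustration.

```python
# Added example (not vendor code): audit XSOAR engine egress against documented flows.
import re

XSOAR_HOST = "example-tenant.iot.demisto.live"  # placeholder for <your-domain>

# Engine-to-target default ports, copied from the tables on this page.
DOCUMENTED = {
    "Microsoft SCCM": {("tcp", 1433)},
    "Cisco ISE": {("tcp", 443), ("tcp", 9060)},
    "Cisco ISE pxGrid": {("tcp", 8910)},
    "SIEM": {("udp", 514)},
    "SNMP Discovery": {("udp", 161)},
    "Cisco WLAN Controllers": {("tcp", 22)},
}

def build_allowlist(deployed):
    """deployed maps integration name -> list of on-premises target addresses."""
    allowed = {(XSOAR_HOST, "tcp", 443)}  # every engine talks to the cohosted XSOAR
    for name, targets in deployed.items():
        for proto, port in DOCUMENTED[name]:  # KeyError if integration is not listed
            allowed.update((t, proto, port) for t in targets)
    return allowed

LINE = re.compile(r"^\S+ -> (\S+) (tcp|udp)/(\d+)$")

def audit(log_lines, allowed):
    """Return (unexpected flows, allowed flows never observed)."""
    seen = set()
    for line in log_lines:
        m = LINE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable record: {line!r}")
        seen.add((m.group(1), m.group(2), int(m.group(3))))
    return sorted(seen - allowed), sorted(allowed - seen)

# Constructed sample: hypothetical engine at 10.20.0.5 and hypothetical targets.
DEPLOYED = {"Microsoft SCCM": ["10.20.1.10"], "SIEM": ["10.20.1.20"],
            "Cisco ISE": ["10.20.1.30"]}
SAMPLE_LOG = [
    "10.20.0.5 -> example-tenant.iot.demisto.live tcp/443",
    "10.20.0.5 -> 10.20.1.10 tcp/1433",
    "10.20.0.5 -> 10.20.1.20 udp/514",
    "10.20.0.5 -> 10.20.1.30 tcp/443",
    "10.20.0.5 -> 10.20.1.10 tcp/445",   # port not documented for SCCM
    "10.20.0.5 -> 203.0.113.7 tcp/443",  # destination not in the deployment
]

if __name__ == "__main__":
    unexpected, unused = audit(SAMPLE_LOG, build_allowlist(DEPLOYED))
    print("unexpected:", unexpected)
    print("never observed:", unused)
```

Flows in the first list are candidates for investigation or a tighter firewall rule; entries in the second list point to an integration that is configured but not communicating on a documented port.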