Configure IoT Security and Cortex XSOAR

1. Log in to IoT Security and from there access AssetCentre settings in Cortex XSOAR.

   1. Log in to IoT Security and then click Integrations.

   2. IoT Security uses Cortex XSOAR to integrate with AssetCentre, and the settings you must configure to integrate IoT Security with it are in the XSOAR interface. To access these settings, click Launch Cortex XSOAR.
      The Cortex XSOAR interface opens in a new browser window.
   3. Click Settings in the left navigation menu, search for assetcentre to locate it among other instances.
2. Configure the Rockwell AssetCentre integration instance.

   1. Click Add instance to open the settings panel.
   2. Enter the following and leave the other settings at their default values:
      Name: Either use the default name (Rockwell AssetCentre_instance_1) or enter a new one.
      Remember the instance name because you are going to use it again when creating a job that Cortex XSOAR will run to gather data from the SQL database specified in this integration instance.
      SQL Server Host/IP: Enter the domain name or IP address of the Microsoft SQL server.
      SQL Server Port: Enter the default TCP port number 1433 or, if a different port number is set on the SQL server, enter that.
      SQL Database: Enter the name of the database from which you want XSOAR to retrieve device information.
      Each integration instance can retrieve device information from a single database. If you want to retrieve device information from other databases, you must create additional integration instances for them.
      Username: Enter the name of the user account you previously configured for XSOAR to access the Microsoft SQL server.
      Password: Enter the password associated with the user account.
      Run on Single engine: Choose the XSOAR engine that you want to communicate with the Microsoft SQL server.

   3. When finished, click Run test or Test.
      If the test is successful, a Success message appears. If not, check that the settings were entered correctly and then test the configuration again.

   4. After the test succeeds, click Save & exit to save your changes and close the settings panel.
3. To enable the Rockwell FactoryTalk AssetCentre integration instance, click Enable.
4. Create a job for XSOAR to retrieve information about devices in the AssetCentre SQL database specified in the integration instance and then forward it to IoT Security.

   1. Copy the name of the integration instance and open a duplicate browser window.
   2. Navigate to Jobs in the new window, and then click New Job at the top of the page.
   3. In the New Job panel that appears, enter the following and leave the other settings at their default values:
      Time triggered: (select)
      Recurring: Select this because you want to periodically import device information from AssetCentre.
      Every: Enter a number and set the interval value (Minutes, Hours, Days, or Weeks) and select the days and times on which to run the job. This determines how often and when XSOAR retrieves data from AssetCentre. Consider running the job every day or every other day at a time when network activity is light, such as late at night, to help reduce potential latency. As a general guideline, it takes approximately 20 minutes for XSOAR to import data for 10,000 devices into IoT Security. You can see the run status of a recurring job on the Jobs page and note how long it takes. When in progress, its status is Running. When done, its status changes to Completed.
      Name: Enter a name for the job.
      Playbook: Choose Import Rockwell AssetCentre devices to PANW IoT cloud.
      Integration Instance Name: Paste the name of the integration instance that you copied earlier.
      Playbook Poll Interval: If you want to import device information incrementally from AssetCentre, enter a number indicating the period of time that XSOAR polls AssetCentre for any newly discovered devices or new or different attributes for previously discovered devices. The value you enter, though unspecified, is minutes. When XSOAR runs the next job, it then imports the devices and attributes to IoT Security that AssetCentre discovered during this interval. It’s common to use the same interval as the one for running the recurring job. However, if you increase the interval between jobs, you can set a shorter interval for polling than that for the job.
      If you leave it blank, Cortex XSOAR imports all available device attributes each time the job runs the playbook. XSOAR then uploads whatever is new or has changed since the last import to IoT Security.
   4. Create new job.
5. Optional Create more integration instances and jobs to import device information from other AssetCentre databases into IoT Security.

   To create more integration instances, repeat the previous steps, entering unique names for each one and different settings as appropriate for your AssetCentre databases.

   For each additional integration instance, create a job for Cortex XSOAR to run, with a similar configuration as the one you initially created. However, as you add more jobs, consider staggering their run times so that the data retrievals are spread out.
6. Return to the IoT Security portal and check the status of the AssetCentre integration.

   An integration instance can be in one of the following four states, which IoT Security displays in the Status column on the Integrations page:

   • Disabled means that either the integration was configured but intentionally disabled or it was never configured and a job that references it is enabled and running.
   • Error means that the integration was configured and enabled but is not functioning properly, possibly due to a configuration error or network condition.
   • Inactive means that the integration was configured and enabled but no job has run for at least the past 60 minutes.
   • Active means that the integration was configured and enabled and is functioning properly.

   When you see that the status of an integration instance is Active, its setup is complete.