Set up IoT Security and Cortex XSOAR for Microsoft Defender XDR Integration
Table of Contents
Expand all | Collapse all
-
- Integrate IoT Security with AIMS
- Set up AIMS for Integration
- Set up IoT Security and XSOAR for AIMS Integration
- Send Work Orders to AIMS
- Integrate IoT Security with Microsoft SCCM
- Set up Microsoft SCCM for Integration
- Set up IoT Security and XSOAR for SCCM Integration
- Integrate IoT Security with Nuvolo
- Set up Nuvolo for Integration
- Set up IoT Security and XSOAR for Nuvolo Integration
- Send Security Alerts to Nuvolo
- Send Vulnerabilities to Nuvolo
- Integrate IoT Security with ServiceNow
- Set up ServiceNow for Integration
- Set up IoT Security and XSOAR for ServiceNow Integration
- Send Security Alerts to ServiceNow
- Send Vulnerabilities to ServiceNow
-
- Integrate IoT Security with Cortex XDR
- Set up Cortex XDR for Integration
- Set up IoT Security and XSOAR for XDR Integration
- Integrate IoT Security with CrowdStrike
- Set up CrowdStrike for Integration
- Set up IoT Security and XSOAR for CrowdStrike Integration
- Integrate IoT Security with Microsoft Defender XDR
- Set up Microsoft Defender XDR for Integration
- Set up IoT Security and Cortex XSOAR for Microsoft Defender XDR Integration
- Integrate IoT Security with Tanium
- Set up Tanium for Integration
- Set up IoT Security and XSOAR for Tanium Integration
-
- Integrate IoT Security with Aruba AirWave
- Set up Aruba AirWave for Integration
- Set up IoT Security and Cortex XSOAR for Aruba AirWave Integration
- View Device Location Information
- Integrate IoT Security with Aruba Central
- Set up Aruba Central for Integration
- Set up IoT Security and XSOAR for Aruba Central Integration
- Integrate IoT Security with Cisco DNA Center
- Set up Cisco DNA Center to Connect with XSOAR Engines
- Set up IoT Security and XSOAR for DNA Center Integration
- Integrate IoT Security with Cisco Meraki Cloud
- Set up Cisco Meraki Cloud for Integration
- Set up IoT Security and XSOAR for Cisco Meraki Cloud
- Integrate IoT Security with Cisco Prime
- Set up Cisco Prime to Accept Connections from IoT Security
- Set up IoT Security and XSOAR for Cisco Prime Integration
- Integrate IoT Security with Network Switches for SNMP Discovery
- Set up IoT Security and Cortex XSOAR for SNMP Discovery
- Integrate IoT Security with Switches for Network Discovery
- Set up IoT Security and Cortex XSOAR for Network Discovery
-
- Integrate IoT Security with Aruba WLAN Controllers
- Set up Aruba WLAN Controllers for Integration
- Set up IoT Security and XSOAR for Aruba WLAN Controllers
- Integrate IoT Security with Cisco WLAN Controllers
- Set up Cisco WLAN Controllers for Integration
- Set up IoT Security and XSOAR for Cisco WLAN Controllers
-
- Integrate IoT Security with Aruba ClearPass
- Set up Aruba ClearPass for Integration
- Set up IoT Security and XSOAR for ClearPass Integration
- Put a Device in Quarantine Using Aruba ClearPass
- Release a Device from Quarantine Using Aruba ClearPass
- Integrate IoT Security with Cisco ISE
- Set up Cisco ISE to Identify IoT Devices
- Set up Cisco ISE to Identify and Quarantine IoT Devices
- Configure ISE Servers as an HA Pair
- Set up IoT Security and XSOAR for Cisco ISE Integration
- Put a Device in Quarantine Using Cisco ISE
- Release a Device from Quarantine Using Cisco ISE
- Apply Access Control Lists through Cisco ISE
- Integrate IoT Security with Cisco ISE pxGrid
- Set up Integration with Cisco ISE pxGrid
- Put a Device in Quarantine Using Cisco ISE pxGrid
- Release a Device from Quarantine Using Cisco ISE pxGrid
- Integrate IoT Security with Forescout
- Set up Forescout for Integration
- Set up IoT Security and XSOAR for Forescout Integration
- Put a Device in Quarantine Using Forescout
- Release a Device from Quarantine Using Forescout
-
- Integrate IoT Security with Qualys
- Set up QualysGuard Express for Integration
- Set up IoT Security and XSOAR for Qualys Integration
- Perform a Vulnerability Scan Using Qualys
- Get Vulnerability Scan Reports from Qualys
- Integrate IoT Security with Rapid7
- Set up Rapid7 InsightVM for Integration
- Set up IoT Security and XSOAR for Rapid7 Integration
- Perform a Vulnerability Scan Using Rapid7
- Get Vulnerability Scan Reports from Rapid7
- Integrate IoT Security with Tenable
- Set up Tenable for Integration
- Set up IoT Security and XSOAR for Tenable Integration
- Perform a Vulnerability Scan Using Tenable
- Get Vulnerability Scan Reports from Tenable
Set up IoT Security and Cortex XSOAR for Microsoft Defender XDR Integration
Set up IoT Security and Cortex XSOAR to integrate with Microsoft Defender XDR.
Configure Cortex XSOAR with a Microsoft Defender XDR integration instance and
jobs to import device and vulnerability information from Microsoft Defender XDR. You
can set the jobs to run on demand or at regular intervals. The configuration
requires the following information from Microsoft Defender XDR:
- Domain URL for Microsoft Defender XDR
- Tenant ID
- Client ID
- Client Secret ID
- Log in to IoT Security, and from there access the Microsoft Defender XDR integration settings in Cortex XSOAR.
- Log in to IoT Security and then click Integrations.Launch Cortex XSOAR from the IoT Security portal.IoT Security uses Cortex XSOAR to integrate with Microsoft Defender XDR. The settings you must configure are in the Cortex XSOAR interface. To access these settings from the Integrations page, Launch Cortex XSOAR. The Cortex XSOAR interface opens in a new browser tab or window.Find the Microsoft Defender XDR integration.Click Settings in the left navigation menu. Search for Microsoft Defender XDR to locate it among other integrations.Configure the Microsoft Defender XDR integration instance.
- Click Add instance to open the settings panel.In the settings panel, configure the following settings:
- Name: Use the default name of the instance or enter a new one.Remember the instance name because you're going to use it again when creating the jobs that Cortex XSOAR runs to gather device data and vulnerability information from Microsoft Defender XDR.
- Domain URL: Select the Microsoft Defender XDR API Gateway URL based on the geographical cluster where your account is registered. The possible domain URL options are:
- https://api-us.securitycenter.microsoft.com
- https://api-eu.securitycenter.microsoft.com
- https://api-uk.securitycenter.microsoft.com
- https://api-au.securitycenter.microsoft.com
- Tenant ID: Enter the Tenant ID from your Microsoft application.
- Client ID: Enter the Client ID from your Microsoft application.
- Client Secret: Enter the Client Secret ID from your Microsoft application.
- Run on Single engine: Choose No engine.
When finished, click Test to test the integration instance.If the test is successful, a Success message appears. If not, check that the settings were entered correctly, and then test the configuration again.After the test succeeds, click Save & exit to save your changes and close the settings panel.Create a job for Cortex XSOAR to query Microsoft Defender XDR for devices and device attributes and import them to IoT Security.- Create a new Cortex XSOAR job.Copy the name of the instance you created, click Jobs near the bottom of the left navigation menu, and then click New Job at the top of the page.Configure the new Cortex XSOAR job.In the New Job panel that appears, configure the following and leave the other settings at their default values:
- Recurring: Select this if you want to periodically import device information from Microsoft Defender XDR. Clear it if you want to import device details on demand.
- Every: If you select Recurring, enter a number and set the interval value (Minutes, Hours, Days, or Weeks) and select the days on which to run the job. If you don't select specific days, then the job will run every day by default. This determines how often Cortex XSOAR queries Microsoft Defender XDR for information about device details.
- Name: Enter a name for the job.
- Playbook: Choose Import MS Defender devices to PANW IoT cloud.
- Integration Instance Name: Paste the instance name of your Microsoft Defender XDR integration instance.
Click Create new job and verify that the job appears in the Jobs list.Create a job for Cortex XSOAR to query Microsoft Defender XDR for vulnerabilities and vulnerability details and import them to IoT Security.- Create a new Cortex XSOAR job.Stay on the Jobs page, and click New Job at the top of the page.Configure the new Cortex XSOAR job.In the New Job panel that appears, configure the following and leave the other settings at their default values:
- Recurring: Select this if you want to periodically import vulnerabilities and vulnerability information from Microsoft Defender XDR. Clear it if you want to import vulnerability information on demand.
- Every: If you select Recurring, enter a number and set the interval value (Minutes, Hours, Days, or Weeks) and select the days on which to run the job. If you don't select specific days, then the job will run every day by default. This determines how often Cortex XSOAR queries Microsoft Defender XDR for information about vulnerabilities.
- Name: Enter a name for the job.
- Playbook: Choose Import MS Defender Vulnerabilities to PANW IoT cloud.
- Integration Instance Name: Paste the same instance name you used for the device details job.
- Optional Playbook Duration in days: Choose the number of days that you want to poll for discovered vulnerabilities. If the field is blank, then Cortex XSOAR requests vulnerabilities discovered in the last 30 days by default.
- Optional Import vulnerabilities by CVE levels: Choose the CVE severity levels for vulnerabilities that you want to import. You can select multiple levels at once. If no level is selected, then Cortex XSOAR imports only CVEs with a severity level of Critical by default.
Click Create new job and verify that the job appears in the Jobs list.Enable the jobs and run them.- Check the job status for the jobs you created.If the jobs are Disabled, select the appropriate check boxes and then click Enable.Run the device details import job.After you enable the jobs, select only the check box for the device details import job and click Run now. The Run Status should change from Idle to Running.Run the vulnerabilities import job.Once the device details import job's Run Status changes to Completed, deselect that job. Select the check box for the vulnerabilities import job and click Run now. The Run Status should change from Idle to Running.For either job, if you selected Recurring, Cortex XSOAR queries Microsoft Defender XDR for information at the defined intervals and forwards imported information to IoT Security.If you cleared Recurring, Cortex XSOAR immediately queries Microsoft Defender XDR and forwards imported information to IoT Security.Optional Create additional integration instances, and configure and run jobs for each integration instance as needed.Return to the IoT Security portal and check the status of the Aruba AirWave integration.An integration instance can be in one of the following four states, which IoT Security displays in the Status column on the Integrations page:
- Disabled means that either the integration was configured but intentionally disabled or it was never configured and a job that references it is enabled and running.
- Error means that the integration was configured and enabled but is not functioning properly, possibly due to a configuration error or network condition.
- Inactive means that the integration was configured and enabled but no job has run for at least the past 60 minutes.
- Active means that the integration was configured and enabled and is functioning properly.
When you see that the status of an integration instance is Active, its setup is complete.