Palo Alto Networks' Cortex XSOAR
If you have ever had to handle security incidents, you know how difficult it can be. More often than not, the system that detected the incident lacks the contextual information needed to decide whether it is a false positive or something that warrants further investigation, and the other systems typically don't hold the full picture of the discovered incident either. Automation would also be a great help, so that you could tell the system: "Hey, if you see this particular incident from a similar IP address, go to my firewall and block it, then inform me when you're done." This is where Cortex XSOAR comes in.
If these challenges sound familiar, what you need is an orchestration and automation tool like Palo Alto's Cortex XSOAR. It is built to make the security analyst's life a lot easier: it lets you configure multiple plugins for interacting with many different systems, both automatically and manually.
Together with the flexibility and the breadth of security-related information provided by Coralogix, you can easily analyze security alerts from many different sources, correlate the various Indicators of Compromise (IOCs), build a coherent evidence-based timeline, respond to the incident, and even automate the handling of similar incidents. XSOAR provides all of that from a single pane of glass.
Benefits
- The ability to automatically create an incident in Cortex XSOAR for every alert in Coralogix that was sent to a Demisto webhook.
- The ability to search for data that you have in your Coralogix account, both automatically as part of a playbook and manually, directly from the Cortex XSOAR war room.
- The ability to tag a timestamp in Coralogix, both automatically as part of a playbook and manually, directly from the Cortex XSOAR war room.
Use Cases
There are countless use cases for this integration, so we'll just give you a few examples to get you started.
- Use the Coralogix STA to collect and automatically analyze network traffic, and have a firewall such as CheckPoint automatically block access to addresses related to an attack detected by the STA.
- Investigate a security incident, detected either by Coralogix or by any other installed system, that supposedly involved both internal and external actors, and build a timeline that includes security-related events as well as code changes to the company's product, in order to determine whether the code changes correlate with the various security-related activities.
- Investigate a security incident, detected either by Coralogix or by any other installed system, for which you need information from AWS CloudTrail, the Coralogix STA, database logs, code and configuration changes, server logs, or any other type of data stored in your Coralogix account, and search for it without leaving the Cortex XSOAR war room.
Integration
The process for adding the Coralogix integration pack is quite simple and straightforward:
- Navigate to the Cortex XSOAR Marketplace.
- Search for Coralogix.
- Click on Install in the top right corner, and then on Install in the bottom right corner.
- Once it is installed, click on Settings > Integrations, then on Add instance on the right-hand side, and fill in the following parameters:
After configuring these parameters you should be able to do the following:
- Automatically fetch incidents from Coralogix (based on the Demisto webhook) by checking the box next to "Fetches incidents" in the integration instance settings.
- Search for information in your Coralogix account directly from the Cortex XSOAR war room by using the command !coralogix-search, for example:
- Tag interesting timestamps on the Coralogix timeline directly from the Cortex XSOAR war room by using the command !coralogix-tag, for example:
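As an added illustration of the incident-fetching step above (this is example code written for this page, not code from the Coralogix pack or from XSOAR), here is the XSOAR fetch-incidents pattern applied to a constructed batch of webhook alerts. The alert field names are an assumption, the incident fields (name, occurred, severity, rawJSON) and the severity scale are XSOAR's own, and the cursor plus seen-id list stands in for what an integration would keep in demisto.getLastRun()/setLastRun().

```python
import json
from datetime import datetime, timezone

# Constructed sample of alerts as a Coralogix webhook might deliver them.
# The field names (alert_id, name, severity, timestamp, fields) are an
# assumption for this example, not Coralogix's documented schema.
SAMPLE_ALERTS = [
    {"alert_id": "a-100", "name": "STA: port scan from 203.0.113.7",
     "severity": "warning", "timestamp": "2024-05-01T10:00:00Z",
     "fields": {"src_ip": "203.0.113.7"}},
    {"alert_id": "a-101", "name": "CloudTrail: root login without MFA",
     "severity": "critical", "timestamp": "2024-05-01T10:05:00Z",
     "fields": {"user": "root"}},
]
# A redelivered copy of the first alert (webhooks retry): it must not become a second incident.
SAMPLE_ALERTS.append(dict(SAMPLE_ALERTS[0]))

# XSOAR incident severity scale: 0 unknown, 1 low, 2 medium, 3 high, 4 critical.
SEVERITY_MAP = {"info": 1, "warning": 2, "error": 3, "critical": 4}

def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)

def to_incident(alert):
    """Shape one alert the way XSOAR expects a fetched incident."""
    return {
        "name": alert["name"],
        "occurred": alert["timestamp"],
        "severity": SEVERITY_MAP.get(alert.get("severity", "").lower(), 0),
        "rawJSON": json.dumps(alert),  # XSOAR takes the raw event as a JSON string
    }

def fetch_incidents(alerts, last_run=None):
    """Return (incidents, new_last_run). last_run stands in for what an
    integration keeps in demisto.getLastRun(): the cursor timestamp and the
    alert ids already turned into incidents at that exact timestamp."""
    last_run = last_run or {"last_time": "1970-01-01T00:00:00Z", "seen_ids": []}
    cursor, seen = parse_ts(last_run["last_time"]), set(last_run["seen_ids"])
    incidents = []
    for alert in sorted(alerts, key=lambda a: parse_ts(a["timestamp"])):
        ts = parse_ts(alert["timestamp"])
        if ts < cursor or (ts == cursor and alert["alert_id"] in seen):
            continue  # handled on an earlier run, or a duplicate delivery
        if ts > cursor:
            cursor, seen = ts, set()  # new high-water mark: reset the seen list
        seen.add(alert["alert_id"])
        incidents.append(to_incident(alert))
    return incidents, {"last_time": cursor.strftime("%Y-%m-%dT%H:%M:%SZ"),
                       "seen_ids": sorted(seen)}
```

Running fetch_incidents a second time with the returned last_run yields no incidents, which is the behaviour the "Fetches incidents" checkbox relies on to avoid duplicate incidents across polling cycles.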
Also, just like with any other Cortex XSOAR integration, you can create any playbook you'd like and combine these operations with operations available from other integrations to respond automatically to security-related incidents.
Hoping you found this content helpful.