Cortex XSOAR and TAXII


This blog was written by Ozan Karaduman and Winston Marydasan.

 

Executive Summary

 

This blog post delves into the interoperability between Cortex XSOAR and TAXII. By bridging the gap between threat intelligence and response, Cortex XSOAR plays a pivotal role in security orchestration. By integrating with TAXII servers and clients, organizations can tap into the latest threat intelligence and strengthen their defense strategies. This synergy gives security teams a high degree of automation, enabling rapid response to emerging threats.

 

TAXII - Server and Client

 

A TAXII Server facilitates the sharing and collection of contextualized cyber threat intelligence. It provides a venue for sharing and collecting Indicators of Compromise (IOCs), and it also provides opportunities to compare information about suspicious activity.

 

The TAXII Client is a REST client that connects to a TAXII Server. It retrieves the most recent cyber threat intelligence from the server and integrates it into your local database. It can also manage multiple TAXII Servers simultaneously, which eases concerns about server-side limitations such as restricting connections to 100 or fewer per day.

 

XSOAR and TAXII

 

XSOAR has numerous out-of-the-box integrations with a wide variety of products, among them a TAXII Server integration and TAXII Client integrations. These let XSOAR act as a TAXII server that feeds the required clients, or fetch from any TAXII server (using XSOAR as a TAXII client).

 

One of the main use cases of the TAXII server/client integrations with respect to XSOAR is sharing Indicators between two XSOAR environments (for example between two XSOAR Tenants in a Multi Tenant environment), or sharing Indicators with any external parties/products that use the TAXII protocol. Both TAXII 1 and TAXII 2 are supported.

 

TAXII Configuration - XSOAR as TAXII Server

In order to use XSOAR as a TAXII server, the following steps/configurations are required:

 

  • Access Cortex XSOAR:
    • Log in to your Cortex XSOAR instance
  • Install TAXII Server Integration:
    • In Cortex XSOAR, navigate to the "Settings" page
    • In the left-hand menu, go to Integrations > Servers & Services
    • Search for "TAXII" and install the TAXII Server integration
  • Configure TAXII Server Integration:
    • Name can be anything desired
    • TAXII Version can be selected from the dropdown (version 2.1, 2.0 or 1.1)
    • Specify a listening port of your choice
    • Provide a username and password
    • Fill the TAXII2 Service URL address field following the pattern “https://ext-<tenant>/xsoar/instance/execute/<instance-name>/<taxii2_api_endpoint>/”, where:
      • <tenant> is the XSOAR 8 tenant hostname
      • <instance-name> is the name you provided in the configuration
      • <taxii2_api_endpoint> can be /taxii2/ or /taxii/
    • After installation, go to Settings > Integrations > Servers & Services
    • Find the TAXII Server integration and click on it to configure
    • Provide the necessary details, including server URL, authentication credentials, and any other required parameters

 

[Fig 1]

 

  • Define TAXII Channels:
    • Set up TAXII Channels based on your use case. These channels define the types of threat intelligence data you want to share or receive
    • The “Collection JSON” field should be configured to have the required collection name and corresponding Indicator query

[Fig 2]

  • Map Fields:
    • Map the fields between the TAXII server and Cortex XSOAR to ensure the proper ingestion of threat intelligence data
  • Test the Connection:
    • After configuration, it's advisable to test the connection to ensure that Cortex XSOAR can communicate with the TAXII server
  • Enable and Use TAXII Feeds:
    • Once the integration is configured and tested, you can enable TAXII feeds to start receiving threat intelligence data

 

TAXII Configuration - XSOAR as TAXII Client

  • Access Cortex XSOAR:
    • Log in to your Cortex XSOAR instance.
  • Install TAXII Client Integration:
    • In Cortex XSOAR, navigate to the "Settings" page
    • In the left-hand menu, go to Integrations > Servers & Services
    • Search for "TAXII" and install the TAXII Client integration
  • Configure TAXII Client Integration:
    • “Name” can be any name you would like to have as the instance name
    • “Source Reliability” lets you specify how reliable all the feeds received through this particular instance are considered. Please note that this option affects Indicator maliciousness
    • After installation, go to Settings > Integrations > Servers & Services
    • Find the TAXII Client integration and click on it to configure
    • Provide the necessary details, including TAXII Server URL, authentication credentials, and any other required parameters

[Fig 3]

  • Define TAXII Discovery URL:
    • “Discovery URL” is the TAXII server URL, following the pattern “https://ext-<tenant>/xsoar/instance/execute/<instance-name>/<taxii2_api_endpoint>/”

[Fig 4]

 

[Fig 5]

 

  • Test the Connection:
    • After configuration, it's advisable to test the connection to ensure that Cortex XSOAR can communicate with the TAXII server
  • Enable and Use TAXII Feeds:
    • Once the integration is configured and tested, you can enable TAXII feeds to start receiving threat intelligence data

[Fig 6]

 

[Fig 7]

 

  • Monitor and Troubleshoot:
    • Monitor the integration for any issues and troubleshoot if necessary. Check logs and error messages to identify and resolve issues
  • Update and Maintain:
    • Regularly update the TAXII client integration and review the configurations as your threat intelligence needs evolve
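As an added example serving both the server and client procedures above (not XSOAR's own code), the helpers below build the value for the "Collection JSON" field and the service URL from the page's placeholder pattern, then check a TAXII 2.1 discovery reply and a collections reply the way a test-connection step should. The TAXII media type and response fields follow the TAXII 2.1 specification; the tenant, instance name, indicator queries and the sample replies are constructed.

```python
import json

# Media type a TAXII 2.1 server returns (assumption: the XSOAR TAXII2 Server
# integration set to version 2.1 follows the TAXII 2.1 specification).
TAXII21_CONTENT_TYPE = "application/taxii+json;version=2.1"


def build_collection_json(collections):
    """Serialize {collection name: XSOAR indicator query} for the integration's
    'Collection JSON' field, refusing empty names or queries up front."""
    for name, query in collections.items():
        if not name.strip() or not query.strip():
            raise ValueError(f"collection {name!r}: name and query must be non-empty")
    return json.dumps(collections)


def taxii_service_url(tenant, instance_name, endpoint="/taxii2/"):
    """Build the service/discovery URL from the placeholder pattern in the blog."""
    if endpoint not in ("/taxii2/", "/taxii/"):
        raise ValueError("endpoint must be /taxii2/ or /taxii/")
    return f"https://ext-{tenant}/xsoar/instance/execute/{instance_name}{endpoint}"


def api_roots_from_discovery(status, content_type, body):
    """Check a discovery reply the way a 'Test' step should: HTTP 200, the TAXII
    media type, and at least one API root. Returns the API root URLs."""
    if status != 200:
        raise ValueError(f"discovery failed with HTTP {status}")
    if content_type.split(";")[0].strip() != "application/taxii+json":
        raise ValueError(f"unexpected Content-Type {content_type!r}")
    roots = json.loads(body).get("api_roots", [])
    if not roots:
        raise ValueError("discovery response lists no api_roots")
    return roots


def readable_collections(body):
    """Map collection titles to ids from a /collections/ reply, keeping only the
    collections this client may read (can_read) so nothing unreadable is polled."""
    cols = json.loads(body).get("collections", [])
    return {c["title"]: c["id"] for c in cols if c.get("can_read")}


# Constructed sample replies (not captured from a real XSOAR server).
DISCOVERY_OK = json.dumps({"title": "XSOAR TAXII2 Server", "api_roots": [
    "https://ext-t1.example/xsoar/instance/execute/taxii-srv/taxii2/threatintel/"]})
COLLECTIONS_OK = json.dumps({"collections": [
    {"id": "00000000-0000-4000-8000-000000000001", "title": "shared_ips",
     "can_read": True, "can_write": False, "media_types": ["application/stix+json;version=2.1"]},
    {"id": "00000000-0000-4000-8000-000000000002", "title": "internal_only",
     "can_read": False, "can_write": False, "media_types": ["application/stix+json;version=2.1"]}]})
```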

 

Conclusion

 

In conclusion, integrating Cortex XSOAR with a TAXII server/client proves to be a powerful synergy for enhancing cybersecurity operations and information sharing. The seamless exchange of threat intelligence facilitated by TAXII allows organizations to stay ahead of emerging threats and bolster their defense mechanisms. Cortex XSOAR's versatility as a security orchestration, automation, and response platform, coupled with its integration with TAXII, empowers security teams to streamline workflows, automate routine tasks, and make informed decisions based on the latest threat intelligence. By harnessing the capabilities of these technologies, organizations can fortify their cybersecurity posture, respond rapidly to incidents, and ultimately stay resilient in the ever-evolving landscape of cyber threats.

 

Additional Resources

 

TAXII 2 Server reference – Cortex XSOAR
TAXII Client Reference – Cortex XSOAR
Indicator Concepts – Cortex XSOAR
