Cortex XSOAR tool integrations methods


L1 Bithead

Hi,

 

As per the link below, integrations can be executed via REST API, webhooks, and other techniques. So I'd like to know what other methods are available in the XSOAR platform.

 

https://xsoar.pan.dev/docs/concepts/concepts#:~:text=Product%20integrations%20(or%20apps)%20are%20me...

 

Regards,

Deepa

3 REPLIES

L2 Linker

It's important to understand that "Integrations" is a really broad category. Basically everything that provides a service (long running listener), or a connection to a third party service is an integration. An instance of an integration can (and usually will) have multiple methods associated with it, and those can be called differently.

 

Some integrations can be used to fetch / ingest incidents. Some examples of this are the "syslog listener" and "email listener" integrations. The syslog listener literally runs a syslog server, so you can "execute" the integration by sending a syslog message. The email listener "listens" to an email inbox, and so will run (create an incident) when an email arrives. The email integration (and many other similar integrations) are actually implemented via polling, so the "trigger" to execute actually resides completely within the other system.

 

For these kinds of integrations, basically every integration will have a different method to trigger it. Providing a new trigger method is one of the primary reasons why integrations like this are created.

 

Other integrations are used to query data or perform actions from / in external systems. A common example of this is integrations used to look up IOC details (e.g., AutoFocus, VirusTotal), but other integrations like SplunkPy (for searching Splunk logs), Generic SQL and "Send Email" are also relevant here. These integrations are usually executed by other parts of the XSOAR system itself. They can be:

* Used as tasks in a playbook

* Executed manually in the CLI from an open incident or Playground

* Called from within other Automations with demisto.executeCommand() or similar

 

Since there are so many integrations and they can be used in so many different ways it isn't really possible to give a concrete list of all the ways an integration could be triggered. If you have a specific system you're interested in, or a use case you're interested in executing please describe it and we can look at that in more specific detail.

 

Hi,

 

Thanks for the detailed information.

 

1. We need to integrate Bluecoat ASG into XSOAR. As it is not part of the OOTB integrations, we have to build a custom integration for it. As per the link below, the Bluecoat proxy doesn't have an API that fetches data from it or integrates with 3rd-party tools.

https://knowledge.broadcom.com/external/article?articleId=206621#:~:text=The%20ProxySG%20does%20not%....

 

In the same link they have given some workarounds to integrate with third party tools.

For the 1st workaround, they don't use the Management Center REST API.

For the 2nd workaround, it's mentioned that URLs can be used to fetch information about the proxy. We want to understand whether this is possible through XSOAR, and also whether web scraping is possible through XSOAR.

 

2. Using the OOTB integration "Remote Access v2", it's possible to SSH to the Linux machines. There are more than 3000 Linux devices; is it required to integrate all the devices separately in XSOAR if we want to SSH to all of them? It would be great if you could suggest any other solution to achieve this without adding each SSH device as a separate integration instance.

 

Regards,

Deepa

 

For the 2nd workaround, it's mentioned that URLs can be used to fetch information about the proxy. We want to understand whether this is possible through XSOAR, and also whether web scraping is possible through XSOAR.

 

With custom integrations (and automations) you can define your own code in languages such as Python, so even if it's not a proper API you will be able to make arbitrary HTTP(S) requests with Python libraries such as the requests library (https://requests.readthedocs.io/en/latest/). Keep in mind that my comments below about your number of hosts will still apply here if you decide to go with a custom integration.

 

2. Using the OOTB integration "Remote Access v2", it's possible to SSH to the Linux machines. There are more than 3000 Linux devices; is it required to integrate all the devices separately in XSOAR if we want to SSH to all of them? It would be great if you could suggest any other solution to achieve this without adding each SSH device as a separate integration instance.

 

In general, an instance of an integration is intended to represent a single external host or system that XSOAR is connecting to, and stores configuration details for that host/system. So in general you would want to do each separately, but with 3000 hosts this will cause problems with the number of instances you have. Remote Access v2 looks like it will let you override the configured host name with a parameter when running a command so long as the authentication information is the same so this is a possibility, but at 3000 hosts you're still looking at significant effort to run a single command across your whole fleet. If you do go this route, I'd probably suggest looking at something like the Ansible integration instead of straight remote access for the concurrency.

 

Depending on the size and structure of the data you're looking for, you should also consider logging it to your SIEM solution and then fetching it with the SIEM integration rather than talking to each host individually.

 

Lastly, if you're looking to push URLs into an allow/deny list in your proxies, I'd suggest checking out this: https://knowledge.broadcom.com/external/article/166449/ combined with the "Generic Export Indicators Service" integration which can host lists of URLs and supports ProxySG format. This would completely sidestep the issue with the number of hosts, as those hosts would reach out to XSOAR instead of the other way around.

 

I hope that helps!
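To illustrate the "scrape a URL from custom integration code" approach discussed above, here is an added example (not code from the thread, Palo Alto Networks or Broadcom) that fetches a proxy status page over HTTPS with basic auth, keeps TLS verification on unless the instance explicitly disables it, and parses a two-column HTML table into a dict. The `/mgmt/status` path, the page layout and the sample values are constructed assumptions; the stdlib `urllib` is used instead of `requests` so the block runs without extra packages, and in a real XSOAR integration the URL and credentials would come from the instance parameters rather than arguments.

```python
import re
import ssl
import urllib.request
from html.parser import HTMLParser


class _KeyValueTable(HTMLParser):
    """Collect <td> cell texts in document order."""

    def __init__(self):
        super().__init__()
        self._in_td = False
        self.cells = []

    def handle_starttag(self, tag, attrs):
        if tag == "td":
            self._in_td = True
            self.cells.append("")

    def handle_endtag(self, tag):
        if tag == "td":
            self._in_td = False

    def handle_data(self, data):
        if self._in_td:
            self.cells[-1] += data


def parse_status_page(html):
    """Pair consecutive <td> cells into key/value entries, normalising whitespace."""
    parser = _KeyValueTable()
    parser.feed(html)
    cells = [re.sub(r"\s+", " ", c).strip() for c in parser.cells]
    return {cells[i]: cells[i + 1] for i in range(0, len(cells) - 1, 2)}


def fetch_status_page(base_url, username, password, verify_tls=True, timeout=30):
    """HTTPS GET with basic auth. verify_tls=False mirrors XSOAR's 'insecure' checkbox."""
    url = base_url.rstrip("/") + "/mgmt/status"  # constructed path, not a real ProxySG endpoint
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    mgr = urllib.request.HTTPPasswordMgrWithDefaultRealm()
    mgr.add_password(None, url, username, password)
    opener = urllib.request.build_opener(
        urllib.request.HTTPBasicAuthHandler(mgr), urllib.request.HTTPSHandler(context=ctx)
    )
    with opener.open(url, timeout=timeout) as resp:  # timeout keeps a hung proxy from stalling the playbook
        return resp.read().decode("utf-8", "replace")


# Constructed sample of what such a status page might contain.
SAMPLE_HTML = """<html><body><table>
<tr><td>Hostname</td><td>proxy-01.example.net</td></tr>
<tr><td>Version</td><td> SGOS 7.3.1 </td></tr>
<tr><td>CPU Utilization</td><td>12%</td></tr>
</table></body></html>"""
```

Calling `parse_status_page(SAMPLE_HTML)` returns the three rows as a dict, which a command would then wrap in `CommandResults` for the incident context.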

 

 
