
ProtectWise

This Integration is part of the ProtectWise Pack.

When integrating ProtectWise with Cortex XSOAR, event data is received as a continuous stream that Cortex XSOAR can process.

To set up the integration on Cortex XSOAR:

  1. Go to ‘Settings > Integrations > Servers & Services’.
  2. Locate the ProtectWise integration by searching for ‘ProtectWise’ using the search box at the top of the page.
  3. Click ‘Add instance’ to create and configure a new integration. Configure the following ProtectWise and Cortex XSOAR-specific settings:

Name: A textual name for the integration instance.

URL: The hostname or IP address of the ProtectWise application. Make sure the Cortex XSOAR server (or the engine you select below) can reach it on that IP address and port.

Email & Password: The credentials for accessing the API.

Do not validate certificate (insecure): Select to skip validation of the server certificate. You may want to do this if Cortex XSOAR cannot validate the integration server's certificate (for example, because the CA certificate is missing).

Only fetch events with this text in the name: To pull only events with a specific name, specify it here. Cortex XSOAR looks for any one of the filter values in the event name (the comparison is case insensitive).
Separate multiple names with a comma. For example: Progression,Lateral Movement

Filter by threat category: To pull threats according to threat category.

Filter by killchain stage: To pull threats according to threat killchain stage.

Filter by LOW, MEDIUM, or HIGH threatLevel: To pull threats according to threat level.

Fetch incidents: Select whether to automatically create Cortex XSOAR incidents from the integration's events.
If this option is checked, the first fetch will search for events 10 minutes back from the moment you turn on Fetching. Subsequently, new offences will be fetched as soon as they are generated. Use the "Query to fetch offences" option to pull older offences as incidents.
The next fetch interval depends on the system-wide interval (default 1 min).

Incident type: Specify the Cortex XSOAR incident type that will be set for incidents from this integration.

Use system proxy settings: Select whether to communicate via the system proxy server or not.

Cortex XSOAR engine: If relevant, select the engine that acts as a proxy to the server.

Engines are used when you need to access remote network segments and there are network devices such as proxies, firewalls, etc. that prevent the Cortex XSOAR server from reaching the remote networks directly.

For more information on Cortex XSOAR engines see:
https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Engines

  4. Press the ‘Test’ button to validate the connection.
  5. After the test completes successfully, press the ‘Done’ button.

Commands:

protectwise-event-info - Look up a single event and its associated observations in ProtectWise.
protectwise-event-pcap-download - Download the PCAP for an event.
protectwise-event-pcap-info - Get ProtectWise event PCAP info.
protectwise-observation-info - Look up a single observation in ProtectWise.
protectwise-observation-pcap-download - Download the PCAP for an observation.
protectwise-observation-pcap-info - Get ProtectWise observation PCAP info.
protectwise-search-events - Search events. Events are resources that describe a threat and contain a collection of observations.
protectwise-search-observations - Search observations in ProtectWise.
protectwise-show-sensors - List all available sensors.

Example:

The following shows how fields provided by the API are mapped as labels in fetched Events.

[killChainStage] Fortification
[observedAt] 2017-08-04T13:00:03.436Z
[isUpdate] true
[type] MaliciousFlow
[threatLevel] High
[category] Suspicious
[observationCount] 2
[sensorId] 1849
[cid] 1820
[message] Critical Lateral Movement Activity on Hosts: 192.168.2.81,192.168.2.170
[confidence] 100
[endedAt] 2017-08-04T12:59:49.156Z
[threatScore] 70
[id] 000555ed127a1ca0b771fc0e4270cfcc24510b32d7ff9b9d66dfedcf
[startedAt] 2017-08-04T12:59:49.156Z
[threatSubCategory] None
[priority] false
[agentId] 1849
[observedStage] Realtime
[netflowCount] 1
[sensorIds] 1849
[Brand] ProtectWise
[Instance] ProtectWise_instance_1
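As an added example (not the integration's own code), the following Python applies the instance filter settings described above to sample events and builds the label list shown in the example. The event dicts are constructed; the exact-match semantics for the category, killchain stage and threat level filters, and the use of the `message` field as the event name, are assumptions.

```python
# Added example, not the integration's own code: applies the instance filter settings
# described above to ProtectWise events and builds the incident labels shown in Example.
from typing import Dict, List, Optional

# Constructed sample events, shaped like the labels listed on this page (not real data).
SAMPLE_EVENTS: List[Dict] = [
    {"id": "evt-1", "message": "Critical Lateral Movement Activity on Hosts: 192.168.2.81,192.168.2.170",
     "killChainStage": "Fortification", "threatLevel": "High", "category": "Suspicious", "threatScore": 70},
    {"id": "evt-2", "message": "Progression: beaconing to a known C2 host",
     "killChainStage": "Command and Control", "threatLevel": "Medium", "category": "Malicious", "threatScore": 55},
    {"id": "evt-3", "message": "Port scan from internal host",
     "killChainStage": "Reconnaissance", "threatLevel": "Low", "category": "Suspicious", "threatScore": 20},
]

def parse_filter(raw: Optional[str]) -> List[str]:
    """Split a comma-separated instance setting into non-empty, lower-cased terms."""
    return [t.strip().lower() for t in (raw or "").split(",") if t.strip()]

def event_matches(event: Dict, name_filter: Optional[str] = None, category: Optional[str] = None,
                  kill_chain_stage: Optional[str] = None, threat_level: Optional[str] = None) -> bool:
    """Mirror the instance settings: the name filter is a case-insensitive substring match
    against the event name (any one term suffices); the other three are exact, case-insensitive
    matches; an empty setting means no filtering on that field (assumed semantics)."""
    name = str(event.get("message", "")).lower()
    terms = parse_filter(name_filter)
    if terms and not any(t in name for t in terms):
        return False
    for setting, field in ((category, "category"), (kill_chain_stage, "killChainStage"),
                           (threat_level, "threatLevel")):
        if setting and str(event.get(field, "")).lower() != setting.strip().lower():
            return False
    return True

def event_to_labels(event: Dict, instance_name: str = "ProtectWise_instance_1") -> List[Dict[str, str]]:
    """One {"type": field, "value": text} label per API field, plus the Brand/Instance labels."""
    labels = [{"type": k, "value": str(v)} for k, v in event.items()]
    labels += [{"type": "Brand", "value": "ProtectWise"}, {"type": "Instance", "value": instance_name}]
    return labels

def fetch_filtered(events: List[Dict], **filters) -> List[Dict]:
    """Incident payloads (name + labels) for the events that pass the configured filters."""
    return [{"name": e["message"], "labels": event_to_labels(e)} for e in events if event_matches(e, **filters)]
```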
