When integrating ProtectWise with Cortex XSOAR, event data is received as a continuous stream, which Cortex XSOAR can fetch and turn into incidents.
To set up the integration on Cortex XSOAR:
- Go to ‘Settings > Integrations > Servers & Services’
- Locate the ProtectWise integration by searching for ‘ProtectWise’ using the search box at the top of the page.
- Click ‘Add instance’ to create and configure a new integration. You should configure the following ProtectWise and Cortex XSOAR-specific settings:
Name : A textual name for the integration instance.
URL : The hostname or IP address of the ProtectWise API. Make sure it is reachable from the Cortex XSOAR server (or engine) on the configured port.
Email & Password: the credentials for accessing the API.
Do not validate certificate (insecure): Select to skip validation of the server certificate. Use this only if Cortex XSOAR cannot validate the integration server certificate (for example, because the issuing CA certificate is missing). With validation disabled, anyone on the network path can impersonate the ProtectWise API and capture the Email & Password credentials, so importing the missing CA certificate into Cortex XSOAR is the preferable fix.
Only fetch events with this text in the name:
To only pull events with a specific name, specify it here. Cortex XSOAR will look for one of the filter values in the Event name (comparison is case insensitive).
Separate multiple names with a comma. For example: Progression,Lateral Movement
Filter by threat category : To pull threats according to threat category.
Filter by killchain stage : To pull threats according to threat killchain stage.
Filter by LOW, MEDIUM, or HIGH threatLevel : To pull threats according to threat level.
Fetch incidents: Select whether to automatically create Cortex XSOAR incidents from the integration's events.
If this option is checked, the first fetch will search for events 10 minutes back from the moment you turn on fetching. Subsequently, new events are fetched as soon as they are generated. Use the "Query to fetch offences" option to pull older events as incidents.
The next fetch interval depends on the system-wide interval (default 1 min).
Incident type: Specify the Cortex XSOAR incident type that will be set for incidents from this integration.
Use system proxy settings : Select whether to communicate via the system proxy server or not.
Cortex XSOAR engine: If relevant, select the engine that acts as a proxy to the server.
Engines are used when you need to access remote network segments and there are network devices such as proxies, firewalls, etc. that prevent the Cortex XSOAR server from accessing the remote networks.
For more information on Cortex XSOAR engines see:
- Press the ‘Test’ button to validate connection.
- After completing the test successfully, press the ‘Done’ button.
The following shows how fields provided by the API are mapped as labels in fetched Events.
[killChainStage] Fortification
[observedAt] 2017-08-04T13:00:03.436Z
[isUpdate] true
[type] MaliciousFlow
[threatLevel] High
[category] Suspicious
[observationCount] 2
[sensorId] 1849
[cid] 1820
[message] Critical Lateral Movement Activity on Hosts: 192.168.2.81,192.168.2.170
[confidence] 100
[endedAt] 2017-08-04T12:59:49.156Z
[threatScore] 70
[id] 000555ed127a1ca0b771fc0e4270cfcc24510b32d7ff9b9d66dfedcf
[startedAt] 2017-08-04T12:59:49.156Z
[threatSubCategory] None
[priority] false
[agentId] 1849
[observedStage] Realtime
[netflowCount] 1
[sensorIds] 1849
[Brand] ProtectWise
[Instance] ProtectWise_instance_1
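The following is an added example, not the ProtectWise integration's own code, that simulates the fetch behaviour described above end to end: the fetch window (10 minutes back on the first run, then from the last fetched event), the name, category, kill-chain stage and threat-level filters, and the field-to-label mapping shown in the list. It assumes that the "Event name" the name filter is matched against is the event's `message` field, that the filter settings are passed as a plain dict with the hypothetical keys `name_filter`, `category`, `killchain_stage`, `threat_level` and `incident_type`, and that the event payloads (constructed samples, with invented `id` values) carry the field names from the mapping above.

```python
"""Simulated ProtectWise -> Cortex XSOAR fetch (added example, not the
integration's own code). Events below are constructed samples; field names
follow the label mapping on this page. The 'event name' is assumed to be
the 'message' field, and the parameter keys are assumed names."""
import json
from datetime import datetime, timedelta, timezone

FIRST_FETCH_WINDOW = timedelta(minutes=10)  # first fetch looks 10 minutes back

# Constructed sample events (ids are invented; shape follows the label mapping).
SAMPLE_EVENTS = [
    {"id": "evt-1", "type": "MaliciousFlow", "killChainStage": "Fortification",
     "category": "Suspicious", "threatLevel": "High", "threatScore": 70,
     "message": "Critical Lateral Movement Activity on Hosts: 192.168.2.81,192.168.2.170",
     "observedAt": "2017-08-04T13:00:03.436Z", "sensorId": 1849, "cid": 1820},
    {"id": "evt-2", "type": "MaliciousFlow", "killChainStage": "Infiltration",
     "category": "Malware", "threatLevel": "Low", "threatScore": 20,
     "message": "Progression: periodic beaconing from 192.168.2.10",
     "observedAt": "2017-08-04T13:02:00.000Z", "sensorId": 1849, "cid": 1820},
    {"id": "evt-3", "type": "Alert", "killChainStage": "Fortification",
     "category": "Suspicious", "threatLevel": "Medium", "threatScore": 45,
     "message": "Unusual DNS query volume",
     "observedAt": "2017-08-04T12:40:00.000Z", "sensorId": 1850, "cid": 1820},
]


def parse_ts(ts: str) -> datetime:
    """ISO-8601 timestamp with trailing 'Z' -> timezone-aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def fetch_window_start(last_run: dict, now: datetime) -> datetime:
    """First fetch: 10 minutes back from 'now'. Later fetches: resume from the
    observedAt of the last event returned by the previous run."""
    if last_run.get("last_fetch"):
        return parse_ts(last_run["last_fetch"])
    return now - FIRST_FETCH_WINDOW


def name_matches(event_name: str, name_filter: str) -> bool:
    """'Only fetch events with this text in the name': comma-separated values,
    any one of which may appear in the event name; comparison is case-insensitive."""
    needles = [n.strip().lower() for n in name_filter.split(",") if n.strip()]
    if not needles:
        return True  # empty filter: no restriction
    return any(n in event_name.lower() for n in needles)


def event_passes(ev: dict, params: dict) -> bool:
    """Apply the instance filters; an unset filter means 'no restriction'."""
    if not name_matches(ev.get("message", ""), params.get("name_filter", "")):
        return False
    for param_key, field in (("category", "category"),
                             ("killchain_stage", "killChainStage"),
                             ("threat_level", "threatLevel")):
        wanted = params.get(param_key)
        if wanted and str(ev.get(field, "")).lower() != wanted.lower():
            return False
    return True


def to_incident(ev: dict, instance: str, incident_type: str) -> dict:
    """Turn one API event into an XSOAR-style incident: every API field becomes
    a label, plus the Brand and Instance labels shown in the mapping above."""
    labels = [{"type": k, "value": str(v)} for k, v in ev.items()]
    labels += [{"type": "Brand", "value": "ProtectWise"},
               {"type": "Instance", "value": instance}]
    return {"name": ev.get("message", ev["id"]),
            "occurred": ev["observedAt"],
            "type": incident_type,
            "rawJSON": json.dumps(ev),
            "labels": labels}


def fetch_incidents(events, params, last_run, now, instance="ProtectWise_instance_1"):
    """Window -> filters -> incidents. Returns (incidents, new_last_run) so the
    next fetch resumes where this one stopped instead of re-creating incidents."""
    start = fetch_window_start(last_run, now)
    selected = sorted((e for e in events
                       if parse_ts(e["observedAt"]) > start and event_passes(e, params)),
                      key=lambda e: e["observedAt"])
    incident_type = params.get("incident_type", "ProtectWise")
    incidents = [to_incident(e, instance, incident_type) for e in selected]
    new_last_run = dict(last_run)
    if selected:
        new_last_run["last_fetch"] = selected[-1]["observedAt"]
    return incidents, new_last_run


if __name__ == "__main__":
    now = parse_ts("2017-08-04T13:05:00.000Z")
    params = {"name_filter": "Progression,Lateral Movement"}
    incidents, last_run = fetch_incidents(SAMPLE_EVENTS, params, {}, now)
    print(len(incidents), "incident(s); next fetch resumes at", last_run["last_fetch"])
```

Run as-is, the first fetch at 13:05 sees only the two events newer than 12:55 and both match the name filter; a second call with the returned `last_run` yields nothing new. Resuming strictly after the last `observedAt` means two events sharing a timestamp to the millisecond could be skipped; a production fetch would also keep the ids already turned into incidents and de-duplicate on them.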