If you have ever had to handle security incidents, you know how difficult it can be. More often than not, the system that detected the incident lacks the context needed to decide whether it is a false positive or something that needs further investigation, and the other systems involved typically don’t hold the full picture of the incident either. Automation would also help a great deal, so that you could tell the system: “Hey, if you see this particular incident again from a similar IP address, go to my firewall, block it, and then let me know when you’re done.” This is where Cortex XSOAR comes in.
If these challenges sound familiar, what you need is an orchestration and automation tool such as Palo Alto’s Cortex XSOAR. It is built to make the security analyst’s life a lot easier: you configure multiple plugins (integrations) for interacting with multiple systems, both automatically and manually.
Combined with the flexibility and reach of the security-related information provided by Coralogix, you can easily analyze security alerts from many different sources, correlate the various Indicators of Compromise (IOCs), build a coherent, evidence-based timeline, react to the incident, and even automate the handling of similar incidents. XSOAR provides all of this from a single pane of glass.
There are countless use cases for this integration, so we’ll just provide a few examples to get you started.
The process for adding the Coralogix integration pack is simple and straightforward; the integration instance is configured with the following parameters:
| Parameter | Description | Required / default |
|---|---|---|
| | The name of the Coralogix integration instance (can be any name you like) | |
| | Whether or not to fetch incidents via this integration | Do not fetch |
| Coralogix WebAPI Endpoint URL | The Coralogix WebAPI URL | Yes (don't change it unless instructed to do so by Coralogix personnel) |
| | Your Coralogix account Send-Your-Data API key | |
| Application Name (for tags) | The Coralogix application name that will be assigned to the tags created by this instance | |
| Subsystem Name (for tags) | The Coralogix subsystem name that will be assigned to the tags created by this instance | |
| Coralogix ES-API Endpoint URL | The Coralogix ES-API URL | |
| Basic incidents query | The Lucene query for fetching incidents. If not specified, returns the Coralogix alerts that were sent to the Demisto webhook | |
| Incidents Application Name | Limits the incidents query to only return incidents of a specific application name | |
| | Limits the incidents query to only return incidents of a specific severity | |
| Incidents Name Field | The Coralogix field whose value should be used as the incident's name. If not specified, the integration uses the "alert_name" field | |
| Incidents first fetch days | The number of days to look back for incidents | |
| Maximum number of incidents to fetch at a single call | Maximum number of incidents to retrieve at each call to Coralogix | |
After configuring these parameters you should be able to run the following commands from the war room:
!coralogix-search (runs a query against your Coralogix data), for example:
!coralogix-search query="security.rcode_name:\"NXDOMAIN\"" using="Coralogix_instance_1"
!coralogix-tag (creates a tag with a name and a timestamp), for example:
!coralogix-tag name="Data leak started" timestamp="2020-12-31T23:59:59"
Also, just like with any other Cortex XSOAR integration, you can create any playbook you’d like and combine these operations with operations available from other integrations to respond to security-related incidents automatically.
We hope you found this content helpful.
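As an added example (not code from the original post or from the Coralogix pack), the Python below renders the two war-room commands shown above with correct argument quoting and sketches the threshold decision behind the "block it if you see it again from that address" automation described at the start. The src_ip field name and the sample search results are assumptions constructed for the example.

```python
from collections import Counter
from datetime import datetime, timezone
from typing import Dict, List, Optional

def quote_arg(value: str) -> str:
    """Quote one argument value for an XSOAR war-room command line: backslashes and
    embedded double quotes are backslash-escaped, as in the query argument above."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'

def build_command(command: str, args: Dict[str, str], using: Optional[str] = None) -> str:
    """Render `!command key="value" ...`; `using` selects the integration instance."""
    parts = [f"!{command}"] + [f"{k}={quote_arg(v)}" for k, v in args.items()]
    if using:
        parts.append(f"using={quote_arg(using)}")
    return " ".join(parts)

def lucene_term(field: str, value: str) -> str:
    """Exact-match Lucene term, e.g. security.rcode_name:"NXDOMAIN"."""
    return f'{field}:"{value}"'

def search_command(field: str, value: str, instance: str) -> str:
    """The !coralogix-search line for one field/value pair on a given instance."""
    return build_command("coralogix-search", {"query": lucene_term(field, value)}, using=instance)

def tag_command(name: str, timestamp: str, instance: Optional[str] = None) -> str:
    """The !coralogix-tag line; timestamp uses the YYYY-MM-DDTHH:MM:SS form shown above."""
    return build_command("coralogix-tag", {"name": name, "timestamp": timestamp}, using=instance)

# Constructed sample search results. The "src_ip" field name is an assumption;
# the real field depends on the log schema your Coralogix instance indexes.
SAMPLE_HITS: List[Dict[str, str]] = [
    {"security.rcode_name": "NXDOMAIN", "src_ip": "10.0.0.5"},
    {"security.rcode_name": "NXDOMAIN", "src_ip": "10.0.0.5"},
    {"security.rcode_name": "NXDOMAIN", "src_ip": "10.0.0.7"},
    {"security.rcode_name": "NOERROR", "src_ip": "10.0.0.9"},
    {"security.rcode_name": "NXDOMAIN", "src_ip": "10.0.0.5"},
]

def repeat_offenders(hits: List[Dict[str, str]], threshold: int, ip_field: str = "src_ip") -> List[str]:
    """Source addresses with at least `threshold` NXDOMAIN answers, most frequent first:
    the "seen this from the same address again" decision a playbook would hand to a
    firewall-block step provided by another integration."""
    counts = Counter(h[ip_field] for h in hits if h.get("security.rcode_name") == "NXDOMAIN")
    return [ip for ip, n in counts.most_common() if n >= threshold]

if __name__ == "__main__":
    print(search_command("security.rcode_name", "NXDOMAIN", "Coralogix_instance_1"))
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")
    for ip in repeat_offenders(SAMPLE_HITS, threshold=2):
        print(tag_command(f"Blocked {ip} after repeated NXDOMAIN", now))
```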