Request Demo
Integrations

Automate Security Incidents Management with Cortex XSOAR and Coralogix

What is Cortex XSOAR?

If you ever needed to handle security incidents you know how difficult it can be. More often than not, the system that detected the incident lacks the contextual information needed to figure out whether it’s a false positive or something that needs to be investigated further. Other systems typically don’t contain the full information either about the discovered incident. Also, automation would be of great help to tell the system: “Hey, if you see this particular incident from a similar IP address go to my firewall and block it and then inform me when you’re done”. This is where Cortex XSOAR comes in.

If these challenges sound familiar to you, then what you need is an orchestration and automation tool like Palo-Alto’s Cortex XSOAR. This tool is built for making the life of the security analyst a lot easier. It allows you to configure multiple plugins for interacting with multiple systems both automatically and manually. Together with the flexibility and the reach of security-related information provided by Coralogix, you can easily analyze security alerts from many different sources, correlate the various Indicators of Compromise (IOCs), form a coherent evidence-based timeline, and react to the incident and even automate the handling of similar incidents. XSOAR provides all of that from a single pane of glass.

Integration Benefits

  1. The ability to automatically create an incident in Cortex XSOAR for every alert in Coralogix that was sent to a Demisto Webhook.
  2. The ability to search for data that you have in your Coralogix account, both automatically as part of a playbook as well as manually directly from the Cortex XSOAR war room.
  3. The ability to tag a timestamp in Coralogix both automatically as part of a playbook as well as manually directly from the Cortex XSOAR war room.

Use Cases

There are countless use-cases for this integration so we’ll just provide you with few examples to get you started.

  1. Use Coralogix STA to collect and automatically analyze network traffic and have a firewall, like CheckPoint to automatically block access to addresses related to an attack detected by the STA.
  2. Investigate a security incident, either detected by Coralogix or by any other installed system, that supposedly involved both internal and external actors and you would like to form a timeline that would include security-related events as well code changes of the company’s product to figure out whether there’s a correlation between code changes and various security-related activities.
  3. Investigate a security incident either detected by Coralogix or by any other installed system and you need some information related to AWS CloudTrail, Coralogix STA, Database logs, Code and configuration changes, servers logs, or any other type of data that is stored on your Coralogix account and you’d like to search for it without leaving the Cortex XSOAR war room.

How to Integrate Coralogix and XSOAR

The process for adding the Coralogix integration pack is quite simple and straightforward:

  1. Navigate to Cortex XSOAR Marketplace.
  2. Search for Coralogix.
  3. Click on Install on the top right corner and then on Install at the bottom right corner.
  4. Once it is installed, click on Settings > Integrations and then on Add instance on the right-hand side and fill in the following parameters:
Parameter NameDescriptionRequiredDefault Value
NameThe name of the Coralogix integration instance (Can be any name you like)Yes N/A
Fetches incidentsWhether or not to fetch incidents via this integrationNoDo not fetch
Coralogix WebAPI Endpoint URLThe Coralogix WebAPI URLYes (Don't change it unless instructed to do so by Coralogix personnel)https://webapi.coralogix.com
Private KeyYour Coralogix account private keyYesN/A
Application Name (for tags)The Coralogix application name that will be assigned to the tags created by this instanceYesCortex XSOAR
Subsystem Name (for tags)The Coralogix subsystem name that will be assigned to the tags created by this instanceYesCortex XSOAR
Coralogix ES-API Endpoint URLThe Coralogix ES-API URLYeshttps://coralogix-esapi.coralogix.com:9443
Basic incidents queryThe Lucene query for fetching incidents. If not specified, will return Coralogix alerts that were sent to the Demisto webhookNoN/A
Incidents Application NameLimits the incidents query to only return incidents of a specific application nameNoN/A
Incidents SeverityLimits the incidents query to only return incidents of a specific severityNoN/A
Incidents Name FieldThe Coralogix field value that should be used as the incident's name. If not specified, the integration will use the "alert_name" fieldNoN/A
Incidents first fetch daysThe number of days to look back for incidentsNo3
Maximum number of incidents to fetch at a single callMaximum number of incidents to retrieve at each call to CoralogixNo50

After configuring these parameters you should be able to do the following:

  1. Automatically fetch incidents from Coralogix (based on the Demisto webhook) by checking the box next to “Fetches incidents” in the integration instance settings.
  2. Search for information in your Coralogix account directly from the Cortex XSOAR war room by using the command !coralogix-search for example:
!coralogix-search query="security.rcode_name:\"NXDOMAIN\"" using="Coralogix_instance_1"
  1. Tag interesting timestamps on the Coralogix timeline directly from the Cortex XSOAR war room by using the command !coralogix-tag for example:
!coralogix-tag name="Data leak started" timestamp="2020-12-31T23:59:59"

Also, just like with any other integration of Cortex XSOAR, you can create any playbook you’d like and combine these operations with operations available from other integrations to automatically respond to security-related incidents.

Hoping you found this content helpful.

Start solving your production issues faster

Let's talk about how Coralogix can help you

Managed, scaled, and compliant monitoring, built for CI/CD

Get a demo

No credit card required

Get a personalized demo

Jump on a call with one of our experts and get a live personalized demonstration