Cortex XSOAR is a major security orchestration, automation, and response (SOAR) platform. It's designed to help empower professional SOC (security operations center) teams in managing their operations through a strong balance of automation and human intervention.

Out of the gate, Cortex XSOAR emphasises a proactive approach to threat management. With powerful machine learning, the platform can help reduce man-hours spent in the early investigative and awareness stages of a threat, as well as automate the most immediate response actions.

What Cortex XSOAR offers to SOC teams:

• Highly scalable platform, able to grow with your enterprise and manage the ever increasing complexities of SOC operations.
• Comprehensive security orchestration with hundreds of available integrations and thousands of playbook automations.
• Improves threat investigations by facilitating collaboration through a virtual war room and investigation canvas.

What does it mean to integrate with Cortex XSOAR?

Integrating is the process of connecting two or more apps for the purpose of sharing their data and preventing operators from having to open multiple sessions in multiple apps. It leads to more responsive human intervention in security matters, as well as opening the door to potential automations that automatically respond to incidents.

Cortex XSOAR is designed to accommodate integrations, whether it be from a custom solution or through the tools available in the app.

The platform offers a BYOI (bring your own integration) functionality allowing you to activate built-in connections and connect to the APIs of your other apps. This functionality can be found in the Cortex XSOAR IDE and we will detail it further in a future post.

Content packs of prebuilt bundles, including integrations, playbooks, dashboards, and other dependencies of security orchestration are available through the XSOAR Marketplace.

Use cases for Cortex XSOAR Integrations:

1. Running commands and playbooks in SentinelOne to get the threat information and orchestrating an automated response to mitigate the threats. SentinelOne integration with XSOAR comes with an arsenal of commands that help the user see only the required information and act on it if necessary.

2. Facilitate case management when connected to a platform such as ServiceNow.

Integrating the two platforms, Cortex XSOAR can get additional details about particular tickets, assign them to relevant users, or even edit and close based on specific parameters without manual input.

3. Enrich data to augment threat intelligence when connected to an such as VirusTotal.

With integrations like this, you can automatically upload objects and retrieve scan results, add indications to the system, and update block lists.

4. Close cases, when no longer active, to better manage incidents inventory.

Using the Fetch Incidents command, Cortex XSOAR can edit or close incidents in your attached analytics or SIEM platform such as IBM QRadar.

5. Manage Network Security/Firewall parameters on the fly.

Add new block/accept policies at the source, destination, or port, for IP addresses and domains when new data is fed from a network monitoring tool.

Considering venturing into security automation and integration? Metron has experience integrating multiple security tools with primary systems, along with setting up automation components.

If you are considering any custom cybersecurity solution that focuses on the resources and needs of your organisation, please send a note to connect@metronlabs.com.