
Arcanna.ai and Palo Alto Cortex XSOAR

Introduction

Arcanna.ai is a decision intelligence platform that combines NLP, deep learning and user feedback. Integrated with Palo Alto Cortex XSOAR, it assists analysts in decision making, learns from daily incident resolutions and retains that knowledge to scale the team's capacity, moving towards a truly autonomous SOC.

Palo Alto Cortex XSOAR is a security orchestration, automation, and response (SOAR) platform that ingests alerts from various data sources and automates incident handling through playbooks. It also includes incident management capabilities. Arcanna.ai integrates seamlessly with Cortex XSOAR, letting users interact with Arcanna.ai directly from their playbooks.

The Arcanna.ai integration is available in the Cortex XSOAR marketplace and can be enabled directly from XSOAR. The Arcanna.ai content pack lets you ask Arcanna.ai for a decision at any point in a playbook, and automatically closes the feedback-loop by sending feedback to Arcanna.ai when you close the incident with a reason.

Incidents created by Cortex XSOAR are usually enriched by the automated investigation steps of the SOAR playbook, resulting in rich context that Arcanna.ai can use to make its decision.

The main benefits of using Arcanna.ai in conjunction with Cortex XSOAR are:

  • Improve operational efficiency and response time by assisting human decisions in the SOC.
  • Reduce the number of false positives by making decisions on tickets with relevant context.
  • Improve automated decision making by building your own deep learning model tailored to the particularities of your environment.

Prerequisites

  • Arcanna.ai - Arcanna.ai can be deployed on-premise or in your Kubernetes cluster. For setup, you can follow this user guide. For flexibility, Arcanna.ai exports the AI-processed alerts to an internal Elasticsearch/OpenSearch data warehouse, which needs to be installed together with Arcanna.ai. You can use an Elasticsearch/OpenSearch instance you already have, or a new one dedicated to the Arcanna.ai backend.

  • Cortex XSOAR - the Community edition is available free of charge here

How to connect with Cortex XSOAR

  1. First you need an Arcanna.ai API token. This can be generated from the Arcanna.ai web interface: open the drop-down menu below your username in the top right corner and select API Keys.

On this page you can manage the API keys. Click Add new user key and provide a relevant name for the key; the key is then generated automatically.

Info: Make sure you copy the generated API key, as it will not be displayed again after you leave this section. You will also need this key to finish the integration in Cortex XSOAR in a later step.

  2. Define the integration in Arcanna.ai. Go to Integrations and select External Data Source as the category and External REST API alerts as the subcategory. You will then be asked to provide the API key you created in Step 1 and to give the integration a name.

  3. Go to your Palo Alto Cortex XSOAR instance, open the Marketplace and search for Arcanna. Select it and click the Install button.

After the installation is complete, go to Settings -> Integrations -> Servers & Services, where you should see the newly installed Arcanna integration.

You can see all the commands available for this integration by clicking the Show commands button. These commands are provided by default by the Arcanna content pack; further commands can be added based on the user's needs.

Initially there are no instances, so click Add Instance. You will be prompted with the following window, whose fields are explained below:

  • Name - The name of your instance; it can be anything you want.
  • Server URL - The URL of the Arcanna.ai server, using its IP address and port 9666.
  • API Key - The API key you previously generated in Arcanna.ai.
  • Default Arcanna Job ID - The ID of the job created in Arcanna that should be used as the default. This is not mandatory.
  • A closing reason to Arcanna labels - This field comes populated with the predefined mapping that we consider suitable for an end-to-end integration. An example can be seen in the screenshot below; it can be customized to your needs.
  • Alert closing reason - This field also comes pre-populated, with closeReason. It is the incident field used to signal to Arcanna that an alert has been closed and to provide the feedback for that alert.

Test the connection and make sure it succeeds. Click Save & Exit and the integration is complete.

Info: When deployed in a VM or in AWS, the URL uses the same IP address used to access the UI. When deployed in a Kubernetes environment, the URL uses the ingress port or the node port configured at deployment.
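To make the closing-reason mapping and the optional default job ID concrete, here is an added Python example of the decision a playbook step makes when an incident is closed; it is not the content pack's own code. The label names, the mapping entries and the payload keys are assumptions, since the real defaults only appear in the screenshot.

```python
from dataclasses import dataclass, field
from typing import Optional

# Instance settings as described in the integration form above.
# The mapping below is a constructed example; Arcanna's real default
# mapping and label names are not reproduced here.
@dataclass
class ArcannaInstanceConfig:
    server_url: str                        # e.g. "http://<arcanna-host>:9666"
    api_key: str                           # key generated under API Keys in Arcanna.ai
    default_job_id: Optional[int] = None   # optional "Default Arcanna Job ID"
    closing_reason_field: str = "closeReason"   # "Alert closing reason" field
    reason_to_label: dict = field(default_factory=lambda: {
        "False Positive": "drop",          # assumed Arcanna label names
        "Resolved": "escalate",
        "Duplicate": "drop",
    })

def build_feedback(config, incident, job_id=None):
    """Return the feedback payload for a closed incident, or None when
    there is nothing to send (not closed yet, or reason not mapped)."""
    reason = incident.get(config.closing_reason_field)
    if not reason:
        return None                        # incident not closed with a reason yet
    label = config.reason_to_label.get(reason)
    if label is None:
        return None                        # e.g. "Other": unmapped, so no feedback
    # Job ID passed by the playbook wins; otherwise fall back to the instance default.
    effective_job = job_id if job_id is not None else config.default_job_id
    if effective_job is None:
        raise ValueError("no job id given and no Default Arcanna Job ID configured")
    if not config.api_key:
        raise ValueError("API key missing; it is shown only once when generated")
    # Payload keys are assumed for illustration, not the content pack's wire format.
    return {
        "job_id": effective_job,
        "event_id": incident["id"],
        "label": label,
        "closing_reason": reason,
    }
```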

Create an AI job

Go to the AI Jobs page and create a new job for decision making.

Use the previously defined integration and tune your input parameters. Arcanna also lets you add a tag to offenses, which can be anything you want.

Select the Generic Model as the processor, since we'll train a model from scratch.

Use the Arcanna.ai database to store the processed data.

The Automation step lets you define an automation, such as enriching some fields with VirusTotal or creating a ticket in a different incident response platform. For this use case the step is not mandatory, because Palo Alto Cortex XSOAR and Arcanna.ai already communicate through a closed feedback-loop.

Press Create and Start job and you are all set.

At this point Arcanna.ai can receive incidents sent from a Cortex XSOAR playbook, whether the playbook is triggered automatically or manually by an analyst.

Create a Cortex XSOAR playbook

Below is an example playbook we created that showcases the closed feedback-loop between Cortex XSOAR and Arcanna.ai.