Skip to main content

Cortex XSOAR

Palo Alto Cortex XSOAR is a security orchestration, automation, and response (SOAR) platform designed to ingest alerts from multiple data sources and automate playbooks for efficient incident response. It also offers robust incident management capabilities.

Arcanna - Cortex XSOAR integration

Arcanna integrates seamlessly with Cortex XSOAR, allowing users to interact with Arcanna directly within their playbooks, enhancing automation and decision-making processes.

Arcanna integration is available in the Cortex XSOAR marketplace and can be easily enabled directly from XSOAR. The Arcanna content pack enables you to ask Arcanna for a Decision at any point in a playbook, and to automatically close the feedback-loop by sending feedback to Arcanna when you close the incident with a reason.

Incidents created by Cortex XSOAR are usually enriched via automated investigation steps part of the SOAR playbook, resulting in a rich context that Arcanna can use to make the decision.

Main benefits on using Arcanna in conjunction with Cortex XSOAR are:

  • Improve operational efficiency and response time by assisting human decisions in SOC.
  • Reduce the number of false positives, making decisions on tickets with relevant context.
  • Improve automated decision making by building your own deep learning model tailored to the particularities of your environment.

Steps to configure Cortex XSOAR integration:

Prerequisites

  • A valid Arcanna instance - for setup, follow this user guide.
  • Cortex XSOAR - is free as Community edition here.

How to connect

Go to Arcanna instance:

  1. Generate an Arcanna API Key

  2. Connect to Cortex XSOAR:

    • Go to the Integrations tab
    • Search for Cortex XSOAR integration and click on it:
    integration-tab
    • Fill in all the fields as shown below using your own API Key and Title, and then click Confirm:
    integration-create

  3. Create an Arcanna use case using Cortex XSOAR integration:

    • Go to AI Use Cases tab and click Create use case
    • Complete the Title and select the Cortex XSOAR integration just created as the input, as shown below: integration-create
    • Click Save and run to save and start the use case.

Go to Cortex XSOAR dashboard:

  1. Navigate to your Palo Alto Cortex XSOAR instance and open the Marketplace. Search for Arcanna, select it, and click the Install button:

If Arcanna is already installed, you can find it under the Installed Content Packs tab:

After the installation is complete, go to Settings -> Integrations -> Servers & Services. Here you should see your newly installed Arcanna instance.

You can see all of the commands available for this integration by clicking on the Show commands button. Please note that these commands come by default from Arcanna and further commands can be added, based on the needs of the user.

In the beginning, you will not have any instances available, so click on Add Instance and you will be prompted with the following window, explained below:

  • Name - The name of your instance, it can be anything you want.
  • Server URL - The URL of Arcanna instance (IP:PORT or DNS, default port=9666).
  • Password - The API Key that you previously generated from Arcanna.
  • Default Arcanna Job ID - The Use Case ID created in Arcanna that you would like to be considered as default. This is not mandatory.
info

When deployed in VM or in AWS, URL includes the same IP used to access the UI. When deployed in the Kubernetes environment, the URL would be the ingress port or port node configured at deployment.

Test the connection and make sure it gets successful. Click Save & Exit and the integration is complete.

At this point, using the use case created above, Arcanna is able to receive incidents that have been called through a Cortex XSOAR playbook, be it automatically or manually by an analyst.

Configure Playbook with Arcanna commands

  • Create a Playbook trigger first.

  • When creating a new task, select from the available Arcanna automation commands, and specify the Arcanna instance if multiple instances are defined.

setup-cortex-integrations

Get jobs - Returns a list of jobs which use the defined API Key

  • Add a new task and choose arcanna-get-jobs automation and click Run. The result should look like this: setup-cortex-integrations
  • Go to Outputs tab to see a more detailed response: setup-cortex-integrations

Get decision set - Returns a list of possible Arcanna decisions for the specified job

  • Add a new task and choose arcanna-get-decision-set automation, configure job_id or get it from the previous task job_id=${Arcanna.Jobs.job_id} and click Run. The result should look like this: setup-cortex-integrations

Send Event to Arcanna

  • Add a new task and choose arcanna-send-event automation.
  • Configure job_id or get it from the previous task job_id=${Arcanna.Jobs.job_id}.
  • Configure title or get it from the incident title=${incident.name}.
  • Configure event_json with the incident to be send event_json=${incident_json}.
  • Configure id_value with the incident ID to be used in Arcanna id_value=${incident.alertid}.
  • Configure severity with the incident severity to be send severity=${incident.severity}.
setup-cortex-integrations
  • When running the playbook, the response should look like this:
setup-cortex-integrations
  • Repeat this step to send multiple events to Arcanna.
  • Now we can navigate to the job's Event Explorer page and review our documents:
setup-integrations

Export Event from Arcanna

  • Add a new task and choose arcanna-export-event automation.
  • Configure job_id or get it from the previous task job_id=${Arcanna.Event.job_id}.
  • Configure event_id or get it from the previous task job_id=$${Arcanna.Event.event_id}.
setup-integrations
  • When running the playbook, the response should look like this: setup-cortex-integrations

Get Event status - Used to obtain Arcanna's prediction for a given alert

  • Add a new task and choose arcanna-export-event automation.
  • Configure job_id or get it from the previous task job_id=${Arcanna.Event.job_id}.
  • Configure event_id or get it from the previous task event_id=$${Arcanna.Event.event_id}. setup-integrations
  • When running the playbook, the response should look like this: setup-cortex-integrations
  • Observe the Arcanna result is no_decision since no AI model is trained yet.

Send Analyst Feedback to Arcanna - Used to incorporate analyst knowledge into Arcanna

  • Before this step: Go to Arcanna and select Decision Points
  • Add a new task and choose arcanna-export-event automation.
  • Configure job_id or get it from the previous task job_id=${Arcanna.Event.job_id}.
  • Configure the label selection as one from the decision set ${Arcanna.Event.decision_set}. Here, we manually select it to be 'Drop'.
  • Configure event_id or get it from the previous task event_id=$${Arcanna.Event.event_id}. Here, we manually select it to our incident ID.
  • Configure username to be displayed in Arcanna as the user who applied the feedback.
setup-integrations
  • When running the playbook, the response should look like this:
setup-cortex-integrations
  • Repeat this step to generate enough labeled data to trigger a retrain session.
  • Now we can navigate to the job's Feedback Page in Arcanna and verify that the feedback has been applied:
setup-integrations

Trigger AI Model training

  • Add a new task and choose arcanna-trigger-train automation.
  • Configure job_id or get it from the previous task job_id=${Arcanna.Jobs.job_id}.
  • Configure username to be displayed in Arcanna as the user who triggered the training session.
setup-integrations
  • If everything goes well, the output message should include 'status': 'ok'.
setup-integrations

Repeat the step Send Event to Arcanna and Get Event status. Observe the response indicates that the prediction for the above unseen alert is 'Drop' (class_1):

setup-integrations