Palo Alto XSOAR Integration
About Palo Alto XSOAR Integration
TrackMe provides a native integration with Palo Alto Cortex XSOAR that lets you create and track Cortex XSOAR incidents from TrackMe alerts.
The integration talks to Cortex XSOAR over its REST API, covering both on-demand calls and streaming incident creation and updates.
Overview
TrackMe XSOAR Integration (TA-trackme-xsoar) is a Splunk Technology Add-on that provides seamless integration between TrackMe and Palo Alto Cortex XSOAR. This integration enables:
REST API Integration: Create one or more XSOAR accounts in TrackMe to interact on-demand with Cortex XSOAR
Authentication: Based on an XSOAR API key and its API key ID, as required by the Cortex XSOAR API
Incident Management: Create or update incidents in a streaming manner
Resilient Backend: Automatically stores and reattempts failing REST API calls
Comprehensive Logging: Consistent and easy access to different logs
Key Features
Core Functionality:
XSOAR Command: Use the generating command xsoar to run GET/POST/DELETE REST calls to the XSOAR API
Streaming Incidents: Use the streaming command xsoarstreamincident to create or update incidents in a streaming manner
Resilient Store: Automatically stores and reattempts failing REST API calls for incident management
Incident Store: Stores incidents and key information in KVstore for tracking and management
Authentication & Security:
XSOAR API key and key ID based authentication (use a dedicated key with the minimum role needed to create and update incidents, rather than an administrator key)
FIPS compatible
Compatible with both standalone instances and Search Head Cluster (SHC) deployments
Installation
Installation Requirements:
No dependencies required
Developed on top of the Splunk UCC framework
Compatible with all supported versions of Splunk
Compatible with both standalone instances and Search Head Cluster (SHC) deployments
FIPS compatible
Installation Steps:
Download the application from the official download page
Install as usual in Splunk
Restart Splunk after the initial installation
Configure XSOAR accounts in the application
Download:
Official Download Page: https://downloads.trackme-solutions.com/TA-trackme-xsoar/
GitHub Repository: https://github.com/trackme-limited/TA-trackme-xsoar
Usage
XSOAR Command Usage:
The xsoar command provides REST API access to XSOAR:
| xsoar account="xsoar" method="GET" endpoint="/incident"
Streaming Incident Command:
The xsoarstreamincident command creates or updates incidents:
| makeresults
| eval incident_name="TrackMe entity alert", incident_details="Entity status changed", incident_severity=2
| xsoarstreamincident account="xsoar" incident_details="$incident_details$" incident_name="$incident_name$" incident_severity=2 incident_type="unclassified"
Active Commands for TrackMe Integration:
For opened incidents:
| eval incident_name="The TrackMe entity " . alias . " has received an incident", incident_details="The TrackMe entity " . alias . " has received an incident: " . object_state . ", detection_time: " . detection_time . ", messages: " . mvjoin(messages, "|")
| xsoarstreamincident account="xsoar" incident_details="$incident_details$" incident_name="$incident_name$" incident_severity=2 incident_type="unclassified" external_incident_id="$incident_id$"
For closed incidents:
| eval incident_name="The TrackMe entity " . alias . " has received an incident closure", incident_details="The TrackMe entity " . alias . " has received an incident closure update and is now in a non-alerting state: " . object_state . ", detection_time: " . detection_time . ", messages: " . mvjoin(messages, "|"), incident_reason="The TrackMe entity has returned to a non alerting state"
| xsoarstreamincident account="xsoar" incident_details="$incident_details$" incident_name="$incident_name$" incident_severity=2 incident_type="unclassified" incident_reason="$incident_reason$" incident_closeNotes="$incident_details$" external_incident_id="$incident_id$"
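The SPL above hides the REST exchange the Technology Add-on performs. The following is an added example, not code from TA-trackme-xsoar, of how the key and key ID authentication described in this page is presented to the Cortex XSOAR API and how a create-or-update incident call is shaped. It assumes the standard-key header scheme of the XSOAR 8 API (the API key in the Authorization header, the key ID in x-xdr-auth-id); the base URL, the credential values and the recording transport in demo_request() are placeholders so the code runs offline.

```python
# Added example (not part of TA-trackme-xsoar): minimal Cortex XSOAR 8 API client.
# Assumptions: standard (not advanced) API key scheme; placeholder base URL and
# credentials; network I/O injected so the example runs without a tenant.
import json
from typing import Callable, Optional, Tuple
from urllib import request as urlrequest
from urllib.error import HTTPError

Transport = Callable[[str, str, dict, Optional[bytes]], Tuple[int, bytes]]


class XsoarClient:
    def __init__(self, base_url: str, api_key: str, api_key_id,
                 transport: Optional[Transport] = None, timeout: int = 30):
        self.base_url = base_url.rstrip("/")
        self._api_key = api_key
        self.api_key_id = str(api_key_id)
        self.timeout = timeout
        # The transport is injectable so the example (and its test) runs offline.
        self.transport = transport or self._urllib_transport

    def headers(self) -> dict:
        # Standard XSOAR 8 key: the key goes in Authorization, the numeric key ID
        # in x-xdr-auth-id (assumption: standard key scheme as documented by Palo Alto).
        return {
            "Authorization": self._api_key,
            "x-xdr-auth-id": self.api_key_id,
            "Content-Type": "application/json",
            "Accept": "application/json",
        }

    def redacted_headers(self) -> dict:
        # Log this view, never headers(): the API key must not land in index=_internal.
        return {k: ("***" if k.lower() == "authorization" else v)
                for k, v in self.headers().items()}

    def _urllib_transport(self, method, url, headers, body):
        req = urlrequest.Request(url, data=body, headers=headers, method=method)
        try:
            with urlrequest.urlopen(req, timeout=self.timeout) as resp:
                return resp.status, resp.read()
        except HTTPError as err:          # 4xx/5xx still carry a JSON body worth keeping
            return err.code, err.read()

    def call(self, method: str, endpoint: str, payload: Optional[dict] = None):
        """Equivalent of `| xsoar method=... endpoint=...`: one REST call, JSON in and out."""
        url = self.base_url + "/" + endpoint.lstrip("/")
        body = json.dumps(payload).encode("utf-8") if payload is not None else None
        status, raw = self.transport(method.upper(), url, self.headers(), body)
        data = json.loads(raw.decode("utf-8")) if raw else None
        return status, data

    def create_or_update_incident(self, name, details, severity, incident_type,
                                  xsoar_incident_id=None, **extra):
        """Shape of the create-or-update call behind xsoarstreamincident (POST /incident).
        Passing the XSOAR incident id turns the create into an update of that incident."""
        payload = {"name": name, "details": details, "severity": severity, "type": incident_type}
        if xsoar_incident_id is not None:
            payload["id"] = xsoar_incident_id
        payload.update(extra)   # e.g. closeReason, closeNotes, customFields, labels
        return self.call("POST", "/incident", payload)


def demo_request():
    """Offline run: a recording transport stands in for the tenant (constructed data)."""
    captured = {}

    def recording_transport(method, url, headers, body):
        captured.update(method=method, url=url, headers=headers, body=body)
        return 201, b'{"id": "1001", "name": "TrackMe entity alert"}'

    client = XsoarClient("https://api-example.xsoar.invalid/xsoar/public/v1",  # placeholder
                         api_key="example-api-key", api_key_id=7,
                         transport=recording_transport)
    status, data = client.create_or_update_incident(
        name="TrackMe entity alert", details="Entity status changed",
        severity=2, incident_type="unclassified", createInvestigation=False)
    return client, captured, status, data
```

The incident id returned by XSOAR on creation is what the TA must keep (this page's incident store) to address the same incident in later update and closure calls; redacted_headers() is the view that belongs in troubleshooting logs.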
Command Parameters
xsoarstreamincident Command Parameters:
The following arguments are available for the xsoarstreamincident command:
external_incident_id: The external incident ID for lookup and update
incident_closeNotes: Notes for closing the incident
incident_closeReason: Reason for closing the incident
incident_closed: The date the incident was closed
incident_createInvestigation: Whether to create an investigation for the incident
incident_customFields: Custom fields for the incident, as a JSON string
incident_details: The details of the incident
incident_labels: Labels for the incident, as a JSON string
incident_modified: The date the incident was last modified
incident_name: The name of the incident
incident_playbookId: The ID of the playbook to run for the incident
incident_rawJSON: The raw JSON of the incident
incident_reason: The reason for the incident
incident_severity: The severity of the incident (number)
incident_sla: The SLA for the incident (number)
incident_status: The status of the incident (number)
incident_type: The type of the incident
Data Storage
Incident Store:
The application stores incidents and their key information in the following KVstore collection:
KVstore name: kv_xsoar_incidents_store
KVstore transforms name: xsoar_incidents_store
Access the KVstore content:
| inputlookup xsoar_incidents_store | eval keyid=_key
| eval _time=mtime
| sort 0 - _time
Resilient Store:
The application stores failing calls in a Splunk KVstore for automated reattempt purposes:
KVstore name: kv_xsoar_resilient_store
KVstore transforms name: xsoar_resilient_store
Access the resilient store content:
| inputlookup xsoar_resilient_store | eval keyid=_key
| eval _time=ctime
| sort 0 - _time
Resilient Store Configuration:
Enable or disable resilient store functionalities (default is enabled)
Define maximum number of attempts for a given REST call
Automated reattempts using the command xsoarresilient
Orchestrated by the saved search: xsoarresilient (scheduled by default)
Troubleshooting
Log Access:
The application provides comprehensive logging for troubleshooting:
Application internal REST API:
index=_internal sourcetype=xsoar:rest_api
Command xsoar:
index=_internal sourcetype=xsoar:custom_commands:xsoar
Command xsoarstreamincident:
index=_internal sourcetype=xsoar:custom_commands:xsoarstreamincident
Command xsoarresilient:
index=_internal sourcetype=xsoar:custom_commands:xsoarresilient
Audit & Troubleshoot Menu:
The application provides an "Audit & Troubleshoot" menu with shortcuts to the internal log events. Use the extracted field log_level to filter on a given type of log event, such as log_level=error.
Resilient Store Behaviors:
When a queued call is reattempted and succeeds, the outcome is logged and the KVstore record is permanently deleted
When a transaction ID record reaches the maximum number of attempts, the failure is logged and the KVstore record is permanently deleted (the call is abandoned)
Resilient Store Limitations:
Updates and closures address an incident by the XSOAR incident id, which is only known from XSOAR's response to the initial incident creation call
Consequently, an update or closure can only be reattempted if the incident was opened successfully first; if the opening call itself has not succeeded, updates and closures for that incident cannot be reattempted
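To make the configuration, behaviours and limitations above concrete, the following is an added example, not the Technology Add-on's own code, that models the resilient store as a small state machine: two in-memory dicts stand in for the kv_xsoar_incidents_store and kv_xsoar_resilient_store collections, a constructed FakeXsoar fails its first few calls, and reattempt() plays the role of the scheduled xsoarresilient search. The class names, the "attempts" counter semantics (counting reattempts against max_attempts) and the choice to drop, rather than queue, an update whose incident has not been opened yet are assumptions made for the model.

```python
# Added example (not part of TA-trackme-xsoar): model of the resilient store.
# Assumptions: in-memory dicts replace the KVstore collections; FakeXsoar is a
# constructed stand-in; updates for a still-pending open are dropped with a log entry.
import time
import uuid


class FakeXsoar:
    """Constructed stand-in for the XSOAR incident endpoint: fails the first
    `fail_first` calls with a connection error, then accepts create/update."""

    def __init__(self, fail_first=0):
        self.fail_first = fail_first
        self.calls = 0
        self.incidents = {}

    def post_incident(self, payload):
        self.calls += 1
        if self.calls <= self.fail_first:
            raise ConnectionError("XSOAR unreachable")
        iid = payload.get("id") or "xsoar-%d" % (len(self.incidents) + 1)
        self.incidents[iid] = {**self.incidents.get(iid, {}), **payload, "id": iid}
        return {"id": iid}


class XsoarStreamer:
    """Model of xsoarstreamincident plus the resilient store and its reattempt job."""

    def __init__(self, xsoar, max_attempts=3, resilient_enabled=True):
        self.xsoar = xsoar
        self.max_attempts = max_attempts          # "maximum number of attempts" setting
        self.resilient_enabled = resilient_enabled  # "enable or disable" setting
        self.incident_store = {}   # external_incident_id -> XSOAR id (kv_xsoar_incidents_store)
        self.resilient_store = {}  # transaction_id -> queued call (kv_xsoar_resilient_store)
        self.log = []

    def _pending_open(self, external_incident_id):
        return any(r["external_incident_id"] == external_incident_id
                   for r in self.resilient_store.values())

    def _send(self, external_incident_id, payload):
        xsoar_id = self.xsoar.post_incident(payload)["id"]
        self.incident_store[external_incident_id] = xsoar_id  # keep the id for later updates
        return xsoar_id

    def stream_incident(self, external_incident_id, **payload):
        known_id = self.incident_store.get(external_incident_id)
        if known_id is not None:
            payload["id"] = known_id   # update/closure: XSOAR addresses it by its own id
        elif self._pending_open(external_incident_id):
            # Limitation: the opening call has not succeeded, so no XSOAR id exists
            # and this update/closure can neither be sent nor queued for reattempt.
            self.log.append(("dropped", external_incident_id))
            return None
        try:
            xsoar_id = self._send(external_incident_id, payload)
            self.log.append(("sent", external_incident_id, xsoar_id))
            return xsoar_id
        except ConnectionError as exc:
            if not self.resilient_enabled:
                self.log.append(("failed", external_incident_id, str(exc)))
                return None
            tid = str(uuid.uuid4())
            self.resilient_store[tid] = {"external_incident_id": external_incident_id,
                                         "payload": payload, "attempts": 0,
                                         "ctime": time.time()}
            self.log.append(("queued", external_incident_id, tid))
            return None

    def reattempt(self):
        """One run of the scheduled reattempt (the page's xsoarresilient search)."""
        for tid, rec in list(self.resilient_store.items()):
            rec["attempts"] += 1
            try:
                xsoar_id = self._send(rec["external_incident_id"], rec["payload"])
            except ConnectionError:
                if rec["attempts"] >= self.max_attempts:
                    del self.resilient_store[tid]   # give up: record permanently deleted
                    self.log.append(("abandoned", tid, rec["attempts"]))
                else:
                    self.log.append(("retry_failed", tid, rec["attempts"]))
                continue
            del self.resilient_store[tid]           # success: record permanently deleted
            self.log.append(("recovered", tid, xsoar_id))


def demo_recovery():
    """Open fails twice, a closure arrives too early, the open recovers, closure succeeds."""
    xsoar = FakeXsoar(fail_first=2)
    s = XsoarStreamer(xsoar, max_attempts=3)
    s.stream_incident("trackme-1", name="entity alert", severity=2, type="unclassified")
    s.stream_incident("trackme-1", name="closure", closeReason="resolved")  # dropped
    s.reattempt()   # still failing: attempts=1, record kept
    s.reattempt()   # succeeds: incident created, record deleted
    s.stream_incident("trackme-1", name="closure", closeReason="resolved")  # sent as update
    return s, xsoar


def demo_abandon():
    """XSOAR never recovers: the record is deleted once max_attempts is reached."""
    s = XsoarStreamer(FakeXsoar(fail_first=10), max_attempts=2)
    s.stream_incident("trackme-2", name="entity alert", severity=2, type="unclassified")
    s.reattempt()
    s.reattempt()
    return s
```

The dropped closure in demo_recovery() is the practical consequence of the limitation above: an alert that opens and closes while XSOAR is unreachable recovers as an open incident with no closure, so the log_level=error events of the xsoarstreamincident and xsoarresilient logs are the place to look for incidents that need to be reconciled by hand.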
Documentation References
Official Documentation:
Cortex XSOAR REST API Documentation: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR-8-API
Create or Update Incident API: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR-8-API/Create-or-update-an-incident
Resources:
GitHub Repository: https://github.com/trackme-limited/TA-trackme-xsoar
Download Page: https://downloads.trackme-solutions.com/TA-trackme-xsoar/
Related TrackMe Documentation:
Alerting Architecture & Third-Party Integration - For information about TrackMe alerting capabilities