Cortex XSOAR Integration

AIR integrates with Cortex XSOAR through a plug-in.

Steps to Integrate

Step 1: Preparing AIR Server

  1. Create a new webhook by clicking the “Webhooks” tab.
  2. Give the new webhook an appropriate name.
  3. Choose the parser “URL: Read Endpoint Name or IP address from URL Path”.
  4. Change the other options as needed and click Save. For more information about creating webhooks, see https://kb.binalyze.com/triggers-webhooks.
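With the parser chosen above, AIR takes the endpoint identifier out of the webhook URL path, so whatever the XSOAR side appends to that path must be a plain hostname or IP literal and nothing else. The helper below is an added example (not Binalyze or Palo Alto code) that validates the identifier before building the URL; it assumes the endpoint is appended as the last path segment of the webhook URL shown in AIR.

```python
"""Hypothetical helper for building an AIR webhook call URL from XSOAR input.

Assumption (not from Binalyze documentation): the webhook base URL copied from
AIR takes the endpoint name or IP as its final path segment.
"""
import ipaddress
import re

# RFC 1123 hostname label: letters, digits, hyphens; no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_endpoint(endpoint: str) -> bool:
    """Accept only a bare hostname or an IPv4/IPv6 literal.

    Because AIR parses the endpoint from the URL path, any value carrying
    path or query characters ('/', '..', '?', spaces) must be rejected
    before it is placed in the URL.
    """
    if not endpoint or len(endpoint) > 253:
        return False
    try:
        ipaddress.ip_address(endpoint)  # IPv4 or IPv6 literal
        return True
    except ValueError:
        pass
    # Hostname: every dot-separated label must be a valid RFC 1123 label.
    return all(_LABEL.match(label) for label in endpoint.rstrip(".").split("."))


def build_webhook_url(webhook_base: str, endpoint: str) -> str:
    """Return '<webhook_base>/<endpoint>' or raise ValueError.

    After validation the endpoint contains only letters, digits, '.', '-'
    and (for IPv6) ':', all of which are legal unencoded path characters,
    so no further escaping is needed.
    """
    if not is_valid_endpoint(endpoint):
        raise ValueError(f"refusing to place {endpoint!r} in the webhook path")
    return webhook_base.rstrip("/") + "/" + endpoint


if __name__ == "__main__":
    # Constructed sample values, not a real AIR deployment.
    print(build_webhook_url("https://air.example/api/webhook/TOKEN", "ws01"))
```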

Step 2: Adding Integration File to Cortex XSOAR

Download the integration file, Binalyze_AIR.yml.

  1. Sign in to the Cortex XSOAR server.
  2. Click “Settings” in the bottom left corner.
  3. Click “Upload Integration”.
  4. Select the Binalyze_AIR.yml file and click Open.
  5. Paste the webhook URLs you created in Step 1 into the relevant lines.
  6. After changing the webhook URLs, click “Save Version” and close the dialog.

Step 3: Adding an Instance

  1. Click “Add instance” in the right pane.
  2. Fill in the AIR Server URL, username, and password boxes.
  3. Click “Test”. “Success” means Cortex XSOAR established a test connection with the AIR Server.
  4. The integration is ready to use.

Usage

Isolation

    1. You can use the integration in Automations, Playbooks, or the War Room.
    2. To execute an isolation task, enter the following command at the bottom of the page:

       !air-isolation endpoint=<ENDPOINTHOSTNAME> isolation=enable

    3. A dialog pops up; accept it and continue.
    4. The command is executed successfully.


Acquisition

    1. To execute an acquisition task, enter the following command at the bottom of the page:

       !air-acquisition endpoint=<ENDPOINTHOSTNAME> profile=quick

    2. The command is executed successfully.
    3. The acquisition profile is started on the endpoint.