AIR
TACTICAL
General
Cortex XSOAR Integration
Integration of AIR with Cortex XSOAR is possible via Plug-In.
Steps to Integrate
Step 1: Preparing AIR Server
1. Create a new webhook by clicking the “Webhooks” tab.
2. Give an appropriate name to the New Webhook.
3. Choose Parser “Cortex XSOAR: Generic Cortex XSOAR Webhook Parser”.
4. Change the other options accordingly and click Save. For more information about how to create webhooks, please refer to Triggers (Webhooks).
Step 2: Adding Integration File to Cortex XSOAR
1. Sign in to Cortex XSOAR server.
2. Click “Settings” on the left bottom corner.
3. Click “Upload Integration”.
4. Select the Binalyze_AIR.yml file and click open.
5. Paste the webhook URLs that you created in Step 1 to the relevant lines.
6. After changing Webhook URLs, Click “Save Version” and close the dialog.
Step 3
1. Click “Add instance” on the right pane.
2. Fill in the AIR Server URL, username, and password boxes.
3. Click “Test”, and you will see “Success”, which means Cortex XSOAR established the test connection with the AIR Server.
4. The integration is ready to use.
Usage
Isolation
- You can use the integration in Automations, Playbooks, or War Room.
- To execute an isolation task, write the following command on the bottom of the page:
1
!air-isolation endpoint=<ENDPOINTHOSTNAME> isolation=enable
Copied!
- A dialogue pops up, accept and continue.
- The command is executed successfully.
Acquisition
- To execute an acquisition task, write the following command on the bottom of the page:
1
!air-acquisition endpoint=<ENDPOINTHOSTNAME> profile=quick
Copied!
- The command is executed successfully.
- The acquisition profile is started in the endpoint.
Last modified 1mo ago
Copy link