XSOAR + Attack Surface Intelligence Integration

Leveraging the Risk Rules API, the Cortex XSOAR + Attack Surface Intelligence integration allows you to quickly identify critical risks on your infrastructure and get alerts on the Cortex XSOAR platform.

Cortex XSOAR is a leading security orchestration, automation and response (SOAR) platform. It helps security teams manage, automate and collaborate, and leverage threat intelligence to improve their incident management.

For more information on the integrations included with your ASI license, see the ASI Integrations Overview.

Benefits your security team gets when using this integration:

  • Visualizing the most critical risks within your organization
  • Automating security-policy enforcement in critical systems
  • Improving your incident response times
  • Staying on top of M&A risks
  • Seeing the full context of the security incidents
  • Effectively reducing your attack surface

How does it work?

Let’s take a look at the installation, and how to use this integration.

Installation

  • Log in to your Cortex XSOAR admin interface
  • On the left menu, go to MarketPlace
  • Search for “Recorded Future”. You’ll see ‘Recorded Future Attack Surface Intelligence’ or ‘Recorded Future ASI’; click on it
  • On the top right corner, click on “Install”

Usage

The Recorded Future Attack Surface Intelligence integration with Cortex XSOAR works by linking your current Attack Surface Intelligence project within the Cortex XSOAR interface.

To set this up within your Cortex XSOAR environment:

  1. Go to Settings -> Integrations -> Instances

  2. Search for the Recorded Future Attack Surface Intelligence Pack, and select Add Instance

  3. Select a name for the instance (choosing something that includes the Attack Surface Intelligence Project Title can be helpful)

  4. Enter configuration:

    • Enter the Project ID
    • Enter an API Key that has access to the above Project ID

  5. Configure the Pack to Fetch incidents and set up any optional mappings and Incident Types

  6. Set the fetch interval to match the frequency at which your Attack Surface Intelligence Project gets a snapshot (the suggested XSOAR Pack frequency is 1 day)

  7. Click the Test button to make sure the API Key and Project ID are set up correctly

  8. Click Save & Exit

  9. Incidents should immediately populate in your XSOAR instance for each rule that you see in SurfaceBrowser™.

  10. Clicking the Fetch History icon next to the new Pack instance will show you details of each time the Pack runs

Analyzing the results

Now that the project is up and running in your Cortex XSOAR platform, let’s see what we can find.

After clicking on the Incidents link on the left menu, you’ll land on a page showing all the current incidents found in the past X days (7 days, 30 days, you name it).

On that interface, you’ll be able to find incidents filtered by Severity (Critical, Medium, and Low) as well as the complete list of incidents, along with their ID, Name, Type, Status, and Owner, among other details.

ASI-xsoar-14.png

 

This page allows you to quickly identify the most critical issues and jump right into them, as shown in the above screenshot. Once you click on the ID, it will take you to the particular incident you want to investigate, reporting all the available details, including Indicators, Timeline information, Investigation Data, and much more.

Summary

The Recorded Future Attack Surface Intelligence integration with Cortex XSOAR is here to make your life easier, enabling security teams to gain access to the right incident information from our Attack Surface Intelligence Risk Rules in a handy way.

This content is confidential. Do not distribute or download content in a manner that violates your Recorded Future license agreement. Sharing this content outside of licensed Recorded Future users constitutes a breach of the terms and/or agreement and shall be considered a breach by your organization.