Leveraging the Risk Rules API, the Cortex XSOAR + Attack Surface Intelligence integration allows you to quickly identify critical risks on your infrastructure and get alerts on the Cortex XSOAR platform.
Cortex XSOAR is one of the leading security orchestration, automation and response (SOAR) platforms available. It helps security teams manage, automate and collaborate on their work, and to leverage threat intelligence so they can improve their incident management.
For more information on the integrations included with your ASI license, see the ASI Integrations Overview.
Benefits your security team gets when using this integration:
- Visualizing the most critical risks within your organization
- Automating security-policy enforcement in critical systems
- Improving your incident response times
- Staying on top of M&A risks
- Seeing the full context of the security incidents
- Effectively reducing your attack surface
How does it work?
Let’s take a look at the installation, and how to use this integration.
Installation
- Log in to your Cortex XSOAR admin interface
- On the left menu, go to MarketPlace
- Search for "Recorded Future", and click on the entry named "Recorded Future Attack Surface Intelligence" or "Recorded Future ASI"
- On the top right corner, click on “Install”
Usage
The Recorded Future Attack Surface Intelligence integration with Cortex XSOAR works by linking your current Attack Surface Intelligence project, within the Cortex XSOAR interface.
To set this up within your Cortex XSOAR environment:
- Go to Settings -> Integrations -> Instances
- Search for the Recorded Future Attack Surface Intelligence Pack, and select Add Instance:
- Select a name for the instance (choosing something that includes the Attack Surface Intelligence Project Title can be helpful)
- Enter the configuration:
  - Enter the Project ID
  - Enter an API Key that has access to the above Project ID
- Configure the Pack to Fetch incidents and set up any optional mappings and Incident Types
- Set the fetch interval to match the frequency at which your Attack Surface Intelligence Project gets a snapshot (the suggested XSOAR Pack frequency is 1 day)
- Click the Test button to make sure the API Key and Project ID are set up correctly
- Click Save & Exit
- Incidents should immediately populate in your XSOAR instance for each rule that you see in SurfaceBrowser™.
- Clicking the Fetch History icon next to the new Pack instance will show you details of each time the Pack runs
Analyzing the results
Now that the project is up and running in your Cortex XSOAR platform, let’s see what we can find.
After clicking on the Incidents link on the left menu, you'll land on a page showing all the current incidents found in the selected time window (the past 7 days, 30 days, or whatever range you choose).
On that page, you can filter incidents by Severity (Critical, Medium, and Low) and see the complete list of incidents, along with their ID, Name, Type, Status, and Owner, among other details.
This page allows you to quickly identify the most critical issues and jump right into them, as shown in the above screenshot. Clicking on an incident's ID takes you to that incident, where all available details are reported, including Indicators, Timeline information, Investigation Data, and much more.
Summary
The Recorded Future Attack Surface Intelligence integration with Cortex XSOAR is here to make your life easier, giving security teams convenient access to the right incident information from our Attack Surface Intelligence Risk Rules.