on 30-Jun-202305:00 - edited on 11-Sep-202312:19 by LiefZimmerman
Exciting news - an integration between F5 Distributed Cloud (XC) and Palo Alto's Cortex XSOAR product is now available!
Q: What does Palo Alto Networks (PAN) Cortex XSOAR provide?
A: For the modern SOC (Security Operations Centers) the ability to reduce the noise, streamline redundant tasks, detect incidents, collect data, analyze indicators of threats with collaboration in real time while offering automation of remediation is paramount. PAN Cortex XSOAR, does all these things and is easy to use with their war room feature which can manage tickets and conduct post-incident reviews and analysis. Having such a powerful tool integrated with F5 Distributed Cloud’s services enhances the already robust reporting and visibility offered in the Distributed Cloud console.
Q: What does the integration with PAN Cortex XSOAR do?
A: The integration queries the F5 XC API on a schedule and pulls in specific alerts. Originally designed for MSPs (Managed Service Providers) in which one tenant acts as a managing tenant with access rights, the integration can also be used by customers with multiple tenants.
Q: How do I use the integration?
A: When a new alert is discovered, an incident is created. XSOAR will run the fetch-incidents command on an interval basis. The new incidents will populate on the XSOAR's dashboard. To make things easier, the name of the tenant which sourced the alert has been prepended to the incident name.
Figure 1: Sample XSOAR dashboard
To check when the automated fetch-incidents job last ran, go to the Settings > Integrations page. It also shows the number of incidents created and the date.
Figure 2: Pulled incidents page
Q: What commands are available?
A: There are three helper commands that will assist in troubleshooting and information gathering. The first command is the Get Alerts command. Using the same backend call function of fetch-incidents, the output of the Get Alerts command shows each tenant and any alerts associated with that tenant.
Figure 3: Tabled output of Get Alerts
The second command is Get Managed Tenants. This command displays all the tenants using the API Token provided in the F5 XC integration setup. The Get Managed Tenants command is very helpful for verifying that the configuration is setup correctly and viewing the listed managed tenants.
Figure 4: Output of Get Managed Tenants
The last command is Get Alerts by Tenant. The output from Get Alerts by Tenant shows all the alerts for a specific tenant. This command requires the input of the exact tenant's name in order to successfully perform the query. Prior to issuing this command, the Get Managed Tenant command can be used to view the full tenant name.
Note: users must open an F5 XC Support Case to request a shared access signature token in order to download the integration.
Q: What do I configure in F5 XC console? How do I create an API token?
A: Because the integration requires authentication between F5 XC and PAN's XSOAR, an API token needs to be created. From the F5 XC console, once logged into the customer tenant, navigate to the Administration tile. Navigate to Personal Management > Credentials > Add Credentials. Within the pop-up window, enter a name and expiration date, which has a maximum of 6 months. Click Generate.
Note: a new API token will need to be created when the old one expires and uploaded into the PAN XSOAR integration.
Figure 6: Create API Token
Note: this token is not viewable again, so please securely store this token for later reference.
Any generated tokens are visible under the Credentials section.
Q: What do I configure in PAN XSOAR?
A: Once the integration has been downloaded and imported, it will be available under the integrations window within XSOAR. Navigate to Settings > Integrations > Instances. Search for "F5". Click Add instance to create and configure the integration. After the required parameters are configured, click Test, to validate the URL, API token and connection.
Figure 7: XSOAR integration instance setup
Written by F5 experts, this integration provides the ability to execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook.