Webinar Jan. 18, 2023: Cybersecurity New Year’s Resolution – Go On the Offensive
The Cyberpion content pack allows you to seamlessly receive all your Cyberpion Action Items and supportive information into Cortex XSOAR, and thus create and view dashboards, create custom alerts, streamline remediation and improve investigations. Integration between Cyberpion and Cortex XSOAR makes use of REST API.
Cortex XSOAR Integration Guide
Cyberpion can export incidents and relevant information directly to Cortex XSOAR. The integration involves having the Cortex XSOAR make calls to Cyberpion API endpoints in order to retrieve the information. Thus, you will need to enter the Cyberpion Server URL as well as a valid Cyberpion API key to Cortex.
The server URL is https://<your portal’s name at Cyberpion>.cyberpion.com, e.g., https://hportal.cyberpion.com
Log into the Cyberpion portal
Click the API Settings button
Provide a name for the token, specify if the token is read-write or read-only (only the latter is necessary), and set an expiry date.
Click “Create Token”
Copy the generated token to a secure file. You’ll need it later.
Head to the XSOAR Marketplace:
Find and install Cyberpion:
Go to Settings:
Search for Cyberpion and click on “Add Instance”:
Fill in the server URL and API key that were provided by the Cyberpion portal (located within setting -> Integration settings):
Form field names, explanations and tips:
| Field | Explanation |
|---|---|
| Fetches incidents | Should be checked (this determines whether to get Cyberpion’s action items from the server) Make sure “Fetches incidents” is enabled |
| Do not fetch | Should be false |
| Classifier | Should be (by default) Cyberpion – Classifier |
| Incident type (if classifier doesn’t exist) | Should be (by default) N/A |
| Mapper (incoming) | Should be (by default) Cyberpion – Mapper |
| Server URL | Paste here the Cyberpion URL as described above |
| API Key | Paste here the Cyberpion API key as described above |
| Maximum number of incidents per fetch | Determines how many action items are fetched every minute The default is set for 200 and we recommend leaving it as such |
| Action items category to fetch as incidents | Action items categories to fetch Options are DNS, PKI, Cloud and Vulnerabilities Default is set to include all Action Item types |
| Show only active issues | We recommend that this checkbox be marked
If not enabled, closed issues (resolved action items) will be fetched in addition to the active ones |
| Trust any certificate | N/A |
| Use system proxy settings | N/A |
| Do not use by default | N/A |
After clicking “save”, Action items will start to appear at the ‘incidents’ section:
Cortex XSOAR pulls Action Items at a rate of 200 every minute until all Action Items are uploaded
Click on “Investigate” to see the Action Item details:
Action Items will include the following information:
Playbook
The playbook added within this content package will allow you to request additional information relating to the Action Items that were reported, in order to help with context, investigation, and effective remediation.
The default playbooks intention is basic, it allows the user to create customized playbooks and/or connect the offered playbook template to a more general playbook.
Users can view the playbook within an incident by clicking the “Work Plan” tab and following the steps presented:
Request a free hyper external attack surface scan today.
