Integrating Cortex XSOAR
========================

This guide describes how to integrate Genian ZTNA with Palo Alto Networks Cortex XSOAR, a Security Orchestration, Automation, and Response (SOAR) platform.

Overview
--------

Genian ZTNA can leverage XSOAR's threat analysis: XSOAR sends alerts about suspicious nodes to Genian ZTNA, which applies a Genian ZTNA tag to those nodes so that they can be blocked and remediated.

Process
-------

#. XSOAR detects a suspicious node.
#. XSOAR sends the node's IP address to Genian ZTNA.
#. Genian ZTNA checks whether the node exists in its node database.
#. If the node is found, Genian ZTNA determines the node ID.
#. Genian ZTNA applies the tag to the node.

.. note:: If step 3 or step 5 fails, an error message is output. Successful tag application outputs a success confirmation message.

Pre-Requisites
--------------

Preparing Genian ZTNA
'''''''''''''''''''''

- This guide requires Genian ZTNA v6.0 or later.

#. In the Genian ZTNA Web Console, navigate to **Management > User** and use the **Tasks** menu to create a new "superAdmin" account, or use an existing one.
#. In the **General** section of the user configuration, click the **Generate API Key** button, then click **Update**.

.. note:: The API key carries superAdmin privileges. Store it only in the XSOAR integration instance (or a secrets store XSOAR reads from), and regenerate it if it is ever exposed.

Prepare Networking
''''''''''''''''''

Verify that the XSOAR server can reach the Genian ZTNA Policy Server over HTTP (TCP/80) and HTTPS (TCP/443). The connection port information for Genian ZTNA is under **System > Service Management > Connection Port** in the Web Console.

Prepare Genian ZTNA Tag
'''''''''''''''''''''''

Create a tag to be assigned to suspicious nodes under **Preferences > Tag**, or use an existing tag.

Preparing XSOAR
'''''''''''''''

- This guide requires XSOAR v5.5.0 or later.

#. Check whether the Genians integration is installed by going to **Settings > Integrations > Servers & Services** and searching for "Genians". The integration is included by default in XSOAR v6.0.0 and later. If it is installed, skip to the next section; otherwise follow the steps below.
#. For manual installation, follow the download link in the XSOAR UI to obtain the necessary files.
#. Save **Genians.yml** and **Genians.py** as separate files, making sure to set the file extensions in the file names.
#. In **Settings > Integrations > Servers & Services**, use the **Upload** button to upload **Genians.yml**. Wait for the upload to complete successfully.
#. In the code input window on the left of **Integration Settings**, copy and paste only the code from the **Genians.py** file.
#. Click the **Save** button in the top right corner to complete the preparation.

Configuring XSOAR
-----------------

The following is an example of a minimal integration configuration.

Configure API linkage to Genian ZTNA
''''''''''''''''''''''''''''''''''''

#. Go to **Settings > Integrations > Servers & Services**, search for **Genians** and click **Add Instance**.
#. Configure the instance as shown below:

   .. csv-table::
      :header: "Item", "Value", "Info"
      :widths: 20 25 55

      "Name", "Genians_instance_1", "Required input"
      "Server IP", "192.166.1.50", "Enter the IP of your Genian ZTNA Policy Server"
      "API Key", "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", "Enter the API Key of your Genian ZTNA superAdmin"
      "Trust any Certificate", "", "Check"
      "Tag Name", "THREAT", "Enter the name of the Tag you selected in the Genian ZTNA preparation"

#. Click **Test** and then click **Done**.

.. note:: **Trust any Certificate** disables TLS certificate verification, so the superAdmin API key is sent to whichever host answers at the configured Server IP. Use it for initial testing only; for production, install a certificate on the Policy Server that the XSOAR server trusts and leave the box unchecked.

Configuring Genian ZTNA
'''''''''''''''''''''''

Create Grouping and Enforcement Settings
''''''''''''''''''''''''''''''''''''''''

Under **Policy > Group**:

#. Click **Tasks > Create** to create a new Node Group.
#. Under **General**, enter an ID and Description and set the Status to Enabled.
#. Under **Condition**, click **Add** to add the previously selected "THREAT" tag.
#. Click **Save**.

Under **Policy > Enforcement Policy**:

#. Click **Tasks > Create** to create a new Enforcement Policy.
#. Follow the wizard and select the previously created "THREAT" Node Group.
#. Select the desired Permissions, enable Captive Portal, and enter a message to be displayed to the end user.
#. Click **Save**.

With all configurations in place, the Genians Network Sensor must be switched from Monitoring to Enforcement mode to enable Layer 2 quarantine of non-compliant nodes on the network. Navigate to **System > Sensor > Edit Sensor Settings**, set the Sensor Operating Mode to Enforcement, then click **Update** at the bottom of the page.

Testing and Validation
----------------------

#. Introduce a node that is expected to trigger a threat alert in XSOAR into a network segment.
#. XSOAR identifies the threat and notifies Genian ZTNA via the API linkage.
#. The test node should have the THREAT tag assigned once the alert is received from XSOAR.
#. Genian ZTNA then Layer 2 quarantines the node in real time, preventing it from accessing any resources prohibited by the configured Enforcement Policy.
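The five-step process at the top of this page (look the IP up in the node database, fail if it is absent, resolve the node ID, apply the tag, fail if the server rejects it) is what the Genians integration does on each alert. The following is an added example, not code from the Genians integration or from Genian ZTNA: it implements that flow against a pluggable ``fetch`` callable and exercises it offline against a constructed fake Policy Server. The REST paths (``/nodes?ip=`` and ``/nodes/<id>/tags``), the query parameter and the JSON shapes are assumptions for illustration, not the Genian ZTNA API; the node IPs and tag names are constructed test data.

```python
"""Added example (not the Genians XSOAR integration's own code): the
tag-assignment flow described on this page, written against a pluggable
``fetch`` callable so it runs offline against a constructed fake Policy Server.
The REST paths, query parameter and JSON shapes are assumptions for illustration."""
import ipaddress
from typing import Callable, Dict, List, Optional, Set, Tuple

# fetch(method, path, json_body) -> (http_status, json_body)
Fetch = Callable[[str, str, Optional[dict]], Tuple[int, dict]]


def find_node_id(fetch: Fetch, ip: str) -> Optional[str]:
    """Steps 3 and 4: query the node database by IP and return the node ID, or None."""
    ipaddress.ip_address(ip)  # reject anything that is not a bare IP before it reaches a URL
    status, body = fetch("GET", f"/nodes?ip={ip}", None)  # assumed endpoint
    if status != 200:
        return None
    # Exact-match guard: only trust a record whose ip field equals the one we asked for.
    for node in body.get("result", []):
        if node.get("ip") == ip and node.get("nodeId"):
            return node["nodeId"]
    return None


def assign_ip_tag(fetch: Fetch, ip: str, tag_name: str) -> dict:
    """Steps 2 to 5: tag the node that owns ``ip``. The returned dict is the
    success or error message the page says is output for each outcome."""
    try:
        node_id = find_node_id(fetch, ip)
    except ValueError:
        return {"ok": False, "message": f"Invalid IP address: {ip!r}"}
    if node_id is None:  # step 3 failed
        return {"ok": False, "message": f"Node {ip} not found in the Genian ZTNA node database"}
    status, _ = fetch("POST", f"/nodes/{node_id}/tags", {"tags": [tag_name]})  # assumed endpoint
    if status != 200:  # step 5 failed
        return {"ok": False, "message": f"Failed to apply tag {tag_name!r} to node {node_id}: HTTP {status}"}
    return {"ok": True, "nodeId": node_id, "message": f"Tag {tag_name!r} applied to node {node_id} ({ip})"}


class FakePolicyServer:
    """Constructed stand-in for a Genian ZTNA Policy Server with a tiny node database."""

    def __init__(self, nodes: Dict[str, str], tags: Set[str]):
        self.nodes = nodes    # ip -> nodeId
        self.tags = tags      # tags that exist under Preferences > Tag
        self.applied: Dict[str, Set[str]] = {}

    def fetch(self, method: str, path: str, body: Optional[dict]) -> Tuple[int, dict]:
        if method == "GET" and path.startswith("/nodes?ip="):
            ip = path[len("/nodes?ip="):]
            if ip in self.nodes:
                return 200, {"result": [{"ip": ip, "nodeId": self.nodes[ip]}]}
            return 200, {"result": []}
        if method == "POST" and path.startswith("/nodes/") and path.endswith("/tags"):
            node_id = path[len("/nodes/"):-len("/tags")]
            wanted = set((body or {}).get("tags", []))
            if node_id not in self.nodes.values() or not wanted <= self.tags:
                return 404, {"error": "unknown node or tag"}
            self.applied.setdefault(node_id, set()).update(wanted)
            return 200, {"result": sorted(self.applied[node_id])}
        return 400, {"error": "unsupported request"}


def demo() -> List[dict]:
    """Run the three outcomes the page describes: success, step 3 failure, step 5 failure."""
    server = FakePolicyServer(nodes={"10.0.0.23": "nid-0001"}, tags={"THREAT"})  # constructed data
    return [
        assign_ip_tag(server.fetch, "10.0.0.23", "THREAT"),  # known node, known tag
        assign_ip_tag(server.fetch, "10.0.0.99", "THREAT"),  # node not in database
        assign_ip_tag(server.fetch, "10.0.0.23", "BOGUS"),   # tag does not exist
    ]


if __name__ == "__main__":
    for outcome in demo():
        print("OK " if outcome["ok"] else "ERR", outcome["message"])
```

A real ``fetch`` for the Policy Server would add the superAdmin API key to each request and, unless **Trust any Certificate** is checked, verify the server's TLS certificate; keeping verification on is what stops that key from being handed to an impostor on the path between XSOAR and the Policy Server.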