Integrating Cortex XSOAR

This guide provides information on integrating Genian NAC and Palo Alto XSOAR, a Security Orchestration, Automation, and Response (SOAR) system.

Overview

XSOAR's threat analysis function can be leveraged by Genian NAC to send alerts about suspicious nodes, and apply Genian NAC tags to to them so that they can be blocked and remediated.

Process

  1. XSOAR detects suspicious node
  2. XSOAR sends node IP to Genian NAC
  3. Genian NAC checks if the node is found in the node database
  4. If the node is found, Genian NAC determines the node ID
  5. Genian NAC applies the node Tag

Note

If steps 3 or 5 fail, an error message will be output. Successful tag application will output a success confirmation message.

Pre-Requisites

Preparing Genian NAC

  • This guide requires use of Genian NAC v5.0.0 or later
  1. In the Genian NAC Web Console, Navigate to Management > User and use the Tasks menu to create a new "superAdmin" account, or use an existing account.
  2. In the General section of the User configuration, use the Generate API Key button, then click update.

Prepare Networking

Verify that the Genian NAC Policy Server and the XSOAR server can communicate using HTTP TCP/80 and HTTPS TCP/443

(The connection port information of Genian NAC is in System> Service Management> Connection Port in the UI .)

Prepare Genian NAC Tag

Create a tag to be assigned to suspicious nodes under Preferences > Tag, or use an existing tag.

Preparing XSOAR

  • This guide requires use of XSOAR v5.5.0 or later
  1. Check to see if the Genians integration plugin is installed by accessing Settings > Integrations > Servers & Services and searching for "Genians" The integrations should be included by default in v6.0.0 and later. If it is installed, skip to the next section, otherwise follow the steps below.
  2. For manual installation, follow the download link in the XSOAR UI to obtain the necessary files.
  3. Separately save Genians.yml and Genians.py being sure to set the file extension in the file names.
  4. In Settings > Integrations > Servers & Services use the Upload button and upload Genians.yml. Wait for a succesful upload.
  5. In the code input window on the left of Integration Settings , copy and paste only the code from the Genians.py file.
  6. Click the Save button on the top right corner to complete the preparation.

Configuring XSOAR

The following is an example of a minimal configuration integration.

Configure API linkage to Genian NAC

  1. Go to Settings > Integrations > Servers & Services ,search for Genians and click Add Instance.

  2. Configure the instance as shown below:

    Item Value Info
    Name Genians_instance_1 Required input
    Server IP 192.166.1.50 Enter the IP of your Genian NAC Policy Server
    API Key aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee Enter the API Key of your Genian NAC superAdmin
    Trust any Certificate   Check
    Tag Name THREAT Enter the name of the Tag you selected in the genian NAC preparation
  3. Click Test and then click Done.

Configuring Genian NAC

Create Grouping and Enforcement Settings

Under Policy > Group:

  1. Click Tasks > Create to create a new Node Group.
  2. Under General enter an ID and Description and set the Status to Enabled.
  3. Under Condition, click Add to add the previously selected “THREAT” tag.
  4. Click Save.

Under Policy > Enforcement Policy:

  1. Click Tasks > Create to create a new Enforcement Policy.
  2. Follow the wizard and select the previously created “THREAT” Node Group.
  3. Select the desired Permissions, enable Captive Portal and enter a message to be displayed to the end user.
  4. Click Save.

With all configurations now in place, the Genians Network Sensor must be switched from Monitoring to Enforcement mode to facilitate the Layer 2 quarantine of non-compliant nodes on the network. Navigate to System > Sensor > Edit Sensor Settings and set the Sensor Operating Mode to Enforcement then click Update at the bottom of the page.

Testing and Validation

  1. Introduce a node that is expected to trigger a threat alet in XSOAR into a network segment.
  2. XSOAR will identify the threat and notify Genian NAC via the API linkage.
  3. The test node should have a THREAT Tag assigned once the alert is received from XSOAR.
  4. The node will then be Layer 2 quarantined in real-time by Genian NAC, and will be prevented from accessing any resources that are prohibited by the Enforcement Policy configured.