Integrating Cortex XSOAR
This guide describes how to integrate Genian ZTNA with Palo Alto Cortex XSOAR, a Security Orchestration, Automation, and Response (SOAR) system.
XSOAR's threat analysis can alert Genian ZTNA about suspicious nodes; Genian ZTNA then applies a tag to those nodes so that they can be blocked and remediated. The flow is:
1. XSOAR detects a suspicious node.
2. XSOAR sends the node's IP address to Genian ZTNA.
3. Genian ZTNA checks whether the node exists in its node database.
4. If the node is found, Genian ZTNA determines the node ID.
5. Genian ZTNA applies the node Tag.
If step 3 or step 5 fails, an error message is output. Successful tag application outputs a success confirmation message.
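The following Python model of that flow is an added example; it is not the Genians.py integration shipped with XSOAR and not Genian ZTNA's documented REST API. The endpoint paths (`/nodes`, `/nodes/{id}/tags`), the `apiKey` query parameter, the response shapes and the sample node data are all assumptions chosen to illustrate the logic, and the transport is an offline stand-in for the Policy Server so the script runs without a network. It shows the step 3 (node not found) and step 5 (tag could not be applied) error paths alongside the success path.

```python
# Added example (not XSOAR's Genians.py and not Genian ZTNA's documented API).
# Endpoint paths, the apiKey query parameter and the JSON shapes are ASSUMPTIONS.
from dataclasses import dataclass
from typing import Any, Callable, Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# A transport takes (method, url, json_body) and returns (status, json_body).
# In a real integration this would be an HTTPS call with certificate verification.
Transport = Callable[[str, str, Optional[dict]], Tuple[int, Any]]


@dataclass
class GenianClient:
    base_url: str   # e.g. https://policy-server.example/mc/restapi/v1 (ASSUMED path)
    api_key: str    # API key generated under Management > User
    http: Transport

    def _url(self, path: str, **params: str) -> str:
        params["apiKey"] = self.api_key  # ASSUMPTION: key sent as a query parameter
        return f"{self.base_url}{path}?{urlencode(params)}"

    def find_node_id(self, ip: str) -> Optional[str]:
        """Steps 3-4: look the IP up in the node database; None if absent."""
        status, body = self.http("GET", self._url("/nodes", ip=ip), None)
        if status != 200 or not body:
            return None
        return body[0].get("nodeId")  # ASSUMED response shape

    def apply_tag(self, node_id: str, tag: str) -> Tuple[bool, str]:
        """Step 5: assign the tag to the node; returns (ok, detail)."""
        status, body = self.http("POST", self._url(f"/nodes/{node_id}/tags"), {"name": tag})
        if status == 200:
            return True, "ok"
        return False, (body or {}).get("error", f"HTTP {status}")


def tag_suspicious_node(client: GenianClient, ip: str, tag: str) -> Dict[str, Any]:
    """The playbook action: returns the message XSOAR would display."""
    node_id = client.find_node_id(ip)
    if node_id is None:
        return {"success": False, "step": 3,
                "message": f"Error: {ip} not found in the Genian ZTNA node database"}
    ok, detail = client.apply_tag(node_id, tag)
    if not ok:
        return {"success": False, "step": 5,
                "message": f"Error: could not apply tag {tag} to node {node_id}: {detail}"}
    return {"success": True, "step": 5, "node_id": node_id,
            "message": f"Success: tag {tag} applied to {ip} (node {node_id})"}


# --- constructed offline stand-in for the Policy Server (no network needed) ---
FAKE_NODES = {"10.10.5.23": "n-0001", "10.10.5.24": "n-0002"}  # constructed sample data
FAKE_TAGS = {"THREAT"}            # the tag created under Preferences > Tag
FAKE_TAGGED: Dict[str, set] = {}  # node id -> tags applied so far


def fake_transport(method: str, url: str, body: Optional[dict]) -> Tuple[int, Any]:
    parsed = urlparse(url)
    qs = parse_qs(parsed.query)
    if qs.get("apiKey") != ["test-key"]:
        return 401, {"error": "invalid apiKey"}
    if method == "GET" and parsed.path.endswith("/nodes"):
        ip = qs.get("ip", [""])[0]
        return 200, ([{"nodeId": FAKE_NODES[ip], "ip": ip}] if ip in FAKE_NODES else [])
    if method == "POST" and parsed.path.endswith("/tags"):
        node_id = parsed.path.split("/")[-2]
        if node_id not in FAKE_NODES.values():
            return 404, {"error": "no such node"}
        if body is None or body.get("name") not in FAKE_TAGS:
            return 400, {"error": "tag does not exist"}
        FAKE_TAGGED.setdefault(node_id, set()).add(body["name"])
        return 200, {"result": "ok"}
    return 404, {"error": "unknown endpoint"}


def demo() -> list:
    client = GenianClient("https://policy-server.example/mc/restapi/v1", "test-key", fake_transport)
    return [
        tag_suspicious_node(client, "10.10.5.23", "THREAT"),     # success
        tag_suspicious_node(client, "10.10.9.99", "THREAT"),     # step 3 failure
        tag_suspicious_node(client, "10.10.5.24", "NOT-A-TAG"),  # step 5 failure
    ]


if __name__ == "__main__":
    for result in demo():
        print(result["message"])
```

To point this at a real Policy Server you would replace `fake_transport` with an HTTPS client that verifies the server certificate and adapt `_url`, `find_node_id` and `apply_tag` to the actual Genian ZTNA API; the decision logic in `tag_suspicious_node` is what the playbook needs regardless of transport.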
Preparing Genian ZTNA
- This guide requires use of Genian ZTNA v6.0 or later
- In the Genian ZTNA Web Console, Navigate to Management > User and use the Tasks menu to create a new "superAdmin" account, or use an existing account.
- In the General section of the User configuration, use the Generate API Key button, then click update.
Verify that the XSOAR server can send traffic to the Genian ZTNA Policy Server using HTTP TCP/80 and HTTPS TCP/443.
(The connection port information for Genian ZTNA is under System > Service Management > Connection Port in the UI.)
Prepare Genian ZTNA Tag
Create a tag to be assigned to suspicious nodes under Preferences > Tag, or use an existing tag.
Preparing XSOAR
- This guide requires use of XSOAR v5.5.0 or later.
- Check whether the Genians integration plugin is installed by accessing Settings > Integrations > Servers & Services and searching for "Genians". The integration is included by default in v6.0.0 and later. If it is installed, skip to the next section; otherwise follow the steps below.
- For manual installation, follow the download link in the XSOAR UI to obtain the necessary files.
- Save Genians.yml and Genians.py as separate files, making sure each file name keeps its extension.
- In Settings > Integrations > Servers & Services, use the Upload button to upload Genians.yml and wait for a successful upload.
- In the code input window on the left of Integration Settings, copy and paste only the code from the Genians.py file.
- Click the Save button on the top right corner to complete the preparation.
The following is an example of a minimal integration configuration.
Configuring Genian ZTNA
Create Grouping and Enforcement Settings
Under Policy > Group:
- Click Tasks > Create to create a new Node Group.
- Under General enter an ID and Description and set the Status to Enabled.
- Under Condition, click Add to add the previously selected “THREAT” tag.
- Click Save.
Under Policy > Enforcement Policy:
- Click Tasks > Create to create a new Enforcement Policy.
- Follow the wizard and select the previously created “THREAT” Node Group.
- Select the desired Permissions, enable Captive Portal and enter a message to be displayed to the end user.
- Click Save.
With all configurations now in place, the Genians Network Sensor must be switched from Monitoring to Enforcement mode to facilitate the Layer 2 quarantine of non-compliant nodes on the network. Navigate to System > Sensor > Edit Sensor Settings and set the Sensor Operating Mode to Enforcement then click Update at the bottom of the page.
Testing and Validation
- Introduce a node that is expected to trigger a threat alert in XSOAR into a network segment.
- XSOAR will identify the threat and notify Genian ZTNA via the API linkage.
- The test node should have a THREAT Tag assigned once the alert is received from XSOAR.
- The node will then be Layer 2 quarantined in real-time by Genian ZTNA, and will be prevented from accessing any resources that are prohibited by the Enforcement Policy configured.