Integrating Cortex XSOAR
========================

This guide provides information on integrating Genian |product_name| and Palo Alto XSOAR, a Security Orchestration, Automation, and Response (SOAR) system.

Overview
--------

Genian |product_name| can leverage XSOAR's threat analysis function: XSOAR sends alerts about suspicious nodes, and Genian |product_name| applies a tag to them so that they can be blocked and remediated.

Process
-------

#. XSOAR detects a suspicious node
#. XSOAR sends the node IP to Genian |product_name|
#. Genian |product_name| checks whether the node is found in the node database
#. If the node is found, Genian |product_name| determines the node ID
#. Genian |product_name| applies the node Tag

.. note:: If step 3 or step 5 fails, an error message will be output. Successful tag application will output a success confirmation message.

Pre-Requisites
--------------

Preparing Genian |product_name|
''''''''''''''''''''''''''''''''''''

- This guide requires use of Genian |product_name| v6.0 or later

#. In the Genian |product_name| Web Console, navigate to **Management > User** and use the **Tasks** menu to create a new "superAdmin" account, or use an existing account.
#. In the **General** section of the User configuration, use the **Generate API Key** button, then click **Update**.

Prepare Networking
''''''''''''''''''

Verify that the XSOAR server can send traffic to the Genian |product_name| Policy Server using HTTP TCP/80 and HTTPS TCP/443. (The connection port information of Genian |product_name| is under **System > Service Management > Connection Port** in the UI.)

Prepare Genian |product_name| Tag
'''''''''''''''''''''''''''''''''''

Create a tag to be assigned to suspicious nodes under **Preferences > Tag**, or use an existing tag.

Preparing XSOAR
'''''''''''''''''

- This guide requires use of XSOAR v5.5.0 or later

#. Check whether the Genians integration plugin is installed by accessing **Settings > Integrations > Servers & Services** and searching for "Genians". The integration is included by default in v6.0.0 and later. If it is installed, skip to the next section; otherwise follow the steps below.
#. For manual installation, follow the download link in the XSOAR UI to obtain the necessary files.
#. Save **Genians.yml** and **Genians.py** as separate files, being sure to keep the file extensions in the file names.
#. In **Settings > Integrations > Servers & Services** use the **Upload** button and upload **Genians.yml**. Wait for a successful upload.
#. In the code input window on the left of **Integration Settings**, copy and paste only the code from the **Genians.py** file.
#. Click the **Save** button in the top right corner to complete the preparation.

Configuring XSOAR
-----------------

The following is an example of a minimal integration configuration.

Configure API linkage to Genian |product_name|
'''''''''''''''''''''''''''''''''''''''''''''''''''

#. Go to **Settings > Integrations > Servers & Services**, search for **Genians** and click **Add Instance**.
#. Configure the instance as shown below:

   .. csv-table::
      :header: "Item", "Value", "Info"
      :widths: 20 25 55

      "Name", "Genians_instance_1", "Required input"
      "Server IP", "192.166.1.50", "Enter the IP of your Genian |product_name| Policy Server"
      "API Key", "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", "Enter the API Key of your Genian |product_name| superAdmin"
      "Trust any Certificate", "", "Check"
      "Tag Name", "THREAT", "Enter the name of the Tag you selected in the Genian |product_name| preparation"

#. Click **Test** and then click **Done**.

Configuring Genian |product_name|
---------------------------------

Create Grouping and Enforcement Settings
''''''''''''''''''''''''''''''''''''''''''

Under **Policy > Group**:

#. Click **Tasks > Create** to create a new Node Group.
#. Under **General**, enter an ID and Description and set the Status to **Enabled**.
#. Under **Condition**, click **Add** to add the previously selected "THREAT" tag.
#. Click **Save**.

Under **Policy > Enforcement Policy**:

#. Click **Tasks > Create** to create a new Enforcement Policy.
#. Follow the wizard and select the previously created "THREAT" Node Group.
#. Select the desired Permissions, enable Captive Portal and enter a message to be displayed to the end user.
#. Click **Save**.

With all configurations now in place, the Genians Network Sensor must be switched from Monitoring to Enforcement mode to facilitate the Layer 2 quarantine of non-compliant nodes on the network. Navigate to **System > Sensor > Edit Sensor Settings**, set the Sensor Operating Mode to **Enforcement**, then click **Update** at the bottom of the page.

Testing and Validation
--------------------------

#. Introduce a node that is expected to trigger a threat alert in XSOAR into a network segment.
#. XSOAR will identify the threat and notify Genian |product_name| via the API linkage.
#. The test node should have the THREAT Tag assigned once the alert is received from XSOAR.
#. The node will then be Layer 2 quarantined in real time by Genian |product_name|, and will be prevented from accessing any resources that are prohibited by the configured Enforcement Policy.
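The following Python script is an added example that walks through steps 2 to 5 of the Process section above, including the two failure points the note calls out (node not found in the node database, tag application failing). It is not the Genians.py integration shipped with XSOAR and it does not use the documented Genian |product_name| REST API: the endpoint paths, the ``X-Api-Key`` header, the ``/api`` base path and the JSON reply shapes are assumptions chosen for illustration. The node database and the sample IPs are constructed in memory so the flow runs offline; ``http_transport`` shows how the same client would talk to a real Policy Server over HTTPS TCP/443, with ``trust_any_cert`` mirroring the "Trust any Certificate" instance setting.

```python
"""Simulation of the XSOAR -> Genian NAC tagging flow (added example, not Genians' code).

Endpoint paths, the API-key header and the JSON shapes below are assumptions;
the node database is constructed in memory so the example runs offline.
"""
import json
import ssl
import urllib.request
from dataclasses import dataclass
from typing import Callable, Optional

# A transport takes (method, path, json_body) and returns the decoded JSON reply.
Transport = Callable[[str, str, Optional[dict]], dict]


@dataclass
class TagResult:
    ok: bool
    message: str
    node_id: Optional[str] = None


class GenianTagger:
    """Looks up a node by IP and applies the configured tag, reporting which step failed."""

    def __init__(self, tag_name: str, transport: Transport) -> None:
        self.tag_name = tag_name
        self.transport = transport

    def find_node_id(self, ip: str) -> Optional[str]:
        # Steps 3-4: is the node in the node database, and if so what is its node ID?
        reply = self.transport("GET", f"/nodes?ip={ip}", None)  # path is an assumption
        nodes = reply.get("nodes", [])
        return nodes[0]["id"] if nodes else None

    def apply_tag(self, node_id: str) -> bool:
        # Step 5: attach the tag to the node (path and body are assumptions).
        reply = self.transport("POST", f"/nodes/{node_id}/tags", {"tag": self.tag_name})
        return reply.get("result") == "ok"

    def tag_suspicious_node(self, ip: str) -> TagResult:
        # Step 2 delivers the IP; the two error messages correspond to the note above.
        node_id = self.find_node_id(ip)
        if node_id is None:
            return TagResult(False, f"Error: node {ip} not found in the node database")
        if not self.apply_tag(node_id):
            return TagResult(False, f"Error: failed to apply tag '{self.tag_name}' to node {ip}", node_id)
        return TagResult(True, f"Tag '{self.tag_name}' applied to node {ip} (node ID {node_id})", node_id)


def http_transport(server_ip: str, api_key: str, trust_any_cert: bool = False) -> Transport:
    """HTTPS transport to the Policy Server; header name and base path are assumptions.

    trust_any_cert mirrors the "Trust any Certificate" checkbox: it disables
    certificate verification, so prefer a trusted certificate in production.
    """
    ctx = ssl.create_default_context()
    if trust_any_cert:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    def send(method: str, path: str, body: Optional[dict]) -> dict:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(
            f"https://{server_ip}/api{path}", data=data, method=method,
            headers={"X-Api-Key": api_key, "Content-Type": "application/json"})
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return json.load(resp)
    return send


def fake_transport(node_db: dict, tag_failures: set) -> Transport:
    """Offline stand-in: node_db maps IP -> node ID; tag_failures are node IDs whose tagging fails."""
    def send(method: str, path: str, body: Optional[dict]) -> dict:
        if method == "GET" and path.startswith("/nodes?ip="):
            ip = path.split("=", 1)[1]
            return {"nodes": [{"id": node_db[ip], "ip": ip}]} if ip in node_db else {"nodes": []}
        if method == "POST" and path.endswith("/tags"):
            node_id = path.split("/")[2]
            return {"result": "error" if node_id in tag_failures else "ok"}
        return {}
    return send


# Constructed sample node database (IPs are made up) and a tagger on the offline transport.
SAMPLE_DB = {"192.166.1.77": "node-0001", "192.166.1.78": "node-0002"}
TAGGER = GenianTagger("THREAT", fake_transport(SAMPLE_DB, tag_failures={"node-0002"}))

if __name__ == "__main__":
    for ip in ("192.166.1.77", "192.166.1.99", "192.166.1.78"):
        print(TAGGER.tag_suspicious_node(ip).message)
```

Running the script prints one line per sample IP: a success confirmation for the first node, a "not found" error for the unknown IP (step 3 failing), and a "failed to apply tag" error for the second node (step 5 failing). Swapping ``fake_transport`` for ``http_transport(server_ip, api_key)`` keeps the same flow against a real server once the assumed endpoints are replaced with the documented ones.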