Polarity's Cortex XSOAR integration searches Cortex XSOAR Incidents, Indicators, and Evidence. It also supports creating incidents from entities, and allows a user to execute pre-defined playbooks from the Polarity Overlay Window. Additionally, user's can submit data from other Polarity integrations as evidence for an Incident. Finally, the integration supports creating indicators from the Overlay Window.
In order to prevent too many false positives, the integration supports exact match searching of indicators against Incidents, Indicators, and Evidence.
As an example, if you run a search on the domain "mail.com", the integration will return Indicator results for the Domain "mail.com" but will not return Email results for "user@mail.com".
When searching Evidence, the Cortex XSOAR REST API supports searching the Evidence "description" field. When searching Incidents, matches are made against the Incident Name as well as Incident Labels.
 |
 |
 |
|---|---|---|
| View Indicator | View Incident | Run Playbooks and Playbook History |
 |
 |
 |
|---|---|---|
| Create Indicator | Create Incident | Add Evidence to incident |
To learn more about Cortex XSOAR, visit the official website.
The base URL for the Cortex XSOAR instance which should include the schema (i.e., https://). For v6 and v8 servers you should provide the URL to your Cortex web application.
The API URL for the Cortex XSOAR v8 API which should include the schema (i.e., https://). This value is only required if you are authenticating to Cortex XSOAR v8. The API URL format will be https://api-{fqdn} and can be copied directly from the v8 API Keys settings page.
A valid Cortex XSOAR API Key which can be found in your Cortex XSOAR Dashboard Settings
If you are running a multi-tenant deployment, the API key must be generated specifically for the tenant you wish to search.
A valid Cortex XSOAR v8 API Key ID which can be found in your Cortex XSOAR API Keys Table. This value is only required if you are authenticating to Cortex XSOAR v8.
If checked, the Cortex XSOAR v8 server you are connecting to includes a license for Threat Intelligence Management (TIM). If not checked, links to indicator details will not be provided within Polarity as the Indicator full view page in Cortex requires a TIM license. Cortex XSOAR v6 users should leave this option enabled.
If checked, users will be able to create Indicators when searching On Demand if there are none currently existing for your searched entity. This setting must be visible to all users.
If checked, users will be able to create incidents when searching On Demand if there are none currently existing for your searched entity.
If checked, users will be able to submit data from selected Polarity integrations as Incident evidence. This setting must be visible to all users.
When creating an Incident the Incident's Name is set to the entity's Value and a "Polarity" label is included. You can optionally run a Playbook upon incident creation.
If you see the following error it typically means the API key is invalid:
{
"id":"forbidden",
"status":403,
"title":"Forbidden",
"detail":"Issue with CSRF code",
"error":"http: named cookie not present",
"encrypted":false,
"multires":null
}Also ensure the API key is generated for the tenet you wish to search if you have a multi-tenet deployment.
Installation instructions for integrations are provided on the PolarityIO GitHub Page.
Polarity is a memory-augmentation platform that improves and accelerates analyst decision making. For more information about the Polarity platform please see: