Skip to main content
Red Canary help

Integrate Cortex XDR with Red Canary

  • Updated .

This article leads you through the process of integrating Cortex with Red Canary. Follow the procedure from beginning to end. 

Requirements

  • Cortex Tenant licensed with
    • Pro Per Endpoint (PAN-XDR-ADV-EP)
    • Event Forwarding EP (PAN-XDR-EP-FRWRD)
  • Cortex Version 3.3 or later 

Step 1: Cortex–Create a new Cortex profile

Create a Cortex configuration profile to begin collecting endpoint data in the Cortex Data Lake.

  1. Login to the Cortex tenant that you want to connect to Red Canary.
  2. From your address bar, copy the URL, and then save your Cortex Tenant Url. You’ll use this in a later step.
  3. From your Cortex Homepage, click Endpoints, and then click Policy Management.
    1.png
  4. From the Prevention dropdown, click Profiles.
    2.png
  5. Scroll down, and then find the default Agent Setting profile.
  6. Right-click the default Agent Settings profile.   
  7. Click Save As New.
    3.png
  8. Enter a name for your Cortex Profile.
  9. Scroll down to the XDR Pro Endpoints section, and then uncheck Use Default.
  10. From the XDR Pro Endpoints Capabilities, select Enabled.
    4.png
  11. Click Create.
  12. To apply this security profile to Endpoints, follow these steps. For more information on Endpoint Data Collected by Cortex XDR, click here.

Step 2: Cortex–Create API Key for your Service Account

Create a service account API key to allow Red Canary to pull Indicator of Compromise (IOC) and Behavioral Indicator of Compromise (BIOC) alert data, monitor endpoint health, and respond to threats with Cortex XSOAR capabilities.

  1. From your Cortex Homepage, click Settings, and then click Configurations.
  2. From the Integrations dropdown, click API Keys.
    5.png
  3. Click Copy URL, and then save your Cortex API Url. You’ll use this in a later step.
    6.png
  4. Click +New Key.
    7.png
  5. From the Security Level section, select Advanced.
  6. From the Role dropdown, select Instance Administrator
  7. Click Save.
  8. Click Copy, and then save the API Key for your Service Account. You’ll use this in a later step.
    8.png
  9. From the list of API keys, search for the key you just created and copy the key ID number. Save the Cortex API Key ID. You’ll use this in a later step.
    9.png

Step 3: Cortex–Download your Service Account JSON WEB Token

Download a consolidated package of credentials and tokens which Red Canary uses to authenticate and ingest telemetry data from the Cortex Data Lake hosted in Google Cloud Platform (GCP).

  1. From your Cortex Homepage, click Settings, and then click Configurations.
    10.png
  2. From the Data Management dropdown, click Event Forwarding.
  3. From the Activation section, click Enable Endpoints Event Forwarding
  4. From the Destination section, click Copy, and then save your Cortex GCP Path. You’ll use this in a later step.
  5. From the Destination section, click Generate and download. You’ll use this file in a later step. 

Step 4: Red Canary–Input your Cortex information

Enter your Cortex information into Red Canary to start sending Cortex telemetry to Red Canary.

  1. From your Red Canary homepage, click Integrations.
  2. From the Integrations section, locate and then click the security product you want to integrate with Red Canary.
    Note: If you do not see your security product listed, click See all integrations.
     
  3. In the search bar, type and then select your third-party security source.
  4. Continue onto the next step by configuring your third-party security source in Red Canary.
    Note: Your third-party security source may require that you contact Red Canary to configure.
  5. Enter a Description.
  6. Enter your Cortex Tenant URL from Step 1.2.
  7. Enter your Cortex API URL from Step 2.3.
  8. Enter your Cortex API Key - Service Account from Step 2.8.
  9. Enter your Cortex API Key ID from Step 2.9.
  10. Enter your Cortex GCP Path from Step 3.4.
  11. Click Choose File, and then upload your Cortex Service Account JSON Web Token from Step 3.5.
  12. Click Test.
  13. If you followed the steps correctly a success message will display. If there's an error, you can follow the help text in the message and make your corrections.
    13.png
  14. Click Save.

Step 5: Cortex Support Portal–Provide Red Canary your Account Registration Link

Provide Red Canary with your Account Registration Link so we can request that a new user be added to your account. Once provided, we will use it to request user creation, and you will need to approve.

  1. Login to your Cortex Customer Support Portal.
  2. Click Account Management and then click Account Details.

  3. Copy and then save the Account Registration Link.

  4. Email this link to your Red Canary contact who is supporting your integration experience.
    Note: Red Canary will use this link to request one to two users. If you have purchased Active Remediation, two user requests will be submitted. 

Step 6: Cortex Support Portal–Approve the new user notification(s)

Red Canary needs you to approve the new user notification(s). 

Note: You will receive two separate user approval notifications if you are an Active Remediation user. These users will default to the “Standard User” support portal role, which Red Canary requires.

  1. The Red Canary contact who is supporting your integration experience will notify you that the user request(s) have been submitted for your approval.
  2. Login to your Cortex Customer Support Portal.
  3. Click the Notification bell.
  4. Click Approve for the notification titled “New user RC Viewer has requested access to your account.”
  5. If you have purchased Active Remediation, click Approve for the notification titled “New user RC Active Remediation has requested access to your account.”

Step 7: Cortex Gateway–Create a Red Canary Security Operations role

A custom role must be created in Cortex to enable Red Canary’s customer security operations team to support your security needs.

  1. Navigate to your Cortex Gateway from the Customer Support Portal.
  2. Click Resources.
  3. Click XDR Gateway.

  4. Click Permission Management, and then click Roles.
  5. Click New Role.
  6. In the ROLE NAME field, enter Red Canary Security Operations.
  7. Select the permissions shown in the following images:


  8. Click Save.

Step 8: Cortex Gateway–Update the Red Canary integration user permissions

The Red Canary integration user created in Step 5 will automatically populate within your Cortex Gateway, however it is not given a role by default. You'll need to update the user’s role to the custom Red Canary Security Operations role you created in Step 6.

  1. Navigate to your Cortex Gateway from the Customer Support Portal.
  2. Click Resources.
  3. Click XDR Gateway.

  4. Click Permission Management.

  5. Click Permissions.
  6. Search for the new Red Canary user and then click the pencil to edit.

  7. From the Role section, select the role that was created in Step 6.

  8. Click Save.
  9. Click Yes on the validation window.

Step 9: Cortex Gateway–Update the Red Canary Active Remediation user permissions

Note: This step is only applicable for users who have purchased Active Remediation.

The Red Canary Active Remediation user created in Step 7 will automatically populate within your Cortex Gateway, however it is not given a role by default. You'll need to update the user’s role to Privileged Responder.

  1. Navigate to your Cortex Gateway from the Customer Support Portal.
  2. Click Resources.
  3. Click XDR Gateway.
  4. Click Permission Management.
  5. Click Permissions.
  6. Search for the new Red Canary user and then click the pencil to edit.
  7. From the Role section, select Privileged Responder.
  8. Click Save.
  9. Click Yes.
  10.  

Comments

0 comments

Please sign in to leave a comment.