This article leads you through the process of integrating Cortex with Red Canary. Follow the procedure from beginning to end.
Requirements
- Cortex tenant licensed with:
  - Pro Per Endpoint (PAN-XDR-ADV-EP)
  - Event Forwarding EP (PAN-XDR-EP-FRWRD)
- Cortex version 3.3 or later
Step 1: Cortex–Create a new Cortex profile
Create a Cortex configuration profile to begin collecting endpoint data in the Cortex Data Lake.
1. Log in to the Cortex tenant that you want to connect to Red Canary.
2. From your address bar, copy the URL and save it as your Cortex Tenant URL. You'll use this in a later step.
3. From your Cortex homepage, click Endpoints, and then click Policy Management.
4. From the Prevention dropdown, click Profiles.
5. Scroll down and find the default Agent Settings profile.
6. Right-click the default Agent Settings profile.
7. Click Save As New.
8. Enter a name for your Cortex profile.
9. Scroll down to the XDR Pro Endpoints section, and then uncheck Use Default.
10. From the XDR Pro Endpoints Capabilities, select Enabled.
11. Click Create.
12. To apply this profile, assign it to the policy that targets your endpoints in Policy Management. Details of how to apply profiles, and of the endpoint data Cortex XDR collects, are in the Cortex XDR documentation.
Step 2: Cortex–Create API Key for your Service Account
Create a service account API key to allow Red Canary to pull Indicator of Compromise (IOC) and Behavioral Indicator of Compromise (BIOC) alert data, monitor endpoint health, and respond to threats with Cortex XSOAR capabilities. The Instance Administrator role grants full administrative rights on the tenant, so treat this key as a privileged secret: store it only in the Red Canary integration, never in tickets or chat, and rotate it if it is ever exposed.
1. From your Cortex homepage, click Settings, and then click Configurations.
2. From the Integrations dropdown, click API Keys.
3. Click Copy URL and save it as your Cortex API URL. You'll use this in a later step.
4. Click +New Key.
5. From the Security Level section, select Advanced.
6. From the Role dropdown, select Instance Administrator.
7. Click Save.
8. Click Copy and save the API Key for your service account. You'll use this in a later step.
9. From the list of API keys, find the key you just created and copy its ID number. Save this as your Cortex API Key ID. You'll use this in a later step.
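An Advanced security-level key is not sent to the API as a bearer token: each request carries a 64-character random nonce, a millisecond timestamp, the key ID, and an Authorization header equal to SHA-256(API key + nonce + timestamp) as hex. Red Canary performs that signing for you, but it is worth confirming the key, key ID and API URL you just saved actually work together before pasting them into Step 4. The script below is an added example, not Red Canary or Palo Alto Networks code. It assumes the Advanced-key signing scheme described in the Cortex XDR public API documentation and the Get All Endpoints endpoint path (/public_api/v1/endpoints/get_endpoints/); the five-minute replay window in `verify_advanced_headers` is an illustrative assumption that mirrors the server-side check, not a published Cortex value. The environment variable names under `__main__` are also this example's own.

```python
"""Sign and check Cortex XDR 'Advanced' API key requests (added example, not vendor code)."""
import hashlib
import hmac
import json
import os
import secrets
import string
import sys
import time
import urllib.request

NONCE_ALPHABET = string.ascii_letters + string.digits
# Assumed replay window for the server-side check below; illustrative, not a Cortex constant.
REPLAY_WINDOW_MS = 5 * 60 * 1000


def build_advanced_headers(api_key_id, api_key, nonce=None, timestamp_ms=None):
    """Build the four headers an Advanced-level Cortex XDR API call carries.

    nonce and timestamp_ms can be supplied for deterministic testing; in
    production leave them None so every request gets a fresh nonce and time.
    """
    nonce = nonce or "".join(secrets.choice(NONCE_ALPHABET) for _ in range(64))
    timestamp_ms = timestamp_ms if timestamp_ms is not None else int(time.time() * 1000)
    # Documented scheme: SHA-256 over the concatenation of key, nonce and timestamp.
    auth_key = f"{api_key}{nonce}{timestamp_ms}".encode("utf-8")
    return {
        "x-xdr-timestamp": str(timestamp_ms),
        "x-xdr-nonce": nonce,
        "x-xdr-auth-id": str(api_key_id),
        "Authorization": hashlib.sha256(auth_key).hexdigest(),
    }


def verify_advanced_headers(api_key, headers, now_ms=None):
    """Re-derive the digest the way a server would and reject tampering or stale timestamps.

    This models the check, not the real API (which additionally tracks nonce reuse).
    """
    try:
        ts = int(headers["x-xdr-timestamp"])
        nonce = headers["x-xdr-nonce"]
        provided = headers["Authorization"]
    except (KeyError, ValueError):
        return False
    now_ms = now_ms if now_ms is not None else int(time.time() * 1000)
    if abs(now_ms - ts) > REPLAY_WINDOW_MS:
        return False  # too old (or too far in the future) to be a live request
    expected = hashlib.sha256(f"{api_key}{nonce}{ts}".encode("utf-8")).hexdigest()
    # Constant-time compare so the verifier itself does not leak the digest.
    return hmac.compare_digest(expected, provided)


def probe_tenant(api_url, api_key_id, api_key, timeout=15):
    """POST an empty Get All Endpoints request; returns (HTTP status, decoded JSON body).

    A 401 here means the key, key ID or security level do not match what the tenant expects.
    """
    url = api_url.rstrip("/") + "/public_api/v1/endpoints/get_endpoints/"
    headers = build_advanced_headers(api_key_id, api_key)
    headers["Content-Type"] = "application/json"
    req = urllib.request.Request(url, data=b"{}", headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Assumed variable names for this example; export them from a secrets manager, not a shell history.
    try:
        api_url = os.environ["CORTEX_API_URL"]
        key_id = os.environ["CORTEX_API_KEY_ID"]
        key = os.environ["CORTEX_API_KEY"]
    except KeyError as missing:
        sys.exit(f"set {missing} before running")
    status, body = probe_tenant(api_url, key_id, key)
    count = body.get("reply", {}).get("total_count", "?") if isinstance(body, dict) else "?"
    print(f"HTTP {status}; tenant reports {count} endpoints")
```

If the probe returns HTTP 401, re-check that you copied the key ID from the same row as the key and that the key was created with the Advanced security level; a Standard-level key is sent as a plain Authorization header and will not validate under this scheme.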
Step 3: Cortex–Download your Service Account JSON Web Token
Download a consolidated package of credentials and tokens which Red Canary uses to authenticate and ingest telemetry data from the Cortex Data Lake hosted in Google Cloud Platform (GCP).
1. From your Cortex homepage, click Settings, and then click Configurations.
2. From the Data Management dropdown, click Event Forwarding.
3. From the Activation section, click Enable Endpoints Event Forwarding.
4. From the Destination section, click Copy and save the value as your Cortex GCP Path. You'll use this in a later step.
5. From the Destination section, click Generate and download. You'll use this file in a later step.
Step 4: Red Canary–Input your Cortex information
Enter your Cortex information into Red Canary to start sending Cortex telemetry to Red Canary.
1. From the Red Canary homepage, click the Integrations dropdown.
2. Click EDR Products.
3. In the search bar, type and then select Cortex Endpoint Detection & Response (EDR).
4. Click Cortex.
5. Enter a Description.
6. Enter your Cortex Tenant URL from Step 1.2.
7. Enter your Cortex API URL from Step 2.3.
8. Enter your Cortex API Key - Service Account from Step 2.8.
9. Enter your Cortex API Key ID from Step 2.9.
10. Enter your Cortex GCP Path from Step 3.4.
11. Click Choose File, and then upload your Cortex Service Account JSON Web Token from Step 3.5.
12. Click Test.
13. If you followed the steps correctly, a success message will display. If there's an error, follow the help text in the message and correct the affected field.
14. Click Save.