This article leads you through the process of integrating Cortex with Red Canary. Follow the procedure from beginning to end.
Requirements
- Cortex Tenant licensed with:
  - Pro Per Endpoint (PAN-XDR-ADV-EP)
  - Event Forwarding EP (PAN-XDR-EP-FRWRD)
- Cortex Version 3.3 or later
Step 1: Cortex–Create a new Cortex profile
Create a Cortex configuration profile to begin collecting endpoint data in the Cortex Data Lake.
- Login to the Cortex tenant that you want to connect to Red Canary.
- From your address bar, copy the URL, and then save it as your Cortex Tenant URL. You’ll use this in a later step.
- From your Cortex Homepage, click Endpoints, and then click Policy Management.
- From the Prevention dropdown, click Profiles.
- Scroll down, and then find the default Agent Settings profile.
- Right-click the default Agent Settings profile.
- Click Save As New.
- Enter a name for your Cortex Profile.
- Scroll down to the XDR Pro Endpoints section, and then uncheck Use Default.
- From the XDR Pro Endpoints Capabilities, select Enabled.
- Click Create.
- Apply this security profile to your endpoints (see the Cortex documentation on applying profiles). For more information on the endpoint data collected by Cortex XDR, see the Cortex XDR documentation.
Step 2: Cortex–Create API Key for your Service Account
Create a service account API key to allow Red Canary to pull Indicator of Compromise (IOC) and Behavioral Indicator of Compromise (BIOC) alert data, monitor endpoint health, and respond to threats with Cortex XSOAR capabilities.
- From your Cortex Homepage, click Settings, and then click Configurations.
- From the Integrations dropdown, click API Keys.
- Click Copy URL, and then save your Cortex API URL. You’ll use this in a later step.
- Click +New Key.
- From the Security Level section, select Advanced.
- From the Role dropdown, select Instance Administrator.
- Click Save.
- Click Copy, and then save the API Key for your Service Account. You’ll use this in a later step.
- From the list of API keys, search for the key you just created and copy the key ID number. Save the Cortex API Key ID. You’ll use this in a later step.
Step 3: Cortex–Download your Service Account JSON Web Token
Download a consolidated package of credentials and tokens that Red Canary uses to authenticate to, and ingest telemetry data from, the Cortex Data Lake hosted in Google Cloud Platform (GCP).
- From your Cortex Homepage, click Settings, and then click Configurations.
- From the Data Management dropdown, click Event Forwarding.
- From the Activation section, click Enable Endpoints Event Forwarding.
- From the Destination section, click Copy, and then save your Cortex GCP Path. You’ll use this in a later step.
- From the Destination section, click Generate and download. You’ll use this file in a later step.
Step 4: Red Canary–Input your Cortex information
Enter your Cortex information into Red Canary to start sending Cortex telemetry to Red Canary.
- From your Red Canary homepage, click Integrations.
- From the Integrations section, locate and then click the security product you want to integrate with Red Canary.
Note: If you do not see your security product listed, click See all integrations.
- In the search bar, type and then select your third-party security source.
- Continue onto the next step by configuring your third-party security source in Red Canary.
Note: Your third-party security source may require that you contact Red Canary to configure.
- Enter a Description.
- Enter your Cortex Tenant URL from Step 1.2.
- Enter your Cortex API URL from Step 2.3.
- Enter your Cortex API Key - Service Account from Step 2.8.
- Enter your Cortex API Key ID from Step 2.9.
- Enter your Cortex GCP Path from Step 3.4.
- Click Choose File, and then upload your Cortex Service Account JSON Web Token from Step 3.5.
- Click Test.
- If you followed the steps correctly, a success message will display. If there's an error, follow the help text in the message and make your corrections.
- Click Save.
Step 5: Cortex Support Portal–Create a Red Canary integration user
You will need the Red Canary integration user email address, which your Red Canary contact provides to you by email.
Note: Red Canary will receive a time-sensitive email to validate this user. Complete this step during normal business hours.
- Login to your Cortex Customer Support Portal.
- Locate the email from your Red Canary contact containing the integration user email. You’ll use this in a later step.
- From your Cortex Customer Support Portal homepage, verify you are in the account you have integrated with Red Canary via the Account Selector.
- Click Members.
- Click Create New User.
- From the Display Name field, enter RCsupportviewer.
- Generate a temporary password.
- Enter the First Name and Last Name fields as follows:
  - First Name: Red Canary
  - Last Name: Viewer
- Enter the Red Canary integration user email address that you received in Step 5.2.
- The Contact Information field can be left blank.
- Uncheck all of the boxes under the Receive Notifications section.
- Click Submit.
Note: Complete Step 6 immediately following this step.
Step 6: Cortex Gateway–Create a Red Canary Security Operations role
A custom role must be created in Cortex to enable Red Canary’s customer security operations team to support your security needs.
- Navigate to your Cortex Gateway from the Customer Support Portal.
- Click Resources.
- Click XDR Gateway.
- Click Permission Management, and then click Roles.
- Click New Role.
- In the ROLE NAME field, enter Red Canary Security Operations.
- Select the permissions shown in the following images:
- Click Save.
Step 7: Cortex Gateway–Update the Red Canary integration user permissions
The Red Canary integration user created in Step 5 will automatically populate within your Cortex Gateway; however, it is not given a role by default. You'll need to update the user’s role to the custom Red Canary Security Operations role you created in Step 6.
- Navigate to your Cortex Gateway from the Customer Support Portal.
- Click Resources.
- Click XDR Gateway.
- Click Permission Management.
- Click Permissions.
- Search for the new Red Canary user and then click the pencil to edit.
- From the Role section, select the role that was created in Step 6.
- Click Save.
- Click Yes on the validation window.
Step 8: Cortex Support Portal–Create a Red Canary Active Remediation user
Note: This step is only applicable for users who have purchased Active Remediation.
To create a Red Canary Active Remediation user in Cortex, you’ll need the Red Canary Active Remediation user email address, which your Red Canary contact provides to you by email. Red Canary will receive a time-sensitive email to validate this user.
- Login to your Cortex Customer Support Portal.
- Locate the email from your Red Canary contact containing the Active Remediation user email. You’ll use this in a later step.
- From your Cortex Customer Support Portal homepage, verify you are in the account you have integrated with Red Canary via the Account Selector.
- Click Members.
- Click Create New User.
- From the Display Name field, enter RCCTXARAccess. (Note: the display name can't be more than 15 characters long.)
- Generate a temporary password.
- Enter the First Name and Last Name fields as follows:
- First Name: Red Canary
- Last Name: Active Remediation
- Enter the Red Canary integration user email address that you received (see Step 5.2 above).
- The Contact Information field can be left blank.
- Deselect all of the boxes under the Receive Notifications section.
- Click Submit.
Note: Complete Step 9 immediately following this step.
Step 9: Cortex Gateway–Update the Red Canary Active Remediation user permissions
Note: This step is only applicable for users who have purchased Active Remediation.
The Red Canary Active Remediation user created in Step 8 will automatically populate within your Cortex Gateway; however, it is not given a role by default. You'll need to update the user’s role to Privileged Responder.
- Navigate to your Cortex Gateway from the Customer Support Portal.
- Click Resources.
- Click XDR Gateway.
- Click Permission Management.
- Click Permissions.
- Search for the new Red Canary user and then click the pencil to edit.
- From the Role section, select Privileged Responder.
- Click Save.
- Click Yes.