DataBee XSOAR Integration
  • 04 Sep 2024

The Palo Alto Cortex XSOAR content pack for DataBee enables organizations to operationalize the insights from DataBee. The XSOAR content pack enables two critical use cases for security operations teams:

  1. Create Incidents: Create incidents in XSOAR for investigation and remediation from the findings generated by DataBee. These findings include results from both Sigma detections and Detection Chains.

  2. Enrich Incident: Add the DataBee commands to existing incident playbooks or use them on demand to add business context to your investigation. Add what DataBee knows about users and devices to reduce pivoting between tools to complete an investigation.

The Palo Alto Cortex XSOAR content pack enriches your security incidents by performing cross-correlation with entity data within DataBee, enhancing the accuracy of security investigations by providing additional business context. The XSOAR content pack also amplifies the efficiency of DataBee security detections by allowing you to set up playbooks to open incidents and begin remediating these events.

Obtaining DataBee’s XSOAR Content Pack

You can obtain the DataBee XSOAR content pack from the Cortex XSOAR Marketplace or by contacting DataBee Support.

Configuring DataBee on Cortex XSOAR

  1. Once installed, log in to the XSOAR platform.

  2. Navigate to Settings > Integrations > Servers & Services.

  3. Search for DataBee.

  4. Click Add instance to create and configure a new integration instance.

  5. Fill in the data in the following fields:

    1. Name: provide a suitable name for your DataBee instance.

    2. Fetches incidents / Do not fetch: select whether this instance should pull detection findings from DataBee and create incidents from them.

    3. Classifier, incident type, and mapper: review these as desired.

    4. Authentication

      Base URL: enter the DataBee base URL.

      To authenticate, use either the DataBee username and password or a valid DataBee API token. See the quick guide under Help, on the right side of the page, for detailed steps for each authentication method.

    5. You can select Trust any certificate (not secure) or choose System proxy settings. Trust any certificate disables TLS certificate validation for the connection to DataBee and should be left unchecked outside of testing.

    6. Additional findings context outputs: choose the additional context data you wish to retrieve from the API. Note that requesting extensive data may impact your Cortex server's performance.

    7. Maximum incidents per fetch: enter the maximum number of incidents to be pulled per fetch.

    8. First fetch timestamp: a timestamp in ISO format or <number> <time unit>, e.g., 2022-01-01T00:00:00.000Z, 12 hours, 7 days, 3 months, now.

    9. Severity filter: filter findings based on their severity level, e.g., High.

    10. Impact filter: filter findings based on their impact level, e.g., High.

    11. Incident fetch interval: enter the duration in hours and minutes between pulling DataBee detection findings and creating incidents in Cortex XSOAR.

    12. Log level: set the log level configuration for the instance.

    13. Reset the last run timestamp: an option to clear the fetch cursor so the next fetch starts again from the first fetch timestamp.

  6. Click on the Test button to validate the URL, token, and connection.
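As an added illustration, not DataBee's or the content pack's own code, the following Python models how the fetch settings above interact: the accepted first fetch timestamp formats, the severity and impact filters, the per-fetch cap, and the last run timestamp that advances after each fetch. The finding records and their field names (id, title, severity, impact, time) are constructed assumptions, as is treating a month as 30 days.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample findings standing in for a DataBee API response (field names assumed).
SAMPLE_FINDINGS = [
    {"id": "f-1", "title": "Sigma rule match", "severity": "High", "impact": "Medium", "time": "2024-09-01T10:00:00Z"},
    {"id": "f-2", "title": "Detection chain", "severity": "High", "impact": "High", "time": "2024-09-01T11:00:00Z"},
    {"id": "f-3", "title": "Low-signal alert", "severity": "Low", "impact": "High", "time": "2024-09-01T12:00:00Z"},
    {"id": "f-4", "title": "Detection chain", "severity": "High", "impact": "High", "time": "2024-09-01T13:00:00Z"},
]

def parse_first_fetch(value, now=None):
    """Parse the 'First fetch timestamp' field: ISO 8601, '<number> <time unit>', or 'now'."""
    now = now or datetime.now(timezone.utc)
    value = value.strip()
    if value.lower() == "now":
        return now
    m = re.fullmatch(r"(\d+)\s+(minute|hour|day|week|month)s?", value, re.IGNORECASE)
    if m:
        n, unit = int(m.group(1)), m.group(2).lower()
        if unit == "month":          # assumption: a month is approximated as 30 days
            n, unit = n * 30, "day"
        return now - timedelta(**{unit + "s": n})
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def fetch_incidents(findings, last_run, max_fetch, severity=None, impact=None):
    """Findings newer than last_run -> XSOAR-style incidents, filtered and capped; returns (incidents, new_last_run)."""
    candidates = []
    for f in findings:
        occurred = datetime.fromisoformat(f["time"].replace("Z", "+00:00"))
        if occurred <= last_run:      # already handed to XSOAR in an earlier fetch
            continue
        if severity and f["severity"] != severity:
            continue
        if impact and f["impact"] != impact:
            continue
        candidates.append((occurred, f))
    candidates.sort(key=lambda c: c[0])  # oldest first so the cursor never skips findings
    batch = candidates[:max_fetch]
    incidents = [{"name": f"{f['title']} ({f['id']})", "occurred": f["time"],
                  "type": "DataBee Finding", "rawJSON": json.dumps(f)} for _, f in batch]
    new_last_run = batch[-1][0] if batch else last_run   # the 'last run' timestamp
    return incidents, new_last_run

if __name__ == "__main__":
    start = parse_first_fetch("7 days", now=datetime(2024, 9, 4, tzinfo=timezone.utc))
    incs, cursor = fetch_incidents(SAMPLE_FINDINGS, start, max_fetch=1, severity="High", impact="High")
    print(incs[0]["name"], "-> next fetch starts after", cursor.isoformat())
```

Resetting the last run timestamp corresponds to discarding the returned cursor and calling fetch_incidents again with the parsed first fetch timestamp.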

Executing Commands to Enrich Incidents

You can execute commands from the Cortex XSOAR CLI as part of an automated task or a playbook. As you type, the commands, filters, and arguments along with their descriptions are displayed, helping you craft the perfect query. After you successfully execute a command, a DBot message appears in the War Room with the command details and output.

Base Command            Description                                     Command Example
databee-device-search   Search for devices based on filters.            !databee-device-search hostname=a limit=1
databee-user-search     Search for users based on filters.              !databee-user-search full_name=a limit=1
databee-finding-search  Search for security findings based on filters.  !databee-finding-search impact=High limit=1

Review DataBee Incidents in XSOAR

To view all fetched incidents, click on Incidents from the left sidebar. Incidents generated by DataBee will have the “Type” field set to “DataBee Finding”.

Select an incident by clicking on its ID to see detailed information. The Incident Info tab provides the case details, timeline, indicators, and more. The DataBee tab offers insights into DataBee Findings, analytic evidence, and related information.

To access playbooks, click on Playbooks from the left sidebar. Use the search function to find available playbooks. You can input test values to simulate scenarios, and the system will display the output results of all findings based on the provided input.
