Cortex XSOAR

The IONIX content pack lets you receive all your IONIX Action Items and their supporting information in Cortex XSOAR, so that you can create and view dashboards, create custom alerts, streamline remediation and improve investigations. The integration between IONIX and Cortex XSOAR uses the IONIX REST API.

Cortex XSOAR Integration Guide

IONIX can export incidents and relevant information directly to Cortex XSOAR. Cortex XSOAR makes calls to the IONIX API endpoints to retrieve the information, so you will need to enter the IONIX server URL and a valid IONIX API key in Cortex XSOAR.

The server URL is https://<your portal’s name at IONIX>.ionix.com, e.g., https://hportal.ionix.com

Generating a new API key:

1. Log into the IONIX portal

2. Click the API Settings button

3. Provide a name for the token, specify whether the token is read-write or read-only (read-only is sufficient for this integration), and set an expiry date.

4. Click “Create Token”

5. Copy the generated token to a secure file. You’ll need it later.

Configuring your Cortex XSOAR:

1. Head to the XSOAR Marketplace:

Screenshot: XSOAR home dashboard (zero incidents and tasks, mean time to resolution 00:00:00) with the navigation menu: Home, Reports, Incidents, Indicators, Playbooks, Automations, Jobs, Marketplace and Settings.

2. Find and install IONIX:

Screenshot: XSOAR Marketplace search results for "Cyberpion", a free content pack offering discovery and vulnerability assessment.

3. Go to Settings:

4. Search for IONIX and click on “Add Instance”:

Screenshot: the Vulnerability Management section of the Integrations settings page, listing the Cyberpion integration for retrieving security action items and supporting information.

5. Fill in the server URL and API key provided by the IONIX portal (located under Settings -> Integration settings):

Screenshot: the Cyberpion integration instance settings page, showing the API key, server URL and incident type fields.

6. Form field names, explanations and tips:

Field: Explanation

Fetches incidents: Must be checked. This determines whether IONIX’s action items are retrieved from the server, so make sure “Fetches incidents” is enabled.

Do not fetch: Should be false.

Classifier: Should be (by default) IONIX – Classifier.

Incident type (if classifier doesn’t exist): Should be (by default) N/A.

Mapper (incoming): Should be (by default) IONIX – Mapper.

Server URL: Paste the IONIX URL as described above.

API Key: Paste the IONIX API key as described above.

Maximum number of incidents per fetch: Determines how many action items are fetched every minute. The default is 200 and we recommend leaving it as such.

Action items category to fetch as incidents: The action item categories to fetch. Options are DNS, PKI, Cloud and Vulnerabilities. The default includes all action item types.

Show only active issues: We recommend that this checkbox be checked. If it is not enabled, closed issues (resolved action items) are fetched in addition to the active ones.

Trust any certificate: N/A

Use system proxy settings: N/A

Do not use by default: N/A

7. After clicking “Save”, action items start to appear in the Incidents section:

Screenshot: the XSOAR Incidents page with the search bar reporting that no matching incidents were found yet; the left sidebar shows Incidents, Playbooks and the other menu options.

8. Cortex XSOAR pulls action items at a rate of 200 per minute until all action items have been imported.

9. Click on “Investigate” to see the Action Item details:

Screenshot: the Incidents table listing Cyberpion Security Alerts, each with an ID, domain name, description of the issue, severity level and status; one alert is highlighted with its “Investigate” button.

10. Action Items will include the following information:

  • IONIX title
  • IONIX category
  • IONIX domain (i.e., the affected asset)
  • IONIX incident description
  • Technical data
  • IONIX Solution

11. Playbook

The playbook included in this content pack lets you request additional information about the reported Action Items, to help with context, investigation and effective remediation.

The default playbook is intentionally basic: it lets the user build customized playbooks and/or connect the offered playbook template to a more general playbook.

Users can view the playbook within an incident by clicking the “Work Plan” tab and following the steps presented:

Screenshot: the Work Plan view of a PKI certificate expiration incident, showing the playbook steps: check the Cyberpion domain state, wait for manual review, and close the investigation.