Cortex XSOAR

The IONIX content pack allows you to seamlessly receive all your IONIX Action Items and supportive information into Cortex XSOAR, and thus create and view dashboards, create custom alerts, streamline remediation and improve investigations. Integration between IONIX and Cortex XSOAR makes use of REST API.

Cortex XSOAR Integration Guide

IONIX can export incidents and relevant information directly to Cortex XSOAR. The integration involves having the Cortex XSOAR make calls to IONIX API endpoints in order to retrieve the information. Thus, you will need to enter the IONIX Server URL as well as a valid IONIX API key to Cortex.

The server URL is https://<your portal’s name at IONIX >, e.g.,

Generating a new API key:

1. Log into the IONIX portal

2. Click the API Settings button

3. Provide a name for the token, specify if the token is read-write or read-only (only the latter is necessary), and set an expiry date.

4. Click “Create Token”

5. Copy the generated token to a secure file. You’ll need it later.

Configuring your Cortex XSOAR:

1. Head to the XSOAR Marketplace:

2. Find and install IONIX:

3. Go to Settings:

4. Search for IONIX and click on “Add Instance”:

5. Fill in the server URL and API key that were provided by the IONIX portal (located within setting -> Integration settings):

6. Form field names, explanations and tips:

Field Explanation 
Fetches incidentsShould be checked (this determines whether to get IONIX’s action items from the server)
Make sure “Fetches incidents” is enabled
Do not fetchShould be false
ClassifierShould be (by default) IONIX – Classifier
Incident type (if classifier doesn’t exist)Should be (by default) N/A
Mapper (incoming)Should be (by default) IONIX – Mapper
Server URLPaste here the IONIX URL as described above
API KeyPaste here the IONIX API key as described above
Maximum number of incidents per fetchDetermines how many action items are fetched every minute The default is set for 200 and we recommend leaving it as such
Action items category to fetch as incidentsAction items categories to fetch
Options are DNS, PKI, Cloud and Vulnerabilities
Default is set to include all Action Item types
Show only active issuesWe recommend that this checkbox be markedIf not enabled, closed issues (resolved action items) will be fetched in addition to the active ones
Trust any certificateN/A
Use system proxy settingsN/A
Do not use by defaultN/A

7. After clicking “save”, Action items will start to appear at the ‘incidents’ section:

8. Cortex XSOAR pulls Action Items at a rate of 200 every minute until all Action Items are uploaded

9. Click on “Investigate” to see the Action Item details:

10. Action Items will include the following information:

  • IONIX title
  • IONIX category
  • IONIX domain (AKA asset)
  • IONIX incident description
  • Technical data
  • IONIX Solution

11. Playbook

The playbook added within this content package will allow you to request additional information relating to the Action Items that were reported, in order to help with context, investigation, and effective remediation.

The default playbooks intention is basic, it allows the user to create customized playbooks and/or connect the offered playbook template to a more general playbook.

Users can view the playbook within an incident by clicking the “Work Plan” tab and following the steps presented: