Coralogix

Overview


Use this integration to pull incidents and supporting information from your Coralogix account and tag interesting points in time from Cortex XSOAR.

Use Cases


  1. Configure your Coralogix account as a full-fledged SIEM solution using any of its available integrations and tools, then streamline security incident handling by using Cortex XSOAR playbooks to automatically pull incidents from Coralogix and handle them with any of the other Cortex XSOAR integrations.
  2. Use supporting data from Coralogix while you prepare the security incident report directly from the War Room in Cortex XSOAR.
  3. Automatically tag, in Coralogix, the timestamps at which a security incident was detected by any of the other Cortex XSOAR integrations.

Configure Coralogix on Cortex XSOAR


  1. Navigate to Marketplace.
  2. Search for Coralogix.
  3. Click on Install on the top right corner and then on Install at the bottom right corner.
  4. Once it is installed, click on Settings > Integrations and then on Add instance on the right-hand side and fill in the following parameters:

| Parameter Name | Description | Required | Default Value |
| --- | --- | --- | --- |
| Fetches incidents | Whether or not to fetch incidents via this integration | No | Do not fetch |
| Coralogix WebAPI Endpoint URL | The Coralogix WebAPI URL | Yes (don't change it unless instructed to do so by Coralogix personnel) | https://webapi.coralogix.com |
| Private Key | Your Coralogix account private key | Yes | N/A |
| Application Name (for tags) | The Coralogix application name that will be assigned to the tags created by this instance | Yes | Cortex XSOAR |
| Subsystem Name (for tags) | The Coralogix subsystem name that will be assigned to the tags created by this instance | Yes | Cortex XSOAR |
| Coralogix ES-API Endpoint URL | The Coralogix ES-API URL | Yes | https://coralogix-esapi.coralogix.com:9443 |
| Basic incidents query | The Lucene query for fetching incidents. If not specified, will return Coralogix alerts that were sent to the Demisto webhook | No | N/A |
| Incidents Application Name | Limits the incidents query to only return incidents of a specific application name | No | N/A |
| Incidents Severity | Limits the incidents query to only return incidents of a specific severity | No | N/A |
| Incidents Name Field | The Coralogix field value that should be used as the incident's name. If not specified, the integration will use the "alert_name" field | No | N/A |
| Incidents first fetch days | The number of days to look back for incidents | No | 3 |
| Maximum number of incidents to fetch at a single call | Maximum number of incidents to retrieve at each call to Coralogix | No | 50 |

Commands


You can execute the following commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. coralogix-search
  2. coralogix-tag

1. coralogix-search


Returns logs from your Coralogix account according to the specified Lucene query.

Base Command

coralogix-search

Input

| Argument Name | Description | Required | Default |
| --- | --- | --- | --- |
| query | The Lucene query to run | Yes | N/A |
| app_name | A Coralogix application name to filter results by | No | empty |
| subsystem_name | A Coralogix subsystem name to filter results by | No | empty |
| severity | A Coralogix severity name to filter results by | No | empty |
| since_timestamp | The timestamp, in the format YYYY-MM-DD (e.g. 1978-03-31T23:59:59), from which you would like to start the search | No | empty |
| to_timestamp | The timestamp, in the format YYYY-MM-DD (e.g. 1978-03-31T23:59:59), that will be the upper boundary of the search timespan | No | 'now' |
| max_items_to_retrieve | Maximum number of log entries to retrieve from Coralogix | No | 50 |

Command Examples

!coralogix-search query="security.rcode_name:\"NXDOMAIN\"" using="Coralogix_instance_1"
!coralogix-search query="security.rcode_name:\"NXDOMAIN\"" max_items_to_retrieve="100" since_timestamp="2020-12-31T23:59:59" using="Coralogix_instance_1"
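As an added example that is not the integration's own code, the following shows how the coralogix-search arguments above map onto a search request: the Lucene query is passed through unchanged, while app_name, subsystem_name, severity and the time window become exact filters. It assumes the Coralogix ES-API accepts the standard Elasticsearch query DSL; the application, subsystem and timestamp field names are taken from the output table below, and the severity field name is an assumption.

```python
from datetime import datetime
from typing import Any, Dict, Optional

# Field names taken from the command output table on this page.
APP_FIELD = "coralogix.metadata.applicationName"
SUBSYSTEM_FIELD = "coralogix.metadata.subsystemName"
TIMESTAMP_FIELD = "coralogix.timestamp"
# Assumed name for the severity field; it does not appear on this page.
SEVERITY_FIELD = "coralogix.metadata.severity"


def _validate_timestamp(value: str, arg: str) -> str:
    """Accept 'now' or an ISO 8601 date/datetime; reject anything else early."""
    if value == "now":
        return value
    try:
        datetime.fromisoformat(value)
    except ValueError as exc:
        raise ValueError(f"{arg}: expected YYYY-MM-DD or YYYY-MM-DDTHH:MM:SS") from exc
    return value


def build_search_body(query: str, app_name: Optional[str] = None,
                      subsystem_name: Optional[str] = None, severity: Optional[str] = None,
                      since_timestamp: Optional[str] = None, to_timestamp: str = "now",
                      max_items_to_retrieve: int = 50) -> Dict[str, Any]:
    """Translate coralogix-search arguments into an Elasticsearch bool query.

    The Lucene query goes through query_string unchanged; the optional
    arguments become filter clauses, so they never affect relevance scoring.
    """
    if not query or not query.strip():
        raise ValueError("query is required")
    size = int(max_items_to_retrieve)
    if size < 1:
        raise ValueError("max_items_to_retrieve must be at least 1")
    filters = [{"match_phrase": {field: value}}
               for field, value in ((APP_FIELD, app_name),
                                    (SUBSYSTEM_FIELD, subsystem_name),
                                    (SEVERITY_FIELD, severity)) if value]
    time_range = {"lte": _validate_timestamp(to_timestamp or "now", "to_timestamp")}
    if since_timestamp:
        time_range["gte"] = _validate_timestamp(since_timestamp, "since_timestamp")
    filters.append({"range": {TIMESTAMP_FIELD: time_range}})
    return {"size": size,
            "sort": [{TIMESTAMP_FIELD: {"order": "desc"}}],
            "query": {"bool": {"must": [{"query_string": {"query": query}}],
                               "filter": filters}}}
```

Calling it with the second command example above yields a body of size 100 whose only filter is the time range from 2020-12-31T23:59:59 to now.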

Output

| coralogix.timestamp | coralogix.metadata.applicationName | coralogix.metadata.subsystemName | security.source_ip | security.destination_ip | security.event_type | security.source_port | security.destination_port | security.protocol | security.query | security.query_type_name | ... |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 2020-08-27T02:39:35.886Z | test-sta | test-sta | 172.31.7.153 | 172.31.0.2 | bro_dns | 33161 | 53 | udp | upload.wikimedia.org.ncsa.uiuc.edu | A | ... |
| 2020-08-27T02:52:35.699Z | test-sta | test-sta | 172.31.7.153 | 172.31.0.2 | bro_dns | 44618 | 53 | udp | www.googgle.com | AAAA | ... |

2. coralogix-tag


Allows you to tag an interesting point in time in Coralogix from Cortex XSOAR.

Base Command

coralogix-tag

Input

| Argument Name | Description | Required | Default |
| --- | --- | --- | --- |
| name | The name of the tag that will be created in Coralogix | Yes | N/A |
| timestamp | The timestamp at which the tag will be created in Coralogix | No | Defaults to the current timestamp |
| icon_url | A URL to an icon file (JPG or PNG) that will be displayed as the tag in Coralogix. Can be up to 50KB in size | No | Defaults to a lightning icon |

Command Example

!coralogix-tag name="Data leak started"

Output
Tag added successfully