
XSOAR connector and action

The XSOAR connector uses the XSOAR REST API to create Cortex XSOAR incidents.

You can create connectors in Stack Management > Connectors or as needed when you’re creating a rule. For example:

(Screenshot: XSOAR connector configuration)

XSOAR connectors have the following configuration properties:

Name
The name of the connector.
URL
The XSOAR instance URL.
API key

The XSOAR API key for authentication.

Note

If you do not have an API key, refer to Create a new API key to make one for your XSOAR instance.

API key id
The XSOAR API key ID for authentication. Mandatory for Cortex XSOAR cloud instances; self-hosted instances authenticate with the API key alone.

You can test connectors as you’re creating or editing the connector in Kibana. For example:

(Screenshot: XSOAR connector test with sample action parameters)

XSOAR actions have the following configuration properties.

Name
The incident name.
Playbook
The playbook to associate with the incident.
Start investigation
If turned on, the investigation is started automatically after the incident is created.
Severity

The severity of the incident. Can be Unknown, Informational, Low, Medium, High or Critical.

Note

Turn on Keep severity from rule to create an incident that inherits the rule's severity.

Body

A JSON object containing additional incident parameters to include in the API request, alongside the fields set by the properties above. For example:

{
  "details": "This is an example incident",
  "type": "Unclassified"
}
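The action properties above map onto a single "create incident" request to the XSOAR REST API. The following is an added example, not Kibana's or Cortex XSOAR's own code, that shows how the connector and action fields combine into that request: the API key and key ID become request headers, the "Keep severity from rule" switch decides which severity is sent, and the Body JSON is validated and merged without overriding the fields the action already controls. The endpoint path /incident, the header name x-xdr-auth-id for the key ID, the numeric severity values, and the field names playbookId and createInvestigation are assumptions about the XSOAR API and are not stated on this page; the sample values are constructed and nothing is sent over the network.

```python
"""Build the Cortex XSOAR "create incident" request from the connector and
action fields. Added example, not Kibana's or XSOAR's own implementation.

Assumed (not stated on the page): endpoint path /incident, API key in the
Authorization header, API key ID in the x-xdr-auth-id header, numeric
severity values, and the field names playbookId and createInvestigation.
"""
import json

# Numeric severity values assumed for the names the action exposes.
SEVERITY_VALUES = {
    "Unknown": 0,
    "Informational": 0.5,
    "Low": 1,
    "Medium": 2,
    "High": 3,
    "Critical": 4,
}

# Fields the action itself sets; the Body JSON may add fields but not replace these.
RESERVED_FIELDS = {"name", "severity", "playbookId", "createInvestigation"}


def auth_headers(api_key, api_key_id=None):
    """Headers for the XSOAR REST API. The key ID is mandatory for cloud
    instances, so callers targeting cloud must pass it."""
    if not api_key:
        raise ValueError("API key is required")
    headers = {
        "Authorization": api_key,
        "Content-Type": "application/json",
        "Accept": "application/json",
    }
    if api_key_id is not None:
        headers["x-xdr-auth-id"] = str(api_key_id)  # assumed header name
    return headers


def resolve_severity(configured, rule_severity=None, keep_from_rule=False):
    """Apply the "Keep severity from rule" switch: when it is on and the rule
    carries a severity, the rule's value wins over the action's setting."""
    chosen = rule_severity if keep_from_rule and rule_severity else configured
    if chosen not in SEVERITY_VALUES:
        raise ValueError(f"unsupported severity: {chosen!r}")
    return chosen


def parse_body(body):
    """Parse the optional Body field. It must be a JSON object and must not
    override fields the action already controls."""
    if body is None or body == "":
        return {}
    try:
        extra = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError(f"Body is not valid JSON: {exc}") from exc
    if not isinstance(extra, dict):
        raise ValueError("Body must be a JSON object")
    clash = RESERVED_FIELDS & set(extra)
    if clash:
        raise ValueError(f"Body may not override action fields: {sorted(clash)}")
    return extra


def build_incident_payload(name, severity, playbook=None,
                           start_investigation=False, body=None):
    """Combine the action fields and the Body JSON into one incident document."""
    if not name:
        raise ValueError("incident name is required")
    if severity not in SEVERITY_VALUES:
        raise ValueError(f"unsupported severity: {severity!r}")
    payload = {
        "name": name,
        "severity": SEVERITY_VALUES[severity],
        "createInvestigation": bool(start_investigation),
    }
    if playbook:
        payload["playbookId"] = playbook
    payload.update(parse_body(body))
    return payload


def build_create_incident_request(instance_url, api_key, api_key_id, **incident):
    """Everything an HTTP client needs: URL, headers and JSON body."""
    return {
        "url": instance_url.rstrip("/") + "/incident",  # assumed endpoint path
        "headers": auth_headers(api_key, api_key_id),
        "json": build_incident_payload(**incident),
    }


if __name__ == "__main__":
    # Constructed sample values; nothing is sent anywhere.
    req = build_create_incident_request(
        "https://xsoar.example.com/", "API_KEY", "42",
        name="Suspicious login from new location",
        severity=resolve_severity("Medium", rule_severity="High", keep_from_rule=True),
        playbook="Account Enrichment",
        start_investigation=True,
        body='{"details": "This is an example incident", "type": "Unclassified"}',
    )
    print(json.dumps(req, indent=2))
```

Rejecting a Body that repeats name, severity, playbookId or createInvestigation is a design choice of this example: it keeps the action fields authoritative and surfaces a misconfigured Body at test time rather than silently creating incidents with the wrong severity or playbook.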

Use the Action configuration settings to customize connector networking configurations, such as proxies, certificates, or TLS settings. You can set configurations that apply to all your connectors, or use xpack.actions.customHostSettings to set configurations for a specific host, such as the XSOAR instance URL.