Version: 2.14.1

Palo Alto Networks XSOAR SaaS Superna Zero Trust Playbook Integration


Support Statement

DISCLAIMER

This documentation is provided "as is" without support for 3rd party software. The level of support for this integration guide is best effort without any SLA on response time. No 3rd party product support can be provided by Superna directly. 3rd party components require support contracts. See EULA for more details.
Overview

SecOps automation is a key requirement to combat the never-ending threats to corporate data. Palo Alto Cortex SOAR enables playbooks and automation to reduce the time to detect and respond to cross-device threats. To support this automation, data from external security tools is vital to provide complete, accurate, and concise threat detection details that allow automation and SecOps teams to respond to threats across the corporate IT infrastructure.

Key Benefits

  • This integration allows customers to install a content pack from the marketplace and protect storage by leveraging Superna's Zero Trust API and Cyber Storage capabilities.
  • Native marketplace integration for easy deployment.

Solution Overview

Superna Defender Zero Trust API is the cornerstone technology used to integrate with SIEM, SOAR, and XDR platforms. Automation begins with data that summarizes the threat and places that information into a SOAR to be acted on by SecOps teams running playbooks to protect corporate IT assets from vulnerabilities and insider or external attackers. This guide covers the basic field mapping used to push Zero Trust Ransomware Defender alerts into XSOAR.

Solution Configuration in Cortex XSOAR SaaS and Defender Zero Trust

Prerequisites

  • Installed Superna Security Edition
  • License key for the Zero Trust API, or a Security Edition subscription
  • Installed Cortex XSOAR SaaS with an on-premises engine to route API calls for the integration
  • Eyeglass API token — log in to the Eyeglass VM as admin, open the Eyeglass REST API page, click Create new token, provide a name (for example, Zero Trust), and copy the token for use in the steps below

Configure the Integration from the Marketplace

  1. Locate the Superna integration in the Cortex marketplace and install an instance.
  2. Enter the on-premises endpoint IP address of the Eyeglass VM.
  3. Enter the API token created from Eyeglass.
  4. Select the unsigned certificate checkbox (unless you have a signed certificate installed).
  5. In the engine drop-down, select an on-premises engine VM that has IP reachability to the Eyeglass VM over HTTPS port 443.
  6. Click the Test button to verify the API connection succeeds. Resolve any issues before proceeding.
  7. Click Save and Exit. The integration is now installed and playbooks can be used.
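Before clicking Test in step 6 it is worth confirming, from the on-premises engine VM itself, that the Eyeglass VM answers on HTTPS port 443 and whether its certificate is self-signed (which decides whether the unsigned certificate checkbox in step 4 is needed). The pre-flight script below is an added example, not part of the Superna content pack or of Cortex XSOAR; it assumes openssl is installed on the engine VM and that `EYEGLASS_HOST` is set to the Eyeglass VM address (a placeholder, supplied by you). It does not call any Eyeglass API endpoint; it only inspects the TLS handshake.

```shell
#!/bin/sh
# Pre-flight check for the XSOAR <-> Eyeglass integration (added example, not
# Superna's or Palo Alto's code). Run on the on-premises engine VM.
# Assumes: openssl is available; EYEGLASS_HOST (placeholder) is the Eyeglass VM.

# Strip the "subject=" / "issuer=" prefix and surrounding whitespace from an
# openssl DN line so the two distinguished names can be compared directly.
dn_value() {
  printf '%s\n' "$1" | sed -e 's/^[a-z]*=[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# True (exit 0) when issuer DN equals subject DN, i.e. the certificate is
# self-signed and step 4's "unsigned certificate" checkbox must be selected.
cert_is_self_signed() {
  subj=$(dn_value "$1")
  iss=$(dn_value "$2")
  [ "$subj" = "$iss" ]
}

# Opens a TLS connection to host:port (default 443) and classifies the server
# certificate. Prints "self-signed" or "ca-signed"; exits 2 when the port is
# unreachable or the handshake fails, which is the same condition that makes
# the integration's Test button fail.
probe_eyeglass_cert() {
  host="$1"
  port="${2:-443}"
  out=$(printf '' | openssl s_client -connect "$host:$port" -servername "$host" 2>/dev/null \
        | openssl x509 -noout -subject -issuer 2>/dev/null) || return 2
  [ -n "$out" ] || return 2
  subj=$(printf '%s\n' "$out" | grep '^subject=')
  iss=$(printf '%s\n' "$out" | grep '^issuer=')
  if cert_is_self_signed "$subj" "$iss"; then
    echo self-signed
  else
    echo ca-signed
  fi
}

# Only probe when an address was supplied, so the helpers can be sourced/tested
# without network access.
if [ -n "${EYEGLASS_HOST:-}" ]; then
  if result=$(probe_eyeglass_cert "$EYEGLASS_HOST" 443); then
    echo "Eyeglass $EYEGLASS_HOST:443 reachable, certificate is $result"
    [ "$result" = "self-signed" ] && echo "-> select the unsigned certificate checkbox (step 4)"
  else
    echo "Eyeglass $EYEGLASS_HOST:443 unreachable or TLS handshake failed; fix routing/firewall before step 6" >&2
    exit 2
  fi
fi
```

Usage: `EYEGLASS_HOST=<eyeglass-vm-ip> sh preflight.sh` on the engine VM selected in step 5. A `ca-signed` result means the checkbox in step 4 can stay clear; an exit code of 2 means the engine cannot complete a TLS handshake with the Eyeglass VM and the Test button will fail for the same reason.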

Use Cases for These Playbooks

  • Snapshot Playbook — Run this playbook for any incident where data security is at risk and an immutable snapshot is needed to protect critical data. The snapshot can be used to recover data, and Cyber Storage analytics from Security Edition can detect malicious data activity and log file access to root-cause what data was affected by a security incident.

  • User Lockout Playbook — Run this playbook for any Superna Zero Trust created alerts, as this playbook depends on the customer userID field existing in the incident. When lockout mode in Superna Security Edition is not enabled, this playbook allows SecOps teams to decide when a user lockout should occur, moving the responsibility of data protection decisions from the storage team to the SecOps team.

  • User Request Storage Lockout Playbook — Offers an input prompt to accept the userID that should be locked out of storage. Run this playbook in any SecOps workflow where the threat to data is elevated, as a proactive step to prevent data destruction, or as a step in a workflow when employees are leaving the company or have been terminated.

  • User Request Storage Unlock Playbook — Offers an input prompt to accept the userID that should be unlocked from storage. Run this playbook in any SecOps workflow to remove a storage lockout for a previously restricted user.