Integrate your Cloud SIEM with Cortex XSOAR (formerly Demisto) to automatically remediate security incidents identified by and increase observability into incident details. Cortex XSOAR is an industry-leading Security Orchestration, Automation & Response (SOAR) solution. The integration allows Cortex xSOAR users to implement playbooks to automatically remediate incidents identified by Cloud SIEM.

In addition, users working in Cortex xSOAR can use commands to run queries and investigate logs directly from the Cortex xSOAR interface. Cortex xSOAR users can query directly from Cortex xSOAR to investigate open questions and run Lucene queries in their accounts or investigate specific events to retrieve the logs responsible for triggering security rules.

Advantages of the integration

  • Cortex xSOAR can automatically fetch security events as incidents. If you prefer to be selective about incident fetching, filter security events by rule severity and/or rule name.

  • Cortex xSOAR playbooks can trigger automated responses to incidents originating in security events logged by

  • Get event details for a specific incident. Any Cortex xSOAR playbook can use commands to increase observability by querying logs for additional details.

  • Cortex xSOAR analysts can query logs directly from the Cortex xSOAR interface. Any queries in standard Lucene syntax are acceptable.

To set up the integration in Cortex xSOAR

In Cortex xSOAR, click Settings > Integrations and search for Click the cogswheel to configure a new instance and open the integration panel.

Fill in the integration panel. Instructions are provided directly in the panel and Cortex xSOAR help page.

  • Incident fetching

    A security event is logged by whenever a security rule triggers in your Cloud SIEM account. The event log contains details about the rule that was triggered and its conditions.

    If enabled, the integration will fetch security events from as incidents in Cortex xSOAR. The import command runs every minute to fetch new incidents based on the filtering configurations set in the integration panel.

    The maximum number of incidents returned per query is configurable, but capped at 50. By default, the results are returned sorted by date ascending (earliest first).

    Events from the last 3 minutes are excluded from incident fetching to allow for sufficient log processing time.

  • First-time retroactive fetch

    This is a one-time retroactive fetch of security events that triggered before the integration was established. You can check the log retention policy in your Cloud SIEM account to see how far back your security logs are kept in storage. Click here or go to > Settings > Usage and billing.

    The earliest events you can possibly fetch are dependent on your Time-bound retention plan.