Palo Alto Cortex XSOAR integration – Help Center

Palo Alto Cortex XSOAR integration is available with a paid SecurityScorecard plan. See our plans page for more information about levels of features and access. You must also have a paid Cortex XSOAR account.

Integrate SecurityScorecard with XSOAR (Security Orchestration, Automation, and Response) to receive incidents and build Playbooks based on SecurityScorecard data.

If you use XSOAR, this integration is useful for monitoring and addressing security-related alerts. If you are a SecurityScorecard user, this integration enables you to put essential Scorecard data closer to your security infrastructure.

Create a bot user with an API token

Note: If you do not have administrative permissions in SecurityScorecard, ask an administrator to create the user and API token for you.

In SecurityScorecard, click your profile avatar and select My Settings.
On the Users tab under Admin Settings, click Add User.
Make the new user a bot so that it will not expire. This prevents a scenario where human users attempt to refresh an expired API token, causing the integration to stop working.
Click Add.
Name the bot user and make sure it has read-only access. Then click Add.
Click Create token for the new bot user.
Copy the API token and click Done.

Install the integration components

In Cortex XSOAR, select Marketplace in the left pane.
On the Marketplace page, select SecurityScorecard.
On the SecurityScorcard page click Install in the top-right corner.
When XSOAR adds the integration to the installation cart, click Install in the bottom-right corner.

Installation completes in a few seconds.

Configure the integration

Select Settings in the left pane.
In the Settings page, select Integrations, and then Servers & Services.
Click the gear icon for SecurityScorecard (Partner Contribution).
From the popup window, select or enter your configuration choices:

- Name - Provide a unique name for the integration connection.
- Fetches incidents - Set to true to ensure SecurityScorecard alerts generate incidents in XSOAR.
- API Base URL - Provide your API URL, typically https://api.securityscorecard.io/.
- Username/Email - Provide the email address of the user for which the API token was generated in SecurityScorecard. If you created a bot user, enter the bot user ID from your SecurityScorecard settings.

- Incidents Fetch Interval - Set to one day, since SecurityScorecard provides new data each day.
- Fetch Limit - Set the batch size for responses from SecurityScorecard. For more than 50 results the integration makes multiple requests.
- First Fetch - Select how many preceding days worth of data to include in the initial fetch.

Click Test to verify your connection settings.
A success message appears.
Click Save and Exit.

Get started using the integration

Shortly after you set up and successfully test integration, Cortex XSOAR starts syncing with SecurityScorecard to fetch and display data.

Select Incidents in the left pane.

Note that score changes trigger the creation of incidents to investigate.

Create Playbooks

While this integration does not currently include Playbooks, you can create Playbooks based on data coming back from SecurityScorecard.

Select Playbooks in the left pane, and then select New Playbook.

See various commands available with the SecurityScorecard integration, including:

securityscorecard-alert-delete
securityscorecard-alert-grade-change-create
securityscorecard-alert-score-threshold-create
securityscorecard-alerts-list
securityscorecard-company-factor-score-get
securityscorecard-company-history-factor-score-get
securityscorecard-company-history-score-get
securityscorecard-company-score-get
securityscorecard-company-services-get
securityscorecard-portfolio-list-companies
securityscorecard-portfolios-list

Learn about these endpoints.

Use the Playbook editor to build workflows based on your needs.

Learn more

Get Help

If you need help or have questions about the integration, contact the Palo Alto Support team.