Nebula integrates with Palo Alto Networks Cortex™ XSOAR to allow you to scan and remediate endpoints in your business environment. Cortex XSOAR uses Nebula API calls to initiate commands and receive Nebula event data. To use the integration, you first configure both apps to communicate with each other.
When configuring, you customize the kind of events you want Cortex XSOAR to receive in the form of incidents. This article describes how to configure the Nebula and Cortex XSOAR integration.
Configure Nebula with Cortex XSOAR
The following steps show how to add and configure the Nebula integration with your Cortex XSOAR environment. You can configure the integration to fetch incidents for Nebula Real-Time Protection (RTP) Detections and/or Suspicious Activity events. These event sources must be configured one at a time.
If you have Endpoint Protection, then follow these steps once, choosing RTP Detections.
If you have Endpoint Detection and Response and want to receive incidents from both RTP Detections and Suspicious Activity, you need to create an integration for each event.
- Log into your Cortex XSOAR console.
- From the navigation pane, go to Settings > Integrations tab > Servers & Services tab.
- In the Search integration... search bar, search for Malwarebytes. The Nebula integration appears in your search results. If it does not appear, update your Cortex XSOAR content to the latest version.
- To the right of the integration, click Add instance. This brings up a window to create and configure a new integration instance.
- In the configuration window:
  - In the Name field, enter a unique name for the integration instance.
  - Select the Fetches incidents radio button.
  - In the Account ID field, enter your Nebula Account ID. To find it:
    - Log into the Nebula platform.
    - In the browser's address bar, copy your Account ID. Your Account ID is the string of alphanumeric characters and dashes in the URL, for example: https://cloud.malwarebytes.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/dashboard
    - In Cortex XSOAR, paste the copied characters into the Account ID field.
  - To get your Client ID and Client Secret:
    - Click this Nebula authorization link.
    - Click Add, provide the Application name, select the required access, then click Save.
    - Copy the generated Client ID.
    - In Cortex XSOAR, paste the Client ID into the Client ID field.
    - Return to Nebula and copy the generated Client Secret.
    - In Cortex XSOAR, paste the Client Secret into the Client Secret field.
  - From the Fetch Event List drop-down, select either Suspicious Activity (EDR) or RTP Detections (EP).
  - If you selected Suspicious Activity (EDR), choose one or more Suspicious Activity Severity levels:
    - High
    - Medium
    - Low
  - If you selected RTP Detections (EP), choose one or more RTP Detections Threat Category threat types:
    - Malware
    - PUP
    - PUM
    - Exploit
    - Ransomware
    - Website
  - If you use a proxy server, check the box next to Use system proxy settings.
- Click Test to confirm the connectivity with your Nebula instance. You should see Success appear above the Test button. If you see an error, verify your Account ID, Client ID, and Client Secret are correct.
- Click Done once you have successfully tested the integration instance.
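A common cause of the Test step failing is pasting the whole dashboard URL, or a truncated part of it, into the Account ID field. The helper below is an added example, not code from the Malwarebytes article or the Cortex XSOAR content pack: it pulls the Account ID out of either a bare ID or a full Nebula dashboard URL and rejects anything that does not match the 8-4-4-4-12 hexadecimal shape of the article's placeholder. That shape is inferred from the placeholder and is an assumption; the sample URL in the block is constructed.

```python
"""Extract and sanity-check a Nebula Account ID before pasting it into Cortex XSOAR.

Added example, not part of the Malwarebytes article. The expected ID format
(8-4-4-4-12 hexadecimal groups) is inferred from the article's placeholder URL
and is an assumption, not a documented Nebula contract.
"""
import re
from urllib.parse import urlparse

# Five dash-separated hex groups of lengths 8, 4, 4, 4 and 12.
ACCOUNT_ID_RE = re.compile(r"^[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def extract_account_id(value: str) -> str:
    """Return the Account ID from a bare ID or a full Nebula dashboard URL.

    Raises ValueError when nothing in the input has the expected shape, so a
    pasted hostname, path segment or truncated ID is caught before the Test
    step in Cortex XSOAR reports a generic error.
    """
    candidate = value.strip()
    if "://" in candidate:
        # Full URL such as https://cloud.malwarebytes.com/<id>/dashboard:
        # the Account ID is the first path segment after the host.
        parsed = urlparse(candidate)
        segments = [s for s in parsed.path.split("/") if s]
        if not segments:
            raise ValueError("URL has no path segment to read an Account ID from")
        candidate = segments[0]
    if not ACCOUNT_ID_RE.match(candidate):
        raise ValueError(f"{candidate!r} does not look like a Nebula Account ID")
    # Normalise case so the same account always produces the same string.
    return candidate.lower()


if __name__ == "__main__":
    # Constructed sample URL; the ID is not a real account.
    sample = "https://cloud.malwarebytes.com/12345678-abcd-ef01-2345-6789abcdef01/dashboard"
    print(extract_account_id(sample))
    for bad in ("https://cloud.malwarebytes.com/dashboard", "12345678-abcd"):
        try:
            extract_account_id(bad)
        except ValueError as exc:
            print("rejected:", exc)
```

Run the check on whatever you copied from the address bar before filling in the Account ID field; if it raises, re-copy only the segment between the hostname and /dashboard.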