Is there a trigger on investigation closure?

Hi all,

We have Palo Alto Cortex XDR as an event source coming into the SIEM.

Alerts (or "issues", as they call them now) in the Cortex portal trigger an investigation in the SIEM.

I was looking to see if I could automate the closing of the alert in the Cortex portal when we have finished investigating and close the investigation on the R7 side.

I can only see triggers for "new alert" or "new investigation" in the InsightIDR extension.

I haven't seen anything that handles an investigation state change.

Is this possible, please?

If someone could point me in the right direction that would be appreciated.

I've done this with Defender by using a Basic Detection log pattern rule. I exclude my InsightConnect account because I don't want investigations resolved by my automation workflows to close third-party alerts (since usually the same workflow will close that alert). I also exclude any user with the rapid7[.]com domain for managed services, though I will say that's a personal preference depending on which service you're using.

"action" = "ALERT_CLOSED" AND NOT ("request.user.email" ICONTAINS-ANY ["insightconnect","rapid7.com"])

You can then just create a workflow using this basic detection rule as the trigger, and then pull the service_info.investigation_rrn value to get your investigation. From there it's up to you how you want to convert SIEM values to your third party.
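As an added illustration (not code from the thread or from Rapid7), the rule above and the RRN extraction step can be mirrored in a few lines of Python so the exclusion logic can be unit-tested before it is wired into a workflow. The event shapes, the dotted-key handling, and the RRN-to-vendor-alert-ID mapping are assumptions; the sample log lines are constructed.

```python
import json

# Substrings excluded by the ICONTAINS-ANY clause of the rule (case-insensitive).
# Excluding the automation account is what prevents a close-loop: the workflow
# that closes a third-party alert must not itself re-trigger on the closure.
EXCLUDED_EMAIL_SUBSTRINGS = ("insightconnect", "rapid7.com")


def get_path(event, dotted_key):
    """Resolve a dotted key such as 'request.user.email' against an event.

    Accepts either a flat key ("request.user.email": ...) or nested objects
    ("request": {"user": {"email": ...}}); which shape the SIEM emits is an
    assumption here, so both are handled.
    """
    if dotted_key in event:
        return event[dotted_key]
    node = event
    for part in dotted_key.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def matches_closure_rule(event):
    """Mirror of the Basic Detection rule from the post:
    "action" = "ALERT_CLOSED" AND NOT ("request.user.email" ICONTAINS-ANY [...])
    """
    if get_path(event, "action") != "ALERT_CLOSED":
        return False
    email = (get_path(event, "request.user.email") or "").lower()
    return not any(s in email for s in EXCLUDED_EMAIL_SUBSTRINGS)


def select_closures(raw_lines):
    """Return the investigation RRNs of events that should be forwarded to
    the third-party console. Malformed lines and events without an RRN are
    skipped rather than raising, so one bad record does not stall the feed."""
    rrns = []
    for line in raw_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if matches_closure_rule(event):
            rrn = get_path(event, "service_info.investigation_rrn")
            if rrn:
                rrns.append(rrn)
    return rrns


def map_to_vendor_alerts(rrns, rrn_to_vendor_alert):
    """Translate SIEM RRNs into vendor alert IDs via a lookup you maintain
    (hypothetical; populated when the investigation is first created).
    RRNs with no known vendor alert are reported separately so they can be
    reviewed instead of silently dropped."""
    to_close, unmapped = [], []
    for rrn in rrns:
        alert_id = rrn_to_vendor_alert.get(rrn)
        (to_close if alert_id else unmapped).append(alert_id or rrn)
    return to_close, unmapped


# Constructed sample events; field names follow the rule in the post.
SAMPLE_LINES = [
    json.dumps({"action": "ALERT_CLOSED",
                "request": {"user": {"email": "analyst@example.com"}},
                "service_info": {"investigation_rrn": "rrn:investigation:example:0001"}}),
    json.dumps({"action": "ALERT_CLOSED",
                "request.user.email": "insightconnect-svc@example.com",
                "service_info": {"investigation_rrn": "rrn:investigation:example:0002"}}),
    json.dumps({"action": "ALERT_CLOSED",
                "request": {"user": {"email": "mdr-analyst@rapid7.com"}},
                "service_info": {"investigation_rrn": "rrn:investigation:example:0003"}}),
    json.dumps({"action": "ALERT_CREATED",
                "request": {"user": {"email": "analyst@example.com"}},
                "service_info": {"investigation_rrn": "rrn:investigation:example:0004"}}),
    json.dumps({"action": "ALERT_CLOSED",
                "request": {"user": {"email": "Second.Analyst@EXAMPLE.com"}},
                "service_info": {"investigation_rrn": "rrn:investigation:example:0005"}}),
    "not json at all",
]

# Constructed RRN -> vendor alert ID lookup (placeholder values).
RRN_TO_VENDOR_ALERT = {"rrn:investigation:example:0001": "VENDOR-ALERT-PLACEHOLDER-1"}

if __name__ == "__main__":
    selected = select_closures(SAMPLE_LINES)
    close_ids, review = map_to_vendor_alerts(selected, RRN_TO_VENDOR_ALERT)
    print("closures to forward:", selected)
    print("vendor alerts to close:", close_ids)
    print("needs manual mapping:", review)
```

Only the two human-analyst closures survive the filter: the InsightConnect service account and the rapid7.com user are dropped, the non-closure action is ignored, and the malformed line is skipped. The mapping step separates RRNs with no known vendor alert so they surface for review rather than being lost.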

Brilliant, thanks!