Accessing Playbook Results from XSOAR
Cortex XSOAR provides security orchestration and automation features that align with the automation provided with Bolster playbooks. You can integrate Bolster playbooks with XSOAR playbooks by configuring access to the Bolster Latest-Results API.
Prerequisites
- Make sure you have access to Cortex XSOAR.
- Test the Bolster playbooks of interest to confirm they are ready to use.
- Download the following file and change the extension from TXT to YML.
Integration Steps in XSOAR
1. Go to Settings > Integrations.
2. Click the Upload Integration button.
3. Select the file identified in the Prerequisites section above.
Once the file is uploaded, the Bolster integration entry displays under Utilities.
4. Click the Add instance link.
5. Enter the Bolster API key and the Bolster playbook ID.
6. Click Save & Exit.
7. Test the instance from the War Room in XSOAR by running the following command:
!get-recent-playbook-results
Script Notes
The integration script defines three commands:
“test-module”
This will return "OK" if the TXT file has been converted to YML and uploaded into the SOAR system. It is not a connectivity test. It does not indicate that data from a playbook is being transmitted correctly from Bolster to the system sending the API request (i.e., Cortex XSOAR, Splunk, Tines, or another SOAR/SIEM solution). It is purely a test to confirm that the file has been uploaded into the SOAR system.
“fetch-incidents”
As written, this command does nothing; it is a placeholder where customers can add their own incident-creation logic. It is not needed for the most common use cases.
“get-recent-playbook-results”
This will return the values inside a playbook and is the command needed to transfer information from Bolster to a SOAR/SIEM system. It requires the API key and the Playbook ID. It assumes the Playbook is configured to extract the required data. Please see the section on Playbooks to ensure the Playbook is configured correctly and tested before calling the API.