Set up IoT Security and XSOAR for SCCM Integration
Table of Contents
Set up IoT Security and XSOAR for SCCM Integration
Set up IoT Security and Cortex XSOAR to integrate with
Microsoft SCCM.
To set up IoT Security to integrate through
Cortex XSOAR with Microsoft SCCM, you must add a Cortex XSOAR engine to
your network.
You must also configure a Microsoft integration
instance and job in XSOAR for each site from which you want to gather
device data. To do this, you need the IP address and port number
of your Microsoft SCCM SQL server, the username and password of
the user account that the XSOAR engine will use when forming a secure
connection with the SQL server, and the name of the SQL database.
Cortex XSOAR Engine Installation
A Cortex XSOAR engine initiates connections
to the SCCM SQL server and to the Cortex cloud and provides the
means through which they communicate with each other. Although it's
possible to install an XSOAR engine on machines running Windows,
macOS, and Linux operating systems, only an engine on a Linux machine
supports IoT Security integrations. For more information about operating
system and hardware requirements, see the Cortex Administrator’s Guide.
We recommend downloading the Cortex XSOAR engine using the shell
installer script and installing it on a Linux machine. This simplifies the
deployment by automatically installing all required dependencies and also
enables remote engine upgrades.
When placing
an XSOAR engine on your network, make sure it can form a connection
to your SCCM SQL server on TCP port 1433 (default port) or whatever
custom port has been configured on the SQL server. The XSOAR engine
uses this port when authenticating with the SCCM SQL server and
exporting device attributes.
The on-premises firewall must allow the Cortex XSOAR engine to form
HTTPS connections on TCP port 443 to the Cortex cloud at
https://<your-domain>.iot.demisto.live/. You can see the URL of your Cortex XSOAR instance when you log in to the IoT Security portal
and click Integrations and then click Launch
Cortex XSOAR. It’s visible in the address bar
of the web page displaying the Cortex XSOAR interface.
To create an Cortex XSOAR engine, access the Cortex XSOAR
interface (from the IoT Security portal, click
Integrations and then click Launch
Cortex XSOAR). In the Cortex XSOAR UI,
click . Choose
Shell as the type.
For Cortex XSOAR engine installation instructions, see Engine Installation.
For help troubleshooting Cortex XSOAR engines, including installations,
upgrades, connectivity, and permissions, see Troubleshoot Engines and Troubleshoot Integrations Running on
Engines.
Configure IoT Security and Cortex XSOAR
In Cortex XSOAR, create an integration instance
that specifies connection, authentication, and SCCM database settings and
create a job that specifies which XSOAR playbook to use to import
device information and how often and when to run it. Add more instances and
jobs to import device data from multiple SCCM SQL databases.
- Log in to IoT Security and from there access Microsoft SCCM settings in Cortex XSOAR.
- Log in to IoT Security and then click Integrations.
![]()
IoT Security uses Cortex XSOAR to integrate with Microsoft SCCM, and the settings you must configure to integrate with it are in the XSOAR interface. - To access these settings, Launch Cortex XSOAR.The Cortex XSOAR interface opens in a new browser window.
- If necessary, click and search for sccm in the Settings section to locate it among other instances.
![]()
Configure the Microsoft SCCM integration instance.- Click Add instance to open the settings panel.
- Enter the following and leave the other settings at their default values:Name: Use the default name of the instance or enter a new one.SQL Server Host/IP: Enter the domain name or IP address of the SCCM SQL server.SQL Server Port: Enter the default TCP port number 1433 or, if a different port number is set on the SQL server, enter that.SQL Database: Enter the name of the database from which you want XSOAR to retrieve device information.Each integration instance can retrieve device information from a single database. If you want to retrieve device information from other databases, you must create additional integration instances for them.Username: Enter the name of the user account you previously configured in the SCCM SQL server.Password: Enter the password associated with the user account.Run on Single engine: Choose the XSOAR engine that you want to communicate with the SCCM SQL server.
![]()
- When finished, click Run test or Test.If the test is successful, a Success message appears. If not, check that the settings were entered correctly and then test the configuration again.
![]()
- After the test succeeds, click Save & exit to save your changes and close the settings panel.
To enable the Microsoft SCCM integration instance, click Enable.Create a job for XSOAR to retrieve information about devices in the SCCM database specified in the integration instance and then forward it to IoT Security.- Copy the name of the integration instance and open a duplicate browser window.
- Navigate to Jobs in the new window, and then click New Job at the top of the page.
- In the New Job panel that appears, enter the following and leave the other settings at their default values:Time triggered: (select)Recurring: Select this because you want to periodically import device information from SCCM.Every: Enter a number and set the interval value (Minutes, Hours, Days, or Weeks) and select the days and times on which to run the job. This determines how often and when XSOAR retrieves data from SCCM. Consider running the job every day or every other day at a time when network activity is light, such as late at night, to help reduce potential latency. As a general guideline, it takes approximately 20 minutes for XSOAR to import data for 10,000 devices into IoT Security. You can see the run status of a recurring job on the Jobs page and note how long it takes. When in progress, its status is Running. When done, its status changes to Completed.Name: Enter a name for the job.Playbook: Choose Import Microsoft SCCM devices to PANW IoT cloud.Integration Instance Name: Paste the name of the integration instance that you copied earlier.
![]()
(Optional) Create more integration instances and jobs to import device information from other SCCM databases into IoT Security.To create more integration instances, repeat the previous steps, entering unique names for each one and different settings as appropriate for your SCCM databases.For each additional integration instance, create a job for Cortex XSOAR to run, with a similar configuration as the one you initially created. However, as you add more jobs, consider staggering their run times so that the data retrievals are spread out.Run jobs.Run the job for each integration instance you create. The first time you run a job, it triggers XSOAR to report the integration instance that the job references to IoT Security, which then displays the instance on the Integrations page. The integration instance can be in one of the following four states as shown in the Status column on the Integrations page:An integration instance can be in one of the following four states, which IoT Security displays in the Status column on the Integrations page:- Disabled means that either the integration was configured but intentionally disabled or it was never configured and a job that references it is enabled and running.
- Error means that the integration was configured and enabled but is not functioning properly, possibly due to a configuration error or network condition.
- Inactive means that the integration was configured and enabled but no job has run for at least the past 60 minutes.
- Active means that the integration was configured and enabled and is functioning properly.
When you see that the status of an integration instance is Active, its setup is complete.
