Silverfort protects organizations from data breaches by delivering strong authentication across entire corporate networks and cloud environments, without requiring any modifications to endpoints or servers. Using patent-pending technology, Silverfort's agentless approach enables multi-factor authentication and AI-driven adaptive authentication even for systems that don't support it today, including proprietary systems, critical infrastructure, shared folders, IoT devices, and more. Use the Silverfort integration to get and update Silverfort risk severity. This integration was integrated and tested with Silverfort version 2.12.
SilverFort
Whenever Cortex XSOAR runs an investigation that entails a suspicion of compromised user account it leverages Silverfort’s visibility to gain wider context of the investigated user account and applies Silverfort’s proactive protection capabilities such as requiring MFA or blocking access altogether as part of Cortex playbooks.
## What does this pack do?
Mutual data enrichment on user’s risk and triggering protective actions:
- Cortex XSOAR queries Silverfort whether an investigated user account is a service account or a human user
- Cortex XSOAR queries Silverfort's risk score for investigated user accounts
- Cortex XSOAR actively updates users’ risk scores at Silverfort based on its automated investigation
- Silverfort blocks user access to resources or requires MFA based on Cortex playbook
This pack includes Cortex XSIAM content.
## Configuration on Server Side
You need to configure SilverFort Unified Identity Protection to forward Syslog messages in CEF format.
Go to Setting > General > Syslog Servers, and follow the instructions under Add Server IP to set up the connection using the following guidelines:
- Set the Server IP with your syslog server IP.
- Set the Syslog port to 514 or your agent port.
- Set the Protocol to TCP.
- Set Info to send for: All Authentication.
## Collect Events from Vendor
In order to use the collector, use the Broker VM option.
### Broker VM
To create or configure the Broker VM, use the information described here.
You can configure the specific vendor and product for this instance.
- Navigate to Settings → Configuration → Data Broker → Broker VMs.
- Go to the Apps column under the Brokers tab and add the Syslog Collector app for the relevant broker instance. If the app already exists, hover over it and click Configure.
- Click Add New for adding a new syslog data source.
- When configuring the new syslog data source, set the following values:
| Parameter | Value |
| :--- | :--- |
| Vendor | Enter Silverfort. |
| Product | Enter Admin_Console. |
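The two procedures above (Silverfort forwarding CEF over syslog on TCP 514, and the Broker VM's Syslog Collector tagging that feed with a Vendor and Product) only line up if the events that actually arrive are well-formed CEF from the expected source. The following receiver-side check is an added example written for this page; it is not part of the Silverfort pack or the Broker VM. It parses the standard CEF header (`CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension`), honours CEF's backslash escaping of `|` and `=`, and flags lines whose vendor or product differ from the values entered in the collector. The sample syslog line is constructed for illustration, and the assumption that Silverfort's CEF header carries the same vendor and product names as the collector fields is exactly that, an assumption to verify against a real captured event.

```python
"""Receiver-side sanity check for CEF-over-syslog lines (added example).

Verifies that each line carries a parseable CEF header whose Device Vendor
and Device Product match what the Syslog Collector was configured with.
"""
import re
from typing import Dict, List, Optional, Tuple

EXPECTED_VENDOR = "Silverfort"       # value entered in the broker's Vendor field
EXPECTED_PRODUCT = "Admin_Console"   # value entered in the broker's Product field

# Constructed sample: an RFC 3164-style syslog line wrapping a CEF payload.
# Field names (suser, dhost, msg) are standard CEF extension keys, not a
# statement of what Silverfort actually emits.
SAMPLE_LINE = (
    "<134>Jan 10 12:00:00 silverfort-host CEF:0|Silverfort|Admin_Console|2.12|"
    "AUTH_ATTEMPT|Authentication attempt|3|suser=jdoe dhost=fileserver01 "
    "msg=Example pipe \\| and equals \\= escaped"
)

_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


def cef_unescape(text: str) -> str:
    """Undo CEF escaping: \\| -> |, \\= -> =, \\\\ -> \\, \\n and \\r -> line breaks."""
    out: List[str] = []
    i = 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            out.append({"n": "\n", "r": "\r"}.get(text[i + 1], text[i + 1]))
            i += 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def split_cef_header(cef: str) -> Tuple[List[str], str]:
    """Split on unescaped '|' into the 7 header fields; return (fields, raw extension)."""
    fields: List[str] = []
    current: List[str] = []
    i = 0
    while i < len(cef) and len(fields) < 7:
        ch = cef[i]
        if ch == "\\" and i + 1 < len(cef):      # keep escape pairs intact for now
            current.extend(cef[i:i + 2])
            i += 2
            continue
        if ch == "|":
            fields.append(cef_unescape("".join(current)))
            current = []
            i += 1
            continue
        current.append(ch)
        i += 1
    if len(fields) < 7:
        raise ValueError("CEF header has fewer than 7 fields")
    return fields, cef[i:]


def parse_extension(ext: str) -> Dict[str, str]:
    """Parse 'key=value key2=value' pairs; values may contain spaces and escapes."""
    result: Dict[str, str] = {}
    matches = list(_KEY_RE.finditer(ext))
    for idx, m in enumerate(matches):
        start = m.end()
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(ext)
        result[m.group(1)] = cef_unescape(ext[start:end]).strip()
    return result


def parse_cef(line: str) -> Dict[str, object]:
    """Locate the CEF payload inside a syslog line and decode header + extension."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("no CEF payload in syslog line")
    header, ext = split_cef_header(line[idx + len("CEF:"):])
    version, vendor, product, dev_version, sig_id, name, severity = header
    return {
        "syslog_prefix": line[:idx].rstrip(),
        "cef_version": version,
        "vendor": vendor,
        "product": product,
        "device_version": dev_version,
        "signature_id": sig_id,
        "name": name,
        "severity": int(severity) if severity.isdigit() else severity,
        "extension": parse_extension(ext),
    }


def check_source(line: str) -> Optional[str]:
    """Return None when vendor/product match the collector config, else the reason."""
    try:
        event = parse_cef(line)
    except ValueError as exc:
        return f"unparseable: {exc}"
    if event["vendor"] != EXPECTED_VENDOR:
        return f"vendor mismatch: {event['vendor']!r}"
    if event["product"] != EXPECTED_PRODUCT:
        return f"product mismatch: {event['product']!r}"
    return None


if __name__ == "__main__":
    print(parse_cef(SAMPLE_LINE))
    print("check:", check_source(SAMPLE_LINE) or "ok")
```

Run it against a few lines captured on the syslog server before wiring the collector: a `vendor mismatch` or `unparseable` result means the Broker VM's Vendor/Product mapping would tag events that do not come from the source you think they do, or that the forwarder is not sending CEF at all.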