BP-2274: Cortex XSOAR design document

[jeff-matthews]

Purpose

This pull request (PR) adds missing content required to complete the BloodHound Enterprise integration with Cortex XSOAR work.

Related to #138

Staging

https://specterops-bp-2274-cortext-design-doc.mintlify.app/integrations/cortex-xsoar/reference

Summary by CodeRabbit

• Documentation
  • Added a comprehensive reference for the BloodHound Enterprise Cortex XSOAR integration covering configuration options, HMAC SHA-256 authentication details, available commands and their outputs, supported API endpoints, object type specifications for Active Directory and Azure, error handling and retry policies, and the fetch-incidents workflow logic.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

Added a new reference documentation page for the BloodHound Enterprise Cortex XSOAR integration and updated the docs index to include it; the new page documents authentication, configuration, API endpoints, commands, fetch-incidents workflow, and error handling.

Changes

Cohort / File(s)	Summary
Documentation index docs/docs.json	Added a new page entry integrations/cortex-xsoar/reference to the Cortex XSOAR group in the API & Integrations section.
Cortex XSOAR integration reference docs/integrations/cortex-xsoar/reference.mdx	Added a comprehensive technical reference covering purpose/use-cases, HMAC SHA-256 auth (token_id/token_key/headers), configuration parameters, command definitions and outputs (test-module, bhe-get-object-id, bhe-fetch-asset-info, bhe-does-path-exist, fetch-incidents), fetch-incidents logic (locking, filtering, per-domain/type tracking, incremental timestamps, pagination), API endpoints, supported AD/Azure object types, error mappings, retry policy, and memory-handling notes.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• BP-2274: Add Cortex XSOAR integration admin and user guides #138: Adds/updates Cortex XSOAR documentation pages and navigation entries affecting the same integration area.

Suggested reviewers

• StephenHinck
• zaton-netizen

Poem

🐰 I hopped through docs with careful cheer,

A new reference page appears here near.
Auth and endpoints all in a row,
Fetch logic, errors — now we know!
Pages ready, hop forth, let users go.

Pre-merge checks

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'BP-2274: Cortex XSOAR design document' directly and clearly describes the main change: adding a comprehensive design document for the Cortex XSOAR integration, which is confirmed by the new reference.mdx file and docs.json update.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

---

📜 Recent review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between af0d30f and c054a6e.

📒 Files selected for processing (1)

• docs/integrations/cortex-xsoar/reference.mdx

🚧 Files skipped from review as they are similar to previous changes (1)

• docs/integrations/cortex-xsoar/reference.mdx

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[zaton-netizen]

Looking good, ship it!

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

docs/integrations/cortex-xsoar/reference.mdx (1)

81-81: Consider hyphenating "Human readable output" for style consistency.

The static analysis tool suggests hyphenating compound adjectives: "Human-readable output" instead of "Human readable output". While both forms are acceptable in technical documentation, using hyphens when compound words modify a noun is the more precise style.

🔎 Proposed style improvement

-**Human readable output**:
+**Human-readable output**:

Apply this change at lines 81, 105, 134, and 164.

Also applies to: 105-105, 134-134, 164-164

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1a016c4 and af0d30f.

📒 Files selected for processing (2)

• docs/docs.json
• docs/integrations/cortex-xsoar/reference.mdx

🧰 Additional context used

🧠 Learnings (2)

📓 Common learnings

Learnt from: StephenHinck
Repo: SpecterOps/bloodhound-docs PR: 67
File: docs/collect-data/enterprise-collection/privileged-collection.mdx:7-7
Timestamp: 2025-10-02T18:01:39.059Z
Learning: In the BloodHound documentation repository, "BloodHound" as a standalone name refers to the entire product family and is appropriate to use when content applies to all products in the family (Enterprise and Community Edition). "BloodHound Enterprise" should be used only when referring specifically to Enterprise-only features or capabilities.

📚 Learning: 2025-08-22T22:40:24.105Z

Learnt from: StephenHinck
Repo: SpecterOps/bloodhound-docs PR: 53
File: docs/analyze-data/posture-page.mdx:33-41
Timestamp: 2025-08-22T22:40:24.105Z
Learning: BloodHound Enterprise has exactly four severity levels for attack paths: CRITICAL (95%–100%), HIGH (80%–94%), MODERATE (40%–79%), and LOW (0%–39%). There is no "NONE" or similar severity level for 0% exposure.

Applied to files:

• docs/integrations/cortex-xsoar/reference.mdx

🪛 LanguageTool

docs/integrations/cortex-xsoar/reference.mdx

[grammar] ~81-~81: Use a hyphen to join words.
Context: ...None Context outputs: None Human readable output: - Success: "ok" - Fa...

(QB_NEW_EN_HYPHEN)

---

[grammar] ~105-~105: Use a hyphen to join words.
Context: ...jects with id, name, and type | Human readable output: Object ID Search Res...

(QB_NEW_EN_HYPHEN)

---

[grammar] ~134-~134: Use a hyphen to join words.
Context: ...ies and related entity counts | Human readable output: Asset Information |...

(QB_NEW_EN_HYPHEN)

---

[grammar] ~164-~164: Use a hyphen to join words.
Context: ...s of the path check operation | Human readable output: Path Existence Check...

(QB_NEW_EN_HYPHEN)

🔇 Additional comments (9)

docs/docs.json (1)

218-219: LGTM!

The addition of the reference page to the Cortex XSOAR group properly extends the integration documentation structure and follows the existing navigation patterns.

docs/integrations/cortex-xsoar/reference.mdx (8)

1-13: LGTM!

The front matter, enterprise badge, and introduction are well-structured. The document correctly uses "BloodHound Enterprise" throughout, which is appropriate for this Enterprise-only integration feature.

---

15-42: LGTM!

The use cases are clearly organized and comprehensive. Good use of the AccordionGroup component to present the information in a user-friendly, collapsible format.

---

44-52: LGTM!

The authentication process is clearly documented with all necessary details for implementing HMAC-based signature authentication.

---

54-69: LGTM!

The configuration parameters are thoroughly documented with clear types, requirements, and descriptions. The table is well-structured and provides all necessary information for integration setup.

---

71-220: Excellent documentation of commands and their outputs.

The command documentation is comprehensive and well-structured. Each command includes clear argument specifications, context output paths, and example outputs. The fetch-incidents logic (lines 211-219) is particularly well-documented with a detailed 9-step process description.

---

221-229: LGTM!

The API endpoints are clearly documented. The path template uses a general pattern that should be sufficient for reference purposes.

---

231-257: LGTM!

The supported object types are comprehensively documented with clear categorization between Active Directory and Azure types. The list includes both common and specialized object types.

---

259-281: LGTM!

The error handling documentation is comprehensive, covering exception types, HTTP status mappings, retry logic, and memory limitation scenarios. This provides clear guidance for troubleshooting integration issues.

[jeff-matthews]

Will do @zaton-netizen! I can create a new PR when we have a link to the demo video.