Palo Alto Cortex XDR v1.0.0

About the connector

Cortex XDR applies machine learning at cloud scale to rich network, endpoint, and cloud data, so you can quickly find and stop targeted attacks, insider abuse, and compromised endpoints.

This document provides information about the Palo Alto Cortex XDR connector, which facilitates automated interactions with your Palo Alto Cortex XDR server using FortiSOAR™ playbooks. Add the Palo Alto Cortex XDR connector as a step in FortiSOAR™ playbooks to perform automated operations such as retrieving a list of all your endpoints from Palo Alto Cortex XDR or isolating endpoints on Palo Alto Cortex XDR.

Version information

Connector Version: 1.0.0

Authored By: Community

Certified: No

Installing the connector

From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, see the FortiSOAR™ connector documentation.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered from a FortiSOAR™ repository, so you must set up the FortiSOAR™ repository and then run the yum command as the root user to install connectors:

yum install cyops-connector-paloalto-cortex-xdr

Prerequisites to configuring the connector

  • You must have the URL of the Palo Alto Cortex XDR server to which you will connect and perform automated operations, and the credentials (API Key ID and API Key) to access that server. Treat the API Key as a bearer secret: anyone holding it can run every operation listed on this page, including isolating and deleting endpoints, so keep it in the connector configuration rather than in playbook inputs, and revoke it in the Cortex XDR console if it is exposed.
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.

Configuring the connector

For the procedure to configure a connector, see the FortiSOAR™ connector documentation.

Configuration parameters

In FortiSOAR™, on the Connectors page, click the Palo Alto Cortex XDR connector row (if you are in the Grid view on the Connectors page), and in the Configurations tab enter the required configuration details.

Parameter Description
Server URL URL of the Palo Alto Cortex XDR server to which you will connect and perform the automated operations.
API Key ID ID of the API key configured for your account to access the Palo Alto Cortex XDR server to which you will connect and perform the automated operations.
API Key API key configured for your account to access the Palo Alto Cortex XDR server to which you will connect and perform the automated operations.
Note: You require a "Standard" security level API key. The connector sends this key as-is in the request header; an "Advanced" security level key, which requires every request to be signed with a nonce and timestamp, is not supported by this connector version.
Verify SSL Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True. Leave it enabled: because the API key travels in a request header, disabling certificate verification lets anyone who can intercept the connection read a key that can isolate or delete endpoints.
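The following is an added example, not code from the FortiSOAR connector, showing what the two configuration notes above mean on the wire. It builds the request headers for a "Standard" key (the key itself is the Authorization value, which is why the key is a bearer secret and TLS verification matters) and, for contrast, the signed headers an "Advanced" key would need. The header names and the SHA-256(api_key + nonce + timestamp) scheme follow the Cortex XDR public API documentation; the key values and the hostname are constructed placeholders.

```python
"""Authentication headers for Cortex XDR public API calls.

Added example; this is not the FortiSOAR connector's code. The header names
(x-xdr-auth-id, Authorization, x-xdr-nonce, x-xdr-timestamp) and the
Advanced-key signing scheme follow the Cortex XDR public API documentation.
All credential values below are constructed placeholders.
"""
import hashlib
import secrets
import string
import time
from typing import Dict, Optional

# Constructed placeholders. A real API Key ID is the small integer shown in
# the Cortex XDR console; a real API Key is the long random string issued there.
EXAMPLE_API_KEY_ID = "12"
EXAMPLE_API_KEY = "EXAMPLE-ONLY-not-a-real-cortex-xdr-api-key"


def standard_headers(api_key_id: str, api_key: str) -> Dict[str, str]:
    """Headers for a 'Standard' security-level key, the kind this connector needs.

    The key is placed verbatim in the Authorization header, so it is a bearer
    secret: anyone who can read the request can replay it with full API rights.
    This is why the connector's Verify SSL option must stay True.
    """
    return {
        "x-xdr-auth-id": str(api_key_id),
        "Authorization": api_key,
        "Content-Type": "application/json",
    }


def advanced_headers(api_key_id: str, api_key: str,
                     nonce: Optional[str] = None,
                     timestamp_ms: Optional[int] = None) -> Dict[str, str]:
    """Headers for an 'Advanced' security-level key, shown for contrast only.

    This connector version does not support Advanced keys. With them the raw
    key never leaves the client: each request carries a fresh 64-character
    nonce and a millisecond timestamp, and Authorization is the hex SHA-256 of
    api_key + nonce + timestamp. The server recomputes the digest and rejects
    stale timestamps, so a captured request cannot be replayed later.
    """
    if nonce is None:
        alphabet = string.ascii_letters + string.digits
        nonce = "".join(secrets.choice(alphabet) for _ in range(64))
    if timestamp_ms is None:
        timestamp_ms = int(time.time() * 1000)
    auth_key = f"{api_key}{nonce}{timestamp_ms}".encode("utf-8")
    return {
        "x-xdr-timestamp": str(timestamp_ms),
        "x-xdr-nonce": nonce,
        "x-xdr-auth-id": str(api_key_id),
        "Authorization": hashlib.sha256(auth_key).hexdigest(),
        "Content-Type": "application/json",
    }


def api_url(server_url: str, path: str) -> str:
    """Join the connector's Server URL with a public API path.

    Rejects plain http:// so a Standard key is never sent in clear text.
    """
    if not server_url.lower().startswith("https://"):
        raise ValueError("Cortex XDR Server URL must use https://")
    return server_url.rstrip("/") + "/public_api/v1/" + path.strip("/") + "/"


if __name__ == "__main__":
    # Placeholder hostname; a real tenant uses the api-<fqdn> host shown in its console.
    base = "https://api-example.xdr.example.com"
    print(api_url(base, "incidents/get_incidents"))
    print(standard_headers(EXAMPLE_API_KEY_ID, EXAMPLE_API_KEY))
    print(advanced_headers(EXAMPLE_API_KEY_ID, EXAMPLE_API_KEY))
```

Because the Standard-key Authorization value is reusable verbatim, the configuration should also restrict the key's role in the Cortex XDR console to the operations the playbooks actually need.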

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations from version 4.10.0 onwards:

All of the following operations belong to the Investigation category. Each entry gives the function, its description, and its annotation:

  • Fetch Incidents: Retrieves incidents from Palo Alto Cortex XDR based on the input parameters specified. Annotation: fetch_incidents
  • Get Incident Details: Retrieves details, including alerts and key artifacts, for a specific incident from Palo Alto Cortex XDR based on the incident ID and other input parameters specified. Annotation: get_incident_details
  • Update Incident: Updates incident fields, such as severity and status, of a specific incident in Palo Alto Cortex XDR based on the incident ID and other input parameters specified. Annotation: update_incident
  • Insert CEF Alerts: Uploads alerts in the CEF format from external alert sources to Palo Alto Cortex XDR based on the list of alerts specified. After you have mapped the CEF alert fields to Cortex XDR fields, Cortex XDR displays the alerts in related incidents and views. Annotation: insert_cef_alerts
  • Insert Parsed Alerts: Uploads alerts in the Cortex XDR format from external alert sources to Palo Alto Cortex XDR based on the product, vendor, and other input parameters specified. Cortex XDR displays alerts that are parsed successfully in related incidents and views. Annotation: insert_parsed_alerts
  • Isolate Endpoints: Isolates one or more endpoints in a single request on Palo Alto Cortex XDR based on the endpoint ID and other input parameters specified. Annotation: isolate_endpoints
  • Unisolate Endpoints: Unisolates one or more endpoints in a single request on Palo Alto Cortex XDR based on the endpoint ID and other input parameters specified. Annotation: unisolate_endpoints
  • Get All Endpoints: Retrieves a list of all your endpoints from Palo Alto Cortex XDR. Annotation: get_all_endpoints
  • Get Endpoints: Retrieves a list of filtered endpoints from Palo Alto Cortex XDR based on the input parameters specified. Annotation: get_endpoints
  • Scan Endpoints: Runs a scan on specified endpoints on Palo Alto Cortex XDR based on the input parameters specified. Annotation: scan_endpoints
  • Cancel Scan Endpoints: Cancels a scan on specified endpoints on Palo Alto Cortex XDR based on the input parameters specified. Annotation: cancel_scan_endpoints
  • Delete Endpoints: Deletes specified endpoints from the Cortex XDR app based on the input parameters specified. Note: You can delete up to 100 endpoints. Annotation: delete_endpoints
  • Get Policy: Retrieves the policy for a specific endpoint from Palo Alto Cortex XDR based on the endpoint ID specified. Annotation: get_policy
  • Get Device Violations: Retrieves a list of filtered device violations from Palo Alto Cortex XDR based on the input parameters specified. Annotation: get_device_violations
  • Get Distribution Version: Retrieves a list of all the agent versions that can be used for creating a distribution list from Palo Alto Cortex XDR. Annotation: get_distribution_version
  • Create Distributions: Creates an installation package on Palo Alto Cortex XDR based on the distribution name and package type specified. Annotation: create_distributions
  • Get Distribution Status: Checks and retrieves the status of the installation package from Palo Alto Cortex XDR based on the distribution ID specified. Annotation: get_distribution_status
  • Get Distribution URL: Retrieves the distribution URL for downloading the installation package from Palo Alto Cortex XDR based on the distribution ID and package type specified. Annotation: get_distribution_url
  • Get Audit Management Logs: Retrieves audit management logs from Palo Alto Cortex XDR based on the input parameters specified. Annotation: get_audit_management_log
  • Get Audit Agent Report: Retrieves agent event reports from Palo Alto Cortex XDR based on the input parameters specified. Annotation: get_audit_agent_report
  • Blacklist Files: Blacklists the specified files that have not already been blacklisted on Palo Alto Cortex XDR based on the list of file hashes specified. Annotation: blacklist_files
  • Whitelist Files: Whitelists the specified files that have not already been whitelisted on Palo Alto Cortex XDR based on the list of file hashes specified. Annotation: whitelist_files
  • Quarantine Files: Quarantines files on specified endpoints on Palo Alto Cortex XDR based on the file path, file hash, and other input parameters specified. Annotation: quarantine_files
  • Get Quarantine Status: Retrieves the quarantine status for a specified file from Palo Alto Cortex XDR based on the endpoint ID, file path, and file hash specified. Annotation: get_quarantine_status
  • Restore File: Restores a quarantined file on a specified endpoint on Palo Alto Cortex XDR based on the endpoint ID and file hash specified. Annotation: restore_file
  • Retrieve File: Retrieves a file from specified endpoints from Palo Alto Cortex XDR based on the file path and other input parameters specified. Note: You can retrieve up to 20 files from a maximum of 100 endpoints. Annotation: retrieve_file

operation: Fetch Incidents

Input parameters

Parameter Description
Operator String that identifies the comparison operator you want to use to filter incidents to be retrieved from Palo Alto Cortex XDR. You can choose from the following: In, Contains, Greater Than Equal To, or Less Than Equal To.
If you choose the 'In' operator, then you can specify the following parameters:
  • Incident ID List: List of incident IDs based on which you want to retrieve incidents from Palo Alto Cortex XDR. Each item in the list must be an incident ID.
  • Alert Sources: Source which detected the alert whose associated incidents you want to retrieve from Palo Alto Cortex XDR.
  • Description: Description of the incident that you want to retrieve from Palo Alto Cortex XDR.
If you choose the 'Contains' operator, then you can specify the following parameters:
  • Description: Description of the incident that you want to retrieve from Palo Alto Cortex XDR.
If you choose the 'Greater Than Equal To' operator, then you can specify the following parameters:
  • Modification Time: Time the incident has been modified. This operator will retrieve all incidents that match the time specified or the time later than the time specified from Palo Alto Cortex XDR.
  • Creation Time: Time that the incident has been created. This operator will retrieve all incidents that match the time specified or the time later than the time specified from Palo Alto Cortex XDR.
If you choose the 'Less Than Equal To' operator, then you can specify the following parameters:
  • Modification Time: Time the incident has been modified. This operator will retrieve all incidents that match the time specified or the time earlier than the time specified from Palo Alto Cortex XDR.
  • Creation Time: Time that the incident has been created. This operator will retrieve all incidents that match the time specified or the time earlier than the time specified from Palo Alto Cortex XDR.
Search From Integer representing the starting offset within the query result set from which you want this operation to return incidents from Palo Alto Cortex XDR.
Search To Integer representing the end offset within the result set after which you do not want this operation to return incidents from Palo Alto Cortex XDR.
Sort Select this option if you want to sort the retrieved incidents by field and order the results. If you select this option, then you can specify the following parameters:
  • Sort by Field: Choose the field by which you want to sort the incidents. You can choose between Modification Time or Creation Time.
  • Sort by Order: Choose the order in which you want to sort the result. You can choose between Ascending or Descending.

Output

The output contains the following populated JSON schema:
{
     "reply": {
         "result_count": "",
         "total_count": "",
         "incidents": [
             {
                 "assigned_user_pretty_name": "",
                 "user_count": "",
                 "creation_time": "",
                 "detection_time": "",
                 "manual_description": "",
                 "med_severity_alert_count": "",
                 "high_severity_alert_count": "",
                 "hosts": [],
                 "incident_id": "",
                 "incident_sources": [],
                 "xdr_url": "",
                 "assigned_user_mail": "",
                 "users": [],
                 "modification_time": "",
                 "low_severity_alert_count": "",
                 "severity": "",
                 "resolve_comment": "",
                 "host_count": "",
                 "manual_severity": "",
                 "starred": "",
                 "alert_count": "",
                 "description": "",
                 "status": "",
                 "notes": ""
             }
         ]
     }
}

operation: Get Incident Details

Input parameters

Parameter Description
Incident ID ID of the incident for which you want to retrieve details including alerts and key artifacts from Palo Alto Cortex XDR.
Alerts Limit (Optional) Maximum number of alerts related to the specified incident you want to retrieve from Palo Alto Cortex XDR. By default, this is set to '1000'.

Output

The output contains the following populated JSON schema:
{
     "reply": {
         "alerts": {
             "data": [
                 {
                     "source": "",
                     "starred": "",
                     "event_type": "",
                     "severity": "",
                     "host_name": "",
                     "host_ip": "",
                     "is_whitelisted": "",
                     "name": "",
                     "alert_id": "",
                     "actor_process_image_name": "",
                     "category": "",
                     "action": "",
                     "detection_timestamp": "",
                     "actor_process_command_line": "",
                     "fw_app_id": "",
                     "action_pretty": "",
                     "user_name": "",
                     "description": "",
                     "endpoint_id": ""
                 }
             ],
             "total_count": ""
         },
         "network_artifacts": {
             "data": [
                 {
                     "network_country": "",
                     "is_manual": "",
                     "network_domain": "",
                     "network_remote_port": "",
                     "alert_count": "",
                     "type": "",
                     "network_remote_ip": ""
                 }
             ],
             "total_count": ""
         },
         "file_artifacts": {
             "data": [
                 {
                     "file_signature_status": "",
                     "is_manual": "",
                     "file_sha256": "",
                     "alert_count": "",
                     "is_malicious": "",
                     "type": "",
                     "is_process": "",
                     "file_signature_vendor_name": "",
                     "file_name": "",
                     "file_wildfire_verdict": ""
                 }
             ],
             "total_count": ""
         },
         "incident": {
             "assigned_user_pretty_name": "",
             "user_count": "",
             "creation_time": "",
             "detection_time": "",
             "manual_description": "",
             "med_severity_alert_count": "",
             "high_severity_alert_count": "",
             "hosts": [],
             "incident_id": "",
             "xdr_url": "",
             "assigned_user_mail": "",
             "users": [],
             "modification_time": "",
             "low_severity_alert_count": "",
             "severity": "",
             "alert_sources": [],
             "resolve_comment": "",
             "host_count": "",
             "manual_severity": "",
             "starred": "",
             "alert_count": "",
             "description": "",
             "status": "",
             "notes": ""
         }
     }
}

operation: Update Incident

Input parameters

Parameter Description
Incident ID ID of the incident that you want to update in Palo Alto Cortex XDR.
Assigned User Mail (Optional) Email address of the incident assignee that you want to update in the specified incident in Palo Alto Cortex XDR.
Assigned User Pretty Name (Optional) Full name of the incident assignee that you want to update in the specified incident in Palo Alto Cortex XDR.  
Severity (Optional) Severity level you want to update in the specified incident in Palo Alto Cortex XDR. You can choose from the following options: High, Medium, or Low.
Status (Optional) Status that you want to set on the specified incident in Palo Alto Cortex XDR. You can choose from the following options: New, Under Investigation, Resolved Threat Handled, Resolved Known Issue, Resolved Duplicate, Resolved False Positive, or Resolved Other.
Resolve Comment Descriptive comment that explains the updates made to the specified incident.

Output

The output contains the following populated JSON schema:
{
     "message": "",
     "status": ""
}

operation: Insert CEF Alerts

Input parameters

Parameter Description
Alerts Comma-separated list of alerts in the CEF format that you want to add to Palo Alto Cortex XDR.

Output

The output contains the following populated JSON schema:
{
     "reply": ""
}

operation: Insert Parsed Alerts

Input parameters
Note: The values that you specify in the following parameters are used to build the alert that is uploaded to Palo Alto Cortex XDR.

Parameter Description
Product String value that defines the product. For example, VPN & Firewall-1.
Vendor String value that defines the vendor. For example, Check Point.
Local IP String value for the source IP address.
Local Port Integer value for the source port.
Remote IP String value of the destination IP address.
Remote Port Integer value for the destination port.
Event Timestamp Time the alert occurred.
Alert Name String defining the name of the alert that you want to upload to Palo Alto Cortex XDR.
Severity (Optional) Choose the severity of the alert that you want to upload to Palo Alto Cortex XDR. You can choose from the following options: Informational, High, Medium, Low, or Unknown.
Alert Description (Optional) String defining the description of the alert that you want to upload to Palo Alto Cortex XDR.

Output

The output contains the following populated JSON schema:
{
     "reply": ""
}
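The parameter table above lists the fields of a parsed alert but not how they should be validated before being pushed into the tenant. The following is an added example, not the connector's code, that builds one alert and the request envelope while rejecting malformed IPs, out-of-range ports and unknown severities, which matters because these alerts typically originate from external, less trusted sources. The API field names (product, vendor, local_ip, local_port, remote_ip, remote_port, event_timestamp, severity, alert_name, alert_description) and the lowercase severity keywords are the Cortex XDR insert_parsed_alerts API names as I know them; confirm them against your API reference. The sample alert is constructed and reuses the product and vendor examples from the table.

```python
"""Build and validate an insert_parsed_alerts request for Cortex XDR.

Added example; not the FortiSOAR connector's code. Field names follow the
Cortex XDR insert_parsed_alerts public API as I know it; check them against
your API reference. The sample alert at the bottom is constructed.
"""
import ipaddress
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional, Union

# Connector UI label -> API severity keyword.
SEVERITIES = {"Informational": "informational", "High": "high",
              "Medium": "medium", "Low": "low", "Unknown": "unknown"}


def _ip(value: str) -> str:
    """Accept only a literal IPv4/IPv6 address and return its normalised form.

    Alerts arrive from external, possibly untrusted feeds; ipaddress raises
    ValueError on hostnames, CIDR ranges and injected text.
    """
    return str(ipaddress.ip_address(str(value).strip()))


def _port(value: Union[int, str]) -> int:
    port = int(value)
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {value!r}")
    return port


def _epoch_ms(value: Union[int, datetime]) -> int:
    """Cortex XDR takes the event time as epoch milliseconds; naive datetimes are UTC."""
    if isinstance(value, datetime):
        if value.tzinfo is None:
            value = value.replace(tzinfo=timezone.utc)
        return int(value.timestamp() * 1000)
    return int(value)


def parsed_alert(product: str, vendor: str, local_ip: str, local_port: int,
                 remote_ip: str, remote_port: int,
                 event_time: Union[int, datetime], alert_name: str,
                 severity: str = "Unknown",
                 alert_description: Optional[str] = None) -> Dict[str, Any]:
    """One alert in the Cortex XDR parsed format, validated field by field."""
    for name, val in (("product", product), ("vendor", vendor), ("alert_name", alert_name)):
        if not isinstance(val, str) or not val.strip():
            raise ValueError(f"{name} must be a non-empty string")
    if severity not in SEVERITIES:
        raise ValueError(f"severity must be one of {sorted(SEVERITIES)}")
    alert = {
        "product": product.strip(),
        "vendor": vendor.strip(),
        "local_ip": _ip(local_ip),
        "local_port": _port(local_port),
        "remote_ip": _ip(remote_ip),
        "remote_port": _port(remote_port),
        "event_timestamp": _epoch_ms(event_time),
        "severity": SEVERITIES[severity],
        "alert_name": alert_name.strip(),
    }
    if alert_description:
        alert["alert_description"] = str(alert_description)
    return alert


def insert_parsed_alerts_body(alerts: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Envelope for POST .../public_api/v1/alerts/insert_parsed_alerts/."""
    if not alerts:
        raise ValueError("at least one alert is required")
    return {"request_data": {"alerts": list(alerts)}}


if __name__ == "__main__":
    # Constructed sample; product and vendor are the examples from the parameter table.
    sample = parsed_alert("VPN & Firewall-1", "Check Point", "10.0.0.5", 51515,
                          "203.0.113.7", 443, datetime(2024, 1, 1, tzinfo=timezone.utc),
                          "Suspicious outbound connection", "High",
                          "Constructed example alert")
    print(insert_parsed_alerts_body([sample]))
```

Validating before upload keeps a malformed or hostile upstream record from becoming an incident artifact that analysts then trust.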

operation: Isolate Endpoints

Input parameters

Parameter Description
Isolate Endpoint Choose whether you want to isolate a single endpoint or more than one endpoint on Palo Alto Cortex XDR. You can choose between Isolate One Endpoint or Isolate More Than One Endpoint.
If you choose the 'Isolate One Endpoint' option, then you can specify the following parameters:
  • Endpoint ID: ID of the endpoint that you want to isolate on Palo Alto Cortex XDR. 
If you choose the 'Isolate More Than One Endpoint' option, then you can specify the following parameters:
  • Operator: String that identifies the comparison operator you want to use to filter the endpoints to be isolated on Palo Alto Cortex XDR. You can choose from the following: In, Greater Than Equal To, or Less Than Equal To.
    If you choose the 'In' operator, then you can specify the following parameters:
    • Endpoint ID List: List of endpoint IDs to isolate on Palo Alto Cortex XDR. 
    • Distribution Name: Name of the distribution list containing the endpoints to isolate on Palo Alto Cortex XDR.  
    • Group Name: Name of the group containing the endpoints to isolate on Palo Alto Cortex XDR. 
    • Alias: Alias of the endpoints to isolate on Palo Alto Cortex XDR.  
    • Hostname: Name of the host of the endpoints to isolate on Palo Alto Cortex XDR.  
    • IP list: List of IP addresses containing the endpoints to isolate on Palo Alto Cortex XDR.  
    • Platform: Type of operating system that contains the endpoints to isolate on Palo Alto Cortex XDR. You can choose between Windows, Linux, Macos, or Android.
    • Isolate: Isolation status used to filter the endpoints. Select Isolated to match only endpoints that are already isolated.
  • If you choose the 'Greater Than Equal To' operator, then you can specify the following parameters:
    • First Seen: Time when the endpoint was first seen. This operator will isolate all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR.
    • Last Seen: Time when the endpoint was last seen. This operator will isolate all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR.
  • If you choose the 'Less Than Equal To' operator, then you can specify the following parameters:
    • First Seen: Time when the endpoint was first seen. This operator will isolate all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR.
    • Last Seen: Time when the endpoint was last seen. This operator will isolate all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR.

Output

The output contains the following populated JSON schema:
{
     "reply": {
         "action_id": []
     }
}

operation: Unisolate Endpoints

Input parameters

Parameter Description
Unisolate Endpoint Choose whether you want to unisolate a single endpoint or more than one endpoint on Palo Alto Cortex XDR. You can choose between Unisolate One Endpoint or Unisolate More Than One Endpoint.
If you choose the 'Unisolate One Endpoint' option, then you can specify the following parameters:
  • Endpoint ID: ID of the endpoint that you want to unisolate on Palo Alto Cortex XDR. 
If you choose the 'Unisolate More Than One Endpoint' option, then you can specify the following parameters:
  • Operator: String that identifies the comparison operator you want to use to filter the endpoints to be unisolated on Palo Alto Cortex XDR. You can choose from the following: In, Greater Than Equal To, or Less Than Equal To.
    If you choose the 'In' operator, then you can specify the following parameters:
    • Endpoint ID List: List of endpoint IDs to unisolate on Palo Alto Cortex XDR. 
    • Distribution Name: Name of the distribution list containing the endpoints to unisolate on Palo Alto Cortex XDR.  
    • Group Name: Name of the group containing the endpoints to unisolate on Palo Alto Cortex XDR. 
    • Alias: Alias of the endpoints to unisolate on Palo Alto Cortex XDR.  
    • Hostname: Name of the host of the endpoints to unisolate on Palo Alto Cortex XDR.  
    • IP list: List of IP addresses containing the endpoints to unisolate on Palo Alto Cortex XDR.  
    • Platform: Type of operating system that contains the endpoints to unisolate on Palo Alto Cortex XDR. You can choose between Windows, Linux, Macos, or Android.
    • Isolate: Isolation status used to filter the endpoints. Select Unisolated to match only endpoints that are not currently isolated.
  • If you choose the 'Greater Than Equal To' operator, then you can specify the following parameters:
    • First Seen: Time when the endpoint was first seen. This operator will unisolate all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR.
    • Last Seen: Time when the endpoint was last seen. This operator will unisolate all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR.
  • If you choose the 'Less Than Equal To' operator, then you can specify the following parameters:
    • First Seen: Time when the endpoint was first seen. This operator will unisolate all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR.
    • Last Seen: Time when the endpoint was last seen. This operator will unisolate all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR.

Output

The output contains the following populated JSON schema:
{
     "reply": {
         "action_id": []
     }
}

operation: Get All Endpoints

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
     "reply": [
         {
             "agent_type": "",
             "agent_id": "",
             "host_name": "",
             "agent_status": "",
             "ip": ""
         }
     ]
}

operation: Get Endpoints

Input parameters

Parameter Description
Operator String that identifies the comparison operator you want to use to filter endpoints to be retrieved from Palo Alto Cortex XDR. You can choose from the following: In, Greater Than Equal To, or Less Than Equal To.
  • If you choose the 'In' operator, then you can specify the following parameters:
    • Endpoint ID List: List of endpoint IDs based on which you want to retrieve endpoints from Palo Alto Cortex XDR. 
    • Distribution Name: Name of the distribution list or installation package name containing the endpoints to be retrieved from Palo Alto Cortex XDR.  
    • Group Name: Name of the group containing the endpoints to be retrieved from Palo Alto Cortex XDR. 
    • Alias: Alias of the endpoints to be retrieved from Palo Alto Cortex XDR. 
    • Hostname: Name of the host of the endpoints to be retrieved from Palo Alto Cortex XDR. 
    • IP list: List of IP addresses containing the endpoints to be retrieved from Palo Alto Cortex XDR. 
    • Platform: Type of operating system that contains the endpoints to be retrieved from Palo Alto Cortex XDR. You can choose between Windows, Linux, Macos, or Android.
    • Isolate: Select Isolated if the endpoints have been isolated and Unisolated if the endpoints have been unisolated.
  • If you choose the 'Greater Than Equal To' operator, then you can specify the following parameters:
    • First Seen: Time when the endpoint was first seen. This operator will retrieve all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR.
    • Last Seen: Time when the endpoint was last seen. This operator will retrieve all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR.
  • If you choose the 'Less Than Equal To' operator, then you can specify the following parameters:
    • First Seen: Time when the endpoint was first seen. This operator will retrieve all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR.
    • Last Seen: Time when the endpoint was last seen. This operator will retrieve all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR.
Search From Integer representing the starting offset within the query result set from which you want this operation to return endpoints from Palo Alto Cortex XDR.
Search To Integer representing the end offset within the result set after which you do not want this operation to return endpoints from Palo Alto Cortex XDR.
Sort Select this option if you want to sort the retrieved endpoints by field and order the results. If you select this option, then you can specify the following parameters:
  • Sort by Field: Choose the field by which you want to sort the endpoints. You can choose between First Seen or Last Seen.
  • Sort by Order: Choose the order in which you want to sort the result. You can choose between Ascending or Descending.

Output

The output contains the following populated JSON schema:
{
     "reply": {
         "result_count": "",
         "endpoints": [
             {
                 "is_isolated": "",
                 "last_seen": "",
                 "os_type": "",
                 "users": [
                     ""
                 ],
                 "install_date": "",
                 "active_directory": "",
                 "group_name": "",
                 "domain": "",
                 "installation_package": "",
                 "endpoint_name": "",
                 "endpoint_status": "",
                 "alias": "",
                 "ip": "",
                 "endpoint_type": "",
                 "first_seen": "",
                 "endpoint_id": "",
                 "endpoint_version": "",
                 "content_version": ""
             }
         ]
     }
}
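The Operator, field, Search From/To and Sort inputs described for Fetch Incidents and for the endpoint operations (Get Endpoints, Isolate, Unisolate, Scan, Cancel Scan and Delete Endpoints) all map onto one Cortex XDR request shape. The following is an added example, not the connector's code, that performs that translation for both incidents and endpoints: it converts the UI operator labels to the API keywords, forces times to epoch milliseconds, rejects operator/field pairings the tables above do not allow, and refuses to build a multi-endpoint action with no filters at all (a client-side precaution of this example, not API behaviour). The request_data envelope and the keywords in/contains/gte/lte follow the Cortex XDR public API; the filter field names (incident_id_list, alert_sources, endpoint_id_list, dist_name, group_name, alias, hostname, ip_list, platform, isolate, first_seen, last_seen, creation_time, modification_time) are the API's names as I know them and should be confirmed against your API reference. The IP addresses in the usage block are constructed.

```python
"""Translate the connector's filter inputs into Cortex XDR request bodies.

Added example; not the FortiSOAR connector's code. The request_data envelope,
the filter objects (field/operator/value), search_from/search_to, sort, and
the operator keywords in/contains/gte/lte follow the Cortex XDR public API.
The field names are the API's names for the incident and endpoint filters on
this page as I know them; confirm them against your tenant's API reference.
"""
from datetime import datetime, timezone
from typing import Any, Dict, Iterable, List, Optional, Union

OPERATORS = {  # connector UI label -> API operator keyword
    "In": "in",
    "Contains": "contains",
    "Greater Than Equal To": "gte",
    "Less Than Equal To": "lte",
}
# gte/lte apply to time fields and take epoch milliseconds.
TIME_FIELDS = {"modification_time", "creation_time", "first_seen", "last_seen"}
# 'in' applies to list fields and always takes a list, even for one item.
LIST_FIELDS = {"incident_id_list", "alert_sources",               # incidents
               "endpoint_id_list", "dist_name", "group_name",     # endpoints
               "alias", "hostname", "ip_list", "platform", "isolate"}
SORT_FIELDS = {"incidents": {"modification_time", "creation_time"},
               "endpoints": {"first_seen", "last_seen"}}


def to_epoch_ms(value: Union[int, datetime]) -> int:
    """Cortex XDR timestamps are epoch milliseconds; naive datetimes are taken as UTC."""
    if isinstance(value, datetime):
        if value.tzinfo is None:
            value = value.replace(tzinfo=timezone.utc)
        return int(value.timestamp() * 1000)
    return int(value)


def make_filter(field: str, operator: str, value: Any) -> Dict[str, Any]:
    """One filter object, rejecting operator/field pairings the tables do not allow."""
    op = OPERATORS.get(operator)
    if op is None:
        raise ValueError(f"unknown operator {operator!r}")
    if op in ("gte", "lte"):
        if field not in TIME_FIELDS:
            raise ValueError(f"{operator} applies only to time fields, not {field!r}")
        return {"field": field, "operator": op, "value": to_epoch_ms(value)}
    if op == "in":
        if field not in LIST_FIELDS:
            raise ValueError(f"In applies only to list fields, not {field!r}")
        items = list(value) if isinstance(value, (list, tuple, set)) else [value]
        return {"field": field, "operator": op, "value": items}
    if field != "description":
        raise ValueError("Contains applies only to the description field")
    return {"field": field, "operator": op, "value": str(value)}


def build_query(filters: Iterable[Dict[str, Any]], search_from: int = 0,
                search_to: int = 100, sort_field: Optional[str] = None,
                sort_order: str = "Descending", kind: str = "incidents") -> Dict[str, Any]:
    """Body for get_incidents / get_endpoints: filters, paging window, optional sort."""
    if search_from < 0 or search_to <= search_from:
        raise ValueError("search_to must be greater than search_from, and search_from >= 0")
    data: Dict[str, Any] = {"filters": list(filters),
                            "search_from": search_from, "search_to": search_to}
    if sort_field is not None:
        if sort_field not in SORT_FIELDS[kind]:
            raise ValueError(f"cannot sort {kind} by {sort_field!r}")
        data["sort"] = {"field": sort_field,
                        "keyword": "asc" if sort_order == "Ascending" else "desc"}
    return {"request_data": data}


def build_endpoint_action(filters: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Body for the 'More Than One Endpoint' form of isolate, unisolate, scan,
    cancel scan and delete. Client-side guard (an added precaution, not API
    behaviour): an empty filter list would describe every endpoint in the
    tenant, which no automated playbook intends, so refuse to build it."""
    if not filters:
        raise ValueError("refusing to build an endpoint action with no filters")
    return {"request_data": {"filters": list(filters)}}


def build_single_endpoint_action(endpoint_id: str) -> Dict[str, Any]:
    """Body for the 'One Endpoint' form of isolate and unisolate."""
    if not endpoint_id:
        raise ValueError("endpoint_id is required")
    return {"request_data": {"endpoint_id": endpoint_id}}


if __name__ == "__main__":
    # Fetch Incidents: incidents modified since 2024-01-01 UTC, newest first.
    since = datetime(2024, 1, 1, tzinfo=timezone.utc)
    print(build_query([make_filter("modification_time", "Greater Than Equal To", since)],
                      0, 100, "creation_time", "Descending", "incidents"))
    # Isolate Endpoints: Windows hosts at constructed addresses that are not yet isolated.
    print(build_endpoint_action([
        make_filter("ip_list", "In", ["10.0.0.15", "10.0.0.16"]),
        make_filter("platform", "In", "windows"),
        make_filter("isolate", "In", "unisolated"),
    ]))
```

When a playbook drives Isolate or Delete Endpoints from a time-based filter (First Seen or Last Seen with Greater Than Equal To or Less Than Equal To), run the same filters through Get Endpoints first and check result_count, since a loose time window selects far more hosts than an ID list does.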

operation: Scan Endpoints

Input parameters

Parameter Description
Operator String that identifies the comparison operator you want to use to filter endpoints to be scanned on Palo Alto Cortex XDR. You can choose from the following: In, Greater Than Equal To, or Less Than Equal To.
  • If you choose the 'In' operator, then you can specify the following parameters:
    • Endpoint ID List: List of endpoint IDs that you want to scan on Palo Alto Cortex XDR. 
    • Distribution Name: Name of the distribution list containing the endpoints that you want to scan on Palo Alto Cortex XDR. 
    • Group Name: Name of the group containing the endpoints that you want to scan on Palo Alto Cortex XDR. 
    • Alias: Alias of the endpoints to be scanned on Palo Alto Cortex XDR. 
    • Hostname: Name of the host of the endpoints to be scanned on Palo Alto Cortex XDR. 
    • IP list: List of IP addresses containing the endpoints to be scanned on Palo Alto Cortex XDR.  
    • Platform: Type of operating system that contains the endpoints to be scanned on Palo Alto Cortex XDR. You can choose between Windows, Linux, Macos, or Android.
    • Isolate: Select Isolated if the endpoints have been isolated and Unisolated if the endpoints have been unisolated.
  • If you choose the 'Greater Than Equal To' operator, then you can specify the following parameters:
    • First Seen: Time when the endpoint was first seen. This operator will scan all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR.
    • Last Seen: Time when the endpoint was last seen. This operator will scan all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR.
  • If you choose the 'Less Than Equal To' operator, then you can specify the following parameters:
    • First Seen: Time when the endpoint was first seen. This operator will scan all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR.
    • Last Seen: Time when the endpoint was last seen. This operator will scan all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR.

Output

The output contains the following populated JSON schema:
{
     "reply": {
         "action_id": []
     }
}

operation: Cancel Scan Endpoints

Input parameters

Parameter Description
Operator String that identifies the comparison operator you want to use to filter endpoints whose scans are to be canceled on Palo Alto Cortex XDR. You can choose from the following: In, Greater Than Equal To, or Less Than Equal To.
  • If you choose the 'In' operator, then you can specify the following parameters:
    • Endpoint ID List: List of endpoint IDs whose scans you want to cancel on Palo Alto Cortex XDR. 
    • Distribution Name: Name of the distribution list containing the endpoints whose scans you want to cancel on Palo Alto Cortex XDR. 
    • Group Name: Name of the group containing the endpoints whose scans you want to cancel on Palo Alto Cortex XDR. 
    • Alias: Alias of the endpoints whose scans you want to cancel on Palo Alto Cortex XDR. 
    • Hostname: Name of the host of the endpoints whose scans you want to cancel on Palo Alto Cortex XDR. 
    • IP list: List of IP addresses containing the endpoints whose scans you want to cancel on Palo Alto Cortex XDR.  
    • Platform: Type of operating system that contains the endpoints whose scans you want to cancel on Palo Alto Cortex XDR. You can choose between Windows, Linux, Macos, or Android.
    • Isolate: Select Isolated if the endpoints have been isolated and Unisolated if the endpoints have been unisolated.
  • If you choose the 'Greater Than Equal To' operator, then you can specify the following parameters:
    • First Seen: Time when the endpoint was first seen. This operator will cancel the scans on all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR.
    • Last Seen: Time when the endpoint was last seen. This operator will cancel the scans on all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR.
  • If you choose the 'Less Than Equal To' operator, then you can specify the following parameters:
    • First Seen: Time when the endpoint was first seen. This operator will cancel the scans on all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR.
    • Last Seen: Time when the endpoint was last seen. This operator will cancel the scans on all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR.

Output

The output contains the following populated JSON schema:
{
     "reply": ""
}

operation: Delete Endpoints

Input parameters

Parameter Description
Operator String that identifies the comparison operator you want to use to filter endpoints to be deleted from the Palo Alto Cortex XDR app. You can choose from the following: In, Greater Than Equal To, or Less Than Equal To.
  • If you choose the 'In' operator, then you can specify the following parameters:
    • Endpoint ID List: List of endpoint IDs that you want to delete from the Palo Alto Cortex XDR app. 
    • Distribution Name: Name of the distribution list containing the endpoints that you want to delete from the Palo Alto Cortex XDR app. 
    • Group Name: Name of the group containing the endpoints that you want to delete from the Palo Alto Cortex XDR app. 
    • Alias: Alias of the endpoints to be deleted from the Palo Alto Cortex XDR app.
    • Hostname: Name of the host of the endpoints to be deleted from the Palo Alto Cortex XDR app. 
    • IP list: List of IP addresses containing the endpoints to be deleted from the Palo Alto Cortex XDR app.  
    • Platform: Type of operating system that contains the endpoints to be deleted from the Palo Alto Cortex XDR app. You can choose between Windows, Linux, Macos, or Android.
    • Isolate: Select Isolated if the endpoints have been isolated and Unisolated if the endpoints have been unisolated.
  • If you choose the 'Greater Than Equal To' operator, then you can specify the following parameters:
    • First Seen: Time when the endpoint was first seen. This operator will delete all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR.
    • Last Seen: Time when the endpoint was last seen. This operator will delete all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR.
  • If you choose the 'Less Than Equal To' operator, then you can specify the following parameters:
    • First Seen: Time when the endpoint was first seen. This operator will delete all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR.
    • Last Seen: Time when the endpoint was last seen. This operator will delete all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR.

Output

The output contains the following populated JSON schema:
{
     "reply": ""
}

operation: Get Policy

Input parameters

Parameter Description
Endpoint ID String that represents the endpoint ID based on which you want to retrieve the policy from Palo Alto Cortex XDR. For example, 51588e4ce9214c63b39d054bd073b93a

Output

The output contains the following populated JSON schema:
{
     "reply": {
         "policy_name": ""
     }
}

operation: Get Device Violations

Input parameters

Parameter Description
Operator String that identifies the comparison operator you want to use to filter device violations to be retrieved from Palo Alto Cortex XDR. You can choose from the following: In, Greater Than Equal To, or Less Than Equal To.
  • If you choose the 'In' operator, then you can specify the following parameters:
    • Endpoint ID List: List of endpoint IDs based on which you want to retrieve violations from Palo Alto Cortex XDR. 
    • Vendor: String value that defines the vendor whose associated violations are to be retrieved from Palo Alto Cortex XDR. For example, Check Point. 
    • Vendor ID: String value that defines the vendor ID whose associated violations are to be retrieved from Palo Alto Cortex XDR. For example, 0x0999.
    • Product: String value that defines the product whose associated violations are to be retrieved from Palo Alto Cortex XDR. For example, VPN & Firewall-1.
    • Product ID: String value that defines the product ID whose associated violations are to be retrieved from Palo Alto Cortex XDR. For example, 0x10036.
    • Serial: String value that defines the serial number whose associated violations are to be retrieved from Palo Alto Cortex XDR. For example, 8888889.
    • Hostname: Name of the host whose associated violations are to be retrieved from Palo Alto Cortex XDR.
    • Username: Name of the user whose associated violations are to be retrieved from Palo Alto Cortex XDR.
    • Type: Type of violations that are to be retrieved from Palo Alto Cortex XDR. You can choose between CD ROM, Disk Drive, Floppy Disk, or Portable Device.
    • IP list: List of IP addresses whose associated violations are to be retrieved from Palo Alto Cortex XDR.
    • Violations ID List: List of violations IDs based on which you want to retrieve violations from Palo Alto Cortex XDR.
  • If you choose the 'Greater Than Equal To' operator, then you can specify the following parameters:
    • Timestamp: Datetime from which you want to retrieve violations from Palo Alto Cortex XDR. This operator will retrieve all violations whose timestamp matches the time specified or is later than the time specified on Palo Alto Cortex XDR.
  • If you choose the 'Less Than Equal To' operator, then you can specify the following parameters:
    • Timestamp: Datetime up to which you want to retrieve violations from Palo Alto Cortex XDR. This operator will retrieve all violations whose timestamp matches the time specified or is earlier than the time specified on Palo Alto Cortex XDR.
Search From Integer representing the starting offset within the query result set from which you want this operation to return violations from Palo Alto Cortex XDR.
Search To Integer representing the end offset within the result set after which you do not want this operation to return violations from Palo Alto Cortex XDR.
Sort Select this option if you want to sort the retrieved violations by field and order the results. If you select this option, then you can specify the following parameters:
  • Sort by Field: Choose the field by which you want to sort the violations. You can choose between First Seen or Last Seen.
  • Sort by Order: Choose the order in which you want to sort the result. You can choose between Ascending or Descending.

Output

The output contains the following populated JSON schema:
{
     "reply": {
         "violations": [
             {
                 "violation_id": "",
                 "serial": "",
                 "timestamp": "",
                 "vendor_id": "",
                 "username": "",
                 "ip": "",
                 "hostname": "",
                 "product_id": "",
                 "vendor": "",
                 "type": "",
                 "endpoint_id": "",
                 "product": ""
             }
         ],
         "result_count": ""
     }
}

operation: Get Distribution Version

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
     "reply": {
         "macos": [],
         "linux": [],
         "windows": []
     }
}

operation: Create Distributions

Input parameters

Parameter Description
Name String representing the name of the installation package that you want to create on Palo Alto Cortex XDR.
Package Type String representing the type of installation package that you want to create on Palo Alto Cortex XDR. You can choose from the following types: Standalone or Upgrade.
If you choose the 'Standalone' package type, then you can specify the following parameters:
  • Platform: Platform on which you want to create the installation package. You can choose the following: Windows, Linux, Macos, or Android.
    • If you choose 'Windows', then in the Agent Version field, enter the version of the agent. For example, 5.0.7.16157.
    • If you choose 'Macos', then in the Agent Version field, enter the version of the agent. For example, 5.0.7.16157.
    • If you choose 'Linux', then in the Agent Version field, enter the version of the agent. For example, 5.0.7.16157.
If you choose the 'Upgrade' package type, then you can specify the following parameters:
  • Upgrade: Specify the version of an agent from ESM to be upgraded. You can specify the following values: windows_version, linux_version, or macos_version.
Description String containing descriptive information about the installation package.

Output

The output contains the following populated JSON schema:
{
     "reply": {
         "distribution_id": ""
     }
}

operation: Get Distribution Status

Input parameters

Parameter Description
Distribution ID String representing the ID of the installation package whose status you want to retrieve from Palo Alto Cortex XDR. 

Output

The output contains the following populated JSON schema:
{
     "reply": {
         "status": ""
     }
}

operation: Get Distribution URL

Input parameters

Parameter Description
Distribution ID String representing the ID of the installation package whose distribution URL you want to retrieve from Palo Alto Cortex XDR. 
Package Type String representing the type of installation package whose distribution URL you want to retrieve from Palo Alto Cortex XDR. You can choose from the following options: sh (Linux), rpm (Linux), deb (Linux), pkg (Mac), x86 (Windows), or x64 (Windows).

Output

The output contains the following populated JSON schema:
{
     "reply": {
         "distribution_url": ""
     }
}

operation: Get Audit Management Logs

Input parameters

Parameter Description
Operator String that identifies the comparison operator you want to use to filter audit management logs to be retrieved from Palo Alto Cortex XDR. You can choose from the following: In, Greater Than Equal To, or Less Than Equal To.
  • If you choose the 'In' operator, then you can specify the following parameters:
    • Email: Email address of the user whose audit management logs you want to retrieve from Palo Alto Cortex XDR. 
    • Type: Type of the audit management logs you want to retrieve from Palo Alto Cortex XDR. 
    • Sub Type: Subtype of the audit management logs you want to retrieve from Palo Alto Cortex XDR. 
    • Result: Filter audit log management logs you want to retrieve from Palo Alto Cortex XDR based on the result of the audit log. For example, SUCCESS.
  • If you choose the 'Greater Than Equal To' operator, then you can specify the following parameters:
    • Timestamp: Datetime from which you want to retrieve audit management logs from Palo Alto Cortex XDR. This operator will retrieve all audit management logs whose timestamp matches the time specified or is later than the time specified on Palo Alto Cortex XDR.
  • If you choose the 'Less Than Equal To' operator, then you can specify the following parameters:
    • Timestamp: Datetime up to which you want to retrieve audit management logs from Palo Alto Cortex XDR. This operator will retrieve all audit management logs whose timestamp matches the time specified or is earlier than the time specified on Palo Alto Cortex XDR.
Search From An integer representing the starting offset within the query result set from which you want management logs returned.
Search To An integer representing the end offset within the result set after which you do not want management logs returned.
Sort Select this option if you want to sort the retrieved management logs by field and order the results. If you select this option, then you can specify the following parameters:
  • Sort by Field: Choose the field by which you want to sort the management logs. For example, timestamp.
  • Sort by Order: Choose the order in which you want to sort the result. You can choose between Ascending or Descending.

Output

The output contains the following populated JSON schema:
{
     "reply": {
         "data": [
             {
                 "AUDIT_DESCRIPTION": "",
                 "AUDIT_HOSTNAME": "",
                 "AUDIT_SESSION_ID": "",
                 "AUDIT_ASSET_JSON": "",
                 "AUDIT_REASON": "",
                 "AUDIT_RESULT": "",
                 "AUDIT_OWNER_EMAIL": "",
                 "AUDIT_ENTITY": "",
                 "AUDIT_ASSET_NAMES": "",
                 "AUDIT_ID": "",
                 "AUDIT_ENTITY_SUBTYPE": "",
                 "AUDIT_CASE_ID": "",
                 "AUDIT_OWNER_NAME": "",
                 "AUDIT_INSERT_TIME": ""
             }
         ],
         "result_count": ""
     }
}

operation: Get Audit Agent Report

Input parameters

Parameter Description
Operator String that identifies the comparison operator you want to use to filter audit agent reports to be retrieved from Palo Alto Cortex XDR. You can choose from the following: In, Greater Than Equal To, or Less Than Equal To.
  • If you choose the 'In' operator, then you can specify the following parameters:
    • Endpoint ID: String representing the ID of the endpoint whose associated audit agent reports you want to retrieve from Palo Alto Cortex XDR. 
    • Endpoint Name: String representing the name of the endpoint whose associated audit agent reports you want to retrieve from Palo Alto Cortex XDR. 
    • Type: Type of the audit agent reports you want to retrieve from Palo Alto Cortex XDR. For example, Agent Status.
    • Sub Type: Subtype of the audit agent reports you want to retrieve from Palo Alto Cortex XDR. For example, Fully Protected.
    • Result: Filter audit agent reports you want to retrieve from Palo Alto Cortex XDR based on the result of the agent report. For example, SUCCESS.
    • Domain: Domain of the agent whose audit agent reports you want to retrieve from Palo Alto Cortex XDR. For example, WORKGROUP.
    • xdr_version: XDR version for which you want to retrieve audit agent reports from Palo Alto Cortex XDR. 
    • Category: Type of event category whose audit agent reports you want to retrieve from Palo Alto Cortex XDR. You can choose from the following options: Status, Audit, or Monitoring.
  • If you choose the 'Greater Than Equal To' operator, then you can specify the following parameters:
    • Timestamp: Datetime from which you want to retrieve audit agent reports from Palo Alto Cortex XDR. This operator will retrieve all audit agent reports whose timestamp matches the time specified or is later than the time specified on Palo Alto Cortex XDR.
  • If you choose the 'Less Than Equal To' operator, then you can specify the following parameters:
    • Timestamp: Datetime up to which you want to retrieve audit agent reports from Palo Alto Cortex XDR. This operator will retrieve all audit agent reports whose timestamp matches the time specified or is earlier than the time specified on Palo Alto Cortex XDR.
Search From Integer representing the starting offset within the query result set from which you want this operation to return audit agent reports from Palo Alto Cortex XDR.
Search To Integer representing the end offset within the result set after which you do not want this operation to return audit agent reports from Palo Alto Cortex XDR.
Sort Select this option if you want to sort the retrieved audit agent reports by field and order the results. If you select this option, then you can specify the following parameters:
  • Sort by Field: Choose the field by which you want to sort the audit agent reports. You can choose from the following options: Type, Category, Trapsversion, Timestamp, or Domaintimestamp.
  • Sort by Order: Choose the order in which you want to sort the result. You can choose between Ascending or Descending.

Output

The output contains the following populated JSON schema:
{
     "reply": {
         "data": [
             {
                 "RESULT": "",
                 "REASON": "",
                 "SUBTYPE": "",
                 "CATEGORY": "",
                 "DOMAIN": "",
                 "TRAPSVERSION": "",
                 "RECEIVEDTIME": "",
                 "TIMESTAMP": "",
                 "DESCRIPTION": "",
                 "ENDPOINTNAME": "",
                 "ENDPOINTID": "",
                 "TYPE": ""
             }
         ],
         "result_count": ""
     }
}

operation: Blacklist Files

Input parameters

Parameter Description
Hash List String that represents a list of hashed files you want to blacklist on Palo Alto Cortex XDR.
Note: Hash must be a valid SHA256 value.
Comment String containing descriptive information about this action.

Output

The output contains the following populated JSON schema:
{
     "reply": ""
}

operation: Whitelist Files

Input parameters

Parameter Description
Hash List String that represents a list of hashed files you want to whitelist on Palo Alto Cortex XDR.
Note: Hash must be a valid SHA256 value.
Comment String containing descriptive information about this action.

Output

The output contains the following populated JSON schema:
{
     "reply": ""
}

operation: Quarantine Files

Input parameters

Parameter Description
Operator String that identifies the comparison operator you want to use to filter endpoints on which you want to quarantine files on Palo Alto Cortex XDR. You can choose from the following: In, Greater Than Equal To, or Less Than Equal To.
  • If you choose the 'In' operator, then you can specify the following parameters:
    • Endpoint ID List: List of endpoint IDs on which you want to quarantine files on Palo Alto Cortex XDR.
    • Distribution Name: Name of the distribution list containing the endpoints on which you want to quarantine files on Palo Alto Cortex XDR.
    • Group Name: Name of the group containing the endpoints on which you want to quarantine files on Palo Alto Cortex XDR.
    • Alias: Alias of the endpoints on which you want to quarantine files on Palo Alto Cortex XDR.
    • Hostname: Name of the host of the endpoints on which you want to quarantine files on Palo Alto Cortex XDR.
    • IP list: List of IP addresses containing the endpoints on which you want to quarantine files on Palo Alto Cortex XDR.
    • Platform: Type of operating system that contains the endpoints on which you want to quarantine files on Palo Alto Cortex XDR. You can choose between Windows, Linux, Macos, or Android.
    • Isolate: Select Isolated if the endpoints have been isolated and Unisolated if the endpoints have been unisolated.
  • If you choose the 'Greater Than Equal To' operator, then you can specify the following parameters:
    • First Seen: Time when the endpoint was first seen. This operator will quarantine files on all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR.
    • Last Seen: Time when the endpoint was last seen. This operator will quarantine files on all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR.
  • If you choose the 'Less Than Equal To' operator, then you can specify the following parameters:
    • First Seen: Time when the endpoint was first seen. This operator will quarantine files on all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR.
    • Last Seen: Time when the endpoint was last seen. This operator will quarantine files on all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR.
File Path String that represents the path of the file you want to quarantine on the specified endpoints on Palo Alto Cortex XDR.
File Hash String that represents the hash value of the file you want to quarantine on the specified endpoints on Palo Alto Cortex XDR. The hash must be a valid SHA256 value.

Output

The output contains the following populated JSON schema:
{
     "reply": {
         "action_id": []
     }
}

operation: Get Quarantine Status

Input parameters

Parameter Description
Endpoint ID String that represents the endpoint ID whose associated files' quarantine status you want to retrieve from Palo Alto Cortex XDR.
File Hash String that represents the hash value of the file whose quarantine status you want to retrieve from Palo Alto Cortex XDR. The hash must be a valid SHA256 value.
File Path String that represents the path of the file whose quarantine status you want to retrieve from Palo Alto Cortex XDR.

Output

The output contains the following populated JSON schema:
{
     "reply": [
         {
             "endpoint_id": "",
             "file_path": "",
             "file_hash": "",
             "status": ""
         }
     ]
}

operation: Restore File

Input parameters

Parameter Description
File Hash String that represents the hash value of the quarantined file that you want to restore on the specified endpoint on Palo Alto Cortex XDR. The hash must be a valid SHA256 value.
Endpoint ID String that represents the endpoint ID on which you want to restore the specified quarantined file.

Output

The output contains the following populated JSON schema:
{
     "message": "",
     "status": ""
}

operation: Retrieve File

Input parameters

Parameter Description
Operator String that identifies the comparison operator you want to use to filter files that you want to retrieve from Palo Alto Cortex XDR. You can choose from the following: In, Greater Than Equal To, or Less Than Equal To.
  • If you choose the 'In' operator, then you can specify the following parameters:
    • Endpoint ID List: List of endpoint IDs whose associated files you want to retrieve from Palo Alto Cortex XDR.
    • Distribution Name: Name of the distribution list containing the endpoints whose associated files you want to retrieve from Palo Alto Cortex XDR.
    • Group Name: Name of the endpoint group containing the endpoints whose associated files you want to retrieve from Palo Alto Cortex XDR.
    • Alias: Alias of the endpoints whose associated files you want to retrieve from Palo Alto Cortex XDR.
    • Hostname: Name of the host of the endpoints whose associated files you want to retrieve from Palo Alto Cortex XDR.
    • IP list: List of IP addresses containing the endpoints whose associated files you want to retrieve from Palo Alto Cortex XDR.
    • Platform: Type of operating system that contains the endpoints whose associated files you want to retrieve from Palo Alto Cortex XDR. You can choose between Windows, Linux, Macos, or Android.
    • Isolate: Select Isolated if the endpoints have been isolated and Unisolated if the endpoints have been unisolated.
  • If you choose the 'Greater Than Equal To' operator, then you can specify the following parameters:
    • First Seen: Time when the endpoint was first seen. This operator will retrieve files on all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR.
    • Last Seen: Time when the endpoint was last seen. This operator will retrieve files on all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR.
  • If you choose the 'Less Than Equal To' operator, then you can specify the following parameters:
    • First Seen: Time when the endpoint was first seen. This operator will retrieve files on all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR.
    • Last Seen: Time when the endpoint was last seen. This operator will retrieve files on all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR.
Files Dictionary containing the type of operating system from which you want to retrieve files from Palo Alto Cortex XDR. You can choose between Windows, Linux, or Macos.
File Path String that represents the path of the file used to retrieve files from Palo Alto Cortex XDR.

Output

The output contains the following populated JSON schema:
{
     "reply": {
         "action_id": []
     }
}
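The endpoint filters shared by Cancel Scan Endpoints, Delete Endpoints, Quarantine Files and Retrieve File, together with the SHA256 requirement on Hash List and File Hash, as an added Python dry-run helper that is not part of the connector or the Cortex XDR API: it previews which endpoints a filter would target before a destructive action is submitted, and rejects hashes that are not SHA256. The sample endpoint records, the record field names and the AND-combination of several parameters under one operator are assumptions; the same 'Greater Than Equal To' / 'Less Than Equal To' time semantics apply to the Timestamp filters of Get Device Violations and the two audit operations.

```python
"""Dry-run evaluator for the endpoint filters and hash inputs described on this page.

Added example, not part of the FortiSOAR connector or the Cortex XDR API.
The connector hands the filter to Cortex XDR, which matches server-side; this
local model reproduces the documented operator semantics so a playbook author
can preview which endpoints an action would hit, and can reject hashes that
are not SHA256 before calling Blacklist Files, Whitelist Files, Quarantine
Files or Restore File.
"""
import re
from datetime import datetime, timezone

# Parameters offered under the 'In' operator, mapped to the endpoint record
# field they test (record field names are an assumption of this example).
IN_FIELDS = {
    "endpoint_id_list": "endpoint_id",
    "dist_name": "dist_name",
    "group_name": "group_name",
    "alias": "alias",
    "hostname": "hostname",
    "ip_list": "ip",
    "platform": "platform",
    "isolate": "isolate",
}
# Parameters offered under 'Greater Than Equal To' and 'Less Than Equal To'.
TIME_FIELDS = {"first_seen", "last_seen"}
OPERATORS = {"In", "Greater Than Equal To", "Less Than Equal To"}

# Constructed sample inventory (not real endpoints); times are ISO 8601 UTC.
SAMPLE_ENDPOINTS = [
    {"endpoint_id": "ep-0001", "dist_name": "corp-win", "group_name": "finance",
     "alias": "fin-laptop-1", "hostname": "FIN-LT-01", "ip": "10.1.2.3",
     "platform": "Windows", "isolate": "Unisolated",
     "first_seen": "2020-01-10T08:00:00Z", "last_seen": "2020-03-01T09:30:00Z"},
    {"endpoint_id": "ep-0002", "dist_name": "corp-linux", "group_name": "devops",
     "alias": "build-1", "hostname": "BUILD-01", "ip": "10.1.5.9",
     "platform": "Linux", "isolate": "Unisolated",
     "first_seen": "2019-11-02T12:00:00Z", "last_seen": "2020-02-20T18:00:00Z"},
    {"endpoint_id": "ep-0003", "dist_name": "corp-win", "group_name": "finance",
     "alias": "fin-laptop-2", "hostname": "FIN-LT-02", "ip": "10.1.2.4",
     "platform": "Windows", "isolate": "Isolated",
     "first_seen": "2020-02-15T10:00:00Z", "last_seen": "2020-03-02T07:45:00Z"},
    {"endpoint_id": "ep-0004", "dist_name": "corp-mac", "group_name": "design",
     "alias": "design-mb-1", "hostname": "DSG-MB-01", "ip": "10.1.7.20",
     "platform": "Macos", "isolate": "Unisolated",
     "first_seen": "2020-01-10T08:00:00Z", "last_seen": "2020-02-28T23:59:00Z"},
]


def parse_time(value):
    """Parse an ISO 8601 timestamp; a trailing 'Z' means UTC, naive values are taken as UTC."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo is not None else dt.replace(tzinfo=timezone.utc)


def _as_list(value):
    return list(value) if isinstance(value, (list, tuple, set)) else [value]


def endpoint_matches(endpoint, operator, criteria):
    """True if the endpoint satisfies every parameter supplied under the operator.

    Assumption (not stated on the page): several parameters under one operator
    are combined with AND, and string values are compared case-insensitively.
    Unknown operators or parameters not valid for the operator are rejected
    rather than silently ignored, so a misconfigured filter cannot match everything.
    """
    if operator not in OPERATORS:
        raise ValueError(f"unsupported operator: {operator!r}")
    if not criteria:
        raise ValueError("at least one parameter is required")
    for param, value in criteria.items():
        if operator == "In":
            if param not in IN_FIELDS:
                raise ValueError(f"{param!r} is not valid under 'In'")
            wanted = {str(v).lower() for v in _as_list(value)}
            if str(endpoint[IN_FIELDS[param]]).lower() not in wanted:
                return False
        else:
            if param not in TIME_FIELDS:
                raise ValueError(f"{param!r} is not valid under {operator!r}")
            actual, bound = parse_time(endpoint[param]), parse_time(value)
            # Both operators include the boundary time itself, as the page states.
            if operator == "Greater Than Equal To" and actual < bound:
                return False
            if operator == "Less Than Equal To" and actual > bound:
                return False
    return True


def select_endpoints(endpoints, operator, criteria):
    """Return the IDs of the endpoints the filter would target, in inventory order."""
    return [e["endpoint_id"] for e in endpoints if endpoint_matches(e, operator, criteria)]


SHA256_RE = re.compile(r"[0-9a-fA-F]{64}")


def is_sha256(value):
    """True only for a 64-character hex string, as the Hash List / File Hash notes require."""
    return isinstance(value, str) and SHA256_RE.fullmatch(value) is not None


def split_hash_list(hashes):
    """Split a Hash List into (valid, rejected) so a playbook can stop before submitting bad input."""
    valid = [h for h in hashes if is_sha256(h)]
    rejected = [h for h in hashes if not is_sha256(h)]
    return valid, rejected


if __name__ == "__main__":
    print(select_endpoints(SAMPLE_ENDPOINTS, "In", {"platform": "Windows", "isolate": "Unisolated"}))
    print(select_endpoints(SAMPLE_ENDPOINTS, "Greater Than Equal To", {"last_seen": "2020-03-01T00:00:00Z"}))
    print(split_hash_list(["a" * 64, "b" * 40]))
```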

Included playbooks

The Sample - Palo Alto Cortex XDR - 1.0.0 playbook collection comes bundled with the Palo Alto Cortex XDR connector. These playbooks contain steps with which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in CyOPs™ after importing the Palo Alto Cortex XDR connector.

  • Blacklist Files
  • Cancel Scan Endpoints
  • Create Distributions
  • Delete Endpoints
  • Fetch Incidents
  • Get All Endpoints
  • Get Audit Agent Report
  • Get Audit Management Logs
  • Get Device Violations
  • Get Distribution Status
  • Get Distribution URL
  • Get Distribution Version
  • Get Endpoints
  • Get Incident Details
  • Get Policy
  • Get Quarantine Status
  • Insert CEF Alerts
  • Insert Parsed Alerts
  • Isolate Endpoints
  • Quarantine Files
  • Restore File
  • Retrieve File
  • Scan Endpoints
  • Unisolate Endpoints
  • Update Incident
  • Whitelist Files

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.

  • Sort by Field: Choose the field by which you want to sort the incidents. You can choose between Modification Time or Creation Time.
  • Sort by Order: Choose the order in which you want to sort the result. You can choose between Ascending or Descending.

Output

The output contains the following populated JSON schema:
{
     "reply": {
         "result_count": "",
         "total_count": "",
         "incidents": [
             {
                 "assigned_user_pretty_name": "",
                 "user_count": "",
                 "creation_time": "",
                 "detection_time": "",
                 "manual_description": "",
                 "med_severity_alert_count": "",
                 "high_severity_alert_count": "",
                 "hosts": [],
                 "incident_id": "",
                 "incident_sources": [],
                 "xdr_url": "",
                 "assigned_user_mail": "",
                 "users": [],
                 "modification_time": "",
                 "low_severity_alert_count": "",
                 "severity": "",
                 "resolve_comment": "",
                 "host_count": "",
                 "manual_severity": "",
                 "starred": "",
                 "alert_count": "",
                 "description": "",
                 "status": "",
                 "notes": ""
             }
         ]
     }
}

operation: Get Incident Details

Input parameters

Parameter Description
Incident ID ID of the incident for which you want to retrieve details including alerts and key artifacts from Palo Alto Cortex XDR.
Alerts Limit (Optional) Maximum number of alerts related to the specified incident you want to retrieve from Palo Alto Cortex XDR. By default, this is set to '1000'.

Output

The output contains the following populated JSON schema:
{
     "reply": {
         "alerts": {
             "data": [
                 {
                     "source": "",
                     "starred": "",
                     "event_type": "",
                     "severity": "",
                     "host_name": "",
                     "host_ip": "",
                     "is_whitelisted": "",
                     "name": "",
                     "alert_id": "",
                     "actor_process_image_name": "",
                     "category": "",
                     "action": "",
                     "detection_timestamp": "",
                     "actor_process_command_line": "",
                     "fw_app_id": "",
                     "action_pretty": "",
                     "user_name": "",
                     "description": "",
                     "endpoint_id": ""
                 }
             ],
             "total_count": ""
         },
         "network_artifacts": {
             "data": [
                 {
                     "network_country": "",
                     "is_manual": "",
                     "network_domain": "",
                     "network_remote_port": "",
                     "alert_count": "",
                     "type": "",
                     "network_remote_ip": ""
                 }
             ],
             "total_count": ""
         },
         "file_artifacts": {
             "data": [
                 {
                     "file_signature_status": "",
                     "is_manual": "",
                     "file_sha256": "",
                     "alert_count": "",
                     "is_malicious": "",
                     "type": "",
                     "is_process": "",
                     "file_signature_vendor_name": "",
                     "file_name": "",
                     "file_wildfire_verdict": ""
                 }
             ],
             "total_count": ""
         },
         "incident": {
             "assigned_user_pretty_name": "",
             "user_count": "",
             "creation_time": "",
             "detection_time": "",
             "manual_description": "",
             "med_severity_alert_count": "",
             "high_severity_alert_count": "",
             "hosts": [],
             "incident_id": "",
             "xdr_url": "",
             "assigned_user_mail": "",
             "users": [],
             "modification_time": "",
             "low_severity_alert_count": "",
             "severity": "",
             "alert_sources": [],
             "resolve_comment": "",
             "host_count": "",
             "manual_severity": "",
             "starred": "",
             "alert_count": "",
             "description": "",
             "status": "",
             "notes": ""
         }
     }
}
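
The schema above is what a playbook step receives back from Get Incident Details. The following is an added example, not code from the connector or its documentation, showing how to condense that reply into a triage record a later step can act on: the SHA-256 hashes flagged malicious (candidates for Blacklist Files), the hosts carrying the most alerts (candidates to review before Isolate Endpoints), the remote domains and IPs observed, and a flag showing whether the Alerts Limit truncated the alert list. Key names follow the output schema on this page; SAMPLE_REPLY is a constructed sample with placeholder values, not real Cortex XDR output.

```python
"""Added example (not from the connector documentation): condense the
'Get Incident Details' reply into a triage record. Key names follow the
documented output schema; SAMPLE_REPLY is constructed placeholder data."""
from collections import Counter

SAMPLE_REPLY = {  # constructed sample shaped like the documented schema
    "reply": {
        "incident": {
            "incident_id": "1001", "severity": "high", "status": "new",
            "hosts": ["ws-01", "ws-02"], "alert_count": 3,
            "high_severity_alert_count": 1, "med_severity_alert_count": 2,
            "low_severity_alert_count": 0,
            "xdr_url": "https://xdr.example.invalid/incident/1001",
        },
        "alerts": {
            "data": [
                {"alert_id": "1", "severity": "high", "host_name": "ws-01",
                 "user_name": "alice", "actor_process_image_name": "powershell.exe",
                 "category": "Malware", "action_pretty": "Prevented"},
                {"alert_id": "2", "severity": "medium", "host_name": "ws-01",
                 "user_name": "alice", "actor_process_image_name": "cmd.exe",
                 "category": "Exploit", "action_pretty": "Detected"},
                {"alert_id": "3", "severity": "medium", "host_name": "ws-02",
                 "user_name": "bob", "actor_process_image_name": "winword.exe",
                 "category": "Malware", "action_pretty": "Prevented"},
            ],
            "total_count": 3,
        },
        "network_artifacts": {
            "data": [
                {"type": "DOMAIN", "network_domain": "bad.example",
                 "network_remote_ip": "203.0.113.10", "network_remote_port": 443,
                 "network_country": "ZZ", "alert_count": 2, "is_manual": False},
                {"type": "IP", "network_domain": "",
                 "network_remote_ip": "198.51.100.7", "network_remote_port": 8080,
                 "network_country": "ZZ", "alert_count": 1, "is_manual": False},
            ],
            "total_count": 2,
        },
        "file_artifacts": {
            "data": [
                {"file_name": "dropper.exe", "file_sha256": "a" * 64,
                 "is_malicious": True, "is_process": True,
                 "file_wildfire_verdict": "MALWARE", "file_signature_status": "UNSIGNED"},
                {"file_name": "notepad.exe", "file_sha256": "b" * 64,
                 "is_malicious": False, "is_process": True,
                 "file_wildfire_verdict": "BENIGN", "file_signature_status": "SIGNED"},
            ],
            "total_count": 2,
        },
    }
}


def malicious_hashes(reply):
    """SHA-256 of every file artifact marked is_malicious, de-duplicated and sorted."""
    files = reply["reply"]["file_artifacts"]["data"]
    return sorted({f["file_sha256"] for f in files if f.get("is_malicious")})


def network_indicators(reply):
    """Remote domains and IPs seen in the incident, split by kind."""
    arts = reply["reply"]["network_artifacts"]["data"]
    return {
        "domains": sorted({a["network_domain"] for a in arts if a.get("network_domain")}),
        "ips": sorted({a["network_remote_ip"] for a in arts if a.get("network_remote_ip")}),
    }


def alerts_by_host(reply):
    """Alert count per host_name, to decide which endpoints to look at first."""
    return dict(Counter(a["host_name"] for a in reply["reply"]["alerts"]["data"]))


def alerts_truncated(reply):
    """True when fewer alerts came back than exist, i.e. Alerts Limit cut the list."""
    alerts = reply["reply"]["alerts"]
    return int(alerts.get("total_count", 0)) > len(alerts["data"])


def triage_summary(reply):
    """Single record combining the incident header with the derived indicators."""
    inc = reply["reply"]["incident"]
    return {
        "incident_id": inc["incident_id"],
        "severity": inc["severity"],
        "status": inc["status"],
        "hosts": list(inc.get("hosts", [])),
        "alerts_by_host": alerts_by_host(reply),
        "alerts_truncated": alerts_truncated(reply),
        "malicious_sha256": malicious_hashes(reply),
        "network_indicators": network_indicators(reply),
        "xdr_url": inc.get("xdr_url", ""),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage_summary(SAMPLE_REPLY), indent=2))
```

The truncation flag matters in practice: if `total_count` exceeds the number of alerts returned, the playbook saw only the first Alerts Limit alerts and should re-query with a larger limit before drawing conclusions about which hosts or users are involved.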

operation: Update Incident

Input parameters

Parameter Description
Incident ID ID of the incident that you want to update on Palo Alto Cortex XDR.
Assigned User Mail (Optional) Email address of the incident assignee that you want to update in the specified incident in Palo Alto Cortex XDR.
Assigned User Pretty Name (Optional) Full name of the incident assignee that you want to update in the specified incident in Palo Alto Cortex XDR.  
Severity (Optional) Severity level you want to update in the specified incident in Palo Alto Cortex XDR. You can choose from the following options: High, Medium, or Low.
Status (Optional) Status that you want to set on the specified incident in Palo Alto Cortex XDR. You can choose from the following options: New, Under Investigation, Resolved Threat Handled, Resolved Known Issue, Resolved Duplicate, Resolved False Positive, or Resolved Other.
Resolve Comment Descriptive comment that explains the updates made to the specified incident.

Output

The output contains the following populated JSON schema:
{
     "message": "",
     "status": ""
}

operation: Insert CEF Alerts

Input parameters

Parameter Description
Alerts Comma-separated list of alerts in the CEF format that you want to add to Palo Alto Cortex XDR.

Output

The output contains the following populated JSON schema:
{
     "reply": ""
}

operation: Insert Parsed Alerts

Input parameters
Note: Value that you specify in the following parameters will be used to upload alerts to Palo Alto Cortex XDR.

Parameter Description
Product String value that defines the product. For example, VPN & Firewall-1.
Vendor String value that defines the vendor. For example, Check Point.
Local IP String value for the source IP address.
Local Port Integer value for the source port.
Remote IP String value of the destination IP address.
Remote Port Integer value for the destination port.
Event Timestamp Time the alert occurred.
Alert Name String defining the name of the alert that you want to upload to Palo Alto Cortex XDR.
Severity (Optional) Choose the severity of the alert that you want to upload to Palo Alto Cortex XDR. You can choose from the following options: Informational, High, Medium, Low, or Unknown.
Alert Description (Optional) String defining the description of the alert that you want to upload to Palo Alto Cortex XDR.
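
The table above lists the fields a parsed alert must carry. The following is an added example, not code from the connector or its documentation, that validates those values before a playbook uploads them, so a malformed address, an out-of-range port or a severity outside the listed options fails locally with a clear message rather than producing a rejected or silently malformed upload. The snake_case keys, the lowercase severity value and the "request_data"/"alerts" wrapper are assumptions about the Cortex XDR API, not taken from this page; the sample values are constructed, using the example product and vendor given in the table.

```python
"""Added example (not part of the connector or its documentation): validate
'Insert Parsed Alerts' field values before upload. Key names, lowercase
severity and the request wrapper are assumptions about the Cortex XDR API."""
import ipaddress
from datetime import datetime, timezone

# Severity options offered by the operation (from the parameter table).
SEVERITIES = {"Informational", "High", "Medium", "Low", "Unknown"}


def _ip(value, name):
    """Accept IPv4 or IPv6 in canonical text form; anything else is rejected."""
    try:
        return str(ipaddress.ip_address(value))
    except ValueError as exc:
        raise ValueError(f"{name}: {value!r} is not a valid IP address") from exc


def _port(value, name):
    """Ports must be integers in 0-65535."""
    port = int(value)
    if not 0 <= port <= 65535:
        raise ValueError(f"{name}: {port} is outside 0-65535")
    return port


def _epoch_ms(value):
    """Event time as epoch milliseconds (assumed unit); datetime or int accepted."""
    if isinstance(value, datetime):
        if value.tzinfo is None:  # treat naive times as UTC
            value = value.replace(tzinfo=timezone.utc)
        return int(value.timestamp() * 1000)
    ms = int(value)
    if ms <= 0:
        raise ValueError("event_timestamp must be a positive epoch value")
    return ms


def build_parsed_alert(product, vendor, local_ip, local_port, remote_ip, remote_port,
                       event_timestamp, alert_name, severity="Unknown", alert_description=""):
    """Return one validated alert record for the upload payload."""
    if not (product and vendor and alert_name):
        raise ValueError("product, vendor and alert_name are required")
    if severity not in SEVERITIES:
        raise ValueError(f"severity must be one of {sorted(SEVERITIES)}")
    return {
        "product": product,
        "vendor": vendor,
        "local_ip": _ip(local_ip, "local_ip"),
        "local_port": _port(local_port, "local_port"),
        "remote_ip": _ip(remote_ip, "remote_ip"),
        "remote_port": _port(remote_port, "remote_port"),
        "event_timestamp": _epoch_ms(event_timestamp),
        "severity": severity.lower(),  # assumed: API expects lowercase
        "alert_name": alert_name,
        "alert_description": alert_description,
    }


def build_upload_request(alerts):
    """Wrap validated alerts in the request body; an empty batch is an error."""
    if not alerts:
        raise ValueError("no alerts to upload")
    return {"request_data": {"alerts": list(alerts)}}


if __name__ == "__main__":
    import json
    # Constructed sample using the example product/vendor from the table above.
    alert = build_parsed_alert("VPN & Firewall-1", "Check Point", "10.0.0.5", 51000,
                               "203.0.113.9", 443, 1577836800000,
                               "Blocked outbound connection", "High",
                               "constructed sample alert")
    print(json.dumps(build_upload_request([alert]), indent=2))
```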

Output

The output contains the following populated JSON schema:
{
     "reply": ""
}

operation: Isolate Endpoints

Input parameters

Parameter Description
Isolate Endpoint Choose whether you want to isolate a single endpoint or more than one endpoint on Palo Alto Cortex XDR. You can choose between Isolate One Endpoint or Isolate More Than One Endpoint.
If you choose the 'Isolate One Endpoint' option, then you can specify the following parameters:
  • Endpoint ID: ID of the endpoint that you want to isolate on Palo Alto Cortex XDR. 
If you choose the 'Isolate More Than One Endpoint' option, then you can specify the following parameters:
  • Operator: String that identifies the comparison operator you want to use to filter endpoint to be isolated on Palo Alto Cortex XDR. You can choose from the following: In, Greater Than Equal To, or Less Than Equal To.
    If you choose the 'In' operator, then you can specify the following parameters:
    • Endpoint ID List: List of endpoint IDs to isolate on Palo Alto Cortex XDR. 
    • Distribution Name: Name of the distribution list containing the endpoints to isolate on Palo Alto Cortex XDR.  
    • Group Name: Name of the group containing the endpoints to isolate on Palo Alto Cortex XDR. 
    • Alias: Alias of the endpoints to isolate on Palo Alto Cortex XDR.  
    • Hostname: Name of the host of the endpoints to isolate on Palo Alto Cortex XDR.  
    • IP list: List of IP addresses containing the endpoints to isolate on Palo Alto Cortex XDR.  
    • Platform: Type of operating system that contains the endpoints to isolate on Palo Alto Cortex XDR. You can choose between Windows, Linux, Macos, or Android.
    • Isolate: Select Isolated if the endpoints are isolated.
  • If you choose the 'Greater Than Equal To' operator, then you can specify the following parameters:
    • First Seen: Time when the endpoint was first seen. This operator will isolate all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR.
    • Last Seen: Time when the endpoint was last seen. This operator will isolate all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR.
  • If you choose the 'Less Than Equal To' operator, then you can specify the following parameters:
    • First Seen: Time when the endpoint was first seen. This operator will isolate all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR.
    • Last Seen: Time when the endpoint was last seen. This operator will isolate all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR.

Output

The output contains the following populated JSON schema:
{
     "reply": {
         "action_id": []
     }
}

operation: Unisolate Endpoints

Input parameters

Parameter Description
Unisolate Endpoint Choose whether you want to unisolate a single endpoint or more than one endpoint on Palo Alto Cortex XDR. You can choose between Unisolate One Endpoint or Unisolate More Than One Endpoint.
If you choose the 'Unisolate One Endpoint' option, then you can specify the following parameters:
  • Endpoint ID: ID of the endpoint that you want to unisolate on Palo Alto Cortex XDR. 
If you choose the 'Unisolate More Than One Endpoint' option, then you can specify the following parameters:
  • Operator: String that identifies the comparison operator you want to use to filter endpoint to be unisolated on Palo Alto Cortex XDR. You can choose from the following: In, Greater Than Equal To, or Less Than Equal To.
    If you choose the 'In' operator, then you can specify the following parameters:
    • Endpoint ID List: List of endpoint IDs to unisolate on Palo Alto Cortex XDR. 
    • Distribution Name: Name of the distribution list containing the endpoints to unisolate on Palo Alto Cortex XDR.  
    • Group Name: Name of the group containing the endpoints to unisolate on Palo Alto Cortex XDR. 
    • Alias: Alias of the endpoints to unisolate on Palo Alto Cortex XDR.  
    • Hostname: Name of the host of the endpoints to unisolate on Palo Alto Cortex XDR.  
    • IP list: List of IP addresses containing the endpoints to unisolate on Palo Alto Cortex XDR.  
    • Platform: Type of operating system that contains the endpoints to unisolate on Palo Alto Cortex XDR. You can choose between Windows, Linux, Macos, or Android.
    • Isolate: Select Unisolated if the endpoints are unisolated.
  • If you choose the 'Greater Than Equal To' operator, then you can specify the following parameters:
    • First Seen: Time when the endpoint was first seen. This operator will unisolate all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR.
    • Last Seen: Time when the endpoint was last seen. This operator will unisolate all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR.
  • If you choose the 'Less Than Equal To' operator, then you can specify the following parameters:
    • First Seen: Time when the endpoint was first seen. This operator will unisolate all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR.
    • Last Seen: Time when the endpoint was last seen. This operator will unisolate all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR.

Output

The output contains the following populated JSON schema:
{
     "reply": {
         "action_id": []
     }
}

operation: Get All Endpoints

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
     "reply": [
         {
             "agent_type": "",
             "agent_id": "",
             "host_name": "",
             "agent_status": "",
             "ip": ""
         }
     ]
}

operation: Get Endpoints

Input parameters

Parameter Description
Operator String that identifies the comparison operator you want to use to filter endpoints to be retrieved from Palo Alto Cortex XDR. You can choose from the following: In, Greater Than Equal To, or Less Than Equal To.
  • If you choose the 'In' operator, then you can specify the following parameters:
    • Endpoint ID List: List of endpoint IDs based on which you want to retrieve endpoints from Palo Alto Cortex XDR. 
    • Distribution Name: Name of the distribution list or installation package name containing the endpoints to be retrieved from Palo Alto Cortex XDR.  
    • Group Name: Name of the group containing the endpoints to be retrieved from Palo Alto Cortex XDR. 
    • Alias: Alias of the endpoints to be retrieved from Palo Alto Cortex XDR. 
    • Hostname: Name of the host of the endpoints to be retrieved from Palo Alto Cortex XDR. 
    • IP list: List of IP addresses containing the endpoints to be retrieved from Palo Alto Cortex XDR. 
    • Platform: Type of operating system that contains the endpoints to be retrieved from Palo Alto Cortex XDR. You can choose between Windows, Linux, Macos, or Android.
    • Isolate: Select Isolated if the endpoints have been isolated and Unisolated if the endpoints have been unisolated.
  • If you choose the 'Greater Than Equal To' operator, then you can specify the following parameters:
    • First Seen: Time when the endpoint was first seen. This operator will retrieve all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR.
    • Last Seen: Time when the endpoint was last seen. This operator will retrieve all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR.
  • If you choose the 'Less Than Equal To' operator, then you can specify the following parameters:
    • First Seen: Time when the endpoint was first seen. This operator will retrieve all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR.
    • Last Seen: Time when the endpoint was last seen. This operator will retrieve all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR.
Search From Integer representing the starting offset within the query result set from which you want this operation to return endpoints from Palo Alto Cortex XDR.
Search To Integer representing the end offset within the result set after which you do not want this operation to return endpoints from Palo Alto Cortex XDR.
Sort Select this option if you want to sort the retrieved endpoints by field and order the results. If you select this option, then you can specify the following parameters:
  • Sort by Field: Choose the field by which you want to sort the endpoints. You can choose between First Seen or Last Seen.
  • Sort by Order: Choose the order in which you want to sort the result. You can choose between Ascending or Descending.
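
Fetch Incidents and the endpoint operations (Get Endpoints here, and Isolate, Unisolate, Scan, Cancel Scan and Delete Endpoints) share one filter model: an operator, a field legal for that operator, a value, plus a Search From/Search To window and an optional sort. The following is an added example, not code from the connector or its documentation, that builds such a request and refuses any operator/field pairing the tables do not list, so a playbook cannot, for instance, apply Contains to a timestamp or sort endpoints by Creation Time. The "request_data" wrapper, the snake_case field names (incident_id_list, creation_time, endpoint_id_list, dist_name, first_seen and so on), the "in"/"contains"/"gte"/"lte" keywords and epoch-millisecond timestamps are assumptions about the Cortex XDR public API, not taken from this page.

```python
"""Added example (not part of the FortiSOAR connector or this documentation):
build the filter request described for Fetch Incidents and the endpoint
operations, enforcing the documented operator/field pairings. Request shape,
field names, operator keywords and the ms timestamp unit are assumptions."""
import json
from datetime import datetime, timezone

# Operator labels as the connector presents them -> API keyword (assumed).
OPERATORS = {
    "In": "in",
    "Contains": "contains",
    "Greater Than Equal To": "gte",
    "Less Than Equal To": "lte",
}

# Fields each operator may filter on, per query type, mirroring the tables
# (API field names assumed).
ALLOWED_FIELDS = {
    "incidents": {
        "in": {"incident_id_list", "alert_sources", "description"},
        "contains": {"description"},
        "gte": {"modification_time", "creation_time"},
        "lte": {"modification_time", "creation_time"},
    },
    "endpoints": {
        "in": {"endpoint_id_list", "dist_name", "group_name", "alias",
               "hostname", "ip_list", "platform", "isolate"},
        "gte": {"first_seen", "last_seen"},
        "lte": {"first_seen", "last_seen"},
    },
}

# Sort fields offered for each query type.
SORT_FIELDS = {
    "incidents": {"modification_time", "creation_time"},
    "endpoints": {"first_seen", "last_seen"},
}


def to_epoch_ms(value):
    """Normalise a time to epoch milliseconds (assumed unit); accepts an
    ISO 8601 string, a datetime, or an integer already in milliseconds."""
    if isinstance(value, str):
        value = datetime.fromisoformat(value)
    if isinstance(value, datetime):
        if value.tzinfo is None:  # treat naive times as UTC
            value = value.replace(tzinfo=timezone.utc)
        return int(value.timestamp() * 1000)
    return int(value)


def build_filter(query_type, operator, field, value):
    """Return one filter clause, or raise if the pairing is not documented."""
    op = OPERATORS.get(operator)
    if op is None:
        raise ValueError(f"unknown operator {operator!r}")
    allowed = ALLOWED_FIELDS[query_type].get(op, set())
    if field not in allowed:
        raise ValueError(f"{field!r} cannot be used with {operator!r} for {query_type}")
    if op in ("gte", "lte"):
        value = to_epoch_ms(value)
    elif op == "in" and not isinstance(value, list):
        value = [value]  # 'In' always takes a list of values
    return {"field": field, "operator": op, "value": value}


def build_request(query_type, filters, search_from=0, search_to=100,
                  sort_field=None, sort_order="Ascending"):
    """Assemble request_data with the Search From/Search To window and an
    optional sort; an empty or inverted window is rejected up front."""
    if search_from < 0 or search_to <= search_from:
        raise ValueError("search_to must exceed search_from, and search_from must be >= 0")
    body = {"filters": filters, "search_from": search_from, "search_to": search_to}
    if sort_field is not None:
        if sort_field not in SORT_FIELDS[query_type]:
            raise ValueError(f"cannot sort {query_type} by {sort_field!r}")
        body["sort"] = {"field": sort_field,
                        "keyword": "asc" if sort_order == "Ascending" else "desc"}
    return {"request_data": body}


if __name__ == "__main__":
    # Incidents created on or after a constructed time, newest first, first 50.
    since = build_filter("incidents", "Greater Than Equal To", "creation_time",
                         "2020-01-01T00:00:00+00:00")
    print(json.dumps(build_request("incidents", [since], 0, 50,
                                   "creation_time", "Descending"), indent=2))
    # Windows endpoints that are currently isolated; the same filter shape
    # feeds Get, Isolate, Unisolate, Scan, Cancel Scan and Delete Endpoints.
    win = build_filter("endpoints", "In", "platform", "windows")
    iso = build_filter("endpoints", "In", "isolate", "isolated")
    print(json.dumps(build_request("endpoints", [win, iso]), indent=2))
```

Because the same builder feeds the destructive operations (Isolate, Delete Endpoints), validating the filter before it is sent is also a safety check: a mistyped field or an inverted window fails in the playbook rather than producing an unexpected match set on the server.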

Output

The output contains the following populated JSON schema:
{
     "reply": {
         "result_count": "",
         "endpoints": [
             {
                 "is_isolated": "",
                 "last_seen": "",
                 "os_type": "",
                 "users": [
                     ""
                 ],
                 "install_date": "",
                 "active_directory": "",
                 "group_name": "",
                 "domain": "",
                 "installation_package": "",
                 "endpoint_name": "",
                 "endpoint_status": "",
                 "alias": "",
                 "ip": "",
                 "endpoint_type": "",
                 "first_seen": "",
                 "endpoint_id": "",
                 "endpoint_version": "",
                 "content_version": ""
             }
         ]
     }
}

operation: Scan Endpoints

Input parameters

Parameter Description
Operator String that identifies the comparison operator you want to use to filter endpoints to be scanned on Palo Alto Cortex XDR. You can choose from the following: In, Greater Than Equal To, or Less Than Equal To.
  • If you choose the 'In' operator, then you can specify the following parameters:
    • Endpoint ID List: List of endpoint IDs that you want to scan on Palo Alto Cortex XDR. 
    • Distribution Name: Name of the distribution list containing the endpoints that you want to scan on Palo Alto Cortex XDR. 
    • Group Name: Name of the group containing the endpoints that you want to scan on Palo Alto Cortex XDR. 
    • Alias: Alias of the endpoints to be scanned on Palo Alto Cortex XDR. 
    • Hostname: Name of the host of the endpoints to be scanned on Palo Alto Cortex XDR. 
    • IP list: List of IP addresses containing the endpoints to be scanned on Palo Alto Cortex XDR.  
    • Platform: Type of operating system that contains the endpoints to be scanned on Palo Alto Cortex XDR. You can choose between Windows, Linux, Macos, or Android.
    • Isolate: Select Isolated if the endpoints have been isolated and Unisolated if the endpoints have been unisolated.
  • If you choose the 'Greater Than Equal To' operator, then you can specify the following parameters:
    • First Seen: Time when the endpoint was first seen. This operator will scan all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR.
    • Last Seen: Time when the endpoint was last seen. This operator will scan all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR.
  • If you choose the 'Less Than Equal To' operator, then you can specify the following parameters:
    • First Seen: Time when the endpoint was first seen. This operator will scan all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR.
    • Last Seen: Time when the endpoint was last seen. This operator will scan all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR.

Output

The output contains the following populated JSON schema:
{
     "reply": {
         "action_id": []
     }
}

operation: Cancel Scan Endpoints

Input parameters

Parameter Description
Operator String that identifies the comparison operator you want to use to filter endpoints whose scans are to be canceled on Palo Alto Cortex XDR. You can choose from the following: In, Greater Than Equal To, or Less Than Equal To.
  • If you choose the 'In' operator, then you can specify the following parameters:
    • Endpoint ID List: List of endpoint IDs whose scans you want to cancel on Palo Alto Cortex XDR. 
    • Distribution Name: Name of the distribution list containing the endpoints whose scans you want to cancel on Palo Alto Cortex XDR. 
    • Group Name: Name of the group containing the endpoints whose scans you want to cancel on Palo Alto Cortex XDR. 
    • Alias: Alias of the endpoints whose scans you want to cancel Palo Alto Cortex XDR. 
    • Hostname: Name of the host of the endpoints whose scans you want to cancel Palo Alto Cortex XDR. 
    • IP list: List of IP addresses containing the endpoints whose scans you want to cancel on Palo Alto Cortex XDR.  
    • Platform: Type of operating system that contains the endpoints whose scans you want to cancel on Palo Alto Cortex XDR. You can choose between Windows, Linux, Macos, or Android.
    • Isolate: Select Isolated if the endpoints have been isolated and Unisolated if the endpoints have been unisolated.
  • If you choose the 'Greater Than Equal To' operator, then you can specify the following parameters:
    • First Seen: Time when the endpoint was first seen. This operator will cancel the scans on all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR.
    • Last Seen: Time when the endpoint was last seen. This operator will cancel the scans on all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR.
  • If you choose the 'Less Than Equal To' operator, then you can specify the following parameters:
    • First Seen: Time when the endpoint was first seen. This operator will cancel the scans on all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR.
    • Last Seen: Time when the endpoint was last seen. This operator will cancel the scans on all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR.

Output

The output contains the following populated JSON schema:
{
     "reply": ""
}

operation: Delete Endpoints

Input parameters

Parameter Description
Operator String that identifies the comparison operator you want to use to filter endpoints to be deleted from the Palo Alto Cortex XDR app. You can choose from the following: In, Greater Than Equal To, or Less Than Equal To.
  • If you choose the 'In' operator, then you can specify the following parameters:
    • Endpoint ID List: List of endpoint IDs that you want to delete from the Palo Alto Cortex XDR app. 
    • Distribution Name: Name of the distribution list containing the endpoints that you want to delete from the Palo Alto Cortex XDR app. 
    • Group Name: Name of the group containing the endpoints that you want to delete from the Palo Alto Cortex XDR app. 
    • Alias: Alias of the endpoints to be deleted from the Palo Alto Cortex XDR app.
    • Hostname: Name of the host of the endpoints to be deleted from the Palo Alto Cortex XDR app. 
    • IP list: List of IP addresses containing the endpoints to be deleted from the Palo Alto Cortex XDR app.  
    • Platform: Type of operating system that contains the endpoints to be deleted from the Palo Alto Cortex XDR app. You can choose between Windows, Linux, Macos, or Android.
    • Isolate: Select Isolated if the endpoints have been isolated and Unisolated if the endpoints have been unisolated.
  • If you choose the 'Greater Than Equal To' operator, then you can specify the following parameters:
    • First Seen: Time when the endpoint was first seen. This operator will delete all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR.
    • Last Seen: Time when the endpoint was last seen. This operator will delete all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR.
  • If you choose the 'Less Than Equal To' operator, then you can specify the following parameters:
    • First Seen: Time when the endpoint was first seen. This operator will delete all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR.
    • Last Seen: Time when the endpoint was last seen. This operator will delete all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR.

Output

The output contains the following populated JSON schema:
{
     "reply": ""
}

operation: Get Policy

Input parameters

Parameter Description
Endpoint ID String that represents the endpoint ID based on which you want to retrieve the policy from Palo Alto Cortex XDR. For example, 51588e4ce9214c63b39d054bd073b93a

Output

The output contains the following populated JSON schema:
{
     "reply": {
         "policy_name": ""
     }
}

operation: Get Device Violations

Input parameters

Parameter Description
Operator String that identifies the comparison operator you want to use to filter device violations to be retrieved from Palo Alto Cortex XDR. You can choose from the following: In, Greater Than Equal To, or Less Than Equal To.
  • If you choose the 'In' operator, then you can specify the following parameters:
    • Endpoint ID List: List of endpoint IDs based on which you want to retrieve violations from Palo Alto Cortex XDR. 
    • Vendor: String value that defines the vendor whose associated violations are to be retrieved from Palo Alto Cortex XDR. For example, Check Point. 
    • Vendor ID: String value that defines the vendor ID whose associated violations are to be retrieved from Palo Alto Cortex XDR. For example, 0x0999.
    • Product: String value that defines the product whose associated violations are to be retrieved from Palo Alto Cortex XDR. For example, VPN & Firewall-1.
    • Product ID: String value that defines the product ID whose associated violations are to be retrieved from Palo Alto Cortex XDR. For example, 0x10036.
    • Serial: String value that defines the serial number whose associated violations are to be retrieved from Palo Alto Cortex XDR. For example, 8888889.
    • Hostname: Name of the host whose associated violations are to be retrieved from Palo Alto Cortex XDR.
    • Username: Name of the user whose associated violations are to be retrieved from Palo Alto Cortex XDR.
    • Type: Type of violations that are to be retrieved from Palo Alto Cortex XDR. You can choose between CD ROM, Disk Drive, Floppy Disk, or Portable Device.
    • IP list: List of IP addresses whose associated violations are to be retrieved from Palo Alto Cortex XDR.
    • Violations ID List: List of violations IDs based on which you want to retrieve violations from Palo Alto Cortex XDR.
  • If you choose the 'Greater Than Equal To' operator, then you can specify the following parameters:
    • Timestamp: Datetime from when you want to retrieve violations from Palo Alto Cortex XDR. This operator will retrieve all violations that match the time specified or the time later than the time specified on Palo Alto Cortex XDR.
  • If you choose the 'Less Than Equal To' operator, then you can specify the following parameters:
    • Timestamp: Datetime till when you want to retrieve violations from Palo Alto Cortex XDR. This operator will retrieve all violations that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR.
Search From Integer representing the starting offset within the query result set from which you want this operation to return violations from Palo Alto Cortex XDR.
Search To Integer representing the end offset within the result set after which you do not want this operation to return violations from Palo Alto Cortex XDR.
Sort Select this option if you want to sort the retrieved violations by field and order the results. If you select this option, then you can specify the following parameters:
  • Sort by Field: Choose the field by which you want to sort the violations. You can choose between First Seen or Last Seen.
  • Sort by Order: Choose the order in which you want to sort the result. You can choose between Ascending or Descending.

Output

The output contains the following populated JSON schema:
{
     "reply": {
         "violations": [
             {
                 "violation_id": "",
                 "serial": "",
                 "timestamp": "",
                 "vendor_id": "",
                 "username": "",
                 "ip": "",
                 "hostname": "",
                 "product_id": "",
                 "vendor": "",
                 "type": "",
                 "endpoint_id": "",
                 "product": ""
             }
         ],
         "result_count": ""
     }
}

operation: Get Distribution Version

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
     "reply": {
         "macos": [],
         "linux": [],
         "windows": []
     }
}

operation: Create Distributions

Input parameters

Parameter Description
Name String representing the name of the installation package that you want to create on Palo Alto Cortex XDR.
Package Type String representing the type of installation package that you want to create on Palo Alto Cortex XDR. You can choose from the following types: Standalone or Upgrade.
If you choose the 'Standalone' package type, then you can specify the following parameters:
  • Platform: Platform on which you want to create the installation package. You can choose the following: Windows, Linux, Macos, or Android.
    • If you choose 'Windows', then in the Agent Version field, enter the version of the agent. For example, 5.0.7.16157.
    • If you choose 'Macos', then in the Agent Version field, enter the version of the agent. For example, 5.0.7.16157.
    • If you choose 'Linux', then in the Agent Version field, enter the version of the agent. For example, 5.0.7.16157.
If you choose the 'Upgrade' package type, then you can specify the following parameters:
  • Upgrade: Specify the version of an agent from ESM to be upgraded. You can specify the following values: windows_version, linux_version, or macos_version.
Description String containing descriptive information about the installation package.

Output

The output contains the following populated JSON schema:
{
     "reply": {
         "distribution_id": ""
     }
}

operation: Get Distribution Status

Input parameters

Parameter Description
Distribution ID String representing the ID of the installation package whose status you want to retrieve from Palo Alto Cortex XDR. 

Output

The output contains the following populated JSON schema:
{
     "reply": {
         "status": ""
     }
}

operation: Get Distribution URL

Input parameters

Parameter Description
Distribution ID String representing the ID of the installation package whose distribution URL you want to retrieve from Palo Alto Cortex XDR. 
Package Type String representing the type of installation package whose distribution URL you want to retrieve from Palo Alto Cortex XDR. You can choose from the following options: sh-For Linux, rpm-For Linux, deb-For Linux, pkg-For Mac, x86-For Windows, or x64-For Windows.

Output

The output contains the following populated JSON schema:
{
     "reply": {
         "distribution_url": ""
     }
}

operation: Get Audit Management Logs

Input parameters

Parameter Description
Operator String that identifies the comparison operator you want to use to filter audit management logs to be retrieved from Palo Alto Cortex XDR. You can choose from the following: In, Greater Than Equal To, or Less Than Equal To.
  • If you choose the 'In' operator, then you can specify the following parameters:
    • Email: Email address of the user whose audit management logs you want to retrieve from Palo Alto Cortex XDR. 
    • Type: Type of the audit management logs you want to retrieve from Palo Alto Cortex XDR. 
    • Sub Type: Subtype of the audit management logs you want to retrieve from Palo Alto Cortex XDR. 
    • Result: Filter audit log management logs you want to retrieve from Palo Alto Cortex XDR based on the result of the audit log. For example, SUCCESS.
  • If you choose the 'Greater Than Equal To' operator, then you can specify the following parameters:
    • Timestamp: Datetime from which you want to retrieve audit management logs from Palo Alto Cortex XDR. This operator will retrieve all audit management logs whose timestamp matches the time specified or is later than the time specified on Palo Alto Cortex XDR.
  • If you choose the 'Less Than Equal To' operator, then you can specify the following parameters:
    • Timestamp: Datetime up to which you want to retrieve audit management logs from Palo Alto Cortex XDR. This operator will retrieve all audit management logs whose timestamp matches the time specified or is earlier than the time specified on Palo Alto Cortex XDR.
Search From An integer representing the starting offset within the query result set from which you want management logs returned.
Search To An integer representing the end offset within the result set after which you do not want management logs returned.
Sort Select this option if you want to sort the retrieved management logs by field and order the results. If you select this option, then you can specify the following parameters:
  • Sort by Field: Choose the field by which you want to sort the management logs. For example, timestamp.
  • Sort by Order: Choose the order in which you want to sort the result. You can choose between Ascending or Descending.

Output

The output contains the following populated JSON schema:
{
     "reply": {
         "data": [
             {
                 "AUDIT_DESCRIPTION": "",
                 "AUDIT_HOSTNAME": "",
                 "AUDIT_SESSION_ID": "",
                 "AUDIT_ASSET_JSON": "",
                 "AUDIT_REASON": "",
                 "AUDIT_RESULT": "",
                 "AUDIT_OWNER_EMAIL": "",
                 "AUDIT_ENTITY": "",
                 "AUDIT_ASSET_NAMES": "",
                 "AUDIT_ID": "",
                 "AUDIT_ENTITY_SUBTYPE": "",
                 "AUDIT_CASE_ID": "",
                 "AUDIT_OWNER_NAME": "",
                 "AUDIT_INSERT_TIME": ""
             }
         ],
         "result_count": ""
     }
}

operation: Get Audit Agent Report

Input parameters

Parameter Description
Operator String that identifies the comparison operator you want to use to filter audit agent reports to be retrieved from Palo Alto Cortex XDR. You can choose from the following: In, Greater Than Equal To, or Less Than Equal To.
  • If you choose the 'In' operator, then you can specify the following parameters:
    • Endpoint ID: String representing the ID of the endpoint whose associated audit agent reports you want to retrieve from Palo Alto Cortex XDR. 
    • Endpoint Name: String representing the name of the endpoint whose associated audit agent reports you want to retrieve from Palo Alto Cortex XDR. 
    • Type: Type of the audit agent reports you want to retrieve from Palo Alto Cortex XDR. For example, Agent Status.
    • Sub Type: Subtype of the audit agent reports you want to retrieve from Palo Alto Cortex XDR. For example, Fully Protected.
    • Result: Filter audit agent reports you want to retrieve from Palo Alto Cortex XDR based on the result of the agent report. For example, SUCCESS.
    • Domain: Domain of the agent whose audit agent reports you want to retrieve from Palo Alto Cortex XDR. For example, WORKGROUP.
    • xdr_version: XDR version for which you want to retrieve audit agent reports from Palo Alto Cortex XDR. 
    • Category: Type of event category whose audit agent reports you want to retrieve from Palo Alto Cortex XDR. You can choose from the following options: Status, Audit, or Monitoring.
  • If you choose the 'Greater Than Equal To' operator, then you can specify the following parameters:
    • Timestamp: Datetime from which you want to retrieve audit agent reports from Palo Alto Cortex XDR. This operator will retrieve all audit agent reports whose timestamp matches the time specified or is later than the time specified on Palo Alto Cortex XDR.
  • If you choose the 'Less Than Equal To' operator, then you can specify the following parameters:
    • Timestamp: Datetime up to which you want to retrieve audit agent reports from Palo Alto Cortex XDR. This operator will retrieve all audit agent reports whose timestamp matches the time specified or is earlier than the time specified on Palo Alto Cortex XDR.
Search From Integer representing the starting offset within the query result set from which you want this operation to return audit agent reports from Palo Alto Cortex XDR.
Search To Integer representing the end offset within the result set after which you do not want this operation to return audit agent reports from Palo Alto Cortex XDR.
Sort Select this option if you want to sort the retrieved audit agent reports by field and order the results. If you select this option, then you can specify the following parameters:
  • Sort by Field: Choose the field by which you want to sort the audit agent reports. You can choose from the following options: Type, Category, Trapsversion, Timestamp, or Domain.
  • Sort by Order: Choose the order in which you want to sort the result. You can choose between Ascending or Descending.

Output

The output contains the following populated JSON schema:
{
     "reply": {
         "data": [
             {
                 "RESULT": "",
                 "REASON": "",
                 "SUBTYPE": "",
                 "CATEGORY": "",
                 "DOMAIN": "",
                 "TRAPSVERSION": "",
                 "RECEIVEDTIME": "",
                 "TIMESTAMP": "",
                 "DESCRIPTION": "",
                 "ENDPOINTNAME": "",
                 "ENDPOINTID": "",
                 "TYPE": ""
             }
         ],
         "result_count": ""
     }
}
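
Get Audit Management Logs and Get Audit Agent Report share one filter model: an 'In' filter that takes a list of values, or a 'Greater Than Equal To' / 'Less Than Equal To' filter on a timestamp, plus a Search From/Search To window and an optional sort. The following Python is an added example, not code from the connector or from Palo Alto. It builds the request body in the shape the Cortex XDR public API expects, which this page does not show; the `request_data`, `filters` and `sort` keys, the `in`/`gte`/`lte` keywords, the epoch-millisecond timestamps and the 100-result page limit are assumptions taken from the public API documentation rather than from this page. The field names (`email`, `endpoint_name`, `category`, `timestamp`) are the page's parameters in API spelling.

```python
from datetime import datetime, timezone
from typing import Any, Dict, Iterator, List, Optional, Tuple

# Assumption (public API docs, not this page): one query returns at most
# 100 results, so search_to - search_from must not exceed this.
MAX_PAGE = 100

# The connector's operator labels mapped to the API keywords (assumed).
OPERATORS = {"In": "in", "Greater Than Equal To": "gte", "Less Than Equal To": "lte"}


def to_epoch_ms(when: str) -> int:
    """ISO-8601 datetime -> epoch milliseconds; naive values are treated as UTC."""
    dt = datetime.fromisoformat(when.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return int(dt.timestamp() * 1000)


def make_filter(field_name: str, operator: str, value: Any) -> Dict[str, Any]:
    """One filter clause. 'In' takes a list (or comma-separated string);
    the two comparison operators take an ISO datetime or epoch milliseconds."""
    api_op = OPERATORS.get(operator)
    if api_op is None:
        raise ValueError(f"unsupported operator: {operator!r}")
    if api_op == "in":
        if isinstance(value, str):
            value = value.split(",")
        values = [str(v).strip() for v in value if str(v).strip()]
        if not values:
            raise ValueError(f"'In' filter on {field_name} needs at least one value")
        return {"field": field_name, "operator": "in", "value": values}
    ts = to_epoch_ms(value) if isinstance(value, str) else int(value)
    return {"field": field_name, "operator": api_op, "value": ts}


def build_audit_request(filters: List[Dict[str, Any]], search_from: int = 0,
                        search_to: int = MAX_PAGE, sort_field: Optional[str] = None,
                        sort_order: str = "Descending") -> Dict[str, Any]:
    """Assemble the request body; rejects an inverted or oversized window
    instead of letting the API truncate silently."""
    if search_from < 0 or search_to <= search_from:
        raise ValueError("search_to must be greater than search_from")
    if search_to - search_from > MAX_PAGE:
        raise ValueError(f"window of {search_to - search_from} exceeds {MAX_PAGE}; page the query")
    request_data: Dict[str, Any] = {
        "filters": filters, "search_from": search_from, "search_to": search_to}
    if sort_field:
        keyword = "desc" if sort_order == "Descending" else "asc"
        request_data["sort"] = {"field": sort_field, "keyword": keyword}
    return {"request_data": request_data}


def page_windows(total: int, page: int = MAX_PAGE) -> Iterator[Tuple[int, int]]:
    """Yield (search_from, search_to) pairs that walk a result set of `total` rows."""
    start = 0
    while start < total:
        yield start, min(start + page, total)
        start += page


if __name__ == "__main__":
    # Management logs: everything one (constructed) user did since 15 Jan 2024, newest first.
    logs = build_audit_request(
        [make_filter("email", "In", "analyst@example.com"),
         make_filter("timestamp", "Greater Than Equal To", "2024-01-15T00:00:00Z")],
        search_from=0, search_to=50, sort_field="timestamp")
    # Agent reports: status events for one (constructed) host, oldest first.
    report = build_audit_request(
        [make_filter("endpoint_name", "In", "ws-0042"),
         make_filter("category", "In", ["status"])],
        sort_field="timestamp", sort_order="Ascending")
    print(logs)
    print(report)
```

A playbook that needs more than one page of audit logs should iterate `page_windows(result_count)` and issue one request per window; a single request with Search To far above Search From is refused here because the API would not honour it anyway.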

operation: Blacklist Files

Input parameters

Parameter Description
Hash List String that represents a list of file hashes you want to blacklist on Palo Alto Cortex XDR.
Note: Each hash must be a valid SHA256 value.
Comment String containing descriptive information about this action.

Output

The output contains the following populated JSON schema:
{
     "reply": ""
}

operation: Whitelist Files

Input parameters

Parameter Description
Hash List String that represents a list of file hashes you want to whitelist on Palo Alto Cortex XDR.
Note: Each hash must be a valid SHA256 value.
Comment String containing descriptive information about this action.

Output

The output contains the following populated JSON schema:
{
     "reply": ""
}
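
Both Blacklist Files and Whitelist Files take a Hash List that must consist of valid SHA256 values; the connector page does not say what happens to a list that mixes in an MD5 or SHA1, so the safe assumption is that the whole action fails or, worse, is half-applied. The following Python is an added example, not code from the connector or from Palo Alto: it normalises the list a playbook hands to either action and refuses anything that is not SHA256 before the call is made. The `request_data` / `hash_list` / `comment` body shape is an assumption from the Cortex XDR public API documentation, not from this page, and requiring a non-empty comment is this example's own policy choice.

```python
import hashlib
import re
from typing import Any, Dict, List, Tuple

SHA256_RE = re.compile(r"[0-9a-f]{64}")

# Degenerate hashes that match far more than one file; blocking them would be a
# self-inflicted outage. Computed rather than typed so a typo cannot creep in.
DEGENERATE = {
    hashlib.sha256(b"").hexdigest(): "sha256 of an empty file",
}


def parse_hash_list(raw: Any) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Normalise the connector's 'Hash List' input (a list, or a string split on
    commas, semicolons or whitespace) and return (accepted, rejected), where
    rejected is a list of (value, reason) pairs."""
    if isinstance(raw, (list, tuple)):
        items = [str(x) for x in raw]
    else:
        items = re.split(r"[\s,;]+", str(raw))
    accepted: List[str] = []
    rejected: List[Tuple[str, str]] = []
    seen = set()
    for item in items:
        h = item.strip().lower()
        if not h:
            continue
        if not SHA256_RE.fullmatch(h):
            # 32 hex chars is MD5, 40 is SHA1: the action wants SHA256 only,
            # so surface the bad entry here instead of failing at the API.
            rejected.append((h, "not a SHA256 hex digest"))
        elif h in DEGENERATE:
            rejected.append((h, DEGENERATE[h]))
        elif h not in seen:
            seen.add(h)
            accepted.append(h)
    return accepted, rejected


def build_hash_exception_request(raw: Any, comment: str) -> Dict[str, Any]:
    """Body for Blacklist Files / Whitelist Files. Raises on any rejected entry
    rather than silently dropping it, so a playbook cannot half-apply a list."""
    accepted, rejected = parse_hash_list(raw)
    if rejected:
        detail = "; ".join(f"{h[:12]}...: {why}" for h, why in rejected)
        raise ValueError(f"rejected hashes: {detail}")
    if not accepted:
        raise ValueError("hash list is empty")
    if not comment.strip():
        raise ValueError("a comment (ticket or incident reference) is required")
    return {"request_data": {"hash_list": accepted, "comment": comment.strip()}}


if __name__ == "__main__":
    # Constructed input: one MD5 (the empty-file MD5) mixed with a SHA256 given twice in different case.
    sample = "D41D8CD98F00B204E9800998ECF8427E, " + "A" * 64 + "\n" + "a" * 64
    print(parse_hash_list(sample))
```

Running the same list through both the blacklist and the whitelist step is the usual mistake this catches: because the function lowercases and de-duplicates, the two actions see identical, comparable values, and an analyst can diff the accepted sets before either call goes out.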

operation: Quarantine Files

Input parameters

Parameter Description
Operator String that identifies the comparison operator you want to use to filter endpoints on which you want to quarantine files on Palo Alto Cortex XDR. You can choose from the following: In, Greater Than Equal To, or Less Than Equal To.
  • If you choose the 'In' operator, then you can specify the following parameters:
    • Endpoint ID List: List of endpoint IDs on which you want to quarantine files on Palo Alto Cortex XDR.
    • Distribution Name: Name of the distribution list containing the endpoints on which you want to quarantine files on Palo Alto Cortex XDR
    • Group Name: Name of the group containing the endpoints on which you want to quarantine files on Palo Alto Cortex XDR.
    • Alias: Alias of the endpoints on which you want to quarantine files on Palo Alto Cortex XDR.
    • Hostname: Name of the host of the endpoints on which you want to quarantine files on Palo Alto Cortex XDR.
    • IP list: List of IP addresses of the endpoints on which you want to quarantine files on Palo Alto Cortex XDR.
    • Platform: Operating system of the endpoints on which you want to quarantine files on Palo Alto Cortex XDR. You can choose between Windows, Linux, Macos, or Android.
    • Isolate: Filter by isolation status. Select Isolated to match endpoints that are currently isolated, or Unisolated to match endpoints that are not isolated.
  • If you choose the 'Greater Than Equal To' operator, then you can specify the following parameters:
    • First Seen: Time when the endpoint was first seen. This operator will quarantine files on all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR.
    • Last Seen: Time when the endpoint was last seen. This operator will quarantine files on all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR.
  • If you choose the 'Less Than Equal To' operator, then you can specify the following parameters:
    • First Seen: Time when the endpoint was first seen. This operator will quarantine files on all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR.
    • Last Seen: Time when the endpoint was last seen. This operator will quarantine files on all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR.
File Path String that represents the path of the file you want to quarantine on the specified endpoints on Palo Alto Cortex XDR.
File Hash String that represents the hash value of the file you want to quarantine on the specified endpoints on Palo Alto Cortex XDR. The hash must be a valid SHA256 value.

Output

The output contains the following populated JSON schema:
{
     "reply": {
         "action_id": []
     }
}

operation: Get Quarantine Status

Input parameters

Parameter Description
Endpoint ID String that represents the endpoint ID whose associated files' quarantine status you want to retrieve from Palo Alto Cortex XDR.
File Hash String that represents the hash value of the file whose quarantine status you want to retrieve from Palo Alto Cortex XDR. The hash must be a valid SHA256 value.
File Path String that represents the path of the file whose quarantine status you want to retrieve from Palo Alto Cortex XDR.

Output

The output contains the following populated JSON schema:
{
     "reply": [
         {
             "endpoint_id": "",
             "file_path": "",
             "file_hash": "",
             "status": ""
         }
     ]
}

operation: Restore File

Input parameters

Parameter Description
File Hash String that represents the hash value of the quarantined file that you want to restore on the specified endpoint on Palo Alto Cortex XDR. The hash must be a valid SHA256 value.
Endpoint ID String that represents the endpoint ID on which you want to restore the specified quarantined file.

Output

The output contains the following populated JSON schema:
{
     "message": "",
     "status": ""
}

operation: Retrieve File

Input parameters

Parameter Description
Operator String that identifies the comparison operator you want to use to filter files that you want to retrieve from Palo Alto Cortex XDR. You can choose from the following: In, Greater Than Equal To, or Less Than Equal To.
  • If you choose the 'In' operator, then you can specify the following parameters:
    • Endpoint ID List: List of endpoint IDs whose associated files you want to retrieve from Palo Alto Cortex XDR
    • Distribution Name: Name of the distribution list containing the files you want to retrieve from Palo Alto Cortex XDR
    • Group Name: Name of the endpoint group containing the files you want to retrieve from Palo Alto Cortex XDR
    • Alias: Alias of the endpoints whose associated files you want to retrieve from Palo Alto Cortex XDR.
    • Hostname: Name of the host of the endpoints whose associated files you want to retrieve from Palo Alto Cortex XDR.
    • IP list: List of IP addresses of the endpoints whose associated files you want to retrieve from Palo Alto Cortex XDR.
    • Platform: Operating system of the endpoints whose associated files you want to retrieve from Palo Alto Cortex XDR. You can choose between Windows, Linux, Macos, or Android.
    • Isolate: Filter by isolation status. Select Isolated to match endpoints that are currently isolated, or Unisolated to match endpoints that are not isolated.
  • If you choose the 'Greater Than Equal To' operator, then you can specify the following parameters:
    • First Seen: Time when the endpoint was first seen. This operator will retrieve files on all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR.
    • Last Seen: Time when the endpoint was last seen. This operator will retrieve files on all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR.
  • If you choose the 'Less Than Equal To' operator, then you can specify the following parameters:
    • First Seen: Time when the endpoint was first seen. This operator will retrieve files on all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR.
    • Last Seen: Time when the endpoint was last seen. This operator will retrieve files from all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR.
Files Dictionary that specifies the operating system of the endpoints from which you want to retrieve files from Palo Alto Cortex XDR. You can choose between Windows, Linux, or Macos.
File Path String that represents the path of the file you want to retrieve from the specified endpoints on Palo Alto Cortex XDR.

Output

The output contains the following populated JSON schema:
{
     "reply": {
         "action_id": []
     }
}
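
Quarantine Files and Retrieve File are both response actions scoped by an endpoint filter, and both return only an action ID, so a mistake in the filter or the file reference is not visible until the action has already been dispatched to agents. The following Python is an added example, not code from the connector or from Palo Alto: it builds the two request bodies for the simplest and safest scope on this page, the 'In' filter on Endpoint ID List, and refuses an empty scope, a non-SHA256 hash, or a relative path before anything is sent. The body shape (`request_data` with `filters`, `file_path` and `file_hash` for quarantine, and a per-platform `files` dictionary for retrieval) and the `endpoint_id_list` field name are assumptions taken from the Cortex XDR public API documentation, not from this page.

```python
import re
from typing import Any, Dict, Iterable, List, Optional

SHA256_RE = re.compile(r"[0-9a-f]{64}")
WINDOWS_ABS_RE = re.compile(r"^[A-Za-z]:\\")
PLATFORMS = ("windows", "linux", "macos")  # keys of the Files dictionary


def endpoint_scope(endpoint_ids: Iterable[str]) -> Dict[str, Any]:
    """The 'In' filter on Endpoint ID List. An empty scope is refused rather
    than passed through: a response action must never leave with no target."""
    ids = sorted({e.strip() for e in endpoint_ids if e and e.strip()})
    if not ids:
        raise ValueError("no endpoint IDs: refusing to build an unscoped action")
    return {"field": "endpoint_id_list", "operator": "in", "value": ids}


def check_path(path: str, platform: Optional[str] = None) -> str:
    """Require an absolute path; when the platform is known, require the
    matching flavour (drive letter on Windows, leading slash elsewhere)."""
    p = path.strip()
    is_win = bool(WINDOWS_ABS_RE.match(p))
    is_posix = p.startswith("/")
    if platform == "windows" and not is_win:
        raise ValueError(f"{path!r} is not an absolute Windows path")
    if platform in ("linux", "macos") and not is_posix:
        raise ValueError(f"{path!r} is not an absolute {platform} path")
    if platform is None and not (is_win or is_posix):
        raise ValueError(f"{path!r} is not an absolute path")
    return p


def build_quarantine_request(endpoint_ids: Iterable[str], file_path: str,
                             file_hash: str) -> Dict[str, Any]:
    """Body for Quarantine Files: scope, the file's path and its SHA256."""
    h = file_hash.strip().lower()
    if not SHA256_RE.fullmatch(h):
        raise ValueError("File Hash must be a SHA256 hex digest")
    return {"request_data": {"filters": [endpoint_scope(endpoint_ids)],
                             "file_path": check_path(file_path),
                             "file_hash": h}}


def build_retrieve_request(endpoint_ids: Iterable[str],
                           files: Dict[str, List[str]]) -> Dict[str, Any]:
    """Body for Retrieve File: scope plus the Files dictionary, keyed by
    platform, each value a list of absolute paths on that platform."""
    cleaned: Dict[str, List[str]] = {}
    for platform, paths in files.items():
        p = platform.strip().lower()
        if p not in PLATFORMS:
            raise ValueError(f"unsupported platform {platform!r}")
        wanted = [check_path(x, p) for x in paths if x and x.strip()]
        if wanted:
            cleaned[p] = wanted
    if not cleaned:
        raise ValueError("no files requested")
    return {"request_data": {"filters": [endpoint_scope(endpoint_ids)], "files": cleaned}}


if __name__ == "__main__":
    # Constructed endpoint IDs and paths; the hash is a placeholder SHA256.
    print(build_quarantine_request(["ep-1", "ep-2"], r"C:\Users\Public\evil.exe", "a" * 64))
    print(build_retrieve_request(["ep-1"], {"windows": [r"C:\Windows\Temp\x.dll"], "linux": ["/tmp/x"]}))
```

The returned `action_id` list is the only handle the playbook gets back; for quarantine, the matching Get Quarantine Status operation takes the same Endpoint ID, File Hash and File Path, so keep the normalised values this function used rather than the raw playbook input when polling.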

Included playbooks

The Sample - Palo Alto Cortex XDR - 1.0.0 playbook collection comes bundled with the Palo Alto Cortex XDR connector. These playbooks contain steps that perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in CyOPs™ after importing the Palo Alto Cortex XDR connector.

Note: If you plan to use any of the sample playbooks in your environment, clone those playbooks and move them to a different collection, because the sample playbook collection is deleted when the connector is upgraded or deleted.