Cortex XDR applies machine learning at cloud scale to rich network, endpoint, and cloud data, so you can quickly find and stop targeted attacks, insider abuse, and compromised endpoints.
This document provides information about the Palo Alto Cortex XDR connector, which facilitates automated interactions with your Palo Alto Cortex XDR server using FortiSOAR™ playbooks. Add the Palo Alto Cortex XDR connector as a step in FortiSOAR™ playbooks and perform automated operations such as retrieving a list of all your endpoints from Palo Alto Cortex XDR or isolating endpoints on Palo Alto Cortex XDR.
Connector Version: 1.0.0
Authored By: Community
Certified: No
From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root user to install connectors:
yum install cyops-connector-paloalto-cortex-xdr
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, click the Palo Alto Cortex XDR connector row (if you are in the Grid view on the Connectors page), and in the Configurations tab enter the required configuration details.
Parameter | Description |
---|---|
Server URL | URL of the Palo Alto Cortex XDR server to which you will connect and perform the automated operations. |
API Key ID | ID of the API key configured for your account to access the Palo Alto Cortex XDR server to which you will connect and perform the automated operations. |
API Key | API key configured for your account to access the Palo Alto Cortex XDR server to which you will connect and perform the automated operations. Note: You require a "Standard" security level API key. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True. |
The following automated operations can be included in playbooks and you can also use the annotations to access operations from version 4.10.0 onwards:
Function | Description | Annotation and Category |
---|---|---|
Fetch Incidents | Retrieves incidents from Palo Alto Cortex XDR based on the input parameters specified. | fetch_incidents Investigation |
Get Incident Details | Retrieves details, including alert and key artifacts, for a specific incident from Palo Alto Cortex XDR based on the incident ID and other input parameters specified. | get_incident_details Investigation |
Update Incident | Updates incident fields like severity, status, etc. of a specific incident in Palo Alto Cortex XDR based on the incident ID and other input parameters specified. | update_incident Investigation |
Insert CEF Alerts | Uploads alerts in the CEF format from external alert sources to Palo Alto Cortex XDR based on the list of alerts specified. After you have mapped the CEF alert fields to Cortex XDR fields, Cortex XDR displays the alerts in related incidents and views. | insert_cef_alerts Investigation |
Insert Parsed Alerts | Uploads alerts in the Cortex XDR format from external alert sources to Palo Alto Cortex XDR based on the product, vendor, and other input parameters specified. Cortex XDR displays alerts that are parsed successfully in related incidents and views. | insert_parsed_alerts Investigation |
Isolate Endpoints | Isolates one or more endpoints in a single request on Palo Alto Cortex XDR based on the endpoint ID and other input parameters specified. | isolate_endpoints Investigation |
Unisolate Endpoints | Unisolates one or more endpoints in a single request on Palo Alto Cortex XDR based on the endpoint ID and other input parameters specified. | unisolate_endpoints Investigation |
Get All Endpoints | Retrieves a list of all your endpoints from Palo Alto Cortex XDR. | get_all_endpoints Investigation |
Get Endpoints | Retrieves a list of filtered endpoints from Palo Alto Cortex XDR based on the input parameters specified. | get_endpoints Investigation |
Scan Endpoints | Runs a scan on specified endpoints on Palo Alto Cortex XDR based on the input parameters specified. | scan_endpoints Investigation |
Cancel Scan Endpoints | Cancels a scan on specified endpoints on Palo Alto Cortex XDR based on the input parameters specified. | cancel_scan_endpoints Investigation |
Delete Endpoints | Deletes specified endpoints from the Cortex XDR app based on the input parameters specified. Note: You can delete up to 100 endpoints. | delete_endpoints Investigation |
Get Policy | Retrieves the policy for a specific endpoint from Palo Alto Cortex XDR based on the endpoint ID specified. | get_policy Investigation |
Get Device Violations | Retrieves a list of filtered device violations from Palo Alto Cortex XDR based on the input parameters specified. | get_device_violations Investigation |
Get Distribution Version | Retrieves a list of all the agent versions that are used for creating a distribution list from Palo Alto Cortex XDR. | get_distribution_version Investigation |
Create Distributions | Creates an installation package on Palo Alto Cortex XDR based on the distribution name and package type specified. | create_distributions Investigation |
Get Distribution Status | Checks and retrieves the status of the installation package from Palo Alto Cortex XDR based on the distribution ID specified. | get_distribution_status Investigation |
Get Distribution URL | Retrieves the distribution URL for downloading the installation package from Palo Alto Cortex XDR based on the distribution ID and package type specified. | get_distribution_url Investigation |
Get Audit Management Logs | Retrieves audit management logs from Palo Alto Cortex XDR based on the input parameters specified. | get_audit_management_log Investigation |
Get Audit Agent Report | Retrieves agent event reports from Palo Alto Cortex XDR based on the input parameters specified. | get_audit_agent_report Investigation |
Blacklist Files | Blacklists the specified files that have not already been blacklisted on Palo Alto Cortex XDR based on the list of hash files specified. | blacklist_files Investigation |
Whitelist Files | Whitelists the specified files that have not already been whitelisted on Palo Alto Cortex XDR based on the list of hash files specified. | whitelist_files Investigation |
Quarantine Files | Quarantines files on specified endpoints on Palo Alto Cortex XDR based on the file path, file hash and other input parameters specified. | quarantine_files Investigation |
Get Quarantine Status | Retrieves the quarantine status for a specified file from Palo Alto Cortex XDR based on the endpoint ID, file path, and file hash specified. | get_quarantine_status Investigation |
Restore File | Restores a quarantined file on a specified endpoint on Palo Alto Cortex XDR based on the endpoint ID and file hash specified. | restore_file Investigation |
Retrieve File | Retrieves a file from specified endpoints from Palo Alto Cortex XDR based on the file path and other input parameters specified. Note: You can retrieve up to 20 files from a maximum of 100 endpoints. | retrieve_file Investigation |
Parameter | Description |
---|---|
Operator | String that identifies the comparison operator you want to use to filter incidents to be retrieved from Palo Alto Cortex XDR. You can choose from the following: In, Contains, Greater Than Equal To, or Less Than Equal To. If you choose the 'In' operator, then you can specify the following parameters: |
Search From | Integer representing the starting offset within the query result set from which you want this operation to return incidents from Palo Alto Cortex XDR. |
Search To | Integer representing the end offset within the result set after which you do not want this operation to return incidents from Palo Alto Cortex XDR. |
Sort | Select this option if you want to sort the retrieved incidents by field and order the results. If you select this option, then you can specify the following parameters: |
The output contains the following populated JSON schema:
{
"reply": {
"result_count": "",
"total_count": "",
"incidents": [
{
"assigned_user_pretty_name": "",
"user_count": "",
"creation_time": "",
"detection_time": "",
"manual_description": "",
"med_severity_alert_count": "",
"high_severity_alert_count": "",
"hosts": [],
"incident_id": "",
"incident_sources": [],
"xdr_url": "",
"assigned_user_mail": "",
"users": [],
"modification_time": "",
"low_severity_alert_count": "",
"severity": "",
"resolve_comment": "",
"host_count": "",
"manual_severity": "",
"starred": "",
"alert_count": "",
"description": "",
"status": "",
"notes": ""
}
]
}
}
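The Search From / Search To offsets above are result-set positions, so retrieving more than one page of incidents means walking the window forward until the server returns a short page. The following is an added example (not the connector's own code) that builds one Fetch Incidents request per page and collects the results; the request body layout (request_data / filters / search_from / search_to / sort), the operator keywords, and the fake server are assumptions, and the sample incidents are constructed.

```python
"""Page through Cortex XDR incidents using Search From / Search To offsets.
Added example, not the connector's code.  The request layout and operator
keywords below are assumptions about the Cortex XDR public API."""
from typing import Callable, Dict, List

# Operator labels from the connector UI -> filter keywords (assumed).
OPERATOR_KEYWORDS = {
    "In": "in",
    "Contains": "contains",
    "Greater Than Equal To": "gte",
    "Less Than Equal To": "lte",
}


def build_request(field: str, operator: str, value, search_from: int,
                  search_to: int, sort_field: str = "creation_time",
                  sort_order: str = "desc") -> Dict:
    """Build one Fetch Incidents request body with a single filter and a sort."""
    if operator not in OPERATOR_KEYWORDS:
        raise ValueError(f"unsupported operator: {operator!r}")
    if not 0 <= search_from < search_to:
        raise ValueError("search_from must be >= 0 and smaller than search_to")
    return {
        "request_data": {
            "filters": [{"field": field,
                         "operator": OPERATOR_KEYWORDS[operator],
                         "value": value}],
            "search_from": search_from,
            "search_to": search_to,
            "sort": {"field": sort_field, "keyword": sort_order},
        }
    }


def fetch_all_incidents(fetch: Callable[[Dict], Dict], field: str,
                        operator: str, value, page_size: int = 100) -> List[Dict]:
    """Walk the result set page by page until a short page or total_count is reached."""
    incidents: List[Dict] = []
    seen = set()
    search_from = 0
    while True:
        body = build_request(field, operator, value, search_from,
                             search_from + page_size)
        reply = fetch(body)["reply"]
        page = reply.get("incidents", [])
        for inc in page:
            # New incidents can arrive between requests and shift the window,
            # so deduplicate on incident_id rather than trusting offsets alone.
            if inc["incident_id"] not in seen:
                seen.add(inc["incident_id"])
                incidents.append(inc)
        total = int(reply.get("total_count", 0))
        search_from += page_size
        if len(page) < page_size or search_from >= total:
            break
    return incidents


def make_fake_fetch(store: List[Dict]) -> Callable[[Dict], Dict]:
    """Constructed stand-in for the server so the example runs offline."""
    def fetch(body: Dict) -> Dict:
        rd = body["request_data"]
        flt = rd["filters"][0]
        fld, op, val = flt["field"], flt["operator"], flt["value"]
        if op == "in":
            rows = [i for i in store if i[fld] in val]
        elif op == "gte":
            rows = [i for i in store if i[fld] >= val]
        elif op == "lte":
            rows = [i for i in store if i[fld] <= val]
        else:  # contains
            rows = [i for i in store if val in str(i[fld])]
        rows.sort(key=lambda i: i[rd["sort"]["field"]],
                  reverse=rd["sort"]["keyword"] == "desc")
        page = rows[rd["search_from"]:rd["search_to"]]
        return {"reply": {"result_count": len(page),
                          "total_count": len(rows), "incidents": page}}
    return fetch


# Constructed sample data: 250 incidents with alternating status values.
SAMPLE_INCIDENTS = [
    {"incident_id": str(i), "creation_time": 1_600_000_000_000 + i * 1000,
     "severity": ["low", "medium", "high"][i % 3],
     "status": "new" if i % 2 == 0 else "resolved_threat_handled"}
    for i in range(250)
]

if __name__ == "__main__":
    new_ones = fetch_all_incidents(make_fake_fetch(SAMPLE_INCIDENTS),
                                   "status", "In", ["new"])
    print(len(new_ones), "incidents with status 'new'")
```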
Parameter | Description |
---|---|
Incident ID | ID of the incident for which you want to retrieve details including alerts and key artifacts from Palo Alto Cortex XDR. |
Alerts Limit | (Optional) Maximum number of alerts related to the specified incident you want to retrieve from Palo Alto Cortex XDR. By default, this is set to '1000'. |
The output contains the following populated JSON schema:
{
"reply": {
"alerts": {
"data": [
{
"source": "",
"starred": "",
"event_type": "",
"severity": "",
"host_name": "",
"host_ip": "",
"is_whitelisted": "",
"name": "",
"alert_id": "",
"actor_process_image_name": "",
"category": "",
"action": "",
"detection_timestamp": "",
"actor_process_command_line": "",
"fw_app_id": "",
"action_pretty": "",
"user_name": "",
"description": "",
"endpoint_id": ""
}
],
"total_count": ""
},
"network_artifacts": {
"data": [
{
"network_country": "",
"is_manual": "",
"network_domain": "",
"network_remote_port": "",
"alert_count": "",
"type": "",
"network_remote_ip": ""
}
],
"total_count": ""
},
"file_artifacts": {
"data": [
{
"file_signature_status": "",
"is_manual": "",
"file_sha256": "",
"alert_count": "",
"is_malicious": "",
"type": "",
"is_process": "",
"file_signature_vendor_name": "",
"file_name": "",
"file_wildfire_verdict": ""
}
],
"total_count": ""
},
"incident": {
"assigned_user_pretty_name": "",
"user_count": "",
"creation_time": "",
"detection_time": "",
"manual_description": "",
"med_severity_alert_count": "",
"high_severity_alert_count": "",
"hosts": [],
"incident_id": "",
"xdr_url": "",
"assigned_user_mail": "",
"users": [],
"modification_time": "",
"low_severity_alert_count": "",
"severity": "",
"alert_sources": [],
"resolve_comment": "",
"host_count": "",
"manual_severity": "",
"starred": "",
"alert_count": "",
"description": "",
"status": "",
"notes": ""
}
}
}
Parameter | Description |
---|---|
Incident ID | ID of the incident that you want to update in Palo Alto Cortex XDR. |
Assigned User Mail | (Optional) Email address of the incident assignee that you want to update in the specified incident in Palo Alto Cortex XDR. |
Assigned User Pretty Name | (Optional) Full name of the incident assignee that you want to update in the specified incident in Palo Alto Cortex XDR. |
Severity | (Optional) Severity level you want to update in the specified incident in Palo Alto Cortex XDR. You can choose from the following options: High, Medium, or Low. |
Status | (Optional) Status that you want to set for the specified incident in Palo Alto Cortex XDR. You can choose from the following options: New, Under Investigation, Resolved Threat Handled, Resolved Known Issue, Resolved Duplicate, Resolved False Positive, or Resolved Other. |
Resolve Comment | Descriptive comment that explains the updates made to the specified incident. |
The output contains the following populated JSON schema:
{
"message": "",
"status": ""
}
Parameter | Description |
---|---|
Alerts | Comma-separated list of alerts in the CEF format that you want to add to Palo Alto Cortex XDR. |
The output contains the following populated JSON schema:
{
"reply": ""
}
Parameter | Description |
---|---|
Product | String value that defines the product. For example, VPN & Firewall-1. |
Vendor | String value that defines the vendor. For example, Check Point. |
Local IP | String value for the source IP address. |
Local Port | Integer value for the source port. |
Remote IP | String value of the destination IP address. |
Remote Port | Integer value for the destination port. |
Event Timestamp | Time the alert occurred. |
Alert Name | String defining the name of the alert that you want to upload to Palo Alto Cortex XDR. |
Severity | (Optional) Choose the severity of the alert that you want to upload to Palo Alto Cortex XDR. You can choose from the following options: Informational, High, Medium, Low, or Unknown. |
Alert Description | (Optional) String defining the description of the alert that you want to upload to Palo Alto Cortex XDR. |
The output contains the following populated JSON schema:
{
"reply": ""
}
Parameter | Description |
---|---|
Isolate Endpoint | Choose whether you want to isolate a single endpoint or more than one endpoint on Palo Alto Cortex XDR. You can choose between Isolate One Endpoint or Isolate More Than One Endpoint. If you choose the 'Isolate One Endpoint' option, then you can specify the following parameters: |
The output contains the following populated JSON schema:
{
"reply": {
"action_id": []
}
}
Parameter | Description |
---|---|
Unisolate Endpoint | Choose whether you want to unisolate a single endpoint or more than one endpoint on Palo Alto Cortex XDR. You can choose between Unisolate One Endpoint or Unisolate More Than One Endpoint. If you choose the 'Unisolate One Endpoint' option, then you can specify the following parameters: |
The output contains the following populated JSON schema:
{
"reply": {
"action_id": []
}
}
None.
The output contains the following populated JSON schema:
{
"reply": [
{
"agent_type": "",
"agent_id": "",
"host_name": "",
"agent_status": "",
"ip": ""
}
]
}
Parameter | Description |
---|---|
Operator | String that identifies the comparison operator you want to use to filter endpoints to be retrieved from Palo Alto Cortex XDR. You can choose from the following: In, Greater Than Equal To, or Less Than Equal To. |
Search From | Integer representing the starting offset within the query result set from which you want this operation to return endpoints from Palo Alto Cortex XDR. |
Search To | Integer representing the end offset within the result set after which you do not want this operation to return endpoints from Palo Alto Cortex XDR. |
Sort | Select this option if you want to sort the retrieved endpoints by field and order the results. If you select this option, then you can specify the following parameters: |
The output contains the following populated JSON schema:
{
"reply": {
"result_count": "",
"endpoints": [
{
"is_isolated": "",
"last_seen": "",
"os_type": "",
"users": [
""
],
"install_date": "",
"active_directory": "",
"group_name": "",
"domain": "",
"installation_package": "",
"endpoint_name": "",
"endpoint_status": "",
"alias": "",
"ip": "",
"endpoint_type": "",
"first_seen": "",
"endpoint_id": "",
"endpoint_version": "",
"content_version": ""
}
]
}
}
Parameter | Description |
---|---|
Operator | String that identifies the comparison operator you want to use to filter endpoints to be scanned on Palo Alto Cortex XDR. You can choose from the following: In, Greater Than Equal To, or Less Than Equal To. |
The output contains the following populated JSON schema:
{
"reply": {
"action_id": []
}
}
Parameter | Description |
---|---|
Operator | String that identifies the comparison operator you want to use to filter endpoints whose scans are to be canceled on Palo Alto Cortex XDR. You can choose from the following: In, Greater Than Equal To, or Less Than Equal To. |
The output contains the following populated JSON schema:
{
"reply": ""
}
Parameter | Description |
---|---|
Operator | String that identifies the comparison operator you want to use to filter endpoints to be deleted from the Palo Alto Cortex XDR app. You can choose from the following: In, Greater Than Equal To, or Less Than Equal To. |
The output contains the following populated JSON schema:
{
"reply": ""
}
Parameter | Description |
---|---|
Endpoint ID | String that represents the endpoint ID based on which you want to retrieve the policy from Palo Alto Cortex XDR. For example, 51588e4ce9214c63b39d054bd073b93a. |
The output contains the following populated JSON schema:
{
"reply": {
"policy_name": ""
}
}
Parameter | Description |
---|---|
Operator | String that identifies the comparison operator you want to use to filter device violations to be retrieved from Palo Alto Cortex XDR. You can choose from the following: In, Greater Than Equal To, or Less Than Equal To. |
Search From | Integer representing the starting offset within the query result set from which you want this operation to return device violations from Palo Alto Cortex XDR. |
Search To | Integer representing the end offset within the result set after which you do not want this operation to return device violations from Palo Alto Cortex XDR. |
Sort | Select this option if you want to sort the retrieved violations by field and order the results. If you select this option, then you can specify the following parameters: |
The output contains the following populated JSON schema:
{
"reply": {
"violations": [
{
"violation_id": "",
"serial": "",
"timestamp": "",
"vendor_id": "",
"username": "",
"ip": "",
"hostname": "",
"product_id": "",
"vendor": "",
"type": "",
"endpoint_id": "",
"product": ""
}
],
"result_count": ""
}
}
None.
The output contains the following populated JSON schema:
{
"reply": {
"macos": [],
"linux": [],
"windows": []
}
}
Parameter | Description |
---|---|
Name | String representing the name of the installation package that you want to create on Palo Alto Cortex XDR. |
Package Type | String representing the type of installation package that you want to create on Palo Alto Cortex XDR. You can choose from the following types: Standalone or Upgrade. If you choose the 'Standalone' option, then you can specify the following parameters: |
Description | String containing descriptive information about the installation package. |
The output contains the following populated JSON schema:
{
"reply": {
"distribution_id": ""
}
}
Parameter | Description |
---|---|
Distribution ID | String representing the ID of the installation package whose status you want to retrieve from Palo Alto Cortex XDR. |
The output contains the following populated JSON schema:
{
"reply": {
"status": ""
}
}
Parameter | Description |
---|---|
Distribution ID | String representing the ID of the installation package whose distribution URL you want to retrieve from Palo Alto Cortex XDR. |
Package Type | String representing the type of installation package whose distribution URL you want to retrieve from Palo Alto Cortex XDR. You can choose from the following options: sh-For Linux, rpm-For Linux, deb-For Linux, pkg-For Mac, x86-For Windows, or x64-For Windows. |
The output contains the following populated JSON schema:
{
"reply": {
"distribution_url": ""
}
}
Parameter | Description |
---|---|
Operator | String that identifies the comparison operator you want to use to filter audit management logs to be retrieved from Palo Alto Cortex XDR. You can choose from the following: In, Greater Than Equal To, or Less Than Equal To. |
Search From | An integer representing the starting offset within the query result set from which you want management logs returned. |
Search To | An integer representing the end offset within the result set after which you do not want management logs returned. |
Sort | Select this option if you want to sort the retrieved management logs by field and order the results. If you select this option, then you can specify the following parameters: |
The output contains the following populated JSON schema:
{
"reply": {
"data": [
{
"AUDIT_DESCRIPTION": "",
"AUDIT_HOSTNAME": "",
"AUDIT_SESSION_ID": "",
"AUDIT_ASSET_JSON": "",
"AUDIT_REASON": "",
"AUDIT_RESULT": "",
"AUDIT_OWNER_EMAIL": "",
"AUDIT_ENTITY": "",
"AUDIT_ASSET_NAMES": "",
"AUDIT_ID": "",
"AUDIT_ENTITY_SUBTYPE": "",
"AUDIT_CASE_ID": "",
"AUDIT_OWNER_NAME": "",
"AUDIT_INSERT_TIME": ""
}
],
"result_count": ""
}
}
Parameter | Description |
---|---|
Operator | String that identifies the comparison operator you want to use to filter audit agent reports to be retrieved from Palo Alto Cortex XDR. You can choose from the following: In, Greater Than Equal To, or Less Than Equal To. |
Search From | Integer representing the starting offset within the query result set from which you want this operation to return audit agent reports from Palo Alto Cortex XDR. |
Search To | Integer representing the end offset within the result set after which you do not want this operation to return audit agent reports from Palo Alto Cortex XDR. |
Sort | Select this option if you want to sort the retrieved audit agent reports by field and order the results. If you select this option, then you can specify the following parameters: |
The output contains the following populated JSON schema:
{
"reply": {
"data": [
{
"RESULT": "",
"REASON": "",
"SUBTYPE": "",
"CATEGORY": "",
"DOMAIN": "",
"TRAPSVERSION": "",
"RECEIVEDTIME": "",
"TIMESTAMP": "",
"DESCRIPTION": "",
"ENDPOINTNAME": "",
"ENDPOINTID": "",
"TYPE": ""
}
],
"result_count": ""
}
}
Parameter | Description |
---|---|
Hash List | String that represents a list of hashed files you want to blacklist on Palo Alto Cortex XDR. Note: Hash must be a valid SHA256 value. |
Comment | String containing descriptive information about this action. |
The output contains the following populated JSON schema:
{
"reply": ""
}
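The Get Incident Details reply earlier on this page lists file_artifacts with an is_malicious flag, a file_wildfire_verdict and a file_sha256, and Blacklist Files above accepts only valid SHA256 values. The following is an added example (not the connector's own code) that turns the artifacts of one incident into a validated, deduplicated Hash List for Blacklist Files, rejecting anything that is not a SHA256 so a bad value never reaches the blocklist; the sample reply, the verdict strings and the comma-separated form of the Hash List are constructed assumptions.

```python
"""Build a Blacklist Files hash list from Get Incident Details file_artifacts.
Added example, not the connector's code.  Field names follow the schema on
this page; the sample reply and the verdict strings are constructed."""
import re
from typing import Dict, List, Tuple

# A SHA256 digest is exactly 64 hex characters; anything else is rejected.
SHA256_RE = re.compile(r"[0-9a-f]{64}")

# Constructed sample reply; only the file_artifacts part is needed here.
SAMPLE_REPLY = {
    "reply": {
        "file_artifacts": {
            "data": [
                {"file_name": "dropper.exe", "file_sha256": "a" * 64,
                 "is_malicious": True, "file_wildfire_verdict": "MALWARE",
                 "is_process": True, "alert_count": 3},
                # Same file reported again with an upper-case digest.
                {"file_name": "dropper.exe", "file_sha256": "A" * 64,
                 "is_malicious": True, "file_wildfire_verdict": "MALWARE",
                 "is_process": False, "alert_count": 1},
                {"file_name": "notepad.exe", "file_sha256": "b" * 64,
                 "is_malicious": False, "file_wildfire_verdict": "BENIGN",
                 "is_process": True, "alert_count": 1},
                # Flagged, but the digest is not a SHA256 (e.g. a truncated field).
                {"file_name": "weird.bin", "file_sha256": "deadbeef",
                 "is_malicious": True, "file_wildfire_verdict": "MALWARE",
                 "is_process": False, "alert_count": 1},
                {"file_name": "gray.dll", "file_sha256": "c" * 64,
                 "is_malicious": False, "file_wildfire_verdict": "GRAYWARE",
                 "is_process": False, "alert_count": 1},
            ],
            "total_count": 5,
        }
    }
}


def malicious_hashes(reply: Dict, verdicts=("MALWARE",)
                     ) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Return (valid SHA256s to blocklist, (file_name, digest) pairs rejected).

    An artifact qualifies when is_malicious is set or its WildFire verdict is
    in `verdicts`.  Digests are lower-cased and deduplicated; malformed ones
    are reported rather than silently dropped or silently submitted.
    """
    wanted = {v.upper() for v in verdicts}
    keep: List[str] = []
    rejected: List[Tuple[str, str]] = []
    for art in reply["reply"]["file_artifacts"]["data"]:
        verdict = str(art.get("file_wildfire_verdict", "")).upper()
        if not (art.get("is_malicious") or verdict in wanted):
            continue
        digest = str(art.get("file_sha256", "")).strip().lower()
        if not SHA256_RE.fullmatch(digest):
            rejected.append((str(art.get("file_name", "?")), digest))
            continue
        if digest not in keep:
            keep.append(digest)
    return keep, rejected


def hash_list_param(hashes: List[str]) -> str:
    """Format the digests as the comma-separated Hash List string (assumed form)."""
    return ",".join(hashes)


if __name__ == "__main__":
    ok, bad = malicious_hashes(SAMPLE_REPLY)
    print("Hash List:", hash_list_param(ok))
    print("Rejected:", bad)
```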
Parameter | Description |
---|---|
Hash List | String that represents a list of hashed files you want to whitelist on Palo Alto Cortex XDR. Note: Hash must be a valid SHA256 value. |
Comment | String containing descriptive information about this action. |
The output contains the following populated JSON schema:
{
"reply": ""
}
Parameter | Description |
---|---|
Operator | String that identifies the comparison operator you want to use to filter endpoints on which you want to quarantine files on Palo Alto Cortex XDR. You can choose from the following: In, Greater Than Equal To, or Less Than Equal To. |
File Path | String that represents the path of the file you want to quarantine on the specified endpoints on Palo Alto Cortex XDR. |
File Hash | String that represents the hash value of the file you want to quarantine on the specified endpoints on Palo Alto Cortex XDR. The hash must be a valid SHA256 value. |
The output contains the following populated JSON schema:
{
"reply": {
"action_id": []
}
}
Parameter | Description |
---|---|
Endpoint ID | String that represents the endpoint ID whose associated files' quarantine status you want to retrieve from Palo Alto Cortex XDR. |
File Hash | String that represents the hash value of the file whose quarantine status you want to retrieve from Palo Alto Cortex XDR. The hash must be a valid SHA256 value. |
File Path | String that represents the path of the file whose quarantine status you want to retrieve from Palo Alto Cortex XDR. |
The output contains the following populated JSON schema:
{
"reply": [
{
"endpoint_id": "",
"file_path": "",
"file_hash": "",
"status": ""
}
]
}
Parameter | Description |
---|---|
File Hash | String that represents the hash value of the quarantined file that you want to restore on the specified endpoint on Palo Alto Cortex XDR. The hash must be a valid SHA256 value. |
Endpoint ID | String that represents the endpoint ID on which you want to restore the specified quarantined file. |
The output contains the following populated JSON schema:
{
"message": "",
"status": ""
}
Parameter | Description |
---|---|
Operator | String that identifies the comparison operator you want to use to filter files that you want to retrieve from Palo Alto Cortex XDR. You can choose from the following: In, Greater Than Equal To, or Less Than Equal To. |
Files | Dictionary containing the type of operating system from which you want to retrieve files from Palo Alto Cortex XDR. You can choose between Windows, Linux, or Macos. |
File Path | String that represents the path of the file used to retrieve files from Palo Alto Cortex XDR. |
The output contains the following populated JSON schema:
{
"reply": {
"action_id": []
}
}
The Sample - Palo Alto Cortex XDR - 1.0.0 playbook collection comes bundled with the Palo Alto Cortex XDR connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in CyOPs™ after importing the Palo Alto Cortex XDR connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.
Cortex XDR applies machine learning at cloud scale to rich network, endpoint, and cloud data, so you can quickly find and stop targeted attacks, insider abuse, and compromised endpoints.
This document provides information about the Palo Alto Cortex XDR connector, which facilitates automated interactions with your Palo Alto Cortex XDR server using FortiSOAR™ playbooks. Add the Palo Alto Cortex XDR connector, as a step in FortiSOAR™ playbooks and perform automated operations such as retrieving a list of all your endpoints from Palo Alto Cortex XDR or isolating endpoints on Palo Alto Cortex XDR.
Connector Version: 1.0.0
Authored By: Community
Certified: No
From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum
command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root
user to install connectors:
yum install cyops-connector-paloalto-cortex-xdr
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, click the Palo Alto Cortex XDR connector row (if you are in the Grid view on the Connectors page), and in the Configurations tab enter the required configuration details.
Parameter | Description |
---|---|
Server URL | URL of the Palo Alto Cortex XDR server to which you will connect and perform the automated operations. |
API Key ID | ID of the API key configured for your account to access the Palo Alto Cortex XDR server to which you will connect and perform the automated operations. |
API Key | API key configured for your account to access the Palo Alto Cortex XDR server to which you will connect and perform the automated operations. Note: You require a "Standard" security level API key. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True. |
The following automated operations can be included in playbooks and you can also use the annotations to access operations from version 4.10.0 onwards:
Function | Description | Annotation and Category |
---|---|---|
Fetch Incidents | Retrieves incidents from Palo Alto Cortex XDR based on the input parameters specified. | fetch_incidents Investigation |
Get Incident Details | Retrieves details, including alert and key artifacts, for a specific incident from Palo Alto Cortex XDR based on the incident ID and other input parameters specified. | get_incident_details Investigation |
Update Incident | Updates incident fields like severity, status, etc. of a specific incident in Palo Alto Cortex XDR based on the incident ID and other input parameters specified. | update_incident Investigation |
Insert CEF Alerts | Upload alerts in the CEF format from external alert sources to Palo Alto Cortex XDR based on the list of alerts specified. After you have mapped the CEF alert fields to Cortex XDR fields, Cortex XDR displays the alerts in related incidents and views. |
insert_cef_alerts Investigation |
Insert Parsed Alerts | Uploads alerts in the Cortex XDR format from external alert sources to Palo Alto Cortex XDR based on the product, vendor, and other input parameters specified. Cortex XDR displays alerts that are parsed successfully in related incidents and views. |
insert_parsed_alerts Investigation |
Isolate Endpoints | Isolates one or more endpoints in a single request on Palo Alto Cortex XDR based on the endpoint ID and other input parameters specified. | isolate_endpoints Investigation |
Unisolate Endpoints | Unisolates one or more endpoints in a single request on Palo Alto Cortex XDR based on the endpoint ID and other input parameters specified. | unisolate_endpoints Investigation |
Get All Endpoints | Retrieves a list of all your endpoints from Palo Alto Cortex XDR. | get_all_endpoints Investigation |
Get Endpoints | Retrieves a list of filtered endpoints from Palo Alto Cortex XDR based on the input parameters specified. | get_endpoints Investigation |
Scan Endpoints | Runs a scan on specified endpoints on Palo Alto Cortex XDR based on the input parameters specified. | scan_endpoints Investigation |
Cancel Scan Endpoints | Cancels a scan on specified endpoints on Palo Alto Cortex XDR based on the input parameters specified. | cancel_scan_endpoints Investigation |
Delete Endpoints | Deletes specified endpoints from the Cortex XDR app based on the input parameters specified. Note: You can delete up to 100 endpoints. |
delete_endpoints Investigation |
Get Policy | Retrieves the policy for a specific endpoint from Palo Alto Cortex XDR based on the endpoint ID specified | get_policy Investigation |
Get Device Violations | Retrieves a list of filtered device violations from Palo Alto Cortex XDR based on the input parameters specified. | get_device_violations Investigation |
Get Distribution Version | Retrieves a list of all the agent versions that are used for creating a distribution list from Palo Alto Cortex XDR. | get_distribution_version Investigation |
Create Distributions | Creates an installation package on Palo Alto Cortex XDR based on the distribution name and package type specified. | create_distributions Investigation |
Get Distribution Status | Checks and retrieves the status of the installation package from Palo Alto Cortex XDR based on the distribution ID specified. | get_distribution_status Investigation |
Get Distribution URL | Retrieves the distribution URL for downloading the installation package from Palo Alto Cortex XDR based on the distribution ID and package type specified. | get_distribution_url Investigation |
Get Audit Management Logs | Retrieves audit management logs from Palo Alto Cortex XDR based on the input parameters specified. | get_audit_management_log Investigation |
Get Audit Agent Report | Retrieves agent event reports from Palo Alto Cortex XDR based on the input parameters specified. | get_audit_agent_report Investigation |
Blacklist Files | Blacklists the specified files (those not already blacklisted) on Palo Alto Cortex XDR based on the list of file hashes specified. | blacklist_files Investigation |
Whitelist Files | Whitelists the specified files (those not already whitelisted) on Palo Alto Cortex XDR based on the list of file hashes specified. | whitelist_files Investigation |
Quarantine Files | Quarantines files on specified endpoints on Palo Alto Cortex XDR based on the file path, file hash and other input parameters specified. | quarantine_files Investigation |
Get Quarantine Status | Retrieves the quarantine status for a specified file from Palo Alto Cortex XDR based on the endpoint ID, file path, and file hash specified. | get_quarantine_status Investigation |
Restore File | Restores a quarantined file on a specified endpoint on Palo Alto Cortex XDR based on the endpoint ID and file hash specified. | restore_file Investigation |
Retrieve File | Retrieves a file from specified endpoints from Palo Alto Cortex XDR based on the file path and other input parameters specified. Note: You can retrieve up to 20 files from a maximum of 100 endpoints. | retrieve_file Investigation |
Parameter | Description |
---|---|
Operator | String that identifies the comparison operator you want to use to filter incidents to be retrieved from Palo Alto Cortex XDR. You can choose from the following: In, Contains, Greater Than Equal To, or Less Than Equal To. If you choose the 'In' operator, then you can specify the following parameters: |
Search From | Integer representing the starting offset within the query result set from which you want this operation to return incidents from Palo Alto Cortex XDR. |
Search To | Integer representing the end offset within the result set after which you do not want this operation to return incidents from Palo Alto Cortex XDR. |
Sort | Select this option if you want to sort the retrieved incidents by field and order the results. If you select this option, then you can specify the following parameters: |
The output contains the following populated JSON schema:
{
"reply": {
"result_count": "",
"total_count": "",
"incidents": [
{
"assigned_user_pretty_name": "",
"user_count": "",
"creation_time": "",
"detection_time": "",
"manual_description": "",
"med_severity_alert_count": "",
"high_severity_alert_count": "",
"hosts": [],
"incident_id": "",
"incident_sources": [],
"xdr_url": "",
"assigned_user_mail": "",
"users": [],
"modification_time": "",
"low_severity_alert_count": "",
"severity": "",
"resolve_comment": "",
"host_count": "",
"manual_severity": "",
"starred": "",
"alert_count": "",
"description": "",
"status": "",
"notes": ""
}
]
}
}
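The Operator, Search From, Search To and Sort parameters above (and the same parameters on the endpoint, violation and audit-log operations further down) follow one pattern: a filtered result set read through an offset window. The Python below is an added example, not code from the connector or from this page. It builds the filter and request objects, walks a result set window by window using the result_count and total_count values returned in the reply, and exercises that logic against a constructed in-memory stand-in for the Get Incidents call. The operator keywords (in, contains, gte, lte), the sort object, the request_data wrapper and the 100-results-per-window ceiling are assumptions taken from the Cortex XDR public API, not something this page states.

```python
"""Filter construction and offset pagination for the Cortex XDR list
operations (incidents, endpoints, violations, audit logs).

Added example; not connector code. The request shape and the per-call
page ceiling are assumptions based on the Cortex XDR public API.
"""
from typing import Any, Callable, Dict, Iterator, List

# Connector operator labels -> API filter keywords (assumed mapping).
OPERATORS = {
    "In": "in",
    "Contains": "contains",
    "Greater Than Equal To": "gte",
    "Less Than Equal To": "lte",
}
MAX_PAGE = 100  # assumed ceiling on search_to - search_from per call


def build_filter(field: str, operator: str, value: Any) -> Dict[str, Any]:
    """Build one filter object, enforcing the value type each operator needs."""
    if operator not in OPERATORS:
        raise ValueError(f"unsupported operator: {operator!r}")
    keyword = OPERATORS[operator]
    if keyword == "in" and not isinstance(value, list):
        raise ValueError("'In' takes a list of values")
    if keyword in ("gte", "lte") and not isinstance(value, int):
        raise ValueError("range operators take an integer (epoch milliseconds)")
    if keyword == "contains" and not isinstance(value, str):
        raise ValueError("'Contains' takes a string")
    return {"field": field, "operator": keyword, "value": value}


def build_request(filters: List[Dict[str, Any]], search_from: int, search_to: int,
                  sort_field: str = None, sort_order: str = "asc") -> Dict[str, Any]:
    """Assemble the request body; search_from is inclusive, search_to exclusive."""
    if search_from < 0 or search_to <= search_from:
        raise ValueError("need 0 <= search_from < search_to")
    if search_to - search_from > MAX_PAGE:
        raise ValueError(f"a single window may not exceed {MAX_PAGE} results")
    data: Dict[str, Any] = {"filters": filters, "search_from": search_from,
                            "search_to": search_to}
    if sort_field:
        if sort_order not in ("asc", "desc"):
            raise ValueError("sort_order must be 'asc' or 'desc'")
        data["sort"] = {"field": sort_field, "keyword": sort_order}
    return {"request_data": data}


def iterate_pages(fetch: Callable[[Dict[str, Any]], Dict[str, Any]],
                  filters: List[Dict[str, Any]], result_key: str = "incidents",
                  page_size: int = MAX_PAGE, sort_field: str = "creation_time",
                  sort_order: str = "desc") -> Iterator[Dict[str, Any]]:
    """Walk the whole result set one window at a time.

    Stops when a window comes back short or the offset reaches total_count,
    so a query matching zero rows costs exactly one request.
    """
    search_from = 0
    while True:
        request = build_request(filters, search_from, search_from + page_size,
                                sort_field, sort_order)
        reply = fetch(request)["reply"]
        rows = reply.get(result_key) or []
        yield from rows
        search_from += len(rows)
        total = reply.get("total_count")
        if len(rows) < page_size or (total is not None and search_from >= total):
            return


# Constructed stand-in for the connector's Get Incidents call: 250 fake
# incidents, every third one high severity.
SAMPLE_INCIDENTS = [
    {"incident_id": str(i), "severity": "high" if i % 3 == 0 else "low",
     "creation_time": 1_600_000_000_000 + i * 60_000}
    for i in range(250)
]


def make_fake_fetch(incidents: List[Dict[str, Any]]) -> Callable[[Dict[str, Any]], Dict[str, Any]]:
    """Return a fetch() that applies the filters and slices like the real call."""
    def fetch(request: Dict[str, Any]) -> Dict[str, Any]:
        rd = request["request_data"]
        rows = incidents
        for f in rd["filters"]:
            op, fld, val = f["operator"], f["field"], f["value"]
            if op == "in":
                rows = [r for r in rows if r[fld] in val]
            elif op == "gte":
                rows = [r for r in rows if r[fld] >= val]
            elif op == "lte":
                rows = [r for r in rows if r[fld] <= val]
            elif op == "contains":
                rows = [r for r in rows if val in str(r[fld])]
        if "sort" in rd:
            rows = sorted(rows, key=lambda r: r[rd["sort"]["field"]],
                          reverse=rd["sort"]["keyword"] == "desc")
        page = rows[rd["search_from"]:rd["search_to"]]
        return {"reply": {"result_count": len(page), "total_count": len(rows),
                          "incidents": page}}
    return fetch


def high_severity_ids(fetch: Callable[[Dict[str, Any]], Dict[str, Any]],
                      page_size: int = MAX_PAGE) -> List[str]:
    """Collect every high-severity incident ID across all windows."""
    filters = [build_filter("severity", "In", ["high"])]
    return [row["incident_id"] for row in iterate_pages(fetch, filters, page_size=page_size)]


if __name__ == "__main__":
    ids = high_severity_ids(make_fake_fetch(SAMPLE_INCIDENTS), page_size=30)
    print(len(ids), "high-severity incidents, newest first:", ids[:3])
```

When you drive the connector's own step from a playbook loop, pass the same search_from/search_to pair per iteration and stop as soon as result_count is smaller than the window or search_from reaches total_count; looping until an empty page comes back costs one extra API call on every query.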
Parameter | Description |
---|---|
Incident ID | ID of the incident for which you want to retrieve details including alerts and key artifacts from Palo Alto Cortex XDR. |
Alerts Limit | (Optional) Maximum number of alerts related to the specified incident you want to retrieve from Palo Alto Cortex XDR. By default, this is set to '1000'. |
The output contains the following populated JSON schema:
{
"reply": {
"alerts": {
"data": [
{
"source": "",
"starred": "",
"event_type": "",
"severity": "",
"host_name": "",
"host_ip": "",
"is_whitelisted": "",
"name": "",
"alert_id": "",
"actor_process_image_name": "",
"category": "",
"action": "",
"detection_timestamp": "",
"actor_process_command_line": "",
"fw_app_id": "",
"action_pretty": "",
"user_name": "",
"description": "",
"endpoint_id": ""
}
],
"total_count": ""
},
"network_artifacts": {
"data": [
{
"network_country": "",
"is_manual": "",
"network_domain": "",
"network_remote_port": "",
"alert_count": "",
"type": "",
"network_remote_ip": ""
}
],
"total_count": ""
},
"file_artifacts": {
"data": [
{
"file_signature_status": "",
"is_manual": "",
"file_sha256": "",
"alert_count": "",
"is_malicious": "",
"type": "",
"is_process": "",
"file_signature_vendor_name": "",
"file_name": "",
"file_wildfire_verdict": ""
}
],
"total_count": ""
},
"incident": {
"assigned_user_pretty_name": "",
"user_count": "",
"creation_time": "",
"detection_time": "",
"manual_description": "",
"med_severity_alert_count": "",
"high_severity_alert_count": "",
"hosts": [],
"incident_id": "",
"xdr_url": "",
"assigned_user_mail": "",
"users": [],
"modification_time": "",
"low_severity_alert_count": "",
"severity": "",
"alert_sources": [],
"resolve_comment": "",
"host_count": "",
"manual_severity": "",
"starred": "",
"alert_count": "",
"description": "",
"status": "",
"notes": ""
}
}
}
Parameter | Description |
---|---|
Incident ID | ID of the incident that you want to update on Palo Alto Cortex XDR. |
Assigned User Mail | (Optional) Email address of the incident assignee that you want to update in the specified incident in Palo Alto Cortex XDR. |
Assigned User Pretty Name | (Optional) Full name of the incident assignee that you want to update in the specified incident in Palo Alto Cortex XDR. |
Severity | (Optional) Severity level you want to update in the specified incident in Palo Alto Cortex XDR. You can choose from the following options: High, Medium, or Low. |
Status | (Optional) Status you want to set on the specified incident in Palo Alto Cortex XDR. You can choose from the following options: New, Under Investigation, Resolved Threat Handled, Resolved Known Issue, Resolved Duplicate, Resolved False Positive, or Resolved Other. |
Resolve Comment | Descriptive comment that explains the updates made to the specified incident. |
The output contains the following populated JSON schema:
{
"message": "",
"status": ""
}
Parameter | Description |
---|---|
Alerts | Comma-separated list of alerts in the CEF format that you want to add to Palo Alto Cortex XDR. |
The output contains the following populated JSON schema:
{
"reply": ""
}
Parameter | Description |
---|---|
Product | String value that defines the product. For example, VPN & Firewall-1. |
Vendor | String value that defines the vendor. For example, Check Point. |
Local IP | String value for the source IP address. |
Local Port | Integer value for the source port. |
Remote IP | String value of the destination IP address. |
Remote Port | Integer value for the destination port. |
Event Timestamp | Time the alert occurred. |
Alert Name | String defining the name of the alert that you want to upload to Palo Alto Cortex XDR. |
Severity | (Optional) Choose the severity of the alert that you want to upload to Palo Alto Cortex XDR. You can choose from the following options: Informational, High, Medium, Low, or Unknown. |
Alert Description | (Optional) String defining the description of the alert that you want to upload to Palo Alto Cortex XDR. |
The output contains the following populated JSON schema:
{
"reply": ""
}
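Both insertion operations above take alert data that the playbook has to assemble itself. The Python below is an added example, not connector code: it validates IPs, ports, severity and timestamp once, then renders the same alert either as a CEF:0 line for the Insert CEF Alerts step (escaping header pipes and the backslashes and '=' signs in extension values, which is where hand-built CEF usually breaks) or as the field set the Insert Parsed Alerts step takes. The signature_id field, the mapping of the severity labels onto CEF's 0-10 scale, the snake_case key names and the epoch-millisecond timestamp are assumptions, not something this page states; the sample alert is constructed.

```python
"""Build alerts for the Insert CEF Alerts and Insert Parsed Alerts steps.

Added example, not connector code. to_cef() produces a CEF:0 line with
ArcSight's escaping rules; to_parsed_alert() builds a dict whose keys mirror
the parameter table. Key names, the severity-to-CEF mapping and the
epoch-millisecond timestamp are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Any, Dict, List

SEVERITIES = ("Informational", "Low", "Medium", "High", "Unknown")
# Assumed mapping from the connector's severity labels to CEF's 0-10 scale.
CEF_SEVERITY = {"Informational": 0, "Unknown": 0, "Low": 3, "Medium": 6, "High": 9}


@dataclass
class Alert:
    vendor: str
    product: str
    signature_id: str      # CEF "Device Event Class ID" (assumed; not in the table)
    alert_name: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    event_time: datetime   # must be timezone-aware
    severity: str = "Medium"
    description: str = ""


def alert_errors(alert: Alert) -> List[str]:
    """Return every validation problem; an empty list means the alert is sound."""
    errors: List[str] = []
    for label, ip in (("local_ip", alert.local_ip), ("remote_ip", alert.remote_ip)):
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            errors.append(f"{label}: {ip!r} is not an IP address")
    for label, port in (("local_port", alert.local_port), ("remote_port", alert.remote_port)):
        if not isinstance(port, int) or not 0 <= port <= 65535:
            errors.append(f"{label}: {port!r} is not a valid port")
    if alert.severity not in SEVERITIES:
        errors.append(f"severity: {alert.severity!r} not in {SEVERITIES}")
    if alert.event_time.tzinfo is None:
        errors.append("event_time: naive datetime; supply tzinfo")
    return errors


def _checked(alert: Alert) -> Alert:
    errors = alert_errors(alert)
    if errors:
        raise ValueError("; ".join(errors))
    return alert


def epoch_ms(moment: datetime) -> int:
    """Unix epoch in milliseconds (the timestamp unit assumed for both steps)."""
    return int(moment.astimezone(timezone.utc).timestamp() * 1000)


def _cef_header(value: str) -> str:
    # Header fields: escape backslash first, then the pipe delimiter.
    return value.replace("\\", "\\\\").replace("|", "\\|")


def _cef_ext(value: str) -> str:
    # Extension values: escape backslash, '=' and line breaks.
    return (value.replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(alert: Alert, device_version: str = "1.0") -> str:
    """Render one alert as a CEF:0 line for the Insert CEF Alerts step."""
    _checked(alert)
    header = ["CEF:0", alert.vendor, alert.product, device_version,
              alert.signature_id, alert.alert_name, str(CEF_SEVERITY[alert.severity])]
    ext = {"src": alert.local_ip, "spt": str(alert.local_port),
           "dst": alert.remote_ip, "dpt": str(alert.remote_port),
           "rt": str(epoch_ms(alert.event_time))}
    if alert.description:
        ext["msg"] = alert.description
    return ("|".join(_cef_header(h) for h in header) + "|"
            + " ".join(f"{k}={_cef_ext(v)}" for k, v in ext.items()))


def to_parsed_alert(alert: Alert) -> Dict[str, Any]:
    """Render one alert as the field set of the Insert Parsed Alerts step."""
    _checked(alert)
    return {
        "product": alert.product, "vendor": alert.vendor,
        "local_ip": alert.local_ip, "local_port": alert.local_port,
        "remote_ip": alert.remote_ip, "remote_port": alert.remote_port,
        "event_timestamp": epoch_ms(alert.event_time),
        "severity": alert.severity, "alert_name": alert.alert_name,
        "alert_description": alert.description,
    }


# Constructed sample: an alert name containing a pipe and a description
# containing '=', the two characters that must be escaped in CEF.
SAMPLE_ALERT = Alert(vendor="Check Point", product="VPN & Firewall-1",
                     signature_id="fw-100", alert_name="Policy|Violation",
                     local_ip="10.0.0.5", local_port=51515,
                     remote_ip="203.0.113.9", remote_port=443,
                     event_time=datetime(2024, 1, 2, 3, 4, 5, tzinfo=timezone.utc),
                     severity="High", description="Outbound a=b blocked")

if __name__ == "__main__":
    print(to_cef(SAMPLE_ALERT))
    print(to_parsed_alert(SAMPLE_ALERT))
```

Because the CEF step takes a comma-separated list of alerts, a comma inside a CEF value (a description, for instance) is ambiguous if the connector splits its input on commas; keep free-text fields comma-free or submit one alert per step, and prefer the parsed-alert step when its fixed fields cover what you need, since it requires no escaping at all.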
Parameter | Description |
---|---|
Isolate Endpoint | Choose whether you want to isolate a single endpoint or more than one endpoint on Palo Alto Cortex XDR. You can choose between Isolate One Endpoint or Isolate More Than One Endpoint. If you choose the 'Isolate One Endpoint' option, then you can specify the following parameters: |
The output contains the following populated JSON schema:
{
"reply": {
"action_id": []
}
}
Parameter | Description |
---|---|
Unisolate Endpoint | Choose whether you want to unisolate a single endpoint or more than one endpoint on Palo Alto Cortex XDR. You can choose between Unisolate One Endpoint or Unisolate More Than One Endpoint. If you choose the 'Unisolate One Endpoint' option, then you can specify the following parameters: |
The output contains the following populated JSON schema:
{
"reply": {
"action_id": []
}
}
None.
The output contains the following populated JSON schema:
{
"reply": [
{
"agent_type": "",
"agent_id": "",
"host_name": "",
"agent_status": "",
"ip": ""
}
]
}
Parameter | Description |
---|---|
Operator | String that identifies the comparison operator you want to use to filter endpoints to be retrieved from Palo Alto Cortex XDR. You can choose from the following: In, Greater Than Equal To, or Less Than Equal To. |
Search From | Integer representing the starting offset within the query result set from which you want this operation to return endpoints from Palo Alto Cortex XDR. |
Search To | Integer representing the end offset within the result set after which you do not want this operation to return endpoints from Palo Alto Cortex XDR. |
Sort | Select this option if you want to sort the retrieved endpoints by field and order the results. If you select this option, then you can specify the following parameters: |
The output contains the following populated JSON schema:
{
"reply": {
"result_count": "",
"endpoints": [
{
"is_isolated": "",
"last_seen": "",
"os_type": "",
"users": [
""
],
"install_date": "",
"active_directory": "",
"group_name": "",
"domain": "",
"installation_package": "",
"endpoint_name": "",
"endpoint_status": "",
"alias": "",
"ip": "",
"endpoint_type": "",
"first_seen": "",
"endpoint_id": "",
"endpoint_version": "",
"content_version": ""
}
]
}
}
Parameter | Description |
---|---|
Operator | String that identifies the comparison operator you want to use to filter endpoints to be scanned on Palo Alto Cortex XDR. You can choose from the following: In, Greater Than Equal To, or Less Than Equal To. |
The output contains the following populated JSON schema:
{
"reply": {
"action_id": []
}
}
Parameter | Description |
---|---|
Operator | String that identifies the comparison operator you want to use to filter endpoints whose scans are to be canceled on Palo Alto Cortex XDR. You can choose from the following: In, Greater Than Equal To, or Less Than Equal To. |
The output contains the following populated JSON schema:
{
"reply": ""
}
Parameter | Description |
---|---|
Operator | String that identifies the comparison operator you want to use to filter endpoints to be deleted from the Palo Alto Cortex XDR app. You can choose from the following: In, Greater Than Equal To, or Less Than Equal To. |
The output contains the following populated JSON schema:
{
"reply": ""
}
Parameter | Description |
---|---|
Endpoint ID | String that represents the endpoint ID for which you want to retrieve the policy from Palo Alto Cortex XDR. For example, 51588e4ce9214c63b39d054bd073b93a |
The output contains the following populated JSON schema:
{
"reply": {
"policy_name": ""
}
}
Parameter | Description |
---|---|
Operator | String that identifies the comparison operator you want to use to filter device violations to be retrieved from Palo Alto Cortex XDR. You can choose from the following: In, Greater Than Equal To, or Less Than Equal To. |
Search From | Integer representing the starting offset within the query result set from which you want this operation to return violations from Palo Alto Cortex XDR. |
Search To | Integer representing the end offset within the result set after which you do not want this operation to return violations from Palo Alto Cortex XDR. |
Sort | Select this option if you want to sort the retrieved violations by field and order the results. If you select this option, then you can specify the following parameters: |
The output contains the following populated JSON schema:
{
"reply": {
"violations": [
{
"violation_id": "",
"serial": "",
"timestamp": "",
"vendor_id": "",
"username": "",
"ip": "",
"hostname": "",
"product_id": "",
"vendor": "",
"type": "",
"endpoint_id": "",
"product": ""
}
],
"result_count": ""
}
}
None.
The output contains the following populated JSON schema:
{
"reply": {
"macos": [],
"linux": [],
"windows": []
}
}
Parameter | Description |
---|---|
Name | String representing the name of the installation package that you want to create on Palo Alto Cortex XDR. |
Package Type | String representing the type of installation package that you want to create on Palo Alto Cortex XDR. You can choose from the following types: Standalone or Upgrade. If you choose the 'Standalone' option, then you can specify the following parameters: |
Description | String containing descriptive information about the installation package. |
The output contains the following populated JSON schema:
{
"reply": {
"distribution_id": ""
}
}
Parameter | Description |
---|---|
Distribution ID | String representing the ID of the installation package whose status you want to retrieve from Palo Alto Cortex XDR. |
The output contains the following populated JSON schema:
{
"reply": {
"status": ""
}
}
Parameter | Description |
---|---|
Distribution ID | String representing the ID of the installation package whose distribution URL you want to retrieve from Palo Alto Cortex XDR. |
Package Type | String representing the type of installation package whose distribution URL you want to retrieve from Palo Alto Cortex XDR. You can choose from the following options: sh-For Linux, rpm-For Linux, deb-For Linux, pkg-For Mac, x86-For Windows, or x64-For Windows. |
The output contains the following populated JSON schema:
{
"reply": {
"distribution_url": ""
}
}
Parameter | Description |
---|---|
Operator | String that identifies the comparison operator you want to use to filter audit management logs to be retrieved from Palo Alto Cortex XDR. You can choose from the following: In, Greater Than Equal To, or Less Than Equal To. |
Search From | An integer representing the starting offset within the query result set from which you want management logs returned. |
Search To | An integer representing the end offset within the result set after which you do not want management logs returned. |
Sort | Select this option if you want to sort the retrieved management logs by field and order the results. If you select this option, then you can specify the following parameters: |
The output contains the following populated JSON schema:
{
"reply": {
"data": [
{
"AUDIT_DESCRIPTION": "",
"AUDIT_HOSTNAME": "",
"AUDIT_SESSION_ID": "",
"AUDIT_ASSET_JSON": "",
"AUDIT_REASON": "",
"AUDIT_RESULT": "",
"AUDIT_OWNER_EMAIL": "",
"AUDIT_ENTITY": "",
"AUDIT_ASSET_NAMES": "",
"AUDIT_ID": "",
"AUDIT_ENTITY_SUBTYPE": "",
"AUDIT_CASE_ID": "",
"AUDIT_OWNER_NAME": "",
"AUDIT_INSERT_TIME": ""
}
],
"result_count": ""
}
}
Parameter | Description |
---|---|
Operator | String that identifies the comparison operator you want to use to filter audit agent reports to be retrieved from Palo Alto Cortex XDR. You can choose from the following: In, Greater Than Equal To, or Less Than Equal To. |
Search From | Integer representing the starting offset within the query result set from which you want this operation to return audit agent reports from Palo Alto Cortex XDR. |
Search To | Integer representing the end offset within the result set after which you do not want this operation to return audit agent reports from Palo Alto Cortex XDR. |
Sort | Select this option if you want to sort the retrieved audit agent reports by field and order the results. If you select this option, then you can specify the following parameters: |
The output contains the following populated JSON schema:
{
"reply": {
"data": [
{
"RESULT": "",
"REASON": "",
"SUBTYPE": "",
"CATEGORY": "",
"DOMAIN": "",
"TRAPSVERSION": "",
"RECEIVEDTIME": "",
"TIMESTAMP": "",
"DESCRIPTION": "",
"ENDPOINTNAME": "",
"ENDPOINTID": "",
"TYPE": ""
}
],
"result_count": ""
}
}
Parameter | Description |
---|---|
Hash List | String that represents a list of hashed files you want to blacklist on Palo Alto Cortex XDR. Note: Hash must be a valid SHA256 value. |
Comment | String containing descriptive information about this action. |
The output contains the following populated JSON schema:
{
"reply": ""
}
Parameter | Description |
---|---|
Hash List | String that represents a list of hashed files you want to whitelist on Palo Alto Cortex XDR. Note: Hash must be a valid SHA256 value. |
Comment | String containing descriptive information about this action. |
The output contains the following populated JSON schema:
{
"reply": ""
}
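Both list operations above require every hash to be a valid SHA256 and only add hashes that are not already on the list. The Python below is an added example, not connector code, for preparing the Hash List value in a playbook: it splits a comma-, semicolon- or whitespace-separated string, lower-cases and de-duplicates the hashes, rejects MD5 and SHA1 values and typos, removes hashes already on the target list, and flags any hash that would end up on both the blacklist and the whitelist. The sample input and the "already listed" hashes are constructed; the same normalisation applies to the File Hash parameters of the quarantine operations further down.

```python
"""Normalize a user-supplied hash list before it reaches the Blacklist Files,
Whitelist Files or Quarantine Files steps.

Added example, not connector code. Enforces the page's note that every hash
must be a valid SHA256, drops duplicates, removes hashes already on the list
(the "not already blacklisted" condition) and flags blacklist/whitelist
conflicts.
"""
import re
from typing import Iterable, List, Set, Tuple

SHA256_RE = re.compile(r"[0-9a-f]{64}")
SPLIT_RE = re.compile(r"[\s,;]+")


def normalize_hash_list(raw: str) -> Tuple[List[str], List[str]]:
    """Split on commas, semicolons or whitespace; return (accepted, rejected).

    Accepted hashes are lower-cased and de-duplicated in first-seen order;
    anything that is not exactly 64 hex characters (MD5, SHA1, typos) is
    rejected and returned as typed so the caller can report it.
    """
    accepted: List[str] = []
    rejected: List[str] = []
    seen: Set[str] = set()
    for token in SPLIT_RE.split(raw.strip()):
        if not token:
            continue
        candidate = token.lower()
        if SHA256_RE.fullmatch(candidate) is None:
            rejected.append(token)
        elif candidate not in seen:
            seen.add(candidate)
            accepted.append(candidate)
    return accepted, rejected


def hashes_to_submit(candidates: Iterable[str], already_listed: Iterable[str]) -> List[str]:
    """Drop hashes the target list already holds, so the step only sends new ones."""
    listed = {h.lower() for h in already_listed}
    return [h for h in candidates if h.lower() not in listed]


def list_conflicts(blacklist: Iterable[str], whitelist: Iterable[str]) -> List[str]:
    """Hashes present on both lists; a playbook should stop and ask a human here."""
    return sorted({h.lower() for h in blacklist} & {h.lower() for h in whitelist})


# Constructed input: a SHA256, the same hash upper-cased, an MD5, a second
# SHA256 and a SHA1, separated the ways a playbook variable typically is.
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
TEST_SHA256 = "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"
RAW_INPUT = (f"{EMPTY_SHA256}, {EMPTY_SHA256.upper()}\n"
             "d41d8cd98f00b204e9800998ecf8427e;"
             f"{TEST_SHA256} da39a3ee5e6b4b0d3255bfef95601890afd80709")

if __name__ == "__main__":
    ok, bad = normalize_hash_list(RAW_INPUT)
    print("accepted:", ok)
    print("rejected:", bad)
    print("to submit:", hashes_to_submit(ok, [EMPTY_SHA256]))
    print("conflicts:", list_conflicts(ok, [TEST_SHA256.upper()]))
```

Rejected tokens should fail the playbook step loudly rather than be dropped on the floor: a hash that was never submitted is a block that never happened, and a 40-character SHA1 pasted into a SHA256 field is the usual way that occurs.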
Parameter | Description |
---|---|
Operator | String that identifies the comparison operator you want to use to filter endpoints on which you want to quarantine files on Palo Alto Cortex XDR. You can choose from the following: In, Greater Than Equal To, or Less Than Equal To. |
File Path | String that represents the path of the file you want to quarantine on the specified endpoints on Palo Alto Cortex XDR. |
File Hash | String that represents the hash value of the file you want to quarantine on the specified endpoints on Palo Alto Cortex XDR. The hash must be a valid SHA256 value. |
The output contains the following populated JSON schema:
{
"reply": {
"action_id": []
}
}
Parameter | Description |
---|---|
Endpoint ID | String that represents the endpoint ID whose associated files' quarantine status you want to retrieve from Palo Alto Cortex XDR. |
File Hash | String that represents the hash value of the file whose quarantine status you want to retrieve from Palo Alto Cortex XDR. The hash must be a valid SHA256 value. |
File Path | String that represents the path of the file whose quarantine status you want to retrieve from Palo Alto Cortex XDR. |
The output contains the following populated JSON schema:
{
"reply": [
{
"endpoint_id": "",
"file_path": "",
"file_hash": "",
"status": ""
}
]
}
Parameter | Description |
---|---|
File Hash | String that represents the hash value of the quarantined file that you want to restore on the specified endpoint on Palo Alto Cortex XDR. The hash must be a valid SHA256 value. |
Endpoint ID | String that represents the endpoint ID on which you want to restore the specified quarantined file. |
The output contains the following populated JSON schema:
{
"message": "",
"status": ""
}
Parameter | Description |
---|---|
Operator | String that identifies the comparison operator you want to use to filter the endpoints from which you want to retrieve files on Palo Alto Cortex XDR. You can choose from the following: In, Greater Than Equal To, or Less Than Equal To. |
Files | Dictionary keyed by the operating system of the endpoints from which you want to retrieve files from Palo Alto Cortex XDR. You can choose between Windows, Linux, or Macos. |
File Path | String that represents the path of the file you want to retrieve from the specified endpoints on Palo Alto Cortex XDR. |
The output contains the following populated JSON schema:
{
"reply": {
"action_id": []
}
}
The Sample - Palo Alto Cortex XDR - 1.0.0 playbook collection comes bundled with the Palo Alto Cortex XDR connector. These playbooks contain steps that perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Palo Alto Cortex XDR connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or removed.