Palo Alto Cortex XDR v1.0.0

Palo Alto Cortex XDR v1.0.0

Home FortiSOAR Connectors Palo Alto Cortex XDR v1.0.0

1.0.0

Palo Alto Cortex XDR v1.0.0

About the connector

Cortex XDR applies machine learning at cloud scale to rich network, endpoint, and cloud data, so you can quickly find and stop targeted attacks, insider abuse, and compromised endpoints.

This document provides information about the Palo Alto Cortex XDR connector, which facilitates automated interactions with your Palo Alto Cortex XDR server using FortiSOAR™ playbooks. Add the Palo Alto Cortex XDR connector, as a step in FortiSOAR™ playbooks and perform automated operations such as retrieving a list of all your endpoints from Palo Alto Cortex XDR or isolating endpoints on Palo Alto Cortex XDR.

Version information

Connector Version: 1.0.0

Authored By: Community

Certified: No

Installing the connector

From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root user to install connectors:

yum install cyops-connector-paloalto-cortex-xdr

Prerequisites to configuring the connector

You must have the URL of Palo Alto Cortex XDR server to which you will connect and perform automated operations and credentials (API Key ID and API Key) to access that server.
To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, click the Palo Alto Cortex XDR connector row (if you are in the Grid view on the Connectors page), and in the Configurations tab enter the required configuration details.

Parameter	Description
Server URL	URL of the Palo Alto Cortex XDR server to which you will connect and perform the automated operations.
API Key ID	ID of the API key configured for your account to access the Palo Alto Cortex XDR server to which you will connect and perform the automated operations.
API Key	API key configured for your account to access the Palo Alto Cortex XDR server to which you will connect and perform the automated operations. Note: You require a "Standard" security level API key.
Verify SSL	Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True.

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations from version 4.10.0 onwards:

Function	Description	Annotation and Category
Fetch Incidents	Retrieves incidents from Palo Alto Cortex XDR based on the input parameters specified.	fetch_incidents Investigation
Get Incident Details	Retrieves details, including alert and key artifacts, for a specific incident from Palo Alto Cortex XDR based on the incident ID and other input parameters specified.	get_incident_details Investigation
Update Incident	Updates incident fields like severity, status, etc. of a specific incident in Palo Alto Cortex XDR based on the incident ID and other input parameters specified.	update_incident Investigation
Insert CEF Alerts	Upload alerts in the CEF format from external alert sources to Palo Alto Cortex XDR based on the list of alerts specified. After you have mapped the CEF alert fields to Cortex XDR fields, Cortex XDR displays the alerts in related incidents and views.	insert_cef_alerts Investigation
Insert Parsed Alerts	Uploads alerts in the Cortex XDR format from external alert sources to Palo Alto Cortex XDR based on the product, vendor, and other input parameters specified. Cortex XDR displays alerts that are parsed successfully in related incidents and views.	insert_parsed_alerts Investigation
Isolate Endpoints	Isolates one or more endpoints in a single request on Palo Alto Cortex XDR based on the endpoint ID and other input parameters specified.	isolate_endpoints Investigation
Unisolate Endpoints	Unisolates one or more endpoints in a single request on Palo Alto Cortex XDR based on the endpoint ID and other input parameters specified.	unisolate_endpoints Investigation
Get All Endpoints	Retrieves a list of all your endpoints from Palo Alto Cortex XDR.	get_all_endpoints Investigation
Get Endpoints	Retrieves a list of filtered endpoints from Palo Alto Cortex XDR based on the input parameters specified.	get_endpoints Investigation
Scan Endpoints	Runs a scan on specified endpoints on Palo Alto Cortex XDR based on the input parameters specified.	scan_endpoints Investigation
Cancel Scan Endpoints	Cancels a scan on specified endpoints on Palo Alto Cortex XDR based on the input parameters specified.	cancel_scan_endpoints Investigation
Delete Endpoints	Deletes specified endpoints from the Cortex XDR app based on the input parameters specified. Note: You can delete up to 100 endpoints.	delete_endpoints Investigation
Get Policy	Retrieves the policy for a specific endpoint from Palo Alto Cortex XDR based on the endpoint ID specified	get_policy Investigation
Get Device Violations	Retrieves a list of filtered device violations from Palo Alto Cortex XDR based on the input parameters specified.	get_device_violations Investigation
Get Distribution Version	Retrieves a list of all the agent versions that are used for creating a distribution list from Palo Alto Cortex XDR.	get_distribution_version Investigation
Create Distributions	Creates an installation package on Palo Alto Cortex XDR based on the distribution name and package type specified.	create_distributions Investigation
Get Distribution Status	Checks and retrieves the status of the installation package from Palo Alto Cortex XDR based on the distribution ID specified.	get_distribution_status Investigation
Get Distribution URL	Retrieves the distribution URL for downloading the installation package from Palo Alto Cortex XDR based on the distribution ID and package type specified.	get_distribution_url Investigation
Get Audit Management Logs	Retrieves audit management logs from Palo Alto Cortex XDR based on the input parameters specified.	get_audit_management_log Investigation
Get Audit Agent Report	Retrieves agent event reports from Palo Alto Cortex XDR based on the input parameters specified.	get_audit_agent_report Investigation
Blacklist Files	Blacklists the specified files that have not already been blacklisted on Palo Alto Cortex XDR based on the list of hash files specified.	blacklist_files Investigation
Whitelist Files	Whitelists the specified files that have not already been whitelisted on Palo Alto Cortex XDR based on the list of hash files specified.	whitelist_files Investigation
Quarantine Files	Quarantines files on specified endpoints on Palo Alto Cortex XDR based on the file path, file hash and other input parameters specified.	quarantine_files Investigation
Get Quarantine Status	Retrieves the quarantine status for a specified file from Palo Alto Cortex XDR based on the endpoint ID, file path, and file hash specified.	get_quarantine_status Investigation
Restore File	Restores a quarantined file on a specified endpoint on Palo Alto Cortex XDR based on the endpoint ID and file hash specified	restore_file Investigation
Retrieve File	Retrieves a file from specified endpoints from Palo Alto Cortex XDR based on the file path and other input parameters specified. Note: You can retrieve up to 20 files from a maximum of 100 endpoints.	retrieve_file Investigation

operation: Fetch Incidents

Input parameters

Parameter	Description
Operator	String that identifies the comparison operator you want to use to filter incidents to be retrieved from Palo Alto Cortex XDR. You can choose from the following: In, Contains, Greater Than Equal To, or Less Than Equal To. If you choose the 'In' operator, then you can specify the following parameters: Incident ID List: List of incident IDs based on which you want to retrieve incidents from Palo Alto Cortex XDR. Each item in the list must be an incident ID. Alert Sources: Source which detected the alert whose associated incidents you want to retrieve from Palo Alto Cortex XDR. Description: Description of the incident that you want to retrieve from Palo Alto Cortex XDR. If you choose the 'Contains' operator, then you can specify the following parameters: Description: Description of the incident that you want to retrieve from Palo Alto Cortex XDR. If you choose the 'Greater Than Equal To' operator, then you can specify the following parameters: Modification Time: Time the incident has been modified. This operator will retrieve all incidents that match the time specified or the time later than the time specified from Palo Alto Cortex XDR. Creation Time: Time that the incident has been created. This operator will retrieve all incidents that match the time specified or the time later than the time specified from Palo Alto Cortex XDR. If you choose the 'Less Than Equal To' operator, then you can specify the following parameters: Modification Time: Time the incident has been modified. This operator will retrieve all incidents that match the time specified or the time earlier than the time specified from Palo Alto Cortex XDR. Creation Time: Time that the incident has been created. This operator will retrieve all incidents that match the time specified or the time earlier than the time specified from Palo Alto Cortex XDR.
Search From	Integer representing the starting offset within the query result set from which you want this operation to return incidents from Palo Alto Cortex XDR.
Search To	Integer representing the end offset within the result set after which you do not want this operation to return incidents from Palo Alto Cortex XDR.
Sort	Select this option if you want to sort the retrieved incidents by field and order the results. If you select this option, then you can specify the following parameters: Sort by Field: Choose the field by which you want to sort the incidents. You can choose between Modification Time or Creation Time. Sort by Order: Choose the order in which you want to sort the result. You can choose between Ascending or Descending.

Output

The output contains the following populated JSON schema:
{
"reply": {
"result_count": "",
"total_count": "",
"incidents": [
{
"assigned_user_pretty_name": "",
"user_count": "",
"creation_time": "",
"detection_time": "",
"manual_description": "",
"med_severity_alert_count": "",
"high_severity_alert_count": "",
"hosts": [],
"incident_id": "",
"incident_sources": [],
"xdr_url": "",
"assigned_user_mail": "",
"users": [],
"modification_time": "",
"low_severity_alert_count": "",
"severity": "",
"resolve_comment": "",
"host_count": "",
"manual_severity": "",
"starred": "",
"alert_count": "",
"description": "",
"status": "",
"notes": ""
}
]
}
}

operation: Get Incident Details

Input parameters

Parameter	Description
Incident ID	ID of the incident for which you want to retrieve details including alerts and key artifacts from Palo Alto Cortex XDR.
Alerts Limit	(Optional) Maximum number of alerts related to the specified incident you want to retrieve from Palo Alto Cortex XDR. By default, this is set to '1000'.

Output

The output contains the following populated JSON schema:
{
"reply": {
"alerts": {
"data": [
{
"source": "",
"starred": "",
"event_type": "",
"severity": "",
"host_name": "",
"host_ip": "",
"is_whitelisted": "",
"name": "",
"alert_id": "",
"actor_process_image_name": "",
nbsp; "category": "",
"action": "",
"detection_timestamp": "",
"actor_process_command_line": "",
"fw_app_id": "",
"action_pretty": "",
"user_name": "",
"description": "",
"endpoint_id": ""
}
],
"total_count": ""
},
"network_artifacts": {
"data": [
{
"network_country": "",
"is_manual": "",
"network_domain": "",
"network_remote_port": "",
"alert_count": "",
"type": "",
"network_remote_ip": ""
}
],
"total_count": ""
},
"file_artifacts": {
"data": [
{
"file_signature_status": "",
"is_manual": "",
"file_sha256": "",
"alert_count": "",
"is_malicious": "",
"type": "",
"is_process": "",
"file_signature_vendor_name": "",
"file_name": "",
"file_wildfire_verdict": ""
}
],
"total_count": ""
},
"incident": {
"assigned_user_pretty_name": "",
"user_count": "",
"creation_time": "",
"detection_time": "",
"manual_description": "",
"med_severity_alert_count": "",
"high_severity_alert_count": "",
"hosts": [],
"incident_id": "",
"xdr_url": "",
"assigned_user_mail": "",
"users": [],
"modification_time": "",
"low_severity_alert_count": "",
"severity": "",
"alert_sources": [],
"resolve_comment": "",
"host_count": "",
"manual_severity": "",
"starred": "",
"alert_count": "",
"description": "",
"status": "",
"notes": ""
}
}
}

operation: Update Incident

Input parameters

Parameter	Description
Incident ID	ID of the incident that you want to update Palo Alto Cortex XDR.
Assigned User Mail	(Optional) Email address of the incident assignee that you want to update in the specified incident in Palo Alto Cortex XDR.
Assigned User Pretty Name	(Optional) Full name of the incident assignee that you want to update in the specified incident in Palo Alto Cortex XDR.
Severity	(Optional) Severity level you want to update in the specified incident in Palo Alto Cortex XDR. You can choose from the following options: High, Medium, or Low.
Status	(Optional) Full name of the incident assignee that you want to update in the specified incident in Palo Alto Cortex XDR. You can choose from the following options: New, Under Investigation, Resolved Threat Handled, Resolved Know Issue, Resolved Duplicate, Resolved False Positive, or Resolved Other.
Resolve Comment	Descriptive comment that explains the updates made to the specified incident.

Output

The output contains the following populated JSON schema:
{
"message": "",
"status": ""
}

operation: Insert CEF Alerts

Input parameters

Parameter	Description
Alerts	Comma-separated list of alerts in the CEF format that you want to add to Palo Alto Cortex XDR.

Output

The output contains the following populated JSON schema:
{
"reply": ""
}

operation: Insert Parsed Alerts

Input parameters
Note: Value that you specify in the following parameters will be used to upload alerts to Palo Alto Cortex XDR.

Parameter	Description
Product	String value that defines the product. For example, VPN & Firewall-1.
Vendor	String value that defines the vendor. For example, Check Point.
Local IP	String value for the source IP address.
Local Port	Integer value for the source port.
Remote IP	String value of the destination IP address.
Remote Port	Integer value for the destination port.
Event Timestamp	Time the alert occurred.
Alert Name	String defining the name of the alert that you want to upload to Palo Alto Cortex XDR.
Severity	(Optional) Choose the severity of the alert that you want to upload to Palo Alto Cortex XDR. You can choose from the following options: Informational, High, Medium, Low, or Unknown.
Alert Description	(Optional) String defining the description of the alert that you want to upload to Palo Alto Cortex XDR.

Output

The output contains the following populated JSON schema:
{
"reply": ""
}

operation: Isolate Endpoints

Input parameters

Parameter	Description
Isolate Endpoint	Choose whether you want to isolate a single endpoint or more than one endpoint on Palo Alto Cortex XDR. You can choose between Isolate One Endpoint or Isolate More Than One Endpoint. If you choose the 'Isolate One Endpoint' option, then you can specify the following parameters: Endpoint ID: ID of the endpoint that you want to isolate on Palo Alto Cortex XDR. If you choose the 'Isolate More Than One Endpoint' option, then you can specify the following parameters: Operator: String that identifies the comparison operator you want to use to filter endpoint to be isolated on Palo Alto Cortex XDR. You can choose from the following: In, Greater Than Equal To, or Less Than Equal To. If you choose the 'In' operator, then you can specify the following parameters: Endpoint ID List: List of endpoint IDs to isolate on Palo Alto Cortex XDR. Distribution Name: Name of the distribution list containing the endpoints to isolate on Palo Alto Cortex XDR. Group Name: Name of the group containing the endpoints to isolate on Palo Alto Cortex XDR. Alias: Alias of the endpoints to isolate on Palo Alto Cortex XDR. Hostname: Name of the host of the endpoints to isolate on Palo Alto Cortex XDR. IP list: List of IP addresses containing the endpoints to isolate on Palo Alto Cortex XDR. Platform: Type of operating system that contains the endpoints to isolate on Palo Alto Cortex XDR. You can choose between Windows, Linux, Macos, or Android. Isolate: Select Isolated if the endpoints are isolated. If you choose the 'Greater Than Equal To' operator, then you can specify the following parameters: First Seen: Time when the endpoint was first seen. This operator will isolate all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR. Last Seen: Time when the endpoint was last seen. This operator will isolate all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR. If you choose the 'Less Than Equal To' operator, then you can specify the following parameters: First Seen: Time when the endpoint was first seen. This operator will isolate all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR. Last Seen: Time that the incident was last seen. This operator will isolate all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR.

Parameter

Description

Isolate Endpoint

Choose whether you want to isolate a single endpoint or more than one endpoint on Palo Alto Cortex XDR. You can choose between Isolate One Endpoint or Isolate More Than One Endpoint.
If you choose the 'Isolate One Endpoint' option, then you can specify the following parameters:

Endpoint ID: ID of the endpoint that you want to isolate on Palo Alto Cortex XDR.

If you choose the 'Isolate More Than One Endpoint' option, then you can specify the following parameters:

Operator: String that identifies the comparison operator you want to use to filter endpoint to be isolated on Palo Alto Cortex XDR. You can choose from the following: In, Greater Than Equal To, or Less Than Equal To.
If you choose the 'In' operator, then you can specify the following parameters:
- Endpoint ID List: List of endpoint IDs to isolate on Palo Alto Cortex XDR.
- Distribution Name: Name of the distribution list containing the endpoints to isolate on Palo Alto Cortex XDR.
- Group Name: Name of the group containing the endpoints to isolate on Palo Alto Cortex XDR.
- Alias: Alias of the endpoints to isolate on Palo Alto Cortex XDR.
- Hostname: Name of the host of the endpoints to isolate on Palo Alto Cortex XDR.
- IP list: List of IP addresses containing the endpoints to isolate on Palo Alto Cortex XDR.
- Platform: Type of operating system that contains the endpoints to isolate on Palo Alto Cortex XDR. You can choose between Windows, Linux, Macos, or Android.
- Isolate: Select Isolated if the endpoints are isolated.
If you choose the 'Greater Than Equal To' operator, then you can specify the following parameters:
- First Seen: Time when the endpoint was first seen. This operator will isolate all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR.
- Last Seen: Time when the endpoint was last seen. This operator will isolate all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR.
If you choose the 'Less Than Equal To' operator, then you can specify the following parameters:
- First Seen: Time when the endpoint was first seen. This operator will isolate all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR.
- Last Seen: Time that the incident was last seen. This operator will isolate all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR.

Output

The output contains the following populated JSON schema:
{
"reply": {
"action_id": []
}
}

operation: Unisolate Endpoints

Input parameters

Parameter	Description
Unisolate Endpoint	Choose whether you want to unisolate a single endpoint or more than one endpoint on Palo Alto Cortex XDR. You can choose between unisolate One Endpoint or unisolate More Than One Endpoint. If you choose the 'Unisolate One Endpoint' option, then you can specify the following parameters: Endpoint ID: ID of the endpoint that you want to unisolate on Palo Alto Cortex XDR. If you choose the 'Unisolate More Than One Endpoint' option, then you can specify the following parameters: Operator: String that identifies the comparison operator you want to use to filter endpoint to be unisolated on Palo Alto Cortex XDR. You can choose from the following: In, Greater Than Equal To, or Less Than Equal To. If you choose the 'In' operator, then you can specify the following parameters: Endpoint ID List: List of endpoint IDs to unisolate on Palo Alto Cortex XDR. Distribution Name: Name of the distribution list containing the endpoints to unisolate on Palo Alto Cortex XDR. Group Name: Name of the group containing the endpoints to unisolate on Palo Alto Cortex XDR. Alias: Alias of the endpoints to unisolate on Palo Alto Cortex XDR. Hostname: Name of the host of the endpoints to unisolate on Palo Alto Cortex XDR. IP list: List of IP addresses containing the endpoints to unisolate on Palo Alto Cortex XDR. Platform: Type of operating system that contains the endpoints to unisolate on Palo Alto Cortex XDR. You can choose between Windows, Linux, Macos, or Android. Isolate: Select Unisolated if the endpoints are unisolated. If you choose the 'Greater Than Equal To' operator, then you can specify the following parameters: First Seen: Time when the endpoint was first seen. This operator will unisolate all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR. Last Seen: Time when the endpoint was last seen. This operator will unisolate all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR. If you choose the 'Less Than Equal To' operator, then you can specify the following parameters: First Seen: Time when the endpoint was first seen. This operator will unisolate all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR. Last Seen: Time that the incident was last seen. This operator will unisolate all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR.

Parameter

Description

Unisolate Endpoint

Choose whether you want to unisolate a single endpoint or more than one endpoint on Palo Alto Cortex XDR. You can choose between unisolate One Endpoint or unisolate More Than One Endpoint.
If you choose the 'Unisolate One Endpoint' option, then you can specify the following parameters:

Endpoint ID: ID of the endpoint that you want to unisolate on Palo Alto Cortex XDR.

If you choose the 'Unisolate More Than One Endpoint' option, then you can specify the following parameters:

Operator: String that identifies the comparison operator you want to use to filter endpoint to be unisolated on Palo Alto Cortex XDR. You can choose from the following: In, Greater Than Equal To, or Less Than Equal To.
If you choose the 'In' operator, then you can specify the following parameters:
- Endpoint ID List: List of endpoint IDs to unisolate on Palo Alto Cortex XDR.
- Distribution Name: Name of the distribution list containing the endpoints to unisolate on Palo Alto Cortex XDR.
- Group Name: Name of the group containing the endpoints to unisolate on Palo Alto Cortex XDR.
- Alias: Alias of the endpoints to unisolate on Palo Alto Cortex XDR.
- Hostname: Name of the host of the endpoints to unisolate on Palo Alto Cortex XDR.
- IP list: List of IP addresses containing the endpoints to unisolate on Palo Alto Cortex XDR.
- Platform: Type of operating system that contains the endpoints to unisolate on Palo Alto Cortex XDR. You can choose between Windows, Linux, Macos, or Android.
- Isolate: Select Unisolated if the endpoints are unisolated.
If you choose the 'Greater Than Equal To' operator, then you can specify the following parameters:
- First Seen: Time when the endpoint was first seen. This operator will unisolate all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR.
- Last Seen: Time when the endpoint was last seen. This operator will unisolate all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR.
If you choose the 'Less Than Equal To' operator, then you can specify the following parameters:
- First Seen: Time when the endpoint was first seen. This operator will unisolate all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR.
- Last Seen: Time that the incident was last seen. This operator will unisolate all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR.

Output

The output contains the following populated JSON schema:
{
"reply": {
"action_id": []
}
}

operation: Get All Endpoints

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
"reply": [
{
"agent_type": "",
"agent_id": "",
"host_name": "",
"agent_status": "",
"ip": ""
}
]
}

operation: Get Endpoints

Input parameters

Parameter	Description
Operator	String that identifies the comparison operator you want to use to filter endpoints to be retrieved from Palo Alto Cortex XDR. You can choose from the following: In, Greater Than Equal To, or Less Than Equal To. If you choose the 'In' operator, then you can specify the following parameters: Endpoint ID List: List of endpoint IDs based on which you want to retrieve endpoints from Palo Alto Cortex XDR. Distribution Name: Name of the distribution list or installation package name containing the endpoints to be retrieved from Palo Alto Cortex XDR. Group Name: Name of the group containing the endpoints to be retrieved from Palo Alto Cortex XDR. Alias: Alias of the endpoints to be retrieved from Palo Alto Cortex XDR. Hostname: Name of the host of the endpoints to be retrieved from Palo Alto Cortex XDR. IP list: List of IP addresses containing the endpoints to be retrieved from Palo Alto Cortex XDR. Platform: Type of operating system that contains the endpoints to be retrieved from Palo Alto Cortex XDR. You can choose between Windows, Linux, Macos, or Android. Isolate: Select Isolated if the endpoints have been isolated and Unisolated if the endpoints have been unisolated. If you choose the 'Greater Than Equal To' operator, then you can specify the following parameters: First Seen: Time when the endpoint was first seen. This operator will retrieve all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR. Last Seen: Time when the endpoint was last seen. This operator will retrieve all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR. If you choose the 'Less Than Equal To' operator, then you can specify the following parameters: First Seen: Time when the endpoint was first seen. This operator will retrieve all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR. Last Seen: Time that the incident was last seen. This operator will retrieve all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR.
Search From	Integer representing the starting offset within the query result set from which you want this operation to return incidents from Palo Alto Cortex XDR.
Search To	Integer representing the end offset within the result set after which you do not want this operation to return incidents from Palo Alto Cortex XDR.
Sort	Select this option if you want to sort the retrieved endpoints by field and order the results. If you select this option, then you can specify the following parameters: Sort by Field: Choose the field by which you want to sort the endpoints. You can choose between First Seen or Last Seen. Sort by Order: Choose the order in which you want to sort the result. You can choose between Ascending or Descending.

Output

The output contains the following populated JSON schema:
{
"reply": {
"result_count": "",
"endpoints": [
{
"is_isolated": "",
"last_seen": "",
"os_type": "",
"users": [
""
],
"install_date": "",
"active_directory": "",
"group_name": "",
"domain": "",
"installation_package": "",
"endpoint_name": "",
"endpoint_status": "",
"alias": "",
"ip": "",
"endpoint_type": "",
"first_seen": "",
"endpoint_id": "",
"endpoint_version": "",
"content_version": ""
}
]
}
}

operation: Scan Endpoints

Input parameters

Parameter	Description
Operator	String that identifies the comparison operator you want to use to filter endpoints to be scanned on Palo Alto Cortex XDR. You can choose from the following: In, Greater Than Equal To, or Less Than Equal To. If you choose the 'In' operator, then you can specify the following parameters: Endpoint ID List: List of endpoint IDs that you want to scan on Palo Alto Cortex XDR. Distribution Name: Name of the distribution list containing the endpoints that you want to scan on Palo Alto Cortex XDR. Group Name: Name of the group containing the endpoints that you want to scan on Palo Alto Cortex XDR. Alias: Alias of the endpoints to be scanned on Palo Alto Cortex XDR. Hostname: Name of the host of the endpoints to be scanned on Palo Alto Cortex XDR. IP list: List of IP addresses containing the endpoints to be scanned on Palo Alto Cortex XDR. Platform: Type of operating system that contains the endpoints to be scanned on Palo Alto Cortex XDR. You can choose between Windows, Linux, Macos, or Android. Isolate: Select Isolated if the endpoints have been isolated and Unisolated if the endpoints have been unisolated. If you choose the 'Greater Than Equal To' operator, then you can specify the following parameters: First Seen: Time when the endpoint was first seen. This operator will scan all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR. Last Seen: Time when the endpoint was last seen. This operator will scan all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR. If you choose the 'Less Than Equal To' operator, then you can specify the following parameters: First Seen: Time when the endpoint was first seen. This operator will scan all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR. Last Seen: Time that the incident was last seen. This operator will scan all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR.

Parameter

Description

Operator

String that identifies the comparison operator you want to use to filter endpoints to be scanned on Palo Alto Cortex XDR. You can choose from the following: In, Greater Than Equal To, or Less Than Equal To.

If you choose the 'In' operator, then you can specify the following parameters:
- Endpoint ID List: List of endpoint IDs that you want to scan on Palo Alto Cortex XDR.
- Distribution Name: Name of the distribution list containing the endpoints that you want to scan on Palo Alto Cortex XDR.
- Group Name: Name of the group containing the endpoints that you want to scan on Palo Alto Cortex XDR.
- Alias: Alias of the endpoints to be scanned on Palo Alto Cortex XDR.
- Hostname: Name of the host of the endpoints to be scanned on Palo Alto Cortex XDR.
- IP list: List of IP addresses containing the endpoints to be scanned on Palo Alto Cortex XDR.
- Platform: Type of operating system that contains the endpoints to be scanned on Palo Alto Cortex XDR. You can choose between Windows, Linux, Macos, or Android.
- Isolate: Select Isolated if the endpoints have been isolated and Unisolated if the endpoints have been unisolated.
If you choose the 'Greater Than Equal To' operator, then you can specify the following parameters:
- First Seen: Time when the endpoint was first seen. This operator will scan all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR.
- Last Seen: Time when the endpoint was last seen. This operator will scan all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR.
If you choose the 'Less Than Equal To' operator, then you can specify the following parameters:
- First Seen: Time when the endpoint was first seen. This operator will scan all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR.
- Last Seen: Time that the incident was last seen. This operator will scan all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR.

Output

The output contains the following populated JSON schema:
{
"reply": {
"action_id": []
}
}

operation: Cancel Scan Endpoints

Input parameters

Parameter	Description
Operator	String that identifies the comparison operator you want to use to filter endpoints whose scans are to be canceled on Palo Alto Cortex XDR. You can choose from the following: In, Greater Than Equal To, or Less Than Equal To. If you choose the 'In' operator, then you can specify the following parameters: Endpoint ID List: List of endpoint IDs whose scans you want to cancel on Palo Alto Cortex XDR. Distribution Name: Name of the distribution list containing the endpoints whose scans you want to cancel on Palo Alto Cortex XDR. Group Name: Name of the group containing the endpoints whose scans you want to cancel on Palo Alto Cortex XDR. Alias: Alias of the endpoints whose scans you want to cancel Palo Alto Cortex XDR. Hostname: Name of the host of the endpoints whose scans you want to cancel Palo Alto Cortex XDR. IP list: List of IP addresses containing the endpoints whose scans you want to cancel on Palo Alto Cortex XDR. Platform: Type of operating system that contains the endpoints whose scans you want to cancel on Palo Alto Cortex XDR. You can choose between Windows, Linux, Macos, or Android. Isolate: Select Isolated if the endpoints have been isolated and Unisolated if the endpoints have been unisolated. If you choose the 'Greater Than Equal To' operator, then you can specify the following parameters: First Seen: Time when the endpoint was first seen. This operator will cancel the scans on all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR. Last Seen: Time when the endpoint was last seen. This operator will cancel the scans on all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR. If you choose the 'Less Than Equal To' operator, then you can specify the following parameters: First Seen: Time when the endpoint was first seen. This operator will cancel the scans on all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR. Last Seen: Time that the incident was last seen. This operator will cancel the scans on all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR.

Parameter

Description

Operator

String that identifies the comparison operator you want to use to filter endpoints whose scans are to be canceled on Palo Alto Cortex XDR. You can choose from the following: In, Greater Than Equal To, or Less Than Equal To.

If you choose the 'In' operator, then you can specify the following parameters:
- Endpoint ID List: List of endpoint IDs whose scans you want to cancel on Palo Alto Cortex XDR.
- Distribution Name: Name of the distribution list containing the endpoints whose scans you want to cancel on Palo Alto Cortex XDR.
- Group Name: Name of the group containing the endpoints whose scans you want to cancel on Palo Alto Cortex XDR.
- Alias: Alias of the endpoints whose scans you want to cancel Palo Alto Cortex XDR.
- Hostname: Name of the host of the endpoints whose scans you want to cancel Palo Alto Cortex XDR.
- IP list: List of IP addresses containing the endpoints whose scans you want to cancel on Palo Alto Cortex XDR.
- Platform: Type of operating system that contains the endpoints whose scans you want to cancel on Palo Alto Cortex XDR. You can choose between Windows, Linux, Macos, or Android.
- Isolate: Select Isolated if the endpoints have been isolated and Unisolated if the endpoints have been unisolated.
If you choose the 'Greater Than Equal To' operator, then you can specify the following parameters:
- First Seen: Time when the endpoint was first seen. This operator will cancel the scans on all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR.
- Last Seen: Time when the endpoint was last seen. This operator will cancel the scans on all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR.
If you choose the 'Less Than Equal To' operator, then you can specify the following parameters:
- First Seen: Time when the endpoint was first seen. This operator will cancel the scans on all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR.
- Last Seen: Time that the incident was last seen. This operator will cancel the scans on all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR.

Output

The output contains the following populated JSON schema:
{
"reply": ""
}

operation: Delete Endpoints

Input parameters

Parameter	Description
Operator	String that identifies the comparison operator you want to use to filter endpoints to be deleted from the Palo Alto Cortex XDR app. You can choose from the following: In, Greater Than Equal To, or Less Than Equal To. If you choose the 'In' operator, then you can specify the following parameters: Endpoint ID List: List of endpoint IDs that you want to delete from the Palo Alto Cortex XDR app. Distribution Name: Name of the distribution list containing the endpoints that you want to delete from the Palo Alto Cortex XDR app. Group Name: Name of the group containing the endpoints that you want to delete from the Palo Alto Cortex XDR app. Alias: Alias of the endpoints to be deleted from the Palo Alto Cortex XDR app. Hostname: Name of the host of the endpoints to be deleted from the Palo Alto Cortex XDR app. IP list: List of IP addresses containing the endpoints to be deleted from the Palo Alto Cortex XDR app. Platform: Type of operating system that contains the endpoints to be deleted from the Palo Alto Cortex XDR app. You can choose between Windows, Linux, Macos, or Android. Isolate: Select Isolated if the endpoints have been isolated and Unisolated if the endpoints have been unisolated. If you choose the 'Greater Than Equal To' operator, then you can specify the following parameters: First Seen: Time when the endpoint was first seen. This operator will delete all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR. Last Seen: Time when the endpoint was last seen. This operator will delete all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR. If you choose the 'Less Than Equal To' operator, then you can specify the following parameters: First Seen: Time when the endpoint was first seen. This operator will delete all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR. Last Seen: Time that the incident was last seen. This operator will delete all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR.

Parameter

Description

Operator

String that identifies the comparison operator you want to use to filter endpoints to be deleted from the Palo Alto Cortex XDR app. You can choose from the following: In, Greater Than Equal To, or Less Than Equal To.

If you choose the 'In' operator, then you can specify the following parameters:
- Endpoint ID List: List of endpoint IDs that you want to delete from the Palo Alto Cortex XDR app.
- Distribution Name: Name of the distribution list containing the endpoints that you want to delete from the Palo Alto Cortex XDR app.
- Group Name: Name of the group containing the endpoints that you want to delete from the Palo Alto Cortex XDR app.
- Alias: Alias of the endpoints to be deleted from the Palo Alto Cortex XDR app.
- Hostname: Name of the host of the endpoints to be deleted from the Palo Alto Cortex XDR app.
- IP list: List of IP addresses containing the endpoints to be deleted from the Palo Alto Cortex XDR app.
- Platform: Type of operating system that contains the endpoints to be deleted from the Palo Alto Cortex XDR app. You can choose between Windows, Linux, Macos, or Android.
- Isolate: Select Isolated if the endpoints have been isolated and Unisolated if the endpoints have been unisolated.
If you choose the 'Greater Than Equal To' operator, then you can specify the following parameters:
- First Seen: Time when the endpoint was first seen. This operator will delete all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR.
- Last Seen: Time when the endpoint was last seen. This operator will delete all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR.
If you choose the 'Less Than Equal To' operator, then you can specify the following parameters:
- First Seen: Time when the endpoint was first seen. This operator will delete all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR.
- Last Seen: Time that the incident was last seen. This operator will delete all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR.

Output

The output contains the following populated JSON schema:
{
"reply": ""
}

operation: Get Policy

Input parameters

Parameter	Description
Endpoint ID	String the represents the endpoint ID based on which you want to retrieve the policy from Palo Alto Cortex XDR. For example, 51588e4ce9214c63b39d054bd073b93a

Output

The output contains the following populated JSON schema:
{
"reply": {
"policy_name": ""
}
}

operation: Get Device Violations

Input parameters

Parameter	Description
Operator	String that identifies the comparison operator you want to use to filter device violations to be retrieved from Palo Alto Cortex XDR. You can choose from the following: In, Greater Than Equal To, or Less Than Equal To. If you choose the 'In' operator, then you can specify the following parameters: Endpoint ID List: List of endpoint IDs based on which you want to retrieve violations from Palo Alto Cortex XDR. Vendor: String value that defines the vendor whose associated violations are to be retrieved from Palo Alto Cortex XDR. For example, Check Point. Vendor ID: String value that defines the vendor ID whose associated violations are to be retrieved from Palo Alto Cortex XDR. For example, 0x0999. Product: String value that defines the product whose associated violations are to be retrieved from Palo Alto Cortex XDR. For example, VPN & Firewall-1. Product ID: String value that defines the product ID whose associated violations are to be retrieved from Palo Alto Cortex XDR. For example, 0x10036. Serial: String value that defines the serial number whose associated violations are to be retrieved from Palo Alto Cortex XDR. For example, 8888889. Hostname: Name of the host whose associated violations are to be retrieved from Palo Alto Cortex XDR. Username: Name of the user whose associated violations are to be retrieved from Palo Alto Cortex XDR. Type: Type of violations that are to be retrieved from Palo Alto Cortex XDR. You can choose between CS ROM, Disk Drive, Floppy Disk, or Portable Device. IP list: List of IP addresses whose associated violations are to be retrieved from Palo Alto Cortex XDR. Violations ID List: List of violations IDs based on which you want to retrieve violations from Palo Alto Cortex XDR. If you choose the 'Greater Than Equal To' operator, then you can specify the following parameters: Timestamp: Datetime till when you want to retrieve violations from Palo Alto Cortex XDR. This operator will retrieve all violations that match the time specified or the time later than the time specified on Palo Alto Cortex XDR. If you choose the 'Less Than Equal To' operator, then you can specify the following parameters: Timestamp: Datetime from when you want to retrieve violations from Palo Alto Cortex XDR. This operator will retrieve all violations that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR.
Search From	Integer representing the starting offset within the query result set from which you want this operation to return incidents from Palo Alto Cortex XDR.
Search To	Integer representing the end offset within the result set after which you do not want this operation to return incidents from Palo Alto Cortex XDR.
Sort	Select this option if you want to sort the retrieved violations by field and order the results. If you select this option, then you can specify the following parameters: Sort by Field: Choose the field by which you want to sort the violations. You can choose between First Seen or Last Seen. Sort by Order: Choose the order in which you want to sort the result. You can choose between Ascending or Descending.

Output

The output contains the following populated JSON schema:
{
"reply": {
"violations": [
{
"violation_id": "",
"serial": "",
"timestamp": "",
"vendor_id": "",
"username": "",
"ip": "",
"hostname": "",
"product_id": "",
"vendor": "",
"type": "",
"endpoint_id": "",
"product": ""
}
],
"result_count": ""
}
}

operation: Get Distribution Version

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
"reply": {
"macos": [],
"linux": [],
"windows": []
}
}

operation: Create Distributions

Input parameters

Parameter	Description
Name	String representing the name of the installation package that you want to create on Palo Alto Cortex XDR.
Package Type	String representing the type of installation package that you want to create on Palo Alto Cortex XDR. You can choose from the following types: Standalone or Upgrade. If you choose the 'Standalone' operator, then you can specify the following parameters: Platform: Platform on which you want to create the installation package. You can choose the following: Windows, Linux, Macos, or Android. If you choose 'Windows', then in the Agent Version field, enter the version of the agent. For example, 5.0.7.16157. If you choose 'Macos', then in the Agent Version field, enter the version of the agent. For example, 5.0.7.16157. If you choose 'Linux', then in the Agent Version field, enter the version of the agent. For example, 5.0.7.16157. If you choose the 'Upgrade' operator, then you can specify the following parameters: Upgrade: Specify the version of an agent from ESM to be upgraded. You can specify the following values: windows_version, linux_version, or macos_version.
Description	String containing descriptive information about the installation package.

Parameter

Description

Name

String representing the name of the installation package that you want to create on Palo Alto Cortex XDR.

Package Type

String representing the type of installation package that you want to create on Palo Alto Cortex XDR. You can choose from the following types: Standalone or Upgrade.
If you choose the 'Standalone' operator, then you can specify the following parameters:

Platform: Platform on which you want to create the installation package. You can choose the following: Windows, Linux, Macos, or Android.
- If you choose 'Windows', then in the Agent Version field, enter the version of the agent. For example, 5.0.7.16157.
- If you choose 'Macos', then in the Agent Version field, enter the version of the agent. For example, 5.0.7.16157.
- If you choose 'Linux', then in the Agent Version field, enter the version of the agent. For example, 5.0.7.16157.

If you choose the 'Upgrade' operator, then you can specify the following parameters:

Upgrade: Specify the version of an agent from ESM to be upgraded. You can specify the following values: windows_version, linux_version, or macos_version.

Description

String containing descriptive information about the installation package.

Output

The output contains the following populated JSON schema:
{
"reply": {
"distribution_id": ""
}
}

operation: Get Distribution Status

Input parameters

Parameter	Description
Distribution ID	String representing the ID of the installation package whose status you want to retrieve from Palo Alto Cortex XDR.

Output

The output contains the following populated JSON schema:
{
"reply": {
"status": ""
}
}

operation: Get Distribution URL

Input parameters

Parameter	Description
Distribution ID	String representing the ID of the installation package whose distribution URL you want to retrieve from Palo Alto Cortex XDR.
Package Type	String representing the type of installation package whose distribution URL you want to retrieve from Palo Alto Cortex XDR. You can choose from the following options: sh-For Linux, rpm-For Linux, deb-For Linux, pkg-For Mac, x86-For Windows, or x64-For Windows.

Output

The output contains the following populated JSON schema:
{
"reply": {
"distribution_url": ""
}
}

operation: Get Audit Management Logs

Input parameters

Parameter	Description
Operator	String that identifies the comparison operator you want to use to filter audit management logs to be retrieved from Palo Alto Cortex XDR. You can choose from the following: In, Greater Than Equal To, or Less Than Equal To. If you choose the 'In' operator, then you can specify the following parameters: Email: Email address of the user whose audit management logs you want to retrieve from Palo Alto Cortex XDR. Type: Type of the audit management logs you want to retrieve from Palo Alto Cortex XDR. Sub Type: Subtype of the audit management logs you want to retrieve from Palo Alto Cortex XDR. Result: Filter audit log management logs you want to retrieve from Palo Alto Cortex XDR based on the result of the audit log. For example, SUCCESS. If you choose the 'Greater Than Equal To' operator, then you can specify the following parameters: Timestamp: Datetime of the log till when you want to retrieve audit management logs from Palo Alto Cortex XDR. This operator will retrieve all audit management logs whose timestamp matches the time specified or the time later than the time specified on Palo Alto Cortex XDR. If you choose the 'Less Than Equal To' operator, then you can specify the following parameters: Timestamp: Datetime of the log from when you want to retrieve audit management logs from Palo Alto Cortex XDR. This operator will retrieve all audit management logs whose timestamp matches the time specified or the time earlier than the time specified on Palo Alto Cortex XDR.
Search From	An integer representing the starting offset within the query result set from which you want management logs returned.
Search To	An integer representing the end offset within the result set after which you do not want management logs returned.
Sort	Select this option if you want to sort the retrieved management logs by field and order the results. If you select this option, then you can specify the following parameters: Sort by Field: Choose the field by which you want to sort the management logs. For example, timestamp. Sort by Order: Choose the order in which you want to sort the result. You can choose between Ascending or Descending.

Output

The output contains the following populated JSON schema:
{
"reply": {
"data": [
{
"AUDIT_DESCRIPTION": "",
"AUDIT_HOSTNAME": "",
"AUDIT_SESSION_ID": "",
"AUDIT_ASSET_JSON": "",
"AUDIT_REASON": "",
"AUDIT_RESULT": "",
"AUDIT_OWNER_EMAIL": "",
"AUDIT_ENTITY": "",
"AUDIT_ASSET_NAMES": "",
"AUDIT_ID": "",
"AUDIT_ENTITY_SUBTYPE": "",
"AUDIT_CASE_ID": "",
"AUDIT_OWNER_NAME": "",
"AUDIT_INSERT_TIME": ""
}
],
"result_count": ""
}
}

operation: Get Audit Agent Report

Input parameters

Parameter	Description
Operator	String that identifies the comparison operator you want to use to filter audit agent reports to be retrieved from Palo Alto Cortex XDR. You can choose from the following: In, Greater Than Equal To, or Less Than Equal To. If you choose the 'In' operator, then you can specify the following parameters: Endpoint ID: String representing the ID of the endpoint whose associated audit agent reports you want to retrieve from Palo Alto Cortex XDR. Endpoint Name: String representing the name of the endpoint whose associated audit agent reports you want to retrieve from Palo Alto Cortex XDR. Type: Type of the audit agent reports you want to retrieve from Palo Alto Cortex XDR. For example, Agent Status. Sub Type: Subtype of the audit agent reports you want to retrieve from Palo Alto Cortex XDR. For example, Fully Protected. Result: Filter audit agent reports you want to retrieve from Palo Alto Cortex XDR based on the result of the agent report. For example, SUCCESS. Domain: Domain of the agent whose audit agent reports you want to retrieve from Palo Alto Cortex XDR. For example, WORKGROUP. xdr_version: XDR version for which you want to retrieve audit agent reports from Palo Alto Cortex XDR. Category: Type of event category whose audit agent reports you want to retrieve from Palo Alto Cortex XDR. You can choose from the following options: Status, Audit, or Monitoring. If you choose the 'Greater Than Equal To' operator, then you can specify the following parameters: Timestamp: Datetime of the report till when you want to retrieve audit management logs from Palo Alto Cortex XDR. This operator will retrieve all audit agent reports whose timestamp matches the time specified or the time later than the time specified on Palo Alto Cortex XDR. If you choose the 'Less Than Equal To' operator, then you can specify the following parameters: Timestamp: Datetime of the report from when you want to retrieve audit management logs from Palo Alto Cortex XDR. This operator will retrieve all audit agent reports whose timestamp matches the time specified or the time earlier than the time specified on Palo Alto Cortex XDR.
Search From	Integer representing the starting offset within the query result set from which you want this operation to return incidents from Palo Alto Cortex XDR.
Search To	Integer representing the end offset within the result set after which you do not want this operation to return incidents from Palo Alto Cortex XDR.
Sort	Select this option if you want to sort the retrieved audit agent reports by field and order the results. If you select this option, then you can specify the following parameters: Sort by Field: Choose the field by which you want to sort the audit agent reports. You can choose from the following options: Type, Category, Trapsversion, Timestamp, or Domaintimestamp. Sort by Order: Choose the order in which you want to sort the result. You can choose between Ascending or Descending.

Output

The output contains the following populated JSON schema:
{
"reply": {
"data": [
{
"RESULT": "",
"REASON": "",
"SUBTYPE": "",
"CATEGORY": "",
"DOMAIN": "",
"TRAPSVERSION": "",
"RECEIVEDTIME": "",
"TIMESTAMP": "",
"DESCRIPTION": "",
"ENDPOINTNAME": "",
"ENDPOINTID": "",
"TYPE": ""
}
],
"result_count": ""
}
}

operation: Blacklist Files

Input parameters

Parameter	Description
Hash List	String that represents a list of hashed files you want to blacklist on Palo Alto Cortex XDR. Note: Hash must be a valid SHA256 value.
Comment	String containing descriptive information about this action.

Output

The output contains the following populated JSON schema:
{
"reply": ""
}

operation: Whitelist Files

Input parameters

Parameter	Description
Hash List	String that represents a list of hashed files you want to whitelist on Palo Alto Cortex XDR. Note: Hash must be a valid SHA256 value.
Comment	String containing descriptive information about this action.

Output

The output contains the following populated JSON schema:
{
"reply": ""
}

operation: Quarantine Files

Input parameters

Parameter	Description
Operator	String that identifies the comparison operator you want to use to filter endpoints on which you want to quarantine files on Palo Alto Cortex XDR. You can choose from the following: In, Greater Than Equal To, or Less Than Equal To. If you choose the 'In' operator, then you can specify the following parameters: Endpoint ID List: List of endpoint IDs on which you want to quarantine files on Palo Alto Cortex XDR. Distribution Name: Name of the distribution list containing the endpoints on which you want to quarantine files on Palo Alto Cortex XDR Group Name: Name of the group containing the endpoints on which you want to quarantine files on Palo Alto Cortex XDR. Alias: Alias of the endpoints on which you want to quarantine files on Palo Alto Cortex XDR. Hostname: Name of the host of the endpoints on which you want to quarantine files on Palo Alto Cortex XDR. IP list: List of IP addresses containing the endpoints on which you want to quarantine files on Palo Alto Cortex XDR. Platform: Type of operating system that contains the endpoints on which you want to quarantine files on Palo Alto Cortex XDR. You can choose between Windows, Linux, Macos, or Android. Isolate: Select Isolated if the endpoints have been isolated and Unisolated if the endpoints have been unisolated. If you choose the 'Greater Than Equal To' operator, then you can specify the following parameters: First Seen: Time when the endpoint was first seen. This operator will quarantine files on all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR. Last Seen: Time when the endpoint was last seen. This operator will quarantine files on all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR. If you choose the 'Less Than Equal To' operator, then you can specify the following parameters: First Seen: Time when the endpoint was first seen. This operator will quarantine files on all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR. Last Seen: Time that the incident was last seen. This operator will quarantine files on all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR.
File Path	String that represents the path of the file you want to quarantine on the specified endpoints on Palo Alto Cortex XDR.
File Hash	String that represents the hash value of the file you want to quarantine on the specified endpoints on Palo Alto Cortex XDR.. The hash must be a valid SHA256 value.

Output

The output contains the following populated JSON schema:
{
"reply": {
"action_id": []
}
}

operation: Get Quarantine Status

Input parameters

Parameter	Description
Endpoint ID	String that represents the endpoint ID whose associated files' quarantine status you want to retrieve from Palo Alto Cortex XDR.
File Hash	String that represents the hash value of the file whose quarantine status you want to retrieve from Palo Alto Cortex XDR. The hash must be a valid SHA256 value.
File Path	String that represents the path of the file whose quarantine status you want to retrieve from Palo Alto Cortex XD

Output

The output contains the following populated JSON schema:
{
"reply": [
{
"endpoint_id": "",
"file_path": "",
"file_hash": "",
"status": ""
}
]
}

operation: Restore File

Input parameters

Parameter	Description
File Hash	String that represents the hash value of the quarantined file that you want to restore on the specified endpoint on Palo Alto Cortex XDR. The hash must be a valid SHA256 value.
Endpoint ID	String that represents the endpoint ID on which you want to restore the specified quarantined file.

Output

The output contains the following populated JSON schema:
{
"message": "",
"status": ""
}

operation: Retrieve File

Input parameters

Parameter	Description
Operator	String that identifies the comparison operator you want to use to filter files that you want to retrieve from Palo Alto Cortex XDR. You can choose from the following: In, Greater Than Equal To, or Less Than Equal To. If you choose the 'In' operator, then you can specify the following parameters: Endpoint ID List: List of endpoint IDs whose associated files you want to retrieve from Palo Alto Cortex XDR Distribution Name: Name of the distribution list containing the files you want to retrieve from Palo Alto Cortex XDR Group Name: Name of the endpoint group containing the files you want to retrieve from Palo Alto Cortex XDR Alias: Alias of the endpoints whose associated files you want to retrieve from Palo Alto Cortex XDR. Hostname: Name of the host of the endpoints whose associated files you want to retrieve from Palo Alto Cortex XDR. IP list: List of IP addresses containing the endpoints whose associated files you want to retrieve from Palo Alto Cortex XDR. Platform: Type of operating system that contains the endpoints whose associated files you want to retrieve from Palo Alto Cortex XDR. You can choose between Windows, Linux, Macos, or Android. Isolate: Select Isolated if the endpoints have been isolated and Unisolated if the endpoints have been unisolated. If you choose the 'Greater Than Equal To' operator, then you can specify the following parameters: First Seen: Time when the endpoint was first seen. This operator will retrieve files on all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR. Last Seen: Time when the endpoint was last seen. This operator will retrieve files on all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR. If you choose the 'Less Than Equal To' operator, then you can specify the following parameters: First Seen: Time when the endpoint was first seen. This operator will retrieve files on all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR. Last Seen: Time that the incident was last seen. This operator will retrieve files on all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR.
Files	Dictionary containing the type of operating system from which you want to retrieve files from Palo Alto Cortex XDR. You can choose between Windows, Linux, or Macos.
File Path	String that represents the path of the file used to retrieve files from Palo Alto Cortex XDR.

Output

The output contains the following populated JSON schema:
{
"reply": {
"action_id": []
}
}

Included playbooks

The Sample - Palo Alto Cortex XDR - 1.0.0 playbook collection comes bundled with the Palo Alto Cortex XDR connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in CyOPs^TM after importing the Palo Alto Cortex XDR connector.

Blacklist Files
Cancel Scan Endpoints
Create Distributions
Delete Endpoints
Fetch Incidents
Get All Endpoints
Get Audit Agent Report
Get Audit Management Logs
Get Device Violations
Get Distribution Status
Get Distribution URL
Get Distribution Version
Get Endpoints
Get Incident Details
Get Policy
Get Quarantine Status
Insert CEF Alerts
Insert Parsed Alerts
Isolate Endpoints
Quarantine Files
Restore File
Retrieve File
Scan Endpoints
Unisolate Endpoints
Update Incident
Whitelist Files

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during the connector upgrade and delete.

About the connector

Cortex XDR applies machine learning at cloud scale to rich network, endpoint, and cloud data, so you can quickly find and stop targeted attacks, insider abuse, and compromised endpoints.

Version information

Connector Version: 1.0.0

Authored By: Community

Certified: No

Installing the connector

yum install cyops-connector-paloalto-cortex-xdr

Prerequisites to configuring the connector

You must have the URL of Palo Alto Cortex XDR server to which you will connect and perform automated operations and credentials (API Key ID and API Key) to access that server.
To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

Parameter	Description
Server URL	URL of the Palo Alto Cortex XDR server to which you will connect and perform the automated operations.
API Key ID	ID of the API key configured for your account to access the Palo Alto Cortex XDR server to which you will connect and perform the automated operations.
API Key	API key configured for your account to access the Palo Alto Cortex XDR server to which you will connect and perform the automated operations. Note: You require a "Standard" security level API key.
Verify SSL	Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True.

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations from version 4.10.0 onwards:

Function	Description	Annotation and Category
Fetch Incidents	Retrieves incidents from Palo Alto Cortex XDR based on the input parameters specified.	fetch_incidents Investigation
Get Incident Details	Retrieves details, including alert and key artifacts, for a specific incident from Palo Alto Cortex XDR based on the incident ID and other input parameters specified.	get_incident_details Investigation
Update Incident	Updates incident fields like severity, status, etc. of a specific incident in Palo Alto Cortex XDR based on the incident ID and other input parameters specified.	update_incident Investigation
Insert CEF Alerts	Upload alerts in the CEF format from external alert sources to Palo Alto Cortex XDR based on the list of alerts specified. After you have mapped the CEF alert fields to Cortex XDR fields, Cortex XDR displays the alerts in related incidents and views.	insert_cef_alerts Investigation
Insert Parsed Alerts	Uploads alerts in the Cortex XDR format from external alert sources to Palo Alto Cortex XDR based on the product, vendor, and other input parameters specified. Cortex XDR displays alerts that are parsed successfully in related incidents and views.	insert_parsed_alerts Investigation
Isolate Endpoints	Isolates one or more endpoints in a single request on Palo Alto Cortex XDR based on the endpoint ID and other input parameters specified.	isolate_endpoints Investigation
Unisolate Endpoints	Unisolates one or more endpoints in a single request on Palo Alto Cortex XDR based on the endpoint ID and other input parameters specified.	unisolate_endpoints Investigation
Get All Endpoints	Retrieves a list of all your endpoints from Palo Alto Cortex XDR.	get_all_endpoints Investigation
Get Endpoints	Retrieves a list of filtered endpoints from Palo Alto Cortex XDR based on the input parameters specified.	get_endpoints Investigation
Scan Endpoints	Runs a scan on specified endpoints on Palo Alto Cortex XDR based on the input parameters specified.	scan_endpoints Investigation
Cancel Scan Endpoints	Cancels a scan on specified endpoints on Palo Alto Cortex XDR based on the input parameters specified.	cancel_scan_endpoints Investigation
Delete Endpoints	Deletes specified endpoints from the Cortex XDR app based on the input parameters specified. Note: You can delete up to 100 endpoints.	delete_endpoints Investigation
Get Policy	Retrieves the policy for a specific endpoint from Palo Alto Cortex XDR based on the endpoint ID specified	get_policy Investigation
Get Device Violations	Retrieves a list of filtered device violations from Palo Alto Cortex XDR based on the input parameters specified.	get_device_violations Investigation
Get Distribution Version	Retrieves a list of all the agent versions that are used for creating a distribution list from Palo Alto Cortex XDR.	get_distribution_version Investigation
Create Distributions	Creates an installation package on Palo Alto Cortex XDR based on the distribution name and package type specified.	create_distributions Investigation
Get Distribution Status	Checks and retrieves the status of the installation package from Palo Alto Cortex XDR based on the distribution ID specified.	get_distribution_status Investigation
Get Distribution URL	Retrieves the distribution URL for downloading the installation package from Palo Alto Cortex XDR based on the distribution ID and package type specified.	get_distribution_url Investigation
Get Audit Management Logs	Retrieves audit management logs from Palo Alto Cortex XDR based on the input parameters specified.	get_audit_management_log Investigation
Get Audit Agent Report	Retrieves agent event reports from Palo Alto Cortex XDR based on the input parameters specified.	get_audit_agent_report Investigation
Blacklist Files	Blacklists the specified files that have not already been blacklisted on Palo Alto Cortex XDR based on the list of hash files specified.	blacklist_files Investigation
Whitelist Files	Whitelists the specified files that have not already been whitelisted on Palo Alto Cortex XDR based on the list of hash files specified.	whitelist_files Investigation
Quarantine Files	Quarantines files on specified endpoints on Palo Alto Cortex XDR based on the file path, file hash and other input parameters specified.	quarantine_files Investigation
Get Quarantine Status	Retrieves the quarantine status for a specified file from Palo Alto Cortex XDR based on the endpoint ID, file path, and file hash specified.	get_quarantine_status Investigation
Restore File	Restores a quarantined file on a specified endpoint on Palo Alto Cortex XDR based on the endpoint ID and file hash specified	restore_file Investigation
Retrieve File	Retrieves a file from specified endpoints from Palo Alto Cortex XDR based on the file path and other input parameters specified. Note: You can retrieve up to 20 files from a maximum of 100 endpoints.	retrieve_file Investigation

operation: Fetch Incidents

Input parameters

Parameter	Description
Operator	String that identifies the comparison operator you want to use to filter incidents to be retrieved from Palo Alto Cortex XDR. You can choose from the following: In, Contains, Greater Than Equal To, or Less Than Equal To. If you choose the 'In' operator, then you can specify the following parameters: Incident ID List: List of incident IDs based on which you want to retrieve incidents from Palo Alto Cortex XDR. Each item in the list must be an incident ID. Alert Sources: Source which detected the alert whose associated incidents you want to retrieve from Palo Alto Cortex XDR. Description: Description of the incident that you want to retrieve from Palo Alto Cortex XDR. If you choose the 'Contains' operator, then you can specify the following parameters: Description: Description of the incident that you want to retrieve from Palo Alto Cortex XDR. If you choose the 'Greater Than Equal To' operator, then you can specify the following parameters: Modification Time: Time the incident has been modified. This operator will retrieve all incidents that match the time specified or the time later than the time specified from Palo Alto Cortex XDR. Creation Time: Time that the incident has been created. This operator will retrieve all incidents that match the time specified or the time later than the time specified from Palo Alto Cortex XDR. If you choose the 'Less Than Equal To' operator, then you can specify the following parameters: Modification Time: Time the incident has been modified. This operator will retrieve all incidents that match the time specified or the time earlier than the time specified from Palo Alto Cortex XDR. Creation Time: Time that the incident has been created. This operator will retrieve all incidents that match the time specified or the time earlier than the time specified from Palo Alto Cortex XDR.
Search From	Integer representing the starting offset within the query result set from which you want this operation to return incidents from Palo Alto Cortex XDR.
Search To	Integer representing the end offset within the result set after which you do not want this operation to return incidents from Palo Alto Cortex XDR.
Sort	Select this option if you want to sort the retrieved incidents by field and order the results. If you select this option, then you can specify the following parameters: Sort by Field: Choose the field by which you want to sort the incidents. You can choose between Modification Time or Creation Time. Sort by Order: Choose the order in which you want to sort the result. You can choose between Ascending or Descending.

Output

operation: Get Incident Details

Input parameters

Parameter	Description
Incident ID	ID of the incident for which you want to retrieve details including alerts and key artifacts from Palo Alto Cortex XDR.
Alerts Limit	(Optional) Maximum number of alerts related to the specified incident you want to retrieve from Palo Alto Cortex XDR. By default, this is set to '1000'.

Output

operation: Update Incident

Input parameters

Parameter	Description
Incident ID	ID of the incident that you want to update Palo Alto Cortex XDR.
Assigned User Mail	(Optional) Email address of the incident assignee that you want to update in the specified incident in Palo Alto Cortex XDR.
Assigned User Pretty Name	(Optional) Full name of the incident assignee that you want to update in the specified incident in Palo Alto Cortex XDR.
Severity	(Optional) Severity level you want to update in the specified incident in Palo Alto Cortex XDR. You can choose from the following options: High, Medium, or Low.
Status	(Optional) Full name of the incident assignee that you want to update in the specified incident in Palo Alto Cortex XDR. You can choose from the following options: New, Under Investigation, Resolved Threat Handled, Resolved Know Issue, Resolved Duplicate, Resolved False Positive, or Resolved Other.
Resolve Comment	Descriptive comment that explains the updates made to the specified incident.

Output

The output contains the following populated JSON schema:
{
"message": "",
"status": ""
}

operation: Insert CEF Alerts

Input parameters

Parameter	Description
Alerts	Comma-separated list of alerts in the CEF format that you want to add to Palo Alto Cortex XDR.

Output

The output contains the following populated JSON schema:
{
"reply": ""
}

operation: Insert Parsed Alerts

Input parameters
Note: Value that you specify in the following parameters will be used to upload alerts to Palo Alto Cortex XDR.

Parameter	Description
Product	String value that defines the product. For example, VPN & Firewall-1.
Vendor	String value that defines the vendor. For example, Check Point.
Local IP	String value for the source IP address.
Local Port	Integer value for the source port.
Remote IP	String value of the destination IP address.
Remote Port	Integer value for the destination port.
Event Timestamp	Time the alert occurred.
Alert Name	String defining the name of the alert that you want to upload to Palo Alto Cortex XDR.
Severity	(Optional) Choose the severity of the alert that you want to upload to Palo Alto Cortex XDR. You can choose from the following options: Informational, High, Medium, Low, or Unknown.
Alert Description	(Optional) String defining the description of the alert that you want to upload to Palo Alto Cortex XDR.

Output

The output contains the following populated JSON schema:
{
"reply": ""
}

operation: Isolate Endpoints

Input parameters

Parameter	Description
Isolate Endpoint	Choose whether you want to isolate a single endpoint or more than one endpoint on Palo Alto Cortex XDR. You can choose between Isolate One Endpoint or Isolate More Than One Endpoint. If you choose the 'Isolate One Endpoint' option, then you can specify the following parameters: Endpoint ID: ID of the endpoint that you want to isolate on Palo Alto Cortex XDR. If you choose the 'Isolate More Than One Endpoint' option, then you can specify the following parameters: Operator: String that identifies the comparison operator you want to use to filter endpoint to be isolated on Palo Alto Cortex XDR. You can choose from the following: In, Greater Than Equal To, or Less Than Equal To. If you choose the 'In' operator, then you can specify the following parameters: Endpoint ID List: List of endpoint IDs to isolate on Palo Alto Cortex XDR. Distribution Name: Name of the distribution list containing the endpoints to isolate on Palo Alto Cortex XDR. Group Name: Name of the group containing the endpoints to isolate on Palo Alto Cortex XDR. Alias: Alias of the endpoints to isolate on Palo Alto Cortex XDR. Hostname: Name of the host of the endpoints to isolate on Palo Alto Cortex XDR. IP list: List of IP addresses containing the endpoints to isolate on Palo Alto Cortex XDR. Platform: Type of operating system that contains the endpoints to isolate on Palo Alto Cortex XDR. You can choose between Windows, Linux, Macos, or Android. Isolate: Select Isolated if the endpoints are isolated. If you choose the 'Greater Than Equal To' operator, then you can specify the following parameters: First Seen: Time when the endpoint was first seen. This operator will isolate all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR. Last Seen: Time when the endpoint was last seen. This operator will isolate all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR. If you choose the 'Less Than Equal To' operator, then you can specify the following parameters: First Seen: Time when the endpoint was first seen. This operator will isolate all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR. Last Seen: Time that the incident was last seen. This operator will isolate all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR.

Parameter

Description

Isolate Endpoint

Endpoint ID: ID of the endpoint that you want to isolate on Palo Alto Cortex XDR.

If you choose the 'Isolate More Than One Endpoint' option, then you can specify the following parameters:

Operator: String that identifies the comparison operator you want to use to filter endpoint to be isolated on Palo Alto Cortex XDR. You can choose from the following: In, Greater Than Equal To, or Less Than Equal To.
If you choose the 'In' operator, then you can specify the following parameters:
- Endpoint ID List: List of endpoint IDs to isolate on Palo Alto Cortex XDR.
- Distribution Name: Name of the distribution list containing the endpoints to isolate on Palo Alto Cortex XDR.
- Group Name: Name of the group containing the endpoints to isolate on Palo Alto Cortex XDR.
- Alias: Alias of the endpoints to isolate on Palo Alto Cortex XDR.
- Hostname: Name of the host of the endpoints to isolate on Palo Alto Cortex XDR.
- IP list: List of IP addresses containing the endpoints to isolate on Palo Alto Cortex XDR.
- Platform: Type of operating system that contains the endpoints to isolate on Palo Alto Cortex XDR. You can choose between Windows, Linux, Macos, or Android.
- Isolate: Select Isolated if the endpoints are isolated.
If you choose the 'Greater Than Equal To' operator, then you can specify the following parameters:
- First Seen: Time when the endpoint was first seen. This operator will isolate all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR.
- Last Seen: Time when the endpoint was last seen. This operator will isolate all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR.
If you choose the 'Less Than Equal To' operator, then you can specify the following parameters:
- First Seen: Time when the endpoint was first seen. This operator will isolate all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR.
- Last Seen: Time that the incident was last seen. This operator will isolate all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR.

Output

The output contains the following populated JSON schema:
{
"reply": {
"action_id": []
}
}

operation: Unisolate Endpoints

Input parameters

Parameter	Description
Unisolate Endpoint	Choose whether you want to unisolate a single endpoint or more than one endpoint on Palo Alto Cortex XDR. You can choose between unisolate One Endpoint or unisolate More Than One Endpoint. If you choose the 'Unisolate One Endpoint' option, then you can specify the following parameters: Endpoint ID: ID of the endpoint that you want to unisolate on Palo Alto Cortex XDR. If you choose the 'Unisolate More Than One Endpoint' option, then you can specify the following parameters: Operator: String that identifies the comparison operator you want to use to filter endpoint to be unisolated on Palo Alto Cortex XDR. You can choose from the following: In, Greater Than Equal To, or Less Than Equal To. If you choose the 'In' operator, then you can specify the following parameters: Endpoint ID List: List of endpoint IDs to unisolate on Palo Alto Cortex XDR. Distribution Name: Name of the distribution list containing the endpoints to unisolate on Palo Alto Cortex XDR. Group Name: Name of the group containing the endpoints to unisolate on Palo Alto Cortex XDR. Alias: Alias of the endpoints to unisolate on Palo Alto Cortex XDR. Hostname: Name of the host of the endpoints to unisolate on Palo Alto Cortex XDR. IP list: List of IP addresses containing the endpoints to unisolate on Palo Alto Cortex XDR. Platform: Type of operating system that contains the endpoints to unisolate on Palo Alto Cortex XDR. You can choose between Windows, Linux, Macos, or Android. Isolate: Select Unisolated if the endpoints are unisolated. If you choose the 'Greater Than Equal To' operator, then you can specify the following parameters: First Seen: Time when the endpoint was first seen. This operator will unisolate all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR. Last Seen: Time when the endpoint was last seen. This operator will unisolate all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR. If you choose the 'Less Than Equal To' operator, then you can specify the following parameters: First Seen: Time when the endpoint was first seen. This operator will unisolate all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR. Last Seen: Time that the incident was last seen. This operator will unisolate all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR.

Parameter

Description

Unisolate Endpoint

Endpoint ID: ID of the endpoint that you want to unisolate on Palo Alto Cortex XDR.

If you choose the 'Unisolate More Than One Endpoint' option, then you can specify the following parameters:

Operator: String that identifies the comparison operator you want to use to filter endpoint to be unisolated on Palo Alto Cortex XDR. You can choose from the following: In, Greater Than Equal To, or Less Than Equal To.
If you choose the 'In' operator, then you can specify the following parameters:
- Endpoint ID List: List of endpoint IDs to unisolate on Palo Alto Cortex XDR.
- Distribution Name: Name of the distribution list containing the endpoints to unisolate on Palo Alto Cortex XDR.
- Group Name: Name of the group containing the endpoints to unisolate on Palo Alto Cortex XDR.
- Alias: Alias of the endpoints to unisolate on Palo Alto Cortex XDR.
- Hostname: Name of the host of the endpoints to unisolate on Palo Alto Cortex XDR.
- IP list: List of IP addresses containing the endpoints to unisolate on Palo Alto Cortex XDR.
- Platform: Type of operating system that contains the endpoints to unisolate on Palo Alto Cortex XDR. You can choose between Windows, Linux, Macos, or Android.
- Isolate: Select Unisolated if the endpoints are unisolated.
If you choose the 'Greater Than Equal To' operator, then you can specify the following parameters:
- First Seen: Time when the endpoint was first seen. This operator will unisolate all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR.
- Last Seen: Time when the endpoint was last seen. This operator will unisolate all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR.
If you choose the 'Less Than Equal To' operator, then you can specify the following parameters:
- First Seen: Time when the endpoint was first seen. This operator will unisolate all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR.
- Last Seen: Time that the incident was last seen. This operator will unisolate all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR.

Output

The output contains the following populated JSON schema:
{
"reply": {
"action_id": []
}
}

operation: Get All Endpoints

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
"reply": [
{
"agent_type": "",
"agent_id": "",
"host_name": "",
"agent_status": "",
"ip": ""
}
]
}

operation: Get Endpoints

Input parameters

Parameter	Description
Operator	String that identifies the comparison operator you want to use to filter endpoints to be retrieved from Palo Alto Cortex XDR. You can choose from the following: In, Greater Than Equal To, or Less Than Equal To. If you choose the 'In' operator, then you can specify the following parameters: Endpoint ID List: List of endpoint IDs based on which you want to retrieve endpoints from Palo Alto Cortex XDR. Distribution Name: Name of the distribution list or installation package name containing the endpoints to be retrieved from Palo Alto Cortex XDR. Group Name: Name of the group containing the endpoints to be retrieved from Palo Alto Cortex XDR. Alias: Alias of the endpoints to be retrieved from Palo Alto Cortex XDR. Hostname: Name of the host of the endpoints to be retrieved from Palo Alto Cortex XDR. IP list: List of IP addresses containing the endpoints to be retrieved from Palo Alto Cortex XDR. Platform: Type of operating system that contains the endpoints to be retrieved from Palo Alto Cortex XDR. You can choose between Windows, Linux, Macos, or Android. Isolate: Select Isolated if the endpoints have been isolated and Unisolated if the endpoints have been unisolated. If you choose the 'Greater Than Equal To' operator, then you can specify the following parameters: First Seen: Time when the endpoint was first seen. This operator will retrieve all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR. Last Seen: Time when the endpoint was last seen. This operator will retrieve all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR. If you choose the 'Less Than Equal To' operator, then you can specify the following parameters: First Seen: Time when the endpoint was first seen. This operator will retrieve all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR. Last Seen: Time that the incident was last seen. This operator will retrieve all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR.
Search From	Integer representing the starting offset within the query result set from which you want this operation to return incidents from Palo Alto Cortex XDR.
Search To	Integer representing the end offset within the result set after which you do not want this operation to return incidents from Palo Alto Cortex XDR.
Sort	Select this option if you want to sort the retrieved endpoints by field and order the results. If you select this option, then you can specify the following parameters: Sort by Field: Choose the field by which you want to sort the endpoints. You can choose between First Seen or Last Seen. Sort by Order: Choose the order in which you want to sort the result. You can choose between Ascending or Descending.

Output

operation: Scan Endpoints

Input parameters

Parameter	Description
Operator	String that identifies the comparison operator you want to use to filter endpoints to be scanned on Palo Alto Cortex XDR. You can choose from the following: In, Greater Than Equal To, or Less Than Equal To. If you choose the 'In' operator, then you can specify the following parameters: Endpoint ID List: List of endpoint IDs that you want to scan on Palo Alto Cortex XDR. Distribution Name: Name of the distribution list containing the endpoints that you want to scan on Palo Alto Cortex XDR. Group Name: Name of the group containing the endpoints that you want to scan on Palo Alto Cortex XDR. Alias: Alias of the endpoints to be scanned on Palo Alto Cortex XDR. Hostname: Name of the host of the endpoints to be scanned on Palo Alto Cortex XDR. IP list: List of IP addresses containing the endpoints to be scanned on Palo Alto Cortex XDR. Platform: Type of operating system that contains the endpoints to be scanned on Palo Alto Cortex XDR. You can choose between Windows, Linux, Macos, or Android. Isolate: Select Isolated if the endpoints have been isolated and Unisolated if the endpoints have been unisolated. If you choose the 'Greater Than Equal To' operator, then you can specify the following parameters: First Seen: Time when the endpoint was first seen. This operator will scan all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR. Last Seen: Time when the endpoint was last seen. This operator will scan all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR. If you choose the 'Less Than Equal To' operator, then you can specify the following parameters: First Seen: Time when the endpoint was first seen. This operator will scan all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR. Last Seen: Time that the incident was last seen. This operator will scan all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR.

Parameter

Description

Operator

If you choose the 'In' operator, then you can specify the following parameters:
- Endpoint ID List: List of endpoint IDs that you want to scan on Palo Alto Cortex XDR.
- Distribution Name: Name of the distribution list containing the endpoints that you want to scan on Palo Alto Cortex XDR.
- Group Name: Name of the group containing the endpoints that you want to scan on Palo Alto Cortex XDR.
- Alias: Alias of the endpoints to be scanned on Palo Alto Cortex XDR.
- Hostname: Name of the host of the endpoints to be scanned on Palo Alto Cortex XDR.
- IP list: List of IP addresses containing the endpoints to be scanned on Palo Alto Cortex XDR.
- Platform: Type of operating system that contains the endpoints to be scanned on Palo Alto Cortex XDR. You can choose between Windows, Linux, Macos, or Android.
- Isolate: Select Isolated if the endpoints have been isolated and Unisolated if the endpoints have been unisolated.
If you choose the 'Greater Than Equal To' operator, then you can specify the following parameters:
- First Seen: Time when the endpoint was first seen. This operator will scan all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR.
- Last Seen: Time when the endpoint was last seen. This operator will scan all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR.
If you choose the 'Less Than Equal To' operator, then you can specify the following parameters:
- First Seen: Time when the endpoint was first seen. This operator will scan all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR.
- Last Seen: Time that the incident was last seen. This operator will scan all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR.

Output

The output contains the following populated JSON schema:
{
"reply": {
"action_id": []
}
}

operation: Cancel Scan Endpoints

Input parameters

Parameter	Description
Operator	String that identifies the comparison operator you want to use to filter endpoints whose scans are to be canceled on Palo Alto Cortex XDR. You can choose from the following: In, Greater Than Equal To, or Less Than Equal To. If you choose the 'In' operator, then you can specify the following parameters: Endpoint ID List: List of endpoint IDs whose scans you want to cancel on Palo Alto Cortex XDR. Distribution Name: Name of the distribution list containing the endpoints whose scans you want to cancel on Palo Alto Cortex XDR. Group Name: Name of the group containing the endpoints whose scans you want to cancel on Palo Alto Cortex XDR. Alias: Alias of the endpoints whose scans you want to cancel Palo Alto Cortex XDR. Hostname: Name of the host of the endpoints whose scans you want to cancel Palo Alto Cortex XDR. IP list: List of IP addresses containing the endpoints whose scans you want to cancel on Palo Alto Cortex XDR. Platform: Type of operating system that contains the endpoints whose scans you want to cancel on Palo Alto Cortex XDR. You can choose between Windows, Linux, Macos, or Android. Isolate: Select Isolated if the endpoints have been isolated and Unisolated if the endpoints have been unisolated. If you choose the 'Greater Than Equal To' operator, then you can specify the following parameters: First Seen: Time when the endpoint was first seen. This operator will cancel the scans on all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR. Last Seen: Time when the endpoint was last seen. This operator will cancel the scans on all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR. If you choose the 'Less Than Equal To' operator, then you can specify the following parameters: First Seen: Time when the endpoint was first seen. This operator will cancel the scans on all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR. Last Seen: Time that the incident was last seen. This operator will cancel the scans on all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR.

Parameter

Description

Operator

If you choose the 'In' operator, then you can specify the following parameters:
- Endpoint ID List: List of endpoint IDs whose scans you want to cancel on Palo Alto Cortex XDR.
- Distribution Name: Name of the distribution list containing the endpoints whose scans you want to cancel on Palo Alto Cortex XDR.
- Group Name: Name of the group containing the endpoints whose scans you want to cancel on Palo Alto Cortex XDR.
- Alias: Alias of the endpoints whose scans you want to cancel Palo Alto Cortex XDR.
- Hostname: Name of the host of the endpoints whose scans you want to cancel Palo Alto Cortex XDR.
- IP list: List of IP addresses containing the endpoints whose scans you want to cancel on Palo Alto Cortex XDR.
- Platform: Type of operating system that contains the endpoints whose scans you want to cancel on Palo Alto Cortex XDR. You can choose between Windows, Linux, Macos, or Android.
- Isolate: Select Isolated if the endpoints have been isolated and Unisolated if the endpoints have been unisolated.
If you choose the 'Greater Than Equal To' operator, then you can specify the following parameters:
- First Seen: Time when the endpoint was first seen. This operator will cancel the scans on all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR.
- Last Seen: Time when the endpoint was last seen. This operator will cancel the scans on all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR.
If you choose the 'Less Than Equal To' operator, then you can specify the following parameters:
- First Seen: Time when the endpoint was first seen. This operator will cancel the scans on all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR.
- Last Seen: Time that the incident was last seen. This operator will cancel the scans on all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR.

Output

The output contains the following populated JSON schema:
{
"reply": ""
}

operation: Delete Endpoints

Input parameters

Parameter	Description
Operator	String that identifies the comparison operator you want to use to filter endpoints to be deleted from the Palo Alto Cortex XDR app. You can choose from the following: In, Greater Than Equal To, or Less Than Equal To. If you choose the 'In' operator, then you can specify the following parameters: Endpoint ID List: List of endpoint IDs that you want to delete from the Palo Alto Cortex XDR app. Distribution Name: Name of the distribution list containing the endpoints that you want to delete from the Palo Alto Cortex XDR app. Group Name: Name of the group containing the endpoints that you want to delete from the Palo Alto Cortex XDR app. Alias: Alias of the endpoints to be deleted from the Palo Alto Cortex XDR app. Hostname: Name of the host of the endpoints to be deleted from the Palo Alto Cortex XDR app. IP list: List of IP addresses containing the endpoints to be deleted from the Palo Alto Cortex XDR app. Platform: Type of operating system that contains the endpoints to be deleted from the Palo Alto Cortex XDR app. You can choose between Windows, Linux, Macos, or Android. Isolate: Select Isolated if the endpoints have been isolated and Unisolated if the endpoints have been unisolated. If you choose the 'Greater Than Equal To' operator, then you can specify the following parameters: First Seen: Time when the endpoint was first seen. This operator will delete all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR. Last Seen: Time when the endpoint was last seen. This operator will delete all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR. If you choose the 'Less Than Equal To' operator, then you can specify the following parameters: First Seen: Time when the endpoint was first seen. This operator will delete all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR. Last Seen: Time that the incident was last seen. This operator will delete all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR.

Parameter

Description

Operator

If you choose the 'In' operator, then you can specify the following parameters:
- Endpoint ID List: List of endpoint IDs that you want to delete from the Palo Alto Cortex XDR app.
- Distribution Name: Name of the distribution list containing the endpoints that you want to delete from the Palo Alto Cortex XDR app.
- Group Name: Name of the group containing the endpoints that you want to delete from the Palo Alto Cortex XDR app.
- Alias: Alias of the endpoints to be deleted from the Palo Alto Cortex XDR app.
- Hostname: Name of the host of the endpoints to be deleted from the Palo Alto Cortex XDR app.
- IP list: List of IP addresses containing the endpoints to be deleted from the Palo Alto Cortex XDR app.
- Platform: Type of operating system that contains the endpoints to be deleted from the Palo Alto Cortex XDR app. You can choose between Windows, Linux, Macos, or Android.
- Isolate: Select Isolated if the endpoints have been isolated and Unisolated if the endpoints have been unisolated.
If you choose the 'Greater Than Equal To' operator, then you can specify the following parameters:
- First Seen: Time when the endpoint was first seen. This operator will delete all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR.
- Last Seen: Time when the endpoint was last seen. This operator will delete all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR.
If you choose the 'Less Than Equal To' operator, then you can specify the following parameters:
- First Seen: Time when the endpoint was first seen. This operator will delete all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR.
- Last Seen: Time that the incident was last seen. This operator will delete all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR.

Output

The output contains the following populated JSON schema:
{
"reply": ""
}

operation: Get Policy

Input parameters

Parameter	Description
Endpoint ID	String the represents the endpoint ID based on which you want to retrieve the policy from Palo Alto Cortex XDR. For example, 51588e4ce9214c63b39d054bd073b93a

Output

The output contains the following populated JSON schema:
{
"reply": {
"policy_name": ""
}
}

operation: Get Device Violations

Input parameters

Parameter	Description
Operator	String that identifies the comparison operator you want to use to filter device violations to be retrieved from Palo Alto Cortex XDR. You can choose from the following: In, Greater Than Equal To, or Less Than Equal To. If you choose the 'In' operator, then you can specify the following parameters: Endpoint ID List: List of endpoint IDs based on which you want to retrieve violations from Palo Alto Cortex XDR. Vendor: String value that defines the vendor whose associated violations are to be retrieved from Palo Alto Cortex XDR. For example, Check Point. Vendor ID: String value that defines the vendor ID whose associated violations are to be retrieved from Palo Alto Cortex XDR. For example, 0x0999. Product: String value that defines the product whose associated violations are to be retrieved from Palo Alto Cortex XDR. For example, VPN & Firewall-1. Product ID: String value that defines the product ID whose associated violations are to be retrieved from Palo Alto Cortex XDR. For example, 0x10036. Serial: String value that defines the serial number whose associated violations are to be retrieved from Palo Alto Cortex XDR. For example, 8888889. Hostname: Name of the host whose associated violations are to be retrieved from Palo Alto Cortex XDR. Username: Name of the user whose associated violations are to be retrieved from Palo Alto Cortex XDR. Type: Type of violations that are to be retrieved from Palo Alto Cortex XDR. You can choose between CS ROM, Disk Drive, Floppy Disk, or Portable Device. IP list: List of IP addresses whose associated violations are to be retrieved from Palo Alto Cortex XDR. Violations ID List: List of violations IDs based on which you want to retrieve violations from Palo Alto Cortex XDR. If you choose the 'Greater Than Equal To' operator, then you can specify the following parameters: Timestamp: Datetime till when you want to retrieve violations from Palo Alto Cortex XDR. This operator will retrieve all violations that match the time specified or the time later than the time specified on Palo Alto Cortex XDR. If you choose the 'Less Than Equal To' operator, then you can specify the following parameters: Timestamp: Datetime from when you want to retrieve violations from Palo Alto Cortex XDR. This operator will retrieve all violations that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR.
Search From	Integer representing the starting offset within the query result set from which you want this operation to return incidents from Palo Alto Cortex XDR.
Search To	Integer representing the end offset within the result set after which you do not want this operation to return incidents from Palo Alto Cortex XDR.
Sort	Select this option if you want to sort the retrieved violations by field and order the results. If you select this option, then you can specify the following parameters: Sort by Field: Choose the field by which you want to sort the violations. You can choose between First Seen or Last Seen. Sort by Order: Choose the order in which you want to sort the result. You can choose between Ascending or Descending.

Output

operation: Get Distribution Version

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
"reply": {
"macos": [],
"linux": [],
"windows": []
}
}

operation: Create Distributions

Input parameters

Parameter	Description
Name	String representing the name of the installation package that you want to create on Palo Alto Cortex XDR.
Package Type	String representing the type of installation package that you want to create on Palo Alto Cortex XDR. You can choose from the following types: Standalone or Upgrade. If you choose the 'Standalone' operator, then you can specify the following parameters: Platform: Platform on which you want to create the installation package. You can choose the following: Windows, Linux, Macos, or Android. If you choose 'Windows', then in the Agent Version field, enter the version of the agent. For example, 5.0.7.16157. If you choose 'Macos', then in the Agent Version field, enter the version of the agent. For example, 5.0.7.16157. If you choose 'Linux', then in the Agent Version field, enter the version of the agent. For example, 5.0.7.16157. If you choose the 'Upgrade' operator, then you can specify the following parameters: Upgrade: Specify the version of an agent from ESM to be upgraded. You can specify the following values: windows_version, linux_version, or macos_version.
Description	String containing descriptive information about the installation package.

Parameter

Description

Name

String representing the name of the installation package that you want to create on Palo Alto Cortex XDR.

Package Type

Platform: Platform on which you want to create the installation package. You can choose the following: Windows, Linux, Macos, or Android.
- If you choose 'Windows', then in the Agent Version field, enter the version of the agent. For example, 5.0.7.16157.
- If you choose 'Macos', then in the Agent Version field, enter the version of the agent. For example, 5.0.7.16157.
- If you choose 'Linux', then in the Agent Version field, enter the version of the agent. For example, 5.0.7.16157.

If you choose the 'Upgrade' operator, then you can specify the following parameters:

Upgrade: Specify the version of an agent from ESM to be upgraded. You can specify the following values: windows_version, linux_version, or macos_version.

Description

String containing descriptive information about the installation package.

Output

The output contains the following populated JSON schema:
{
"reply": {
"distribution_id": ""
}
}

operation: Get Distribution Status

Input parameters

Parameter	Description
Distribution ID	String representing the ID of the installation package whose status you want to retrieve from Palo Alto Cortex XDR.

Output

The output contains the following populated JSON schema:
{
"reply": {
"status": ""
}
}

operation: Get Distribution URL

Input parameters

Parameter	Description
Distribution ID	String representing the ID of the installation package whose distribution URL you want to retrieve from Palo Alto Cortex XDR.
Package Type	String representing the type of installation package whose distribution URL you want to retrieve from Palo Alto Cortex XDR. You can choose from the following options: sh-For Linux, rpm-For Linux, deb-For Linux, pkg-For Mac, x86-For Windows, or x64-For Windows.

Output

The output contains the following populated JSON schema:
{
"reply": {
"distribution_url": ""
}
}

operation: Get Audit Management Logs

Input parameters

Parameter	Description
Operator	String that identifies the comparison operator you want to use to filter audit management logs to be retrieved from Palo Alto Cortex XDR. You can choose from the following: In, Greater Than Equal To, or Less Than Equal To. If you choose the 'In' operator, then you can specify the following parameters: Email: Email address of the user whose audit management logs you want to retrieve from Palo Alto Cortex XDR. Type: Type of the audit management logs you want to retrieve from Palo Alto Cortex XDR. Sub Type: Subtype of the audit management logs you want to retrieve from Palo Alto Cortex XDR. Result: Filter audit log management logs you want to retrieve from Palo Alto Cortex XDR based on the result of the audit log. For example, SUCCESS. If you choose the 'Greater Than Equal To' operator, then you can specify the following parameters: Timestamp: Datetime of the log till when you want to retrieve audit management logs from Palo Alto Cortex XDR. This operator will retrieve all audit management logs whose timestamp matches the time specified or the time later than the time specified on Palo Alto Cortex XDR. If you choose the 'Less Than Equal To' operator, then you can specify the following parameters: Timestamp: Datetime of the log from when you want to retrieve audit management logs from Palo Alto Cortex XDR. This operator will retrieve all audit management logs whose timestamp matches the time specified or the time earlier than the time specified on Palo Alto Cortex XDR.
Search From	An integer representing the starting offset within the query result set from which you want management logs returned.
Search To	An integer representing the end offset within the result set after which you do not want management logs returned.
Sort	Select this option if you want to sort the retrieved management logs by field and order the results. If you select this option, then you can specify the following parameters: Sort by Field: Choose the field by which you want to sort the management logs. For example, timestamp. Sort by Order: Choose the order in which you want to sort the result. You can choose between Ascending or Descending.

Output

operation: Get Audit Agent Report

Input parameters

Parameter	Description
Operator	String that identifies the comparison operator you want to use to filter audit agent reports to be retrieved from Palo Alto Cortex XDR. You can choose from the following: In, Greater Than Equal To, or Less Than Equal To. If you choose the 'In' operator, then you can specify the following parameters: Endpoint ID: String representing the ID of the endpoint whose associated audit agent reports you want to retrieve from Palo Alto Cortex XDR. Endpoint Name: String representing the name of the endpoint whose associated audit agent reports you want to retrieve from Palo Alto Cortex XDR. Type: Type of the audit agent reports you want to retrieve from Palo Alto Cortex XDR. For example, Agent Status. Sub Type: Subtype of the audit agent reports you want to retrieve from Palo Alto Cortex XDR. For example, Fully Protected. Result: Filter audit agent reports you want to retrieve from Palo Alto Cortex XDR based on the result of the agent report. For example, SUCCESS. Domain: Domain of the agent whose audit agent reports you want to retrieve from Palo Alto Cortex XDR. For example, WORKGROUP. xdr_version: XDR version for which you want to retrieve audit agent reports from Palo Alto Cortex XDR. Category: Type of event category whose audit agent reports you want to retrieve from Palo Alto Cortex XDR. You can choose from the following options: Status, Audit, or Monitoring. If you choose the 'Greater Than Equal To' operator, then you can specify the following parameters: Timestamp: Datetime of the report till when you want to retrieve audit management logs from Palo Alto Cortex XDR. This operator will retrieve all audit agent reports whose timestamp matches the time specified or the time later than the time specified on Palo Alto Cortex XDR. If you choose the 'Less Than Equal To' operator, then you can specify the following parameters: Timestamp: Datetime of the report from when you want to retrieve audit management logs from Palo Alto Cortex XDR. This operator will retrieve all audit agent reports whose timestamp matches the time specified or the time earlier than the time specified on Palo Alto Cortex XDR.
Search From	Integer representing the starting offset within the query result set from which you want this operation to return incidents from Palo Alto Cortex XDR.
Search To	Integer representing the end offset within the result set after which you do not want this operation to return incidents from Palo Alto Cortex XDR.
Sort	Select this option if you want to sort the retrieved audit agent reports by field and order the results. If you select this option, then you can specify the following parameters: Sort by Field: Choose the field by which you want to sort the audit agent reports. You can choose from the following options: Type, Category, Trapsversion, Timestamp, or Domaintimestamp. Sort by Order: Choose the order in which you want to sort the result. You can choose between Ascending or Descending.

Output

operation: Blacklist Files

Input parameters

Parameter	Description
Hash List	String that represents a list of hashed files you want to blacklist on Palo Alto Cortex XDR. Note: Hash must be a valid SHA256 value.
Comment	String containing descriptive information about this action.

Output

The output contains the following populated JSON schema:
{
"reply": ""
}

operation: Whitelist Files

Input parameters

Parameter	Description
Hash List	String that represents a list of hashed files you want to whitelist on Palo Alto Cortex XDR. Note: Hash must be a valid SHA256 value.
Comment	String containing descriptive information about this action.

Output

The output contains the following populated JSON schema:
{
"reply": ""
}

operation: Quarantine Files

Input parameters

Parameter	Description
Operator	String that identifies the comparison operator you want to use to filter endpoints on which you want to quarantine files on Palo Alto Cortex XDR. You can choose from the following: In, Greater Than Equal To, or Less Than Equal To. If you choose the 'In' operator, then you can specify the following parameters: Endpoint ID List: List of endpoint IDs on which you want to quarantine files on Palo Alto Cortex XDR. Distribution Name: Name of the distribution list containing the endpoints on which you want to quarantine files on Palo Alto Cortex XDR Group Name: Name of the group containing the endpoints on which you want to quarantine files on Palo Alto Cortex XDR. Alias: Alias of the endpoints on which you want to quarantine files on Palo Alto Cortex XDR. Hostname: Name of the host of the endpoints on which you want to quarantine files on Palo Alto Cortex XDR. IP list: List of IP addresses containing the endpoints on which you want to quarantine files on Palo Alto Cortex XDR. Platform: Type of operating system that contains the endpoints on which you want to quarantine files on Palo Alto Cortex XDR. You can choose between Windows, Linux, Macos, or Android. Isolate: Select Isolated if the endpoints have been isolated and Unisolated if the endpoints have been unisolated. If you choose the 'Greater Than Equal To' operator, then you can specify the following parameters: First Seen: Time when the endpoint was first seen. This operator will quarantine files on all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR. Last Seen: Time when the endpoint was last seen. This operator will quarantine files on all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR. If you choose the 'Less Than Equal To' operator, then you can specify the following parameters: First Seen: Time when the endpoint was first seen. This operator will quarantine files on all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR. Last Seen: Time that the incident was last seen. This operator will quarantine files on all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR.
File Path	String that represents the path of the file you want to quarantine on the specified endpoints on Palo Alto Cortex XDR.
File Hash	String that represents the hash value of the file you want to quarantine on the specified endpoints on Palo Alto Cortex XDR.. The hash must be a valid SHA256 value.

Output

The output contains the following populated JSON schema:
{
"reply": {
"action_id": []
}
}

operation: Get Quarantine Status

Input parameters

Parameter	Description
Endpoint ID	String that represents the endpoint ID whose associated files' quarantine status you want to retrieve from Palo Alto Cortex XDR.
File Hash	String that represents the hash value of the file whose quarantine status you want to retrieve from Palo Alto Cortex XDR. The hash must be a valid SHA256 value.
File Path	String that represents the path of the file whose quarantine status you want to retrieve from Palo Alto Cortex XD

Output

The output contains the following populated JSON schema:
{
"reply": [
{
"endpoint_id": "",
"file_path": "",
"file_hash": "",
"status": ""
}
]
}

operation: Restore File

Input parameters

Parameter	Description
File Hash	String that represents the hash value of the quarantined file that you want to restore on the specified endpoint on Palo Alto Cortex XDR. The hash must be a valid SHA256 value.
Endpoint ID	String that represents the endpoint ID on which you want to restore the specified quarantined file.

Output

The output contains the following populated JSON schema:
{
"message": "",
"status": ""
}

operation: Retrieve File

Input parameters

Parameter	Description
Operator	String that identifies the comparison operator you want to use to filter files that you want to retrieve from Palo Alto Cortex XDR. You can choose from the following: In, Greater Than Equal To, or Less Than Equal To. If you choose the 'In' operator, then you can specify the following parameters: Endpoint ID List: List of endpoint IDs whose associated files you want to retrieve from Palo Alto Cortex XDR Distribution Name: Name of the distribution list containing the files you want to retrieve from Palo Alto Cortex XDR Group Name: Name of the endpoint group containing the files you want to retrieve from Palo Alto Cortex XDR Alias: Alias of the endpoints whose associated files you want to retrieve from Palo Alto Cortex XDR. Hostname: Name of the host of the endpoints whose associated files you want to retrieve from Palo Alto Cortex XDR. IP list: List of IP addresses containing the endpoints whose associated files you want to retrieve from Palo Alto Cortex XDR. Platform: Type of operating system that contains the endpoints whose associated files you want to retrieve from Palo Alto Cortex XDR. You can choose between Windows, Linux, Macos, or Android. Isolate: Select Isolated if the endpoints have been isolated and Unisolated if the endpoints have been unisolated. If you choose the 'Greater Than Equal To' operator, then you can specify the following parameters: First Seen: Time when the endpoint was first seen. This operator will retrieve files on all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR. Last Seen: Time when the endpoint was last seen. This operator will retrieve files on all endpoints that match the time specified or the time later than the time specified on Palo Alto Cortex XDR. If you choose the 'Less Than Equal To' operator, then you can specify the following parameters: First Seen: Time when the endpoint was first seen. This operator will retrieve files on all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR. Last Seen: Time that the incident was last seen. This operator will retrieve files on all endpoints that match the time specified or the time earlier than the time specified on Palo Alto Cortex XDR.
Files	Dictionary containing the type of operating system from which you want to retrieve files from Palo Alto Cortex XDR. You can choose between Windows, Linux, or Macos.
File Path	String that represents the path of the file used to retrieve files from Palo Alto Cortex XDR.

Output

The output contains the following populated JSON schema:
{
"reply": {
"action_id": []
}
}

Included playbooks

Blacklist Files
Cancel Scan Endpoints
Create Distributions
Delete Endpoints
Fetch Incidents
Get All Endpoints
Get Audit Agent Report
Get Audit Management Logs
Get Device Violations
Get Distribution Status
Get Distribution URL
Get Distribution Version
Get Endpoints
Get Incident Details
Get Policy
Get Quarantine Status
Insert CEF Alerts
Insert Parsed Alerts
Isolate Endpoints
Quarantine Files
Restore File
Retrieve File
Scan Endpoints
Unisolate Endpoints
Update Incident
Whitelist Files