Cortex XDR applies machine learning at cloud scale to rich network, endpoint, and cloud data, so you can quickly find and stop targeted attacks, insider abuse, and compromised endpoints.
This document provides information about the Palo Alto Cortex XDR connector, which facilitates automated interactions with your Palo Alto Cortex XDR server using FortiSOAR™ playbooks. Add the Palo Alto Cortex XDR connector as a step in FortiSOAR™ playbooks to perform automated operations such as retrieving a list of all your endpoints from Palo Alto Cortex XDR or isolating endpoints on Palo Alto Cortex XDR.
You can use FortiSOAR™'s Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling incidents from Palo Alto Cortex XDR. For more information, see the Data Ingestion Support section.
Connector Version: 1.1.0
Authored By: Fortinet
Certified: No
The following enhancements have been made to the Palo Alto Cortex XDR connector in version 1.1.0:
Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command as a root user to install the connector:
yum install cyops-connector-paloalto-cortex-xdr
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, click the Palo Alto Cortex XDR connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
Parameter | Description |
---|---|
Server URL | Specify the URL of the Palo Alto Cortex XDR server to which you will connect and perform the automated operations. |
API Key ID | Specify the ID of the API key configured for your account to access the Palo Alto Cortex XDR server to which you will connect and perform the automated operations. |
API Key | Specify the API key configured for your account to access the Palo Alto Cortex XDR server to which you will connect and perform the automated operations. Note: You require a "Standard" security level API key. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. |
The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™:
Function | Description | Annotation and Category |
---|---|---|
Fetch Incidents | Retrieves all incidents or specific incidents from Palo Alto Cortex XDR based on the input parameters specified. | fetch_incidents Investigation |
Get Incident Details | Retrieves details, including alerts and key artifacts, for a specific incident from Palo Alto Cortex XDR based on the incident ID and other input parameters specified. | get_incident_details Investigation |
Update Incident | Updates incident fields like severity, status, etc. of a specific incident in Palo Alto Cortex XDR based on the incident ID and other input parameters specified. | update_incident Investigation |
Insert CEF Alerts | Uploads alerts in the CEF format from external alert sources to Palo Alto Cortex XDR based on the list of alerts specified. Note: After you have mapped the CEF alert fields to Cortex XDR fields, Cortex XDR displays the alerts in related incidents and views. | insert_cef_alerts Investigation |
Insert Parsed Alerts | Uploads alerts in the Cortex XDR format from external alert sources to Palo Alto Cortex XDR based on the product, vendor, and other input parameters specified. Cortex XDR displays alerts that are parsed successfully in related incidents and views. | insert_parsed_alerts Investigation |
Isolate Endpoints | Isolates one or more endpoints in a single request on Palo Alto Cortex XDR based on the endpoint ID and other input parameters specified. | isolate_endpoints Investigation |
Unisolate Endpoints | Unisolates one or more endpoints in a single request on Palo Alto Cortex XDR based on the endpoint ID and other input parameters specified. | unisolate_endpoints Investigation |
Get All Endpoints | Retrieves a list of all your endpoints from Palo Alto Cortex XDR. | get_all_endpoints Investigation |
Get Endpoints | Retrieves a list of filtered endpoints from Palo Alto Cortex XDR based on the input parameters specified. | get_endpoints Investigation |
Scan Endpoints | Runs a scan on all endpoints or specified endpoints on Palo Alto Cortex XDR based on the list of endpoint IDs and other input parameters specified. | scan_endpoints Investigation |
Cancel Scan Endpoints | Cancels a scan on all endpoints or specified endpoints on Palo Alto Cortex XDR based on the list of endpoint IDs and other input parameters specified. | cancel_scan_endpoints Investigation |
Delete Endpoints | Deletes the specified endpoints from the Palo Alto Cortex XDR based on the list of endpoint IDs specified. Note: You can delete up to 100 endpoints. | delete_endpoints Investigation |
Get Policy | Retrieves the policy for a specific endpoint from Palo Alto Cortex XDR based on the endpoint ID specified. | get_policy Investigation |
Get Device Violations | Retrieves a list of filtered device violations from Palo Alto Cortex XDR based on the input parameters specified. | get_device_violations Investigation |
Get Distribution Version | Retrieves a list of all the agent versions that are used for creating a distribution list from Palo Alto Cortex XDR. | get_distribution_version Investigation |
Create Distributions | Creates an installation package on Palo Alto Cortex XDR based on the distribution name and description, and the package type specified. | create_distributions Investigation |
Get Distribution Status | Checks and retrieves the status of an installation package from Palo Alto Cortex XDR based on the distribution ID specified. | get_distribution_status Investigation |
Get Distribution URL | Retrieves the distribution URL for downloading the installation package from Palo Alto Cortex XDR based on the distribution ID and package type specified. | get_distribution_url Investigation |
Get Audit Management Logs | Retrieves audit management logs from Palo Alto Cortex XDR based on the input parameters specified. | get_audit_management_log Investigation |
Get Audit Agent Report | Retrieves agent event reports from Palo Alto Cortex XDR based on the input parameters specified. | get_audit_agent_report Investigation |
Blacklist Files | Blacklists the specified files that have not already been blacklisted on Palo Alto Cortex XDR based on the list of file hash values and other input parameters specified. | blacklist_files Investigation |
Whitelist Files | Whitelists the specified files that have not already been whitelisted on Palo Alto Cortex XDR based on the list of file hash values and other input parameters specified. | whitelist_files Investigation |
Quarantine Files | Quarantines files on specified endpoints on Palo Alto Cortex XDR based on the list of endpoint IDs, the file path, and the file hash specified. | quarantine_files Investigation |
Get Quarantine Status | Retrieves the quarantine status for a specific file from Palo Alto Cortex XDR based on the endpoint ID, file path, and file hash specified. | get_quarantine_status Investigation |
Restore File | Restores a quarantined file on a specified endpoint on Palo Alto Cortex XDR based on the endpoint ID, file hash, and other input parameters specified. | restore_file Investigation |
Retrieve File | Retrieves a file from specific endpoints from Palo Alto Cortex XDR based on the list of endpoint IDs, file path, and other input parameters specified. Note: You can retrieve up to 20 files from a maximum of 100 endpoints. | retrieve_file Investigation |
Retrieve File Details | Retrieves details for a specific file from Palo Alto Cortex XDR based on the action ID specified. | retrieve_file_details Investigation |
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list (of incidents) is returned.
Parameter | Description |
---|---|
Incident ID List | Specify the list of incident IDs that you want to retrieve from Palo Alto Cortex XDR. Each item in the list must be an incident ID. For example, |
Created After | Select the DateTime using which you want to filter the incidents retrieved by this operation to include only those incidents that were created at the time specified or the time later than the time specified. |
Created Before | Select the DateTime using which you want to filter the incidents retrieved by this operation to include only those incidents that were created at the time specified or the time earlier than the time specified. |
Modified After | Select the DateTime using which you want to filter the incidents retrieved by this operation to include only those incidents that were modified at the time specified or the time later than the time specified. |
Modified Before | Select the DateTime using which you want to filter the incidents retrieved by this operation to include only those incidents that were modified at the time specified or the time earlier than the time specified. |
Alert Sources | Specify the sources which detected the alert and whose associated incidents you want to retrieve from Palo Alto Cortex XDR. For example, ["XDR Agent"] |
Status | Select the status using which you want to filter the incidents retrieved by this operation. You can choose from options such as New, Resolved Known Issue, Resolved Auto, etc. |
Description | Specify the description of the incident you want to retrieve from Palo Alto Cortex XDR. |
Search From | Specify the integer representing the starting offset within the query result set from which you want this operation to return incidents from Palo Alto Cortex XDR. |
Search To | Specify the integer representing the end offset within the result set after which you do not want this operation to return incidents from Palo Alto Cortex XDR. |
Sort by Field | Select the field by which you want to sort the incidents retrieved by this operation. You can choose between creation_time or modification_time. |
Sort by Order | Select this option to order the incidents retrieved by this operation. You can choose between asc (ascending) or desc (descending). |
The output contains the following populated JSON schema:
{
"reply": {
"total_count": "",
"result_count": "",
"incidents": [
{
"incident_id": "",
"creation_time": "",
"modification_time": "",
"detection_time": "",
"status": "",
"severity": "",
"description": "",
"assigned_user_mail": "",
"assigned_user_pretty_name": "",
"alert_count": "",
"low_severity_alert_count": "",
"med_severity_alert_count": "",
"high_severity_alert_count": "",
"user_count": "",
"host_count": "",
"notes": "",
"resolve_comment": "",
"manual_severity": "",
"manual_description": "",
"xdr_url": "",
"starred": "",
"hosts": [],
"users": [],
"incident_sources": []
}
]
}
}
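As an added example (not the connector's own code), the following Python turns the Fetch Incidents parameters documented above into a request body and walks the Search From / Search To window until the result set is exhausted; Get Endpoints and Get Device Violations document the same filter-and-window parameters, so the builder generalises to them. The API path, the request_data/filters body shape, epoch-millisecond times and the header names for a "Standard" key are assumptions taken from the public Cortex XDR API, and the transport is a stub over constructed sample data.

```python
"""Build Fetch Incidents requests and page through the results.
Added example, not the connector's code. Assumed (see inline comments): the
public Cortex XDR API path, request_data body, epoch-ms times and the headers
used by a "Standard" key. No network call is made; the transport is a stub."""
from datetime import datetime, timezone
import operator

INCIDENTS_PATH = "/public_api/v1/incidents/get_incidents/"  # assumption: public API path
PAGE_SIZE = 100  # assumption: one Search From / Search To window per request
CALL_LOG = []    # search_from of every request the stub transport received


def standard_key_headers(api_key_id, api_key):
    """Headers for a "Standard" security-level key (the level the page requires):
    the key ID selects the key, the key itself authenticates. Names are assumed."""
    return {"x-xdr-auth-id": str(api_key_id), "Authorization": api_key,
            "Content-Type": "application/json"}


def to_epoch_ms(when):
    """Accept a datetime (naive means UTC) or an already converted epoch-ms integer."""
    if isinstance(when, datetime):
        when = when if when.tzinfo else when.replace(tzinfo=timezone.utc)
        return int(when.timestamp() * 1000)
    return int(when)


def build_incident_filters(incident_ids=None, created_after=None, created_before=None,
                           modified_after=None, modified_before=None,
                           alert_sources=None, status=None, description=None):
    """Map the documented parameters onto filter objects. With none given the list
    stays empty and, as the note above warns, the unfiltered incident list comes back."""
    filters = []
    if incident_ids:
        filters.append({"field": "incident_id_list", "operator": "in",
                        "value": [str(i) for i in incident_ids]})
    for field, after, before in (("creation_time", created_after, created_before),
                                 ("modification_time", modified_after, modified_before)):
        if after is not None:   # "After": at the time given or later
            filters.append({"field": field, "operator": "gte", "value": to_epoch_ms(after)})
        if before is not None:  # "Before": at the time given or earlier
            filters.append({"field": field, "operator": "lte", "value": to_epoch_ms(before)})
    if alert_sources:
        filters.append({"field": "alert_sources", "operator": "in", "value": list(alert_sources)})
    if status:
        filters.append({"field": "status", "operator": "eq", "value": status})
    if description:
        filters.append({"field": "description", "operator": "contains", "value": description})
    return filters


def build_request(filters, search_from=0, search_to=PAGE_SIZE,
                  sort_field="creation_time", sort_order="asc"):
    """Wrap the filters, the result window and the sort into one request body."""
    request_data = {"search_from": search_from, "search_to": search_to,
                    "sort": {"field": sort_field, "keyword": sort_order}}
    if filters:
        request_data["filters"] = filters
    return {"request_data": request_data}


def fetch_all_incidents(post, filters, page_size=PAGE_SIZE):
    """Slide the Search From / Search To window until a short page marks the end.
    `post(path, body)` is the transport and returns the decoded JSON reply."""
    incidents, offset = [], 0
    while True:
        reply = post(INCIDENTS_PATH, build_request(filters, offset, offset + page_size))["reply"]
        batch = reply.get("incidents") or []
        incidents.extend(batch)
        if len(batch) < page_size:
            return incidents
        offset += page_size


# Stub transport over constructed records shaped like the output schema above.
SAMPLE_INCIDENTS = [  # constructed, not real incidents; API enum spellings are not modelled
    {"incident_id": str(i), "creation_time": 1_700_000_000_000 + i * 60_000,
     "status": "resolved_auto" if i % 3 == 0 else "new",
     "severity": ("low", "medium", "high")[i % 3], "alert_count": i % 4,
     "description": f"Constructed incident {i}", "incident_sources": ["XDR Agent"]}
    for i in range(1, 251)
]
FIELD_ALIASES = {"incident_id_list": "incident_id", "alert_sources": "incident_sources"}
OPS = {"eq": operator.eq, "gte": operator.ge, "lte": operator.le,
       "contains": lambda value, want: want in str(value)}


def _matches(incident, flt):
    """Evaluate one filter object (eq, in, gte, lte, contains) against one incident."""
    value = incident.get(FIELD_ALIASES.get(flt["field"], flt["field"]))
    op, want = flt["operator"], flt["value"]
    if op == "in":
        return any(v in want for v in value) if isinstance(value, list) else value in want
    return OPS[op](value, want)


def fake_post(path, body):
    """Apply the filters and the window, then answer with total_count/result_count/incidents."""
    assert path == INCIDENTS_PATH
    rd = body["request_data"]
    CALL_LOG.append(rd["search_from"])
    hits = [i for i in SAMPLE_INCIDENTS if all(_matches(i, f) for f in rd.get("filters", []))]
    page = hits[rd["search_from"]:rd["search_to"]]
    return {"reply": {"total_count": len(hits), "result_count": len(page), "incidents": page}}
```

Replacing `fake_post` with a function that POSTs `body` to the Server URL with `standard_key_headers(...)` and honours the Verify SSL setting is all that separates this from a live query.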
Parameter | Description |
---|---|
Incident ID | Specify the ID of the incident whose details (including related alerts and key artifacts) you want to retrieve from Palo Alto Cortex XDR. |
Alerts Limit | (Optional) Specify the maximum number of alerts related to the specified incident you want to retrieve from Palo Alto Cortex XDR. By default, this is set to '1000'. |
The output contains the following populated JSON schema:
{
"reply": {
"incident": {
"incident_id": "",
"creation_time": "",
"modification_time": "",
"detection_time": "",
"status": "",
"severity": "",
"description": "",
"assigned_user_mail": "",
"assigned_user_pretty_name": "",
"alert_count": "",
"low_severity_alert_count": "",
"med_severity_alert_count": "",
"high_severity_alert_count": "",
"user_count": "",
"host_count": "",
"notes": "",
"resolve_comment": "",
"manual_severity": "",
"manual_description": "",
"xdr_url": "",
"starred": "",
"hosts": [],
"users": [],
"alert_sources": []
},
"alerts": {
"total_count": "",
"data": [
{
"alert_id": "",
"detection_timestamp": "",
"source": "",
"severity": "",
"name": "",
"category": "",
"action": "",
"action_pretty": "",
"endpoint_id": "",
"description": "",
"host_ip": "",
"host_name": "",
"user_name": "",
"event_type": "",
"actor_process_image_name": "",
"actor_process_command_line": "",
"fw_app_id": "",
"is_whitelisted": "",
"starred": ""
}
]
},
"network_artifacts": {
"total_count": "",
"data": [
{
"type": "",
"alert_count": "",
"is_manual": "",
"network_domain": "",
"network_remote_ip": "",
"network_remote_port": "",
"network_country": ""
}
]
},
"file_artifacts": {
"total_count": "",
"data": [
{
"type": "",
"alert_count": "",
"is_manual": "",
"is_malicious": "",
"is_process": "",
"file_name": "",
"file_sha256": "",
"file_signature_status": "",
"file_signature_vendor_name": "",
"file_wildfire_verdict": ""
}
]
}
}
}
Parameter | Description |
---|---|
Incident ID | Specify the ID of the incident whose details you want to update in Palo Alto Cortex XDR. |
Assigned User Mail | (Optional) Specify the email address of the assignee to whom you want to assign the specified incident in Palo Alto Cortex XDR. |
Assigned User Pretty Name | (Optional) Specify the full name of the assignee to whom you want to assign the specified incident in Palo Alto Cortex XDR. |
Manual Severity | (Optional) Select the severity level that you want to assign to the specified incident in Palo Alto Cortex XDR. You can choose from the following options: High, Medium, Low, Critical, or Informational. |
Status | (Optional) Select the status that you want to assign to the specified incident in Palo Alto Cortex XDR. You can choose from the following options: New, Under Investigation, Resolved Threat Handled, Resolved Known Issue, Resolved Duplicate, Resolved False Positive, or Resolved Other. |
Comment | (Optional) Select this option if you want to include a comment that explains the updates made to the specified incident. If you select this option, then you must specify the following parameters: |
Resolve Comment | (Optional) Add a descriptive comment that explains the updates made to the specified incident. |
The output contains the following populated JSON schema:
{
"message": "",
"status": ""
}
Parameter | Description |
---|---|
Alerts | Specify a comma-separated list of alerts in the CEF format that you want to add (upload) to Palo Alto Cortex XDR. |
The output contains the following populated JSON schema:
{
"reply": ""
}
Note: Values that you specify in the following input parameters are used to upload alerts to Palo Alto Cortex XDR.
Parameter | Description |
---|---|
Alert Name | Specify the string defining the name of the alert that you want to upload to Palo Alto Cortex XDR. |
Product | Specify the string value that defines the product related to the alert that you want to upload to Palo Alto Cortex XDR. For example, VPN & Firewall-1 |
Vendor | Specify the string value that defines the vendor related to the alert that you want to upload to Palo Alto Cortex XDR. For example, Check Point |
Local Port | Specify the integer value for the source port related to the alert that you want to upload to Palo Alto Cortex XDR. |
Remote IP | Specify the string value of the destination IP address related to the alert that you want to upload to Palo Alto Cortex XDR. |
Remote Port | Specify the integer value for the destination port related to the alert that you want to upload to Palo Alto Cortex XDR. |
Local IP | (Optional) Specify the string value for the source IP address related to the alert that you want to upload to Palo Alto Cortex XDR. |
Event Timestamp | (Optional) Select the occurrence DateTime of the alert that you want to upload to Palo Alto Cortex XDR. |
Severity | (Optional) Select the severity of the alert that you want to upload to Palo Alto Cortex XDR. You can choose from the following options: Informational, High, Medium, Low, or Unknown. |
Alert Description | (Optional) Specify the string value that contains the description of the alert that you want to upload to Palo Alto Cortex XDR. |
Action Status | (Optional) Specify the string value that defines the action status of the alert that you want to upload to Palo Alto Cortex XDR. |
The output contains the following populated JSON schema:
{
"reply": ""
}
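Insert CEF Alerts and Insert Parsed Alerts carry two representations of the same alert; this added Python (not the connector's code) parses a CEF record of the kind the former accepts and produces the field set the table above documents for the latter, enforcing the integer ports and the required fields. It assumes the standard CEF extension keys (src, spt, dst, dpt, rt, act, msg) hold the addresses, ports, time, action and message, and the key names of the resulting dictionary are taken from this page's parameter names, not from the connector or the API.

```python
"""Parse a CEF record and build the parsed-alert field set documented above.
Added example, not the connector's code. Assumed: the standard CEF extension keys
(src, spt, dst, dpt, rt, act, msg) carry the alert's addresses, ports, time,
action and message; the output key names follow the parameter names on this page."""
import re

CEF_HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                     "signature_id", "name", "severity")
# key=value pairs; a value runs until the next " key=" or the end, \= and \\ allowed inside
EXT_RE = re.compile(r"(\w+)=((?:\\.|[^\\])*?)(?=\s\w+=|$)", re.S)

# Constructed sample using the vendor/product examples the page itself gives.
SAMPLE_CEF = ("CEF:0|Check Point|VPN & Firewall-1|R81|100|Connection blocked|7|"
              "src=10.0.0.5 spt=51515 dst=198.51.100.7 dpt=443 rt=1704067200000 "
              "act=blocked msg=Outbound connection blocked by policy")


def split_cef_header(line):
    """Split the seven pipe-delimited header fields, honouring backslash escapes.
    Returns (header dict, raw extension string)."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    parts, cur, i = [], [], 4
    while i < len(line) and len(parts) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):   # escaped pipe or backslash
            cur.append(line[i + 1])
            i += 2
            continue
        if ch == "|":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if len(parts) < 7:
        raise ValueError("truncated CEF header")
    return dict(zip(CEF_HEADER_FIELDS, parts)), line[i:]


def parse_cef_extension(ext):
    """Extension pairs to a dict, unescaping \\= and \\\\ inside values."""
    return {k: v.replace("\\=", "=").replace("\\\\", "\\") for k, v in EXT_RE.findall(ext)}


def cef_severity_to_xdr(raw):
    """CEF severity (0-10 or Low/Medium/High/Very-High) to the page's options
    Informational, Low, Medium, High or Unknown; the banding is this example's choice."""
    s = raw.strip().lower()
    if s.isdigit():
        n = int(s)
        if n == 0:
            return "Informational"
        return "Low" if n <= 3 else "Medium" if n <= 6 else "High" if n <= 10 else "Unknown"
    return {"low": "Low", "medium": "Medium", "high": "High", "very-high": "High"}.get(s, "Unknown")


def _port(raw, label):
    """The page documents ports as integers; reject anything outside 0..65535 early."""
    try:
        port = int(raw)
    except ValueError:
        raise ValueError(f"{label} is not an integer: {raw!r}") from None
    if not 0 <= port <= 65535:
        raise ValueError(f"{label} out of range: {port}")
    return port


def cef_to_parsed_alert(line):
    """Build the Insert Parsed Alerts field set. Alert name, product, vendor, local port,
    remote IP and remote port are required above; the rest is filled only when present."""
    header, ext_raw = split_cef_header(line)
    ext = parse_cef_extension(ext_raw)
    missing = [k for k in ("spt", "dst", "dpt") if k not in ext]
    if missing:
        raise ValueError(f"CEF record lacks required extension keys: {missing}")
    alert = {
        "alert_name": header["name"],
        "product": header["device_product"],
        "vendor": header["device_vendor"],
        "local_port": _port(ext["spt"], "Local Port"),
        "remote_ip": ext["dst"],
        "remote_port": _port(ext["dpt"], "Remote Port"),
        "severity": cef_severity_to_xdr(header["severity"]),
    }
    if "src" in ext:
        alert["local_ip"] = ext["src"]
    if ext.get("rt", "").isdigit():           # epoch ms only; formatted dates are left out
        alert["event_timestamp"] = int(ext["rt"])
    if "msg" in ext:
        alert["alert_description"] = ext["msg"]
    if "act" in ext:
        alert["action_status"] = ext["act"]
    return alert
```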
Parameter | Description |
---|---|
Isolate Endpoint | Select whether you want to isolate one endpoint or multiple endpoints. |
Incident ID | (Optional) Specify the ID of the incident to include the Isolate Endpoints action in the Cortex XDR Incident View Timeline tab. |
The output contains the following populated JSON schema:
{
"reply": {
"action_id": []
}
}
Parameter | Description |
---|---|
Unisolate Endpoint | Select whether you want to unisolate one endpoint or multiple endpoints. |
Incident ID | (Optional) Specify the ID of the incident to include the Unisolate Endpoints action in the Cortex XDR Incident View Timeline tab. |
The output contains the following populated JSON schema:
{
"reply": {
"action_id": []
}
}
None.
The output contains the following populated JSON schema:
{
"reply": [
{
"agent_type": "",
"agent_id": "",
"host_name": "",
"agent_status": "",
"ip": ""
}
]
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list (of endpoints) is returned.
Parameter | Description |
---|---|
Endpoint ID List | Specify the list of endpoint IDs that you want to retrieve from Palo Alto Cortex XDR. |
Distribution Name | Specify the name of the distribution list or installation package name containing the endpoints to be retrieved from Palo Alto Cortex XDR. |
Group Name | Specify the name of the group containing the endpoints to be retrieved from Palo Alto Cortex XDR. |
Alias | Specify the alias of the endpoints to be retrieved from Palo Alto Cortex XDR. |
Hostname | Specify the name of the host of the endpoints to be retrieved from Palo Alto Cortex XDR. |
Username | Specify the name of the user associated with the endpoints to be retrieved from Palo Alto Cortex XDR. |
Endpoint Status | Select the status of the endpoints to be retrieved from Palo Alto Cortex XDR. You can choose between Connected, Disconnected, Lost, or Uninstalled. |
IP list | Specify the list of IP addresses containing the endpoints to be retrieved from Palo Alto Cortex XDR. |
Platform | Select the type of operating system that contains the endpoints to be retrieved from Palo Alto Cortex XDR. You can choose between Windows, Linux, Macos, or Android. |
Isolate | Select the isolation status of the endpoints to be retrieved from Palo Alto Cortex XDR. Select Isolated to retrieve endpoints that are isolated and Unisolated to retrieve endpoints that are unisolated. |
Scan Status | Select the scan status of endpoints to be retrieved from Palo Alto Cortex XDR. You can choose between None, Pending, In Progress, Cancelled, Aborted, Pending Cancellation, Success, or Error. |
First Seen After | Select the DateTime using which you want to filter the endpoints retrieved by this operation to include only those endpoints that were first seen at the time specified or the time later than the time specified. |
First Seen Before | Select the DateTime using which you want to filter the endpoints retrieved by this operation to include only those endpoints that were first seen at the time specified or the time earlier than the time specified. |
Last Seen After | Select the DateTime using which you want to filter the endpoints retrieved by this operation to include only those endpoints that were last seen at the time specified or the time later than the time specified. |
Last Seen Before | Select the DateTime using which you want to filter the endpoints retrieved by this operation to include only those endpoints that were last seen at the time specified or the time earlier than the time specified. |
Search From | Specify the integer representing the starting offset within the query result set from which you want this operation to return endpoints from Palo Alto Cortex XDR. |
Search To | Specify the integer representing the end offset within the result set after which you do not want this operation to return endpoints from Palo Alto Cortex XDR. |
Sort by Field | Select the field by which you want to sort the endpoints retrieved by this operation. You can choose between first_seen or last_seen. |
Sort by Order | Select this option to order the endpoints retrieved by this operation. You can choose between asc (ascending) or desc (descending). |
The output contains the following populated JSON schema:
{
"reply": {
"result_count": "",
"endpoints": [
{
"endpoint_id": "",
"endpoint_name": "",
"endpoint_type": "",
"endpoint_status": "",
"os_type": "",
"ip": "",
"users": [
""
],
"domain": "",
"alias": "",
"first_seen": "",
"last_seen": "",
"content_version": "",
"installation_package": "",
"active_directory": "",
"install_date": "",
"endpoint_version": "",
"is_isolated": "",
"group_name": ""
}
]
}
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list (of endpoints) is used for this operation.
Parameter | Description |
---|---|
Endpoint ID List | Specify the list of endpoint IDs that you want to scan on Palo Alto Cortex XDR. |
Distribution Name | Specify the name of the distribution list containing the endpoints that you want to scan on Palo Alto Cortex XDR. |
Group Name | Specify the name of the group containing the endpoints that you want to scan on Palo Alto Cortex XDR. |
Alias | Specify the alias of the endpoints to be scanned on Palo Alto Cortex XDR. |
Hostname | Specify the name of the host of the endpoints to be scanned on Palo Alto Cortex XDR. |
Username | Specify the name of the user associated with the endpoints to be scanned on Palo Alto Cortex XDR. |
IP List | Specify the list of IP addresses containing the endpoints to be scanned on Palo Alto Cortex XDR. |
Platform | Select the type of operating system that contains the endpoints to be scanned on Palo Alto Cortex XDR. You can choose between Windows, Linux, Macos, or Android. |
Isolate | Select the isolation status of the endpoints to be scanned on Palo Alto Cortex XDR. Select Isolated to scan endpoints that are isolated and Unisolated to scan endpoints that are unisolated. |
Scan Status | Select the scan status of endpoints to be scanned on Palo Alto Cortex XDR. You can choose between None, Pending, In Progress, Cancelled, Aborted, Pending Cancellation, Success, or Error. |
First Seen After | Select the DateTime using which you want to filter the endpoints retrieved by this operation to include only those endpoints that were first seen at the time specified or the time later than the time specified. |
First Seen Before | Select the DateTime using which you want to filter the endpoints retrieved by this operation to include only those endpoints that were first seen at the time specified or the time earlier than the time specified. |
Last Seen After | Select the DateTime using which you want to filter the endpoints retrieved by this operation to include only those endpoints that were last seen at the time specified or the time later than the time specified. |
Last Seen Before | Select the DateTime using which you want to filter the endpoints retrieved by this operation to include only those endpoints that were last seen at the time specified or the time earlier than the time specified. |
Incident ID | Specify the ID of the incident to include the Scan Endpoints action in the Cortex XDR Incident View Timeline tab. |
The output contains the following populated JSON schema:
{
"reply": {
"action_id": []
}
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list (of endpoints) is used for this operation.
Parameter | Description |
---|---|
Endpoint ID List | Specify the list of endpoint IDs whose scan you want to cancel on Palo Alto Cortex XDR. |
Distribution Name | Specify the name of the distribution list containing the endpoints whose scan you want to cancel on Palo Alto Cortex XDR. |
Group Name | Specify the name of the group containing the endpoints whose scan you want to cancel on Palo Alto Cortex XDR. |
Alias | Specify the alias of the endpoints whose scan you want to cancel on Palo Alto Cortex XDR. |
Hostname | Specify the name of the host of the endpoints whose scan you want to cancel on Palo Alto Cortex XDR. |
Username | Specify the name of the user associated with the endpoints whose scan you want to cancel on Palo Alto Cortex XDR. |
IP List | Specify the list of IP addresses containing the endpoints whose scan you want to cancel on Palo Alto Cortex XDR. |
Platform | Select the type of operating system that contains the endpoints whose scan you want to cancel on Palo Alto Cortex XDR. You can choose between Windows, Linux, Macos, or Android. |
Isolate | Select the isolation status of the endpoints whose scan you want to cancel on Palo Alto Cortex XDR. Select Isolated to cancel the scan on endpoints that are isolated and Unisolated to cancel the scan on endpoints that are unisolated. |
Scan Status | Select the scan status of endpoints whose scan you want to cancel on Palo Alto Cortex XDR. You can choose between None, Pending, In Progress, Cancelled, Aborted, Pending Cancellation, Success, or Error. |
First Seen After | Select the DateTime using which you want to filter the endpoints retrieved by this operation to include only those endpoints that were first seen at the time specified or the time later than the time specified. |
First Seen Before | Select the DateTime using which you want to filter the endpoints retrieved by this operation to include only those endpoints that were first seen at the time specified or the time earlier than the time specified. |
Last Seen After | Select the DateTime using which you want to filter the endpoints retrieved by this operation to include only those endpoints that were last seen at the time specified or the time later than the time specified. |
Last Seen Before | Select the DateTime using which you want to filter the endpoints retrieved by this operation to include only those endpoints that were last seen at the time specified or the time earlier than the time specified. |
Incident ID | Specify the ID of the incident to include the Cancel Scan Endpoints action in the Cortex XDR Incident View Timeline tab. |
The output contains the following populated JSON schema:
{
"reply": ""
}
Parameter | Description |
---|---|
Endpoint ID List | Specify a list of endpoint IDs that you want to delete from the Palo Alto Cortex XDR app. |
The output contains the following populated JSON schema:
{
"reply": ""
}
Parameter | Description |
---|---|
Endpoint ID | Specify a string that represents the endpoint ID for which you want to retrieve the policy from Palo Alto Cortex XDR. For example, 51588e4ce9214c63b39d054bd073b93a |
The output contains the following populated JSON schema:
{
"reply": {
"policy_name": ""
}
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list (of device violations) is returned.
Parameter | Description |
---|---|
Endpoint ID List | Specify the list of endpoint IDs based on which you want to retrieve violations from Palo Alto Cortex XDR. |
Vendor | Specify the string value that defines the vendor whose associated violations are to be retrieved from Palo Alto Cortex XDR. For example, Check Point |
Vendor ID | Specify the string value that defines the vendor ID whose associated violations are to be retrieved from Palo Alto Cortex XDR. For example, 0x0999 |
Product | Specify the string value that defines the product whose associated violations are to be retrieved from Palo Alto Cortex XDR. For example, VPN & Firewall-1 |
Product ID | Specify the string value that defines the product ID whose associated violations are to be retrieved from Palo Alto Cortex XDR. For example, 0x10036 |
Serial | Specify the string value that defines the serial number whose associated violations are to be retrieved from Palo Alto Cortex XDR. For example, 8888889 |
Hostname | Specify the name of the host whose associated violations are to be retrieved from Palo Alto Cortex XDR. |
Username | Specify the name of the user whose associated violations are to be retrieved from Palo Alto Cortex XDR. |
Type | Select the type of violations that are to be retrieved from Palo Alto Cortex XDR. You can choose between CD ROM, Disk Drive, Floppy Disk, or Portable Device. |
IP List | Specify the list of IP addresses whose associated violations are to be retrieved from Palo Alto Cortex XDR. |
Violations ID List | Specify the list of violation IDs that you want to retrieve from Palo Alto Cortex XDR. |
Timestamp After | Select the DateTime from when you want to retrieve violations from Palo Alto Cortex XDR. This operation retrieves all violations whose timestamp matches the time specified or is later than the time specified. |
Timestamp Before | Select the DateTime till when you want to retrieve violations from Palo Alto Cortex XDR. This operation retrieves all violations whose timestamp matches the time specified or is earlier than the time specified. |
Search From | Specify the integer representing the starting offset within the query result set from which you want this operation to return violations from Palo Alto Cortex XDR. |
Search To | Specify the integer representing the end offset within the result set after which you do not want this operation to return violations from Palo Alto Cortex XDR. |
Sort by Field | Select the field by which you want to sort the violations retrieved by this operation. You can choose from options such as serial, product, username, etc. |
Sort by Order | Select this option to order the violations retrieved by this operation. You can choose between asc (ascending) or desc (descending). |
The output contains the following populated JSON schema:
{
"reply": {
"result_count": "",
"violations": [
{
"hostname": "",
"username": "",
"ip": "",
"timestamp": "",
"violation_id": "",
"type": "",
"vendor_id": "",
"vendor": "",
"product_id": "",
"product": "",
"serial": "",
"endpoint_id": ""
}
]
}
}
None.
The output contains the following populated JSON schema:
{
"reply": {
"macos": [],
"linux": [],
"windows": []
}
}
Parameter | Description |
---|---|
Name | Specify the string representing the name of the installation package that you want to create on Palo Alto Cortex XDR. |
Package Type |
Select the type of installation package that you want to create on Palo Alto Cortex XDR. You can choose from the following types: Standalone or Upgrade.
|
Description | Specify the string containing descriptive information about the installation package. |
The output contains the following populated JSON schema:
{
"reply": {
"distribution_id": ""
}
}
Parameter | Description |
---|---|
Distribution ID | Specify the string representing the ID of the installation package whose status you want to retrieve from Palo Alto Cortex XDR. |
The output contains the following populated JSON schema:
{
"reply": {
"status": ""
}
}
Parameter | Description |
---|---|
Distribution ID | Specify the string representing the ID of the installation package whose distribution URL you want to retrieve from Palo Alto Cortex XDR. |
Package Type | Select the type of installation package whose distribution URL you want to retrieve from Palo Alto Cortex XDR. You can choose from the following options: sh (for Linux), rpm (for Linux), deb (for Linux), pkg (for Mac), x86 (for Windows), or x64 (for Windows). |
The output contains the following populated JSON schema:
{
"reply": {
"distribution_url": ""
}
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list (of audit management logs) is returned.
Parameter | Description |
---|---|
Email | Specify the email address of the user whose audit management logs you want to retrieve from Palo Alto Cortex XDR. |
Type | Specify the type of audit management logs you want to retrieve from Palo Alto Cortex XDR. |
Sub Type | Specify the sub-type of the audit management logs you want to retrieve from Palo Alto Cortex XDR. |
Result | Specify the result of the audit log by which you want to filter the audit management logs retrieved from Palo Alto Cortex XDR. For example, SUCCESS. |
Timestamp After | Select the DateTime from which you want to retrieve audit management logs from Palo Alto Cortex XDR. This operation retrieves all audit management logs whose timestamp matches the time specified or is later than the time specified on Palo Alto Cortex XDR. |
Timestamp Before | Select the DateTime up to which you want to retrieve audit management logs from Palo Alto Cortex XDR. This operation retrieves all audit management logs whose timestamp matches the time specified or is earlier than the time specified on Palo Alto Cortex XDR. |
Search From | Specify an integer representing the starting offset within the query result set from which you want audit management logs returned. |
Search To | Specify an integer representing the end offset within the result set after which you do not want audit management logs returned. |
Sort by Field | Select the field by which you want to sort the audit management logs retrieved by this operation. You can choose between type, sub-type, or result. |
Sort by Order | Select the order in which the audit management logs retrieved by this operation are sorted. You can choose between asc (ascending) or desc (descending). |
The output contains the following populated JSON schema:
{
"reply": {
"data": [
{
"AUDIT_DESCRIPTION": "",
"AUDIT_HOSTNAME": "",
"AUDIT_SESSION_ID": "",
"AUDIT_ASSET_JSON": "",
"AUDIT_REASON": "",
"AUDIT_RESULT": "",
"AUDIT_OWNER_EMAIL": "",
"AUDIT_ENTITY": "",
"AUDIT_ASSET_NAMES": "",
"AUDIT_ID": "",
"AUDIT_ENTITY_SUBTYPE": "",
"AUDIT_CASE_ID": "",
"AUDIT_OWNER_NAME": "",
"AUDIT_INSERT_TIME": ""
}
],
"result_count": ""
}
}
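The Get Audit Management Logs reply above is a list of records rather than a verdict, so a playbook usually has to triage it. The following Python is an added example written for this page, not code from the FortiSOAR connector or from Palo Alto Networks: it unwraps the `reply.data` list, separates entries whose `AUDIT_RESULT` is not `SUCCESS`, counts them per owner, and flags owners with repeated failures inside a sliding time window. The sample response is constructed (the keys follow the schema above, the values are invented), the entity names `AUTH`/`RESPONSE` and the result value `FAIL` are assumptions, and `AUDIT_INSERT_TIME` is assumed to be epoch milliseconds.

```python
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample response. The keys follow the populated JSON schema above;
# every value (users, hosts, times, entities, results) is invented for this example.
SAMPLE_REPLY: Dict = {
    "reply": {
        "data": [
            {"AUDIT_ID": 101, "AUDIT_OWNER_EMAIL": "alice@example.com", "AUDIT_OWNER_NAME": "Alice",
             "AUDIT_ENTITY": "AUTH", "AUDIT_ENTITY_SUBTYPE": "Login", "AUDIT_RESULT": "SUCCESS",
             "AUDIT_HOSTNAME": "10.0.0.5", "AUDIT_INSERT_TIME": 1700000000000},
            {"AUDIT_ID": 102, "AUDIT_OWNER_EMAIL": "bob@example.com", "AUDIT_OWNER_NAME": "Bob",
             "AUDIT_ENTITY": "AUTH", "AUDIT_ENTITY_SUBTYPE": "Login", "AUDIT_RESULT": "FAIL",
             "AUDIT_HOSTNAME": "10.0.0.9", "AUDIT_INSERT_TIME": 1700000060000},
            {"AUDIT_ID": 103, "AUDIT_OWNER_EMAIL": "bob@example.com", "AUDIT_OWNER_NAME": "Bob",
             "AUDIT_ENTITY": "AUTH", "AUDIT_ENTITY_SUBTYPE": "Login", "AUDIT_RESULT": "FAIL",
             "AUDIT_HOSTNAME": "10.0.0.9", "AUDIT_INSERT_TIME": 1700000120000},
            {"AUDIT_ID": 104, "AUDIT_OWNER_EMAIL": "bob@example.com", "AUDIT_OWNER_NAME": "Bob",
             "AUDIT_ENTITY": "RESPONSE", "AUDIT_ENTITY_SUBTYPE": "Isolate", "AUDIT_RESULT": "SUCCESS",
             "AUDIT_HOSTNAME": "10.0.0.9", "AUDIT_INSERT_TIME": 1700000180000},
            {"AUDIT_ID": 105, "AUDIT_OWNER_EMAIL": "carol@example.com", "AUDIT_OWNER_NAME": "Carol",
             "AUDIT_ENTITY": "AUTH", "AUDIT_ENTITY_SUBTYPE": "Login", "AUDIT_RESULT": "FAIL",
             "AUDIT_HOSTNAME": "10.0.0.12", "AUDIT_INSERT_TIME": 1700003600000},
        ],
        "result_count": 5,
    }
}


def audit_entries(reply: Dict) -> List[Dict]:
    """Unwrap the 'reply.data' list; tolerate a missing or empty reply."""
    return list(reply.get("reply", {}).get("data", []) or [])


def failed_entries(reply: Dict, entity: Optional[str] = None, subtype: Optional[str] = None) -> List[Dict]:
    """Entries whose AUDIT_RESULT is anything other than SUCCESS, optionally narrowed by entity/subtype."""
    out = []
    for e in audit_entries(reply):
        if str(e.get("AUDIT_RESULT", "")).upper() == "SUCCESS":
            continue
        if entity and e.get("AUDIT_ENTITY") != entity:
            continue
        if subtype and e.get("AUDIT_ENTITY_SUBTYPE") != subtype:
            continue
        out.append(e)
    return out


def failures_by_owner(reply: Dict, entity: Optional[str] = None, subtype: Optional[str] = None) -> Counter:
    """Count failed entries per AUDIT_OWNER_EMAIL."""
    return Counter(e.get("AUDIT_OWNER_EMAIL", "<unknown>") for e in failed_entries(reply, entity, subtype))


def owners_over_threshold(reply: Dict, threshold: int, window_ms: int,
                          entity: str = "AUTH", subtype: str = "Login") -> List[str]:
    """Owners with at least `threshold` failures inside any sliding window of `window_ms`.

    AUDIT_INSERT_TIME is treated as epoch milliseconds (assumption; check the
    values your tenant returns before relying on the window arithmetic).
    """
    times_by_owner: Dict[str, List[int]] = {}
    for e in failed_entries(reply, entity, subtype):
        owner = e.get("AUDIT_OWNER_EMAIL", "<unknown>")
        times_by_owner.setdefault(owner, []).append(int(e["AUDIT_INSERT_TIME"]))
    flagged = []
    for owner, times in times_by_owner.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window_ms:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(owner)
                break
    return sorted(flagged)
```

Feed the operation's real reply into `failures_by_owner` or `owners_over_threshold` in the playbook step that follows the call; the threshold and window are the only tuning knobs, and the entity/subtype filter keeps response actions (isolation, scans) from being counted as login failures.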
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list (of audit agent reports) is returned.
Parameter | Description |
---|---|
Endpoint ID | Specify the string representing the ID of the endpoint whose associated audit agent reports you want to retrieve from Palo Alto Cortex XDR. |
Endpoint Name | Specify the string representing the name of the endpoint whose associated audit agent reports you want to retrieve from Palo Alto Cortex XDR. |
Type | Specify the type of audit agent reports you want to retrieve from Palo Alto Cortex XDR. For example, Agent Status. |
Sub Type | Specify the sub-type of the audit agent reports you want to retrieve from Palo Alto Cortex XDR. For example, Fully Protected. |
Result | Specify the result of the agent report by which you want to filter the audit agent reports retrieved from Palo Alto Cortex XDR. For example, SUCCESS. |
Domain | Specify the domain of the agent whose audit agent reports you want to retrieve from Palo Alto Cortex XDR. For example, WORKGROUP. |
xdr_version | Specify the XDR version for which you want to retrieve audit agent reports from Palo Alto Cortex XDR. |
Category | Select the type of event category of the audit agent reports you want to retrieve from Palo Alto Cortex XDR. You can choose from the following options: Status, Audit, or Monitoring. |
Timestamp After | Select the DateTime from which you want to retrieve audit agent reports from Palo Alto Cortex XDR. This operation retrieves all audit agent reports whose timestamp matches the time specified or is later than the time specified on Palo Alto Cortex XDR. |
Timestamp Before | Select the DateTime up to which you want to retrieve audit agent reports from Palo Alto Cortex XDR. This operation retrieves all audit agent reports whose timestamp matches the time specified or is earlier than the time specified on Palo Alto Cortex XDR. |
Search From | Specify an integer representing the starting offset within the query result set from which you want this operation to return audit agent reports from Palo Alto Cortex XDR. |
Search To | Specify an integer representing the end offset within the result set after which you do not want this operation to return audit agent reports from Palo Alto Cortex XDR. |
Sort by Field | Select the field by which you want to sort the audit agent reports retrieved by this operation. You can choose between type, category, trapsversion, timestamp, or domain. |
Sort by Order | Select the order in which the audit agent reports retrieved by this operation are sorted. You can choose between asc (ascending) or desc (descending). |
The output contains the following populated JSON schema:
{
"reply": {
"data": [
{
"RESULT": "",
"REASON": "",
"SUBTYPE": "",
"CATEGORY": "",
"DOMAIN": "",
"TRAPSVERSION": "",
"RECEIVEDTIME": "",
"TIMESTAMP": "",
"DESCRIPTION": "",
"ENDPOINTNAME": "",
"ENDPOINTID": "",
"TYPE": ""
}
],
"result_count": ""
}
}
Parameter | Description |
---|---|
Hash List | Specify a string that represents a list of file hash values you want to blacklist on Palo Alto Cortex XDR. Note: The hash must be a valid SHA256 value. |
Comment | (Optional) Specify a string containing descriptive information about this action. |
Incident ID | (Optional) Specify the ID of the incident related to the specified file hash to include the Blacklist Files action in the Cortex XDR Incident View Timeline tab. |
The output contains the following populated JSON schema:
{
"reply": ""
}
Parameter | Description |
---|---|
Hash List | Specify a string that represents a list of file hash values you want to whitelist on Palo Alto Cortex XDR. Note: The hash must be a valid SHA256 value. |
Comment | (Optional) Specify a string containing descriptive information about this action. |
Incident ID | (Optional) Specify the ID of the incident related to the specified file hash to include the Whitelist Files action in the Cortex XDR Incident View Timeline tab. |
The output contains the following populated JSON schema:
{
"reply": ""
}
Parameter | Description |
---|---|
Endpoint ID List | Specify a list of endpoint IDs representing the endpoints on which you want to quarantine files on Palo Alto Cortex XDR. |
File Path | Specify the string representing the path of the file you want to quarantine on the specified endpoints on Palo Alto Cortex XDR. |
File Hash | Specify the string representing the hash value of the file you want to quarantine on the specified endpoints on Palo Alto Cortex XDR. Note: The hash must be a valid SHA256 value. |
The output contains the following populated JSON schema:
{
"reply": {
"action_id": []
}
}
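Blacklist Files, Whitelist Files and Quarantine Files all carry the same note: the hash must be a valid SHA256 value. A playbook that forwards an MD5 or SHA1 from an upstream alert gets the whole action rejected, so the check is worth doing before the call. The following Python is an added example written for this page, not code from the FortiSOAR connector or from Palo Alto Networks. It treats the Hash List string as comma- or whitespace-separated (an assumption; the page only calls it "a string that represents a list of file hash values"), and the `request_data`/`hash_list` body shape it builds is assumed from the Cortex XDR public API convention rather than taken from the page.

```python
import re
from typing import Dict, Iterable, List, Optional

# Exactly 64 hexadecimal characters: the only digest form the operations above accept.
SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")
# Lengths of other common digests, used only to produce a precise error message.
OTHER_DIGEST_LENGTHS = {32: "MD5", 40: "SHA1", 128: "SHA512"}


def normalize_hash_list(hashes: Iterable[str]) -> List[str]:
    """Return lowercase, de-duplicated SHA256 hashes and reject anything else.

    Failing early matters because a rejected batch is easy to miss in a
    playbook that runs unattended.
    """
    seen = set()
    result: List[str] = []
    for raw in hashes:
        value = str(raw).strip()
        if not SHA256_RE.match(value):
            kind = OTHER_DIGEST_LENGTHS.get(len(value), "unknown digest type")
            raise ValueError(f"not a SHA256 hash ({kind}, {len(value)} chars): {value!r}")
        value = value.lower()
        if value not in seen:
            seen.add(value)
            result.append(value)
    return result


def parse_hash_list_param(param: str) -> List[str]:
    """Split the connector's Hash List string into individual hashes.

    Assumption: the string is comma- and/or whitespace-separated.
    """
    parts = [p for p in re.split(r"[,\s]+", param) if p]
    if not parts:
        raise ValueError("Hash List is empty")
    return normalize_hash_list(parts)


def build_hash_action_request(
    hashes: Iterable[str],
    comment: Optional[str] = None,
    incident_id: Optional[str] = None,
) -> Dict:
    """Build the request body for a Blacklist Files or Whitelist Files call.

    Assumption: the body follows the Cortex XDR public API convention of a
    'request_data' object holding 'hash_list', 'comment' and 'incident_id'.
    """
    request_data: Dict = {"hash_list": normalize_hash_list(hashes)}
    if comment:
        request_data["comment"] = comment
    if incident_id:
        request_data["incident_id"] = str(incident_id)
    return {"request_data": request_data}
```

The same `normalize_hash_list` call validates the single File Hash input of Quarantine Files; the error message names the digest type it actually received, which is usually all an analyst needs to find the upstream field that was mapped wrongly.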
Parameter | Description |
---|---|
Endpoint ID | Specify the string representing the endpoint ID whose associated files' quarantine status you want to retrieve from Palo Alto Cortex XDR. |
File Hash | Specify the string representing the hash value of the file whose quarantine status you want to retrieve from Palo Alto Cortex XDR. Note: The hash must be a valid SHA256 value. |
File Path | Specify the string representing the path of the file whose quarantine status you want to retrieve from Palo Alto Cortex XDR. |
The output contains the following populated JSON schema:
{
"reply": [
{
"endpoint_id": "",
"file_path": "",
"file_hash": "",
"status": ""
}
]
}
Parameter | Description |
---|---|
File Hash | Specify the string representing the hash value of the quarantined file that you want to restore on the specified endpoint on Palo Alto Cortex XDR. |
Endpoint ID | Specify the string representing the endpoint ID on which you want to restore the specified quarantined file. |
Incident ID | (Optional) Specify the ID of the incident related to the specified file hash to include the Restore Files action in the Cortex XDR Incident View Timeline tab. |
The output contains the following populated JSON schema:
{
"message": "",
"status": ""
}
Parameter | Description |
---|---|
Endpoint ID List | Specify the list of endpoint IDs whose associated files you want to retrieve from Palo Alto Cortex XDR. |
Files | Select the type of operating system from which you want to retrieve files from Palo Alto Cortex XDR. You can choose between Windows, Linux, or Macos. |
File Path | Specify the string representing the path of the file used to retrieve files from Palo Alto Cortex XDR. |
Distribution Name | Specify the string representing the name of the distribution list containing the files you want to retrieve from Palo Alto Cortex XDR. |
Group Name | Specify the string representing the name of the endpoint group containing the files you want to retrieve from Palo Alto Cortex XDR. |
Alias | Specify the string representing the alias of the endpoints whose associated files you want to retrieve from Palo Alto Cortex XDR. |
Hostname | Specify the string representing the name of the host of the endpoints whose associated files you want to retrieve from Palo Alto Cortex XDR. |
IP list | Specify the string representing the list of IP addresses containing the endpoints whose associated files you want to retrieve from Palo Alto Cortex XDR. |
Platform | Select the type of operating system that contains the endpoints whose associated files you want to retrieve from Palo Alto Cortex XDR. You can choose between Windows, Linux, Macos, or Android. |
Isolate | Select the isolation status of the endpoints whose associated files you want to retrieve from Palo Alto Cortex XDR. Select Isolated to retrieve endpoints that are isolated and Unisolated to retrieve endpoints that are unisolated. |
First Seen After | Select the DateTime using which you want to filter the endpoints, whose associated files you want to be retrieved by this operation to include only those endpoints that were first seen at the time specified or the time later than the time specified. |
Last Seen After | Select the DateTime using which you want to filter the endpoints, whose associated files you want to be retrieved by this operation to include only those endpoints that were last seen at the time specified or the time later than the time specified. |
First Seen Before | Select the DateTime using which you want to filter the endpoints, whose associated files you want to be retrieved by this operation to include only those endpoints that were first seen at the time specified or the time earlier than the time specified. |
Last Seen Before | Select the DateTime using which you want to filter the endpoints, whose associated files you want to be retrieved by this operation to include only those endpoints that were last seen at the time specified or the time earlier than the time specified. |
The output contains the following populated JSON schema:
{
"reply": {
"action_id": []
}
}
Parameter | Description |
---|---|
Action ID | Specify the action ID whose associated file details you want to retrieve from Palo Alto Cortex XDR. |
The output contains the following populated JSON schema:
{
"reply": {
"data": {}
}
}
The Sample - Palo Alto Cortex XDR - 1.1.0 playbook collection comes bundled with the Palo Alto Cortex XDR connector. These playbooks contain steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Palo Alto Cortex XDR connector.
Note: If you plan to use any of the sample playbooks in your environment, clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.
Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling incidents from Palo Alto Cortex XDR. Currently, "incidents" in Palo Alto Cortex XDR are mapped to "incidents" in FortiSOAR™. For more information on the Data Ingestion Wizard, see the "Connectors Guide" in the FortiSOAR™ product documentation.
You can configure data ingestion using the “Data Ingestion Wizard” to seamlessly map the incoming Palo Alto Cortex XDR "Incidents" to FortiSOAR™ "Incidents".
The Data Ingestion Wizard enables you to configure the scheduled pulling of data from Palo Alto Cortex XDR into FortiSOAR™. It also lets you pull some sample data from Palo Alto Cortex XDR using which you can define the mapping of data between Palo Alto Cortex XDR and FortiSOAR™. The mapping of common fields is generally already done by the Data Ingestion Wizard; users are mostly required to only map any custom fields that are added to the Palo Alto Cortex XDR incident.
["9834","7389"]. Additionally, you can filter incidents retrieved from Palo Alto Cortex XDR based on their Status, and also limit the number of incidents to be retrieved from Palo Alto Cortex XDR.
On the Field Mapping screen, map the fields of a Palo Alto Cortex XDR incident to the fields of an incident present in FortiSOAR™.
To map a field, click the key in the sample data to add the “jinja” value of the field. For example, to map the hosts parameter of a Palo Alto Cortex XDR incident to the Affected Host parameter of a FortiSOAR™ incident, click the Affected Host field and then click the hosts field to populate its keys:
For more information on field mapping, see the Data Ingestion chapter in the "Connectors Guide" in the FortiSOAR™ product documentation. Once you have completed the mapping of fields, click Save Mapping & Continue.
(Optional) Use the Scheduling screen to configure schedule-based ingestion, i.e., specify the polling frequency to Palo Alto Cortex XDR, so that the content gets pulled from the Palo Alto Cortex XDR integration into FortiSOAR™.
On the Scheduling screen, from the Do you want to schedule the ingestion? drop-down list, select Yes.
In the “Configure Schedule Settings” section, specify the Cron expression for the schedule. For example, if you want to pull data from Palo Alto Cortex XDR every morning at 5 am, click Daily, enter 5 in the hour box, and enter 0 in the minute box.
Once you have completed scheduling, click Save Settings & Continue.
The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks. Click Done to complete the data ingestion and exit the Data Ingestion Wizard.
The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™:
Function | Description | Annotation and Category |
---|---|---|
Fetch Incidents | Retrieves all incidents or specific incidents from Palo Alto Cortex XDR based on the input parameters specified. | fetch_incidents Investigation |
Get Incident Details | Retrieves details, including alerts and key artifacts, for a specific incident from Palo Alto Cortex XDR based on the incident ID and other input parameters specified. | get_incident_details Investigation |
Update Incident | Updates incident fields like severity, status, etc. of a specific incident in Palo Alto Cortex XDR based on the incident ID and other input parameters specified. | update_incident Investigation |
Insert CEF Alerts | Uploads alerts in the CEF format from external alert sources to Palo Alto Cortex XDR based on the list of alerts specified. Note: After you have mapped the CEF alert fields to Cortex XDR fields, Cortex XDR displays the alerts in related incidents and views. | insert_cef_alerts Investigation |
Insert Parsed Alerts | Uploads alerts in the Cortex XDR format from external alert sources to Palo Alto Cortex XDR based on the product, vendor, and other input parameters specified. Cortex XDR displays alerts that are parsed successfully in related incidents and views. | insert_parsed_alerts Investigation |
Isolate Endpoints | Isolates one or more endpoints in a single request on Palo Alto Cortex XDR based on the endpoint ID and other input parameters specified. | isolate_endpoints Investigation |
Unisolate Endpoints | Unisolates one or more endpoints in a single request on Palo Alto Cortex XDR based on the endpoint ID and other input parameters specified. | unisolate_endpoints Investigation |
Get All Endpoints | Retrieves a list of all your endpoints from Palo Alto Cortex XDR. | get_all_endpoints Investigation |
Get Endpoints | Retrieves a list of filtered endpoints from Palo Alto Cortex XDR based on the input parameters specified. | get_endpoints Investigation |
Scan Endpoints | Runs a scan on all endpoints or specified endpoints on Palo Alto Cortex XDR based on the list of endpoint IDs and other input parameters specified. | scan_endpoints Investigation |
Cancel Scan Endpoints | Cancels a scan on all endpoints or specified endpoints on Palo Alto Cortex XDR based on the list of endpoint IDs and other input parameters specified. | cancel_scan_endpoints Investigation |
Delete Endpoints | Deletes the specified endpoints from Palo Alto Cortex XDR based on the list of endpoint IDs specified. Note: You can delete up to 100 endpoints. | delete_endpoints Investigation |
Get Policy | Retrieves the policy for a specific endpoint from Palo Alto Cortex XDR based on the endpoint ID specified. | get_policy Investigation |
Get Device Violations | Retrieves a list of filtered device violations from Palo Alto Cortex XDR based on the input parameters specified. | get_device_violations Investigation |
Get Distribution Version | Retrieves a list of all the agent versions that are used for creating a distribution list from Palo Alto Cortex XDR. | get_distribution_version Investigation |
Create Distributions | Creates an installation package on Palo Alto Cortex XDR based on the distribution name and description, and the package type specified. | create_distributions Investigation |
Get Distribution Status | Checks and retrieves the status of an installation package from Palo Alto Cortex XDR based on the distribution ID specified. | get_distribution_status Investigation |
Get Distribution URL | Retrieves the distribution URL for downloading the installation package from Palo Alto Cortex XDR based on the distribution ID and package type specified. | get_distribution_url Investigation |
Get Audit Management Logs | Retrieves audit management logs from Palo Alto Cortex XDR based on the input parameters specified. | get_audit_management_log Investigation |
Get Audit Agent Report | Retrieves agent event reports from Palo Alto Cortex XDR based on the input parameters specified. | get_audit_agent_report Investigation |
Blacklist Files | Blacklists the specified files that have not already been blacklisted on Palo Alto Cortex XDR based on the list of file hash values and other input parameters specified. | blacklist_files Investigation |
Whitelist Files | Whitelists the specified files that have not already been whitelisted on Palo Alto Cortex XDR based on the list of file hash values and other input parameters specified. | whitelist_files Investigation |
Quarantine Files | Quarantines files on specified endpoints on Palo Alto Cortex XDR based on the list of endpoint IDs, the file path, and the file hash specified. | quarantine_files Investigation |
Get Quarantine Status | Retrieves the quarantine status for a specific file from Palo Alto Cortex XDR based on the endpoint ID, file path, and file hash specified. | get_quarantine_status Investigation |
Restore File | Restores a quarantined file on a specified endpoint on Palo Alto Cortex XDR based on the endpoint ID, file hash, and other input parameters specified. | restore_file Investigation |
Retrieve File | Retrieves a file from specific endpoints from Palo Alto Cortex XDR based on the list of endpoint IDs, file path, and other input parameters specified. Note: You can retrieve up to 20 files from a maximum of 100 endpoints. | retrieve_file Investigation |
Retrieve File Details | Retrieves details for a specific file from Palo Alto Cortex XDR based on the action ID specified. | retrieve_file_details Investigation |
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list (of incidents) is returned.
Parameter | Description |
---|---|
Incident ID List | Specify the list of incident IDs that you want to retrieve from Palo Alto Cortex XDR. Each item in the list must be an incident ID. For example, ["9834","7389"] |
Created After | Select the DateTime using which you want to filter the incidents retrieved by this operation to include only those incidents that were created at the time specified or the time later than the time specified. |
Created Before | Select the DateTime using which you want to filter the incidents retrieved by this operation to include only those incidents that were created at the time specified or the time earlier than the time specified. |
Modified After | Select the DateTime using which you want to filter the incidents retrieved by this operation to include only those incidents that were modified at the time specified or the time later than the time specified. |
Modified Before | Select the DateTime using which you want to filter the incidents retrieved by this operation to include only those incidents that were modified at the time specified or the time earlier than the time specified. |
Alert Sources | Specify the sources which detected the alert and whose associated incidents you want to retrieve from Palo Alto Cortex XDR. For example, ["XDR Agent"] |
Status | Select the status using which you want to filter the incidents retrieved by this operation. You can choose from options such as New, Resolved Known Issue, Resolved Auto, etc. |
Description | Specify the description of the incident you want to retrieve from Palo Alto Cortex XDR. |
Search From | Specify the integer representing the starting offset within the query result set from which you want this operation to return incidents from Palo Alto Cortex XDR. |
Search To | Specify the integer representing the end offset within the result set after which you do not want this operation to return incidents from Palo Alto Cortex XDR. |
Sort by Field | Select the field by which you want to sort the incidents retrieved by this operation. You can choose between creation_time or modification_time. |
Sort by Order | Select the order in which the incidents retrieved by this operation are sorted. You can choose between asc (ascending) or desc (descending). |
The output contains the following populated JSON schema:
{
"reply": {
"total_count": "",
"result_count": "",
"incidents": [
{
"incident_id": "",
"creation_time": "",
"modification_time": "",
"detection_time": "",
"status": "",
"severity": "",
"description": "",
"assigned_user_mail": "",
"assigned_user_pretty_name": "",
"alert_count": "",
"low_severity_alert_count": "",
"med_severity_alert_count": "",
"high_severity_alert_count": "",
"user_count": "",
"host_count": "",
"notes": "",
"resolve_comment": "",
"manual_severity": "",
"manual_description": "",
"xdr_url": "",
"starred": "",
"hosts": [],
"users": [],
"incident_sources": []
}
]
}
}
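The Fetch Incidents parameters above map onto three things a playbook has to get right: DateTime filters, which the Cortex XDR API expects as epoch milliseconds; a Search From/Search To window, which is an offset range rather than a page number; and a sort that must agree with the window or results are skipped or repeated between pulls. The following Python is an added example written for this page, not code from the FortiSOAR connector or from Palo Alto Networks. The filter field names and operators (`in`, `gte`, `lte`, `eq`, `contains`) and the `request_data` body shape are assumptions drawn from the Cortex XDR public API convention; the `post` callable is injected so the paging logic can be exercised offline, and the status value used in the usage below is a placeholder.

```python
from datetime import datetime, timezone
from typing import Callable, Dict, Iterator, List, Optional

SORT_FIELDS = ("creation_time", "modification_time")  # the two options listed on the page
SORT_ORDERS = ("asc", "desc")


def to_epoch_ms(value: str) -> int:
    """ISO 8601 DateTime -> epoch milliseconds; a value without a zone is taken as UTC."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return int(dt.timestamp() * 1000)


def build_fetch_incidents_request(
    incident_ids: Optional[List[str]] = None,
    created_after: Optional[str] = None,
    created_before: Optional[str] = None,
    modified_after: Optional[str] = None,
    modified_before: Optional[str] = None,
    alert_sources: Optional[List[str]] = None,
    status: Optional[str] = None,
    description: Optional[str] = None,
    search_from: int = 0,
    search_to: int = 100,
    sort_field: str = "creation_time",
    sort_order: str = "asc",
) -> Dict:
    """Translate the Fetch Incidents parameters into a request body.

    Assumption: field names and operators follow the Cortex XDR public API's
    'request_data.filters' convention; adjust them if your tenant differs.
    """
    if sort_field not in SORT_FIELDS:
        raise ValueError(f"sort_field must be one of {SORT_FIELDS}")
    if sort_order not in SORT_ORDERS:
        raise ValueError(f"sort_order must be one of {SORT_ORDERS}")
    if not 0 <= search_from < search_to:
        raise ValueError("search_from must be >= 0 and smaller than search_to")
    filters: List[Dict] = []
    if incident_ids:
        filters.append({"field": "incident_id_list", "operator": "in", "value": [str(i) for i in incident_ids]})
    for field, after, before in (("creation_time", created_after, created_before),
                                 ("modification_time", modified_after, modified_before)):
        if after:
            filters.append({"field": field, "operator": "gte", "value": to_epoch_ms(after)})
        if before:
            filters.append({"field": field, "operator": "lte", "value": to_epoch_ms(before)})
    if alert_sources:
        filters.append({"field": "alert_sources", "operator": "in", "value": list(alert_sources)})
    if status:
        filters.append({"field": "status", "operator": "eq", "value": status})
    if description:
        filters.append({"field": "description", "operator": "contains", "value": description})
    return {"request_data": {"filters": filters, "search_from": search_from, "search_to": search_to,
                             "sort": {"field": sort_field, "keyword": sort_order}}}


def iter_incidents(post: Callable[[Dict], Dict], page_size: int = 100, **criteria) -> Iterator[Dict]:
    """Yield every matching incident, advancing search_from/search_to one page at a time.

    `post` sends a body and returns the parsed JSON reply. Three stop conditions
    guard against an endless loop: an empty page, a short page, or the offset
    reaching the reply's total_count.
    """
    offset = 0
    while True:
        body = build_fetch_incidents_request(search_from=offset, search_to=offset + page_size, **criteria)
        reply = post(body).get("reply", {}) or {}
        page = list(reply.get("incidents", []) or [])
        for incident in page:
            yield incident
        offset += len(page)
        total = int(reply.get("total_count") or 0)
        if not page or len(page) < page_size or offset >= total:
            break
```

For scheduled ingestion, pass the previous run's high-water mark as `modified_after` and sort by `modification_time` ascending; a fixed Search From/Search To of 0-100 without that filter re-reads the same oldest incidents on every poll.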
Parameter | Description |
---|---|
Incident ID | Specify the ID of the incident whose details (including related alerts and key artifacts) you want to retrieve from Palo Alto Cortex XDR. |
Alerts Limit | (Optional) Specify the maximum number of alerts related to the specified incident you want to retrieve from Palo Alto Cortex XDR. By default, this is set to '1000'. |
The output contains the following populated JSON schema:
{
"reply": {
"incident": {
"incident_id": "",
"creation_time": "",
"modification_time": "",
"detection_time": "",
"status": "",
"severity": "",
"description": "",
"assigned_user_mail": "",
"assigned_user_pretty_name": "",
"alert_count": "",
"low_severity_alert_count": "",
"med_severity_alert_count": "",
"high_severity_alert_count": "",
"user_count": "",
"host_count": "",
"notes": "",
"resolve_comment": "",
"manual_severity": "",
"manual_description": "",
"xdr_url": "",
"starred": "",
"hosts": [],
"users": [],
"alert_sources": []
},
"alerts": {
"total_count": "",
"data": [
{
"alert_id": "",
"detection_timestamp": "",
"source": "",
"severity": "",
"name": "",
"category": "",
"action": "",
"action_pretty": "",
"endpoint_id": "",
"description": "",
"host_ip": "",
"host_name": "",
"user_name": "",
"event_type": "",
"actor_process_image_name": "",
"actor_process_command_line": "",
"fw_app_id": "",
"is_whitelisted": "",
"starred": ""
}
]
},
"network_artifacts": {
"total_count": "",
"data": [
{
"type": "",
"alert_count": "",
"is_manual": "",
"network_domain": "",
"network_remote_ip": "",
"network_remote_port": "",
"network_country": ""
}
]
},
"file_artifacts": {
"total_count": "",
"data": [
{
"type": "",
"alert_count": "",
"is_manual": "",
"is_malicious": "",
"is_process": "",
"file_name": "",
"file_sha256": "",
"file_signature_status": "",
"file_signature_vendor_name": "",
"file_wildfire_verdict": ""
}
]
}
}
}
Parameter | Description |
---|---|
Incident ID | Specify the ID of the incident whose details you want to update in Palo Alto Cortex XDR. |
Assigned User Mail | (Optional) Specify the email address of the assignee to whom you want to assign the specified incident in Palo Alto Cortex XDR. |
Assigned User Pretty Name | (Optional) Specify the full name of the assignee to whom you want to assign the specified incident in Palo Alto Cortex XDR. |
Manual Severity | (Optional) Select the severity level that you want to assign to the specified incident in Palo Alto Cortex XDR. You can choose from the following options: High, Medium, Low, Critical, or Informational. |
Status | (Optional) Select the status that you want to assign to the specified incident in Palo Alto Cortex XDR. You can choose from the following options: New, Under Investigation, Resolved Threat Handled, Resolved Known Issue, Resolved Duplicate, Resolved False Positive, or Resolved Other. |
Comment | (Optional) Select this option if you want to include a comment that explains the updates made to the specified incident. If you select this option, then you must specify the following parameter: |
Resolve Comment | (Optional) Add a descriptive comment that explains the updates made to the specified incident. |
The output contains the following populated JSON schema:
{
"message": "",
"status": ""
}
Parameter | Description |
---|---|
Alerts | Specify a comma-separated list of alerts in the CEF format that you want to add (upload) to Palo Alto Cortex XDR. |
The output contains the following populated JSON schema:
{
"reply": ""
}
Note: Values that you specify in the following input parameters are used to upload alerts to Palo Alto Cortex XDR.
Parameter | Description |
---|---|
Alert Name | Specify the string defining the name of the alert that you want to upload to Palo Alto Cortex XDR. |
Product | Specify the string value that defines the product related to the alert that you want to upload to Palo Alto Cortex XDR. For example, VPN & Firewall-1 |
Vendor | Specify the string value that defines the vendor related to the alert that you want to upload to Palo Alto Cortex XDR. For example, Check Point |
Local Port | Specify the integer value for the source port related to the alert that you want to upload to Palo Alto Cortex XDR. |
Remote IP | Specify the string value of the destination IP address related to the alert that you want to upload to Palo Alto Cortex XDR. |
Remote Port | Specify the integer value for the destination port related to the alert that you want to upload to Palo Alto Cortex XDR. |
Local IP | (Optional) Specify the string value for the source IP address related to the alert that you want to upload to Palo Alto Cortex XDR. |
Event Timestamp | (Optional) Select the occurrence DateTime of the alert that you want to upload to Palo Alto Cortex XDR. |
Severity | (Optional) Select the severity of the alert that you want to upload to Palo Alto Cortex XDR. You can choose from the following options: Informational, High, Medium, Low, or Unknown. |
Alert Description | (Optional) Specify the string value that contains the description of the alert that you want to upload to Palo Alto Cortex XDR. |
Action Status | (Optional) Specify the string value that defines the action status of the alert that you want to upload to Palo Alto Cortex XDR. |
The output contains the following populated JSON schema:
{
"reply": ""
}
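Insert Parsed Alerts is the one operation on this page where FortiSOAR writes detections into Cortex XDR, so bad input pollutes the analysts' incident view rather than just failing a playbook. The following Python is an added example written for this page, not code from the FortiSOAR connector or from Palo Alto Networks. It validates each of the parameters in the table above (required name/product/vendor, IPv4/IPv6 addresses, port range, the severity options listed on the page) and assembles the batch. The snake_case field names and the `request_data.alerts` body shape are assumed from the Cortex XDR parsed-alert convention, and the 60-alert batch cap is an assumption to confirm against your tenant's API limits.

```python
import ipaddress
from datetime import datetime
from typing import Dict, List, Optional

SEVERITIES = ("Informational", "High", "Medium", "Low", "Unknown")  # options listed on the page
MAX_ALERTS_PER_REQUEST = 60  # assumption: per-request cap; confirm against your tenant's API limits


def _check_ip(value, name: str) -> str:
    """Accept IPv4 or IPv6, normalised; anything else is rejected with the field name."""
    try:
        return str(ipaddress.ip_address(str(value).strip()))
    except ValueError:
        raise ValueError(f"{name} is not a valid IPv4/IPv6 address: {value!r}")


def _check_port(value, name: str) -> int:
    port = int(value)
    if not 0 <= port <= 65535:
        raise ValueError(f"{name} must be between 0 and 65535, got {port}")
    return port


def build_parsed_alert(
    alert_name: str, product: str, vendor: str,
    remote_ip: str, remote_port, local_port,
    local_ip: Optional[str] = None,
    event_timestamp: Optional[datetime] = None,
    severity: Optional[str] = None,
    alert_description: Optional[str] = None,
    action_status: Optional[str] = None,
) -> Dict:
    """One alert record for Insert Parsed Alerts, validated before it leaves the playbook.

    Assumption: keys follow the Cortex XDR parsed-alert field names, with
    event_timestamp sent as epoch milliseconds.
    """
    for name, value in (("alert_name", alert_name), ("product", product), ("vendor", vendor)):
        if not value or not str(value).strip():
            raise ValueError(f"{name} is required")
    alert: Dict = {
        "alert_name": alert_name,
        "product": product,
        "vendor": vendor,
        "remote_ip": _check_ip(remote_ip, "remote_ip"),
        "remote_port": _check_port(remote_port, "remote_port"),
        "local_port": _check_port(local_port, "local_port"),
    }
    if local_ip:
        alert["local_ip"] = _check_ip(local_ip, "local_ip")
    if event_timestamp is not None:
        alert["event_timestamp"] = int(event_timestamp.timestamp() * 1000)
    if severity is not None:
        if severity not in SEVERITIES:
            raise ValueError(f"severity must be one of {SEVERITIES}, got {severity!r}")
        alert["severity"] = severity
    if alert_description:
        alert["alert_description"] = alert_description
    if action_status:
        alert["action_status"] = action_status
    return alert


def build_insert_parsed_alerts_request(alerts: List[Dict]) -> Dict:
    """Wrap validated alerts in a single request body, refusing oversized batches."""
    if not alerts:
        raise ValueError("at least one alert is required")
    if len(alerts) > MAX_ALERTS_PER_REQUEST:
        raise ValueError(f"split the batch: {len(alerts)} alerts exceed {MAX_ALERTS_PER_REQUEST} per request")
    return {"request_data": {"alerts": alerts}}
```

The sample values in the usage below (product, vendor, addresses) are constructed; the product and vendor strings echo the examples in the table above.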
Parameter | Description |
---|---|
Unisolate Endpoint | Select whether you want to isolate one endpoint or multiple endpoints. |
Incident ID | (Optional) Specify the ID of the incident to include the Isolate Endpoints action in the Cortex XDR Incident View Timeline tab. |
The output contains the following populated JSON schema:
{
"reply": {
"action_id": []
}
}
Parameter | Description |
---|---|
Isolate Endpoint | Select whether you want to unisolate one endpoint or multiple endpoints. |
Incident ID | (Optional) Specify the ID of the incident to include the Unisolate Endpoints action in the Cortex XDR Incident View Timeline tab. |
The output contains the following populated JSON schema:
{
"reply": {
"action_id": []
}
}
None.
The output contains the following populated JSON schema:
{
"reply": [
{
"agent_type": "",
"agent_id": "",
"host_name": "",
"agent_status": "",
"ip": ""
}
]
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list (of endpoints) is returned.
Parameter | Description |
---|---|
Endpoint ID List | Specify the list of endpoint IDs that you want to retrieve from Palo Alto Cortex XDR. |
Distribution Name | Specify the name of the distribution list or installation package name containing the endpoints to be retrieved from Palo Alto Cortex XDR. |
Group Name | Specify the name of the group containing the endpoints to be retrieved from Palo Alto Cortex XDR. |
Alias | Specify the alias of the endpoints to be retrieved from Palo Alto Cortex XDR. |
Hostname | Specify the name of the host of the endpoints to be retrieved from Palo Alto Cortex XDR. |
Username | Specify the name of the user associated with the endpoints to be retrieved from Palo Alto Cortex XDR. |
Endpoint Status | Select the status of the endpoints to be retrieved from Palo Alto Cortex XDR. You can choose between Connected, Disconnected, Lost, or Uninstalled. |
IP list | Specify the list of IP addresses containing the endpoints to be retrieved from Palo Alto Cortex XDR. |
Platform | Select the type of operating system that contains the endpoints to be retrieved from Palo Alto Cortex XDR. You can choose between Windows, Linux, Macos, or Android. |
Isolate | Select the isolation status of the endpoints to be retrieved from Palo Alto Cortex XDR. Select Isolated to retrieve endpoints that are isolated and Unisolated to retrieve endpoints that are unisolated. |
Scan Status | Select the scan status of endpoints to be retrieved from Palo Alto Cortex XDR. You can choose between None, Pending, In Progress, Cancelled, Aborted, Pending Cancellation, Success, or Error. |
First Seen After | Select the DateTime used to filter the endpoints retrieved by this operation to include only those endpoints that were first seen at or after the time specified. |
First Seen Before | Select the DateTime used to filter the endpoints retrieved by this operation to include only those endpoints that were first seen at or before the time specified. |
Last Seen After | Select the DateTime used to filter the endpoints retrieved by this operation to include only those endpoints that were last seen at or after the time specified. |
Last Seen Before | Select the DateTime used to filter the endpoints retrieved by this operation to include only those endpoints that were last seen at or before the time specified. |
Search From | Specify the integer representing the starting offset within the query result set from which you want this operation to return endpoints from Palo Alto Cortex XDR. |
Search To | Specify the integer representing the end offset within the result set after which you do not want this operation to return endpoints from Palo Alto Cortex XDR. |
Sort by Field | Select the field by which you want to sort the endpoints retrieved by this operation. You can choose between first_seen or last_seen. |
Sort by Order | Select the order in which the endpoints retrieved by this operation are sorted. You can choose between asc (ascending) or desc (descending). |
The output contains the following populated JSON schema:
{
"reply": {
"result_count": "",
"endpoints": [
{
"endpoint_id": "",
"endpoint_name": "",
"endpoint_type": "",
"endpoint_status": "",
"os_type": "",
"ip": "",
"users": [
""
],
"domain": "",
"alias": "",
"first_seen": "",
"last_seen": "",
"content_version": "",
"installation_package": "",
"active_directory": "",
"install_date": "",
"endpoint_version": "",
"is_isolated": "",
"group_name": ""
}
]
}
}
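The endpoint filter parameters above map onto one query body: each populated parameter becomes a filter clause, empty parameters add no filter, the "after"/"before" DateTimes become inclusive lower and upper bounds, and Search From/Search To delimit an offset window within the result set. The following Python is an added example, not code from the FortiSOAR connector; the `request_data`/`filters` body shape, the filter field names, the `in`/`gte`/`lte` operators and the use of epoch milliseconds for timestamps are assumptions about the Cortex XDR public API, and the function names are hypothetical.

```python
"""Build a Cortex XDR endpoint query body from the connector's filter parameters.

Added example; the request shape below is an assumption about the Cortex XDR
public API, not taken from the connector documentation.
"""
from datetime import datetime, timezone

# Parameters from the "get endpoints" table that take a list of values, mapped
# to the filter field names assumed for the API (hypothetical mapping).
_LIST_FIELDS = {
    "endpoint_id_list": "endpoint_id_list",
    "distribution_name": "dist_name",
    "group_name": "group_name",
    "alias": "alias",
    "hostname": "hostname",
    "username": "username",
    "endpoint_status": "endpoint_status",
    "ip_list": "ip_list",
    "platform": "platform",
    "isolate": "isolate",
    "scan_status": "scan_status",
}

# DateTime parameters: "after" is an inclusive lower bound (gte),
# "before" an inclusive upper bound (lte), as the table describes.
_TIME_FIELDS = {
    "first_seen_after": ("first_seen", "gte"),
    "first_seen_before": ("first_seen", "lte"),
    "last_seen_after": ("last_seen", "gte"),
    "last_seen_before": ("last_seen", "lte"),
}


def to_epoch_ms(value):
    """Convert an ISO 8601 string or datetime to epoch milliseconds.

    Naive datetimes are treated as UTC so a playbook running in a different
    time zone cannot silently shift the filter window.
    """
    dt = datetime.fromisoformat(value) if isinstance(value, str) else value
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return int(dt.timestamp() * 1000)


def _as_list(value):
    """Accept a real list or the comma-separated string a playbook field may carry."""
    if isinstance(value, list):
        return [str(v).strip() for v in value if str(v).strip()]
    return [v.strip() for v in str(value).split(",") if v.strip()]


def build_endpoint_query(params, search_from=0, search_to=100,
                         sort_field="last_seen", sort_order="desc"):
    """Return the query body for the given filter parameters.

    `params` uses the table's parameter names in snake_case; values that are
    None, "" or [] are skipped, so an empty form yields an unfiltered query.
    """
    if not 0 <= search_from < search_to:
        raise ValueError("search_from must be >= 0 and less than search_to")
    if sort_field not in ("first_seen", "last_seen"):
        raise ValueError("sort_field must be first_seen or last_seen")
    if sort_order not in ("asc", "desc"):
        raise ValueError("sort_order must be asc or desc")

    filters = []
    for key, value in params.items():
        if value in (None, "", []):
            continue  # optional parameter left empty: no filter criterion
        if key in _LIST_FIELDS:
            filters.append({"field": _LIST_FIELDS[key], "operator": "in",
                            "value": _as_list(value)})
        elif key in _TIME_FIELDS:
            field, operator = _TIME_FIELDS[key]
            filters.append({"field": field, "operator": operator,
                            "value": to_epoch_ms(value)})
        else:
            raise KeyError(f"unknown filter parameter: {key}")

    return {"request_data": {
        "filters": filters,
        "search_from": search_from,
        "search_to": search_to,
        "sort": {"field": sort_field, "keyword": sort_order},
    }}


def offset_windows(total, page_size):
    """Yield (search_from, search_to) pairs that page through `total` results."""
    start = 0
    while start < total:
        yield start, min(start + page_size, total)
        start += page_size


if __name__ == "__main__":
    # Constructed sample input: two hostnames and a first-seen lower bound.
    body = build_endpoint_query(
        {"hostname": "ws-001, ws-002", "endpoint_status": ["connected"],
         "first_seen_after": "2024-01-01T00:00:00+00:00", "alias": ""},
        search_from=0, search_to=50, sort_field="first_seen", sort_order="asc")
    print(body)
    print(list(offset_windows(250, 100)))
```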
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list (of endpoints) is used for this operation.
Parameter | Description |
---|---|
Endpoint ID List | Specify the list of endpoint IDs that you want to scan on Palo Alto Cortex XDR. |
Distribution Name | Specify the name of the distribution list containing the endpoints that you want to scan on Palo Alto Cortex XDR. |
Group Name | Specify the name of the group containing the endpoints that you want to scan on Palo Alto Cortex XDR. |
Alias | Specify the alias of the endpoints to be scanned on Palo Alto Cortex XDR. |
Hostname | Specify the name of the host of the endpoints to be scanned on Palo Alto Cortex XDR. |
Username | Specify the name of the user associated with the endpoints to be scanned on Palo Alto Cortex XDR. |
IP List | Specify the list of IP addresses containing the endpoints to be scanned on Palo Alto Cortex XDR. |
Platform | Select the type of operating system that contains the endpoints to be scanned on Palo Alto Cortex XDR. You can choose between Windows, Linux, Macos, or Android. |
Isolate | Select the isolation status of the endpoints to be scanned on Palo Alto Cortex XDR. Select Isolated to retrieve endpoints that are isolated and Unisolated to retrieve endpoints that are unisolated. |
Scan Status | Select the scan status of endpoints to be scanned on Palo Alto Cortex XDR. You can choose between None, Pending, In Progress, Cancelled, Aborted, Pending Cancellation, Success, or Error. |
First Seen After | Select the DateTime used to filter the endpoints scanned by this operation to include only those endpoints that were first seen at or after the time specified. |
First Seen Before | Select the DateTime used to filter the endpoints scanned by this operation to include only those endpoints that were first seen at or before the time specified. |
Last Seen After | Select the DateTime used to filter the endpoints scanned by this operation to include only those endpoints that were last seen at or after the time specified. |
Last Seen Before | Select the DateTime used to filter the endpoints scanned by this operation to include only those endpoints that were last seen at or before the time specified. |
Incident ID | Specify the ID of the incident to include the Scan Endpoints action in the Cortex XDR Incident ViewTimeline tab. |
The output contains the following populated JSON schema:
{
"reply": {
"action_id": []
}
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list (of endpoints) is used for this operation.
Parameter | Description |
---|---|
Endpoint ID List | Specify the list of endpoint IDs whose scan you want to cancel on Palo Alto Cortex XDR. |
Distribution Name | Specify the name of the distribution list containing the endpoints whose scan you want to cancel on Palo Alto Cortex XDR. |
Group Name | Specify the name of the group containing the endpoints whose scan you want to cancel on Palo Alto Cortex XDR. |
Alias | Specify the alias of the endpoints whose scan you want to cancel on Palo Alto Cortex XDR. |
Hostname | Specify the name of the host of the endpoints whose scan you want to cancel on Palo Alto Cortex XDR. |
Username | Specify the name of the user associated with the endpoints whose scan you want to cancel on Palo Alto Cortex XDR. |
IP List | Specify the list of IP addresses containing the endpoints whose scan you want to cancel on Palo Alto Cortex XDR. |
Platform | Select the type of operating system that contains the endpoints whose scan you want to cancel on Palo Alto Cortex XDR. You can choose between Windows, Linux, Macos, or Android. |
Isolate | Select the isolation status of the endpoints whose scan you want to cancel on Palo Alto Cortex XDR. Select Isolated to retrieve endpoints that are isolated and Unisolated to retrieve endpoints that are unisolated. |
Scan Status | Select the scan status of endpoints whose scan you want to cancel on Palo Alto Cortex XDR. You can choose between None, Pending, In Progress, Cancelled, Aborted, Pending Cancellation, Success, or Error. |
First Seen After | Select the DateTime used to filter the endpoints affected by this operation to include only those endpoints that were first seen at or after the time specified. |
First Seen Before | Select the DateTime used to filter the endpoints affected by this operation to include only those endpoints that were first seen at or before the time specified. |
Last Seen After | Select the DateTime used to filter the endpoints affected by this operation to include only those endpoints that were last seen at or after the time specified. |
Last Seen Before | Select the DateTime used to filter the endpoints affected by this operation to include only those endpoints that were last seen at or before the time specified. |
Incident ID | Specify the ID of the incident to include the Cancel Scan Endpoints action in the Cortex XDR Incident ViewTimeline tab. |
The output contains the following populated JSON schema:
{
"reply": ""
}
Parameter | Description |
---|---|
Endpoint ID List | Specify a list of endpoint IDs that you want to delete from the Palo Alto Cortex XDR app. |
The output contains the following populated JSON schema:
{
"reply": ""
}
Parameter | Description |
---|---|
Endpoint ID | Specify a string that represents the endpoint ID for which you want to retrieve the policy from Palo Alto Cortex XDR. For example, 51588e4ce9214c63b39d054bd073b93a |
The output contains the following populated JSON schema:
{
"reply": {
"policy_name": ""
}
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list (of device violations) is returned.
Parameter | Description |
---|---|
Endpoint ID List | Specify the list of endpoint IDs based on which you want to retrieve violations from Palo Alto Cortex XDR. |
Vendor | Specify the string value that defines the vendor whose associated violations are to be retrieved from Palo Alto Cortex XDR. For example, Check Point |
Vendor ID | Specify the string value that defines the vendor ID whose associated violations are to be retrieved from Palo Alto Cortex XDR. For example, 0x0999 |
Product | Specify the string value that defines the product whose associated violations are to be retrieved from Palo Alto Cortex XDR. For example, VPN & Firewall-1 |
Product ID | Specify the string value that defines the product ID whose associated violations are to be retrieved from Palo Alto Cortex XDR. For example, 0x10036 |
Serial | Specify the string value that defines the serial number whose associated violations are to be retrieved from Palo Alto Cortex XDR. For example, 8888889 |
Hostname | Specify the name of the host whose associated violations are to be retrieved from Palo Alto Cortex XDR. |
Username | Specify the name of the user whose associated violations are to be retrieved from Palo Alto Cortex XDR. |
Type | Select the type of violations that are to be retrieved from Palo Alto Cortex XDR. You can choose between CD ROM, Disk Drive, Floppy Disk, or Portable Device. |
IP List | Specify the list of IP addresses whose associated violations are to be retrieved from Palo Alto Cortex XDR. |
Violations ID List | Specify the list of violation IDs that you want to retrieve from Palo Alto Cortex XDR. |
Timestamp After | Select the DateTime from which you want to retrieve violations from Palo Alto Cortex XDR. This operation retrieves all violations whose timestamp matches the time specified or is later than the time specified. |
Timestamp Before | Select the DateTime up to which you want to retrieve violations from Palo Alto Cortex XDR. This operation retrieves all violations whose timestamp matches the time specified or is earlier than the time specified. |
Search From | Specify the integer representing the starting offset within the query result set from which you want this operation to return violations from Palo Alto Cortex XDR. |
Search To | Specify the integer representing the end offset within the result set after which you do not want this operation to return violations from Palo Alto Cortex XDR. |
Sort by Field | Select the field by which you want to sort the violations retrieved by this operation. You can choose from options such as serial, product, username, etc. |
Sort by Order | Select the order in which the violations retrieved by this operation are sorted. You can choose between asc (ascending) or desc (descending). |
The output contains the following populated JSON schema:
{
"reply": {
"result_count": "",
"violations": [
{
"hostname": "",
"username": "",
"ip": "",
"timestamp": "",
"violation_id": "",
"type": "",
"vendor_id": "",
"vendor": "",
"product_id": "",
"product": "",
"serial": "",
"endpoint_id": ""
}
]
}
}
None.
The output contains the following populated JSON schema:
{
"reply": {
"macos": [],
"linux": [],
"windows": []
}
}
Parameter | Description |
---|---|
Name | Specify the string representing the name of the installation package that you want to create on Palo Alto Cortex XDR. |
Package Type | Select the type of installation package that you want to create on Palo Alto Cortex XDR. You can choose from the following types: Standalone or Upgrade. |
Description | Specify the string containing descriptive information about the installation package. |
The output contains the following populated JSON schema:
{
"reply": {
"distribution_id": ""
}
}
Parameter | Description |
---|---|
Distribution ID | Specify the string representing the ID of the installation package whose status you want to retrieve from Palo Alto Cortex XDR. |
The output contains the following populated JSON schema:
{
"reply": {
"status": ""
}
}
Parameter | Description |
---|---|
Distribution ID | Specify the string representing the ID of the installation package whose distribution URL you want to retrieve from Palo Alto Cortex XDR. |
Package Type | Select the type of installation package whose distribution URL you want to retrieve from Palo Alto Cortex XDR. You can choose from the following options: sh-For Linux, rpm-For Linux, deb-For Linux, pkg-For Mac, x86-For Windows, or x64-For Windows. |
The output contains the following populated JSON schema:
{
"reply": {
"distribution_url": ""
}
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list (of audit management logs) is returned.
Parameter | Description |
---|---|
 | Specify the email address of the user whose audit management logs you want to retrieve from Palo Alto Cortex XDR. |
Type | Specify the type of audit management logs you want to retrieve from Palo Alto Cortex XDR. |
Sub Type | Specify the sub-type of the audit management logs you want to retrieve from Palo Alto Cortex XDR. |
Result | Specify the result of the audit log using which you want to filter the audit management logs retrieved from Palo Alto Cortex XDR. For example, SUCCESS. |
Timestamp After | Select the DateTime from which you want to retrieve audit management logs from Palo Alto Cortex XDR. This operation retrieves all audit management logs whose timestamp matches the time specified or is later than the time specified. |
Timestamp Before | Select the DateTime up to which you want to retrieve audit management logs from Palo Alto Cortex XDR. This operation retrieves all audit management logs whose timestamp matches the time specified or is earlier than the time specified. |
Search From | Specify an integer representing the starting offset within the query result set from which you want management logs returned. |
Search To | Specify an integer representing the end offset within the result set after which you do not want management logs returned. |
Sort by Field | Select the field by which you want to sort the audit management logs retrieved by this operation. You can choose between type, sub-type, or result. |
Sort by Order | Select the order in which the audit management logs retrieved by this operation are sorted. You can choose between asc (ascending) or desc (descending). |
The output contains the following populated JSON schema:
{
"reply": {
"data": [
{
"AUDIT_DESCRIPTION": "",
"AUDIT_HOSTNAME": "",
"AUDIT_SESSION_ID": "",
"AUDIT_ASSET_JSON": "",
"AUDIT_REASON": "",
"AUDIT_RESULT": "",
"AUDIT_OWNER_EMAIL": "",
"AUDIT_ENTITY": "",
"AUDIT_ASSET_NAMES": "",
"AUDIT_ID": "",
"AUDIT_ENTITY_SUBTYPE": "",
"AUDIT_CASE_ID": "",
"AUDIT_OWNER_NAME": "",
"AUDIT_INSERT_TIME": ""
}
],
"result_count": ""
}
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list (of audit agent reports) is returned.
Parameter | Description |
---|---|
Endpoint ID | Specify the string representing the ID of the endpoint whose associated audit agent reports you want to retrieve from Palo Alto Cortex XDR. |
Endpoint Name | Specify the string representing the name of the endpoint whose associated audit agent reports you want to retrieve from Palo Alto Cortex XDR. |
Type | Specify the type of audit agent reports you want to retrieve from Palo Alto Cortex XDR. For example, Agent Status |
Sub Type | Specify the sub-type of the audit agent reports you want to retrieve from Palo Alto Cortex XDR. For example, Fully Protected |
Result | Specify the result of the agent report using which you want to filter the audit agent reports retrieved from Palo Alto Cortex XDR. For example, SUCCESS |
Domain | Specify the domain of the agent whose audit agent reports you want to retrieve from Palo Alto Cortex XDR. For example, WORKGROUP |
xdr_version | Specify the XDR version for which you want to retrieve audit agent reports from Palo Alto Cortex XDR. |
Category | Select the type of event category of the audit agent reports you want to retrieve from Palo Alto Cortex XDR. You can choose from the following options: Status, Audit, or Monitoring. |
Timestamp After | Select the DateTime of the report from which you want to retrieve audit agent reports from Palo Alto Cortex XDR. This operation retrieves all audit agent reports whose timestamp matches the time specified or is later than the time specified. |
Timestamp Before | Select the DateTime of the report up to which you want to retrieve audit agent reports from Palo Alto Cortex XDR. This operation retrieves all audit agent reports whose timestamp matches the time specified or is earlier than the time specified. |
Search From | Specify an integer representing the starting offset within the query result set from which you want this operation to return audit agent reports from Palo Alto Cortex XDR. |
Search To | Specify an integer representing the end offset within the result set after which you do not want this operation to return audit agent reports from Palo Alto Cortex XDR. |
Sort by Field | Select the field by which you want to sort the audit agent reports retrieved by this operation. You can choose between type, category, trapsversion, timestamp, or domain. |
Sort by Order | Select the order in which the audit agent reports retrieved by this operation are sorted. You can choose between asc (ascending) or desc (descending). |
The output contains the following populated JSON schema:
{
"reply": {
"data": [
{
"RESULT": "",
"REASON": "",
"SUBTYPE": "",
"CATEGORY": "",
"DOMAIN": "",
"TRAPSVERSION": "",
"RECEIVEDTIME": "",
"TIMESTAMP": "",
"DESCRIPTION": "",
"ENDPOINTNAME": "",
"ENDPOINTID": "",
"TYPE": ""
}
],
"result_count": ""
}
}
Parameter | Description |
---|---|
Hash List | Specify a string that represents a list of file hash values you want to blacklist on Palo Alto Cortex XDR. Note: Hash must be a valid SHA256 value. |
Comment | (Optional) Specify a string containing descriptive information about this action. |
Incident ID | (Optional) Specify the ID of the incident related to the specified file hash to include the Blacklist Files action in the Cortex XDR Incident ViewTimeline tab. |
The output contains the following populated JSON schema:
{
"reply": ""
}
Parameter | Description |
---|---|
Hash List | Specify a string that represents a list of file hash values you want to whitelist on Palo Alto Cortex XDR. Note: The hash must be a valid SHA256 value. |
Comment | (Optional) Specify a string containing descriptive information about this action. |
Incident ID | (Optional) Specify the ID of the incident related to the specified file hash to include the Whitelist Files action in the Cortex XDR Incident ViewTimeline tab. |
The output contains the following populated JSON schema:
{
"reply": ""
}
Parameter | Description |
---|---|
Endpoint ID List | Specify a list of endpoint IDs representing the endpoints on which you want to quarantine files on Palo Alto Cortex XDR. |
File Path | Specify the string representing the path of the file you want to quarantine on the specified endpoints on Palo Alto Cortex XDR. |
File Hash | Specify the string representing the hash value of the file you want to quarantine on the specified endpoints on Palo Alto Cortex XDR. Note: The hash must be a valid SHA256 value. |
The output contains the following populated JSON schema:
{
"reply": {
"action_id": []
}
}
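The Blacklist Files, Whitelist Files and Quarantine Files operations all require hashes to be valid SHA256 values, and a playbook field typically carries them as a comma-separated string. The following Python is an added example, not part of the connector: it normalizes and validates a hash list before it is sent, rejecting MD5/SHA1 or malformed values so a bad entry fails in the playbook rather than at the server. The `request_data`/`hash_list`/`comment`/`incident_id` body shape is an assumption about the Cortex XDR API, and the function names are hypothetical.

```python
"""Validate a SHA256 hash list for the blacklist/whitelist/quarantine actions.

Added example; the request body shape is an assumption, not taken from the
connector documentation.
"""
import re

# SHA256 hex digest: exactly 64 hexadecimal characters.
_SHA256_RE = re.compile(r"[0-9a-f]{64}")


def normalize_sha256_list(hash_list):
    """Return a de-duplicated, lower-cased list of valid SHA256 hashes.

    Accepts a list or a comma/whitespace-separated string. Raises ValueError
    naming every offending entry, so the playbook can surface all of them.
    """
    raw = hash_list if isinstance(hash_list, list) else re.split(r"[,\s]+", str(hash_list))
    cleaned, bad = [], []
    for entry in raw:
        h = str(entry).strip().lower()
        if not h:
            continue
        if _SHA256_RE.fullmatch(h):
            if h not in cleaned:  # drop duplicates, keep first-seen order
                cleaned.append(h)
        else:
            bad.append(h)
    if bad:
        raise ValueError(f"not valid SHA256 hashes (64 hex characters): {bad}")
    if not cleaned:
        raise ValueError("hash list is empty")
    return cleaned


def build_hash_action_body(hash_list, comment=None, incident_id=None):
    """Build the body for a hash-based action (hypothetical request shape)."""
    body = {"hash_list": normalize_sha256_list(hash_list)}
    if comment:
        body["comment"] = comment
    if incident_id:
        body["incident_id"] = str(incident_id)
    return {"request_data": body}


if __name__ == "__main__":
    # Constructed sample: SHA256 of the empty input, once upper-cased, plus a duplicate.
    empty_sha256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
    print(build_hash_action_body(f"{empty_sha256.upper()}, {empty_sha256}",
                                 comment="added by playbook", incident_id=9834))
```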
Parameter | Description |
---|---|
Endpoint ID | Specify the string representing the endpoint ID whose associated files' quarantine status you want to retrieve from Palo Alto Cortex XDR. |
File Hash | Specify the string representing the hash value of the file whose quarantine status you want to retrieve from Palo Alto Cortex XDR. Note: The hash must be a valid SHA256 value. |
File Path | Specify the string representing the path of the file whose quarantine status you want to retrieve from Palo Alto Cortex XDR. |
The output contains the following populated JSON schema:
{
"reply": [
{
"endpoint_id": "",
"file_path": "",
"file_hash": "",
"status": ""
}
]
}
Parameter | Description |
---|---|
File Hash | Specify the string representing the hash value of the quarantined file that you want to restore on the specified endpoint on Palo Alto Cortex XDR. |
Endpoint ID | Specify the string representing the endpoint ID on which you want to restore the specified quarantined file. |
Incident ID | (Optional) Specify the ID of the incident related to the specified file hash to include the Restore Files action in the Cortex XDR Incident ViewTimeline tab. |
The output contains the following populated JSON schema:
{
"message": "",
"status": ""
}
Parameter | Description |
---|---|
Endpoint ID List | Specify the list of endpoint IDs whose associated files you want to retrieve from Palo Alto Cortex XDR. |
Files | Select the type of operating system from which you want to retrieve files from Palo Alto Cortex XDR. You can choose between Windows, Linux, or Macos. |
File Path | Specify the string representing the path of the file used to retrieve files from Palo Alto Cortex XDR. |
Distribution Name | Specify the string representing the name of the distribution list containing the files you want to retrieve from Palo Alto Cortex XDR. |
Group Name | Specify the string representing the name of the endpoint group containing the files you want to retrieve from Palo Alto Cortex XDR. |
Alias | Specify the string representing the alias of the endpoints whose associated files you want to retrieve from Palo Alto Cortex XDR. |
Hostname | Specify the string representing the name of the host of the endpoints whose associated files you want to retrieve from Palo Alto Cortex XDR. |
IP list | Specify the string representing the list of IP addresses containing the endpoints whose associated files you want to retrieve from Palo Alto Cortex XDR. |
Platform | Select the type of operating system that contains the endpoints whose associated files you want to retrieve from Palo Alto Cortex XDR. You can choose between Windows, Linux, Macos, or Android. |
Isolate | Select the isolation status of the endpoints whose associated files you want to retrieve from Palo Alto Cortex XDR. Select Isolated to retrieve endpoints that are isolated and Unisolated to retrieve endpoints that are unisolated. |
First Seen After | Select the DateTime used to filter the endpoints whose associated files are retrieved by this operation, to include only those endpoints that were first seen at or after the time specified. |
Last Seen After | Select the DateTime used to filter the endpoints whose associated files are retrieved by this operation, to include only those endpoints that were last seen at or after the time specified. |
First Seen Before | Select the DateTime used to filter the endpoints whose associated files are retrieved by this operation, to include only those endpoints that were first seen at or before the time specified. |
Last Seen Before | Select the DateTime used to filter the endpoints whose associated files are retrieved by this operation, to include only those endpoints that were last seen at or before the time specified. |
The output contains the following populated JSON schema:
{
"reply": {
"action_id": []
}
}
Parameter | Description |
---|---|
Action ID | Specify the action ID whose associated file details you want to retrieve from Palo Alto Cortex XDR. |
The output contains the following populated JSON schema:
{
"reply": {
"data": {}
}
}
The Sample - Palo Alto Cortex XDR - 1.1.0 playbook collection comes bundled with the Palo Alto Cortex XDR connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Palo Alto Cortex XDR connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted when the connector is upgraded or deleted.
Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling incidents from Palo Alto Cortex XDR. Currently, "incidents" in Palo Alto Cortex XDR are mapped to "incidents" in FortiSOAR™. For more information on the Data Ingestion Wizard, see the "Connectors Guide" in the FortiSOAR™ product documentation.
You can configure data ingestion using the “Data Ingestion Wizard” to seamlessly map the incoming Palo Alto Cortex XDR "Incidents" to FortiSOAR™ "Incidents".
The Data Ingestion Wizard enables you to configure the scheduled pulling of data from Palo Alto Cortex XDR into FortiSOAR™. It also lets you pull some sample data from Palo Alto Cortex XDR using which you can define the mapping of data between Palo Alto Cortex XDR and FortiSOAR™. The mapping of common fields is generally already done by the Data Ingestion Wizard; users are mostly required to only map any custom fields that are added to the Palo Alto Cortex XDR incident.
["9834","7389"]. Additionally, you can filter incidents retrieved from Palo Alto Cortex XDR based on their Status, and also Limit the number of incidents to be retrieved from Palo Alto Cortex XDR.
On the Field Mapping screen, map the fields of a Palo Alto Cortex XDR incident to the fields of an incident present in FortiSOAR™.
To map a field, click the key in the sample data to add the “jinja” value of the field. For example, to map the hosts parameter of a Palo Alto Cortex XDR incident to the Affected Host parameter of a FortiSOAR™ incident, click the Affected Host field and then click the hosts field to populate its keys:
For more information on field mapping, see the Data Ingestion chapter in the "Connectors Guide" in the FortiSOAR™ product documentation. Once you have completed the mapping of fields, click Save Mapping & Continue.
(Optional) Use the Scheduling screen to configure schedule-based ingestion, i.e., specify the polling frequency to Palo Alto Cortex XDR, so that the content gets pulled from the Palo Alto Cortex XDR integration into FortiSOAR™.
On the Scheduling screen, from the Do you want to schedule the ingestion? drop-down list, select Yes.
In the “Configure Schedule Settings” section, specify the Cron expression for the schedule. For example, if you want to pull data from Palo Alto Cortex XDR every morning at 5 am, click Daily, in the hour box enter 5, and in the minute box enter 0:
Once you have completed scheduling, click Save Settings & Continue.
The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks. Click Done to complete the data ingestion and exit the Data Ingestion Wizard.