Palo Alto Cortex XDR v1.1.0

About the connector

Cortex XDR applies machine learning at cloud scale to rich network, endpoint, and cloud data, so you can quickly find and stop targeted attacks, insider abuse, and compromised endpoints.

This document provides information about the Palo Alto Cortex XDR connector, which facilitates automated interactions with your Palo Alto Cortex XDR server using FortiSOAR™ playbooks. Add the Palo Alto Cortex XDR connector as a step in FortiSOAR™ playbooks and perform automated operations, such as retrieving a list of all your endpoints from Palo Alto Cortex XDR or isolating endpoints on Palo Alto Cortex XDR.

You can use FortiSOAR™'s Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling incidents from Palo Alto Cortex XDR. For more information, see the Data Ingestion Support section.

Version information

Connector Version: 1.1.0

Authored By: Fortinet

Certified: No

Release Notes for version 1.1.0

The following enhancements have been made to the Palo Alto Cortex XDR connector in version 1.1.0:

  • Updated the input parameters for all the actions in the Palo Alto Cortex XDR connector as the Palo Alto Cortex XDR APIs have been updated.
  • Added a new operation named "Retrieve File Details".
  • Added support for ingesting Palo Alto Cortex XDR incidents into FortiSOAR™ using the Data Ingestion Wizard.

Installing the connector

Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.

You can also use the yum command as a root user to install the connector:
yum install cyops-connector-paloalto-cortex-xdr

Prerequisites to configuring the connector

  • You must have the URL of the Palo Alto Cortex XDR server to which you will connect and perform automated operations, and the credentials (API Key ID and API Key) to access that server.
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.

Minimum Permissions Required

  • Not applicable
Note: What the connector can do is bounded by the role attached to the API key in Cortex XDR. Create the key with the least role that covers the actions your playbooks actually use; response actions such as isolating, scanning, or deleting endpoints need more than a read-only role, while an ingestion-only configuration does not.

Configuring the connector

For the procedure to configure a connector, click here

Configuration parameters

In FortiSOAR™, on the Connectors page, click the Palo Alto Cortex XDR connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:

Parameter Description
Server URL Specify the URL of the Palo Alto Cortex XDR server to which you will connect and perform the automated operations.
API Key ID Specify the ID of the API key configured for your account to access the Palo Alto Cortex XDR server to which you will connect and perform the automated operations.
API Key Specify the API key configured for your account to access the Palo Alto Cortex XDR server to which you will connect and perform the automated operations.
Note: You require a "Standard" security level API key. The connector sends the key itself in the Authorization header of every request; an "Advanced" security level key, which expects a per-request nonce, timestamp, and SHA-256 digest instead of the raw key, does not work with this connector. Treat the key as a credential that grants everything its Cortex XDR role allows.
Verify SSL Specifies whether the SSL certificate for the server is to be verified or not. Keep this enabled: with verification off, the API key is sent to whatever host answers at the Server URL, so the configuration is open to interception.
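The note on the "Standard" security level above is easier to follow with the two header schemes side by side. The following is an added example for this page, not the connector's own code: it builds the request headers a Standard key and an Advanced key require, using the header names and digest construction from the Cortex XDR public API reference. The API key values and the tenant FQDN in the comments are constructed placeholders.

```python
"""Cortex XDR public API request headers for the two API key security levels.

Added example for this page, not the connector's own code. Header names and
the Advanced-key digest follow the Cortex XDR public API reference; the key
values used in the docstrings and tests are constructed placeholders.
"""
import hashlib
import secrets
import time
from typing import Dict, Optional


def standard_headers(api_key_id: str, api_key: str) -> Dict[str, str]:
    """Standard security level: the key itself is the Authorization value.

    This is the only scheme the connector implements, which is why the key
    must be created at the Standard level. Anyone who can read the header
    (or the connector configuration) holds the credential.
    """
    return {
        "x-xdr-auth-id": str(api_key_id),
        "Authorization": api_key,
        "Content-Type": "application/json",
    }


def advanced_headers(api_key_id: str, api_key: str,
                     nonce: Optional[str] = None,
                     timestamp_ms: Optional[int] = None) -> Dict[str, str]:
    """Advanced security level, shown for contrast.

    Each request carries a fresh 64-character nonce and a millisecond
    timestamp, and Authorization is SHA-256(api_key + nonce + timestamp) in
    hex. The raw key never crosses the wire and a captured header cannot be
    replayed once the timestamp is stale. A client that sends the key
    verbatim, as the Standard scheme above does, is rejected with such a key.
    """
    nonce = nonce or secrets.token_hex(32)  # 32 random bytes -> 64 hex characters
    if timestamp_ms is None:
        timestamp_ms = int(time.time() * 1000)
    material = f"{api_key}{nonce}{timestamp_ms}".encode("utf-8")
    return {
        "x-xdr-auth-id": str(api_key_id),
        "x-xdr-nonce": nonce,
        "x-xdr-timestamp": str(timestamp_ms),
        "Authorization": hashlib.sha256(material).hexdigest(),
        "Content-Type": "application/json",
    }


def api_url(server_url: str, path: str) -> str:
    """Join the configured Server URL with a public API path.

    api_url("https://api-acme.xdr.us.paloaltonetworks.com", "incidents/get_incidents")
    gives ".../public_api/v1/incidents/get_incidents/" (tenant FQDN is a
    constructed placeholder).
    """
    return f"{server_url.rstrip('/')}/public_api/v1/{path.strip('/')}/"
```

The Standard function is what the connector's behaviour corresponds to; the Advanced one exists only to make the note concrete. If a key fails with an authentication error even though the ID and value are correct, the security level it was created with is the first thing to check.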

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™:

Function: Description. Annotation (Category)
Fetch Incidents: Retrieves all incidents, or specific incidents, from Palo Alto Cortex XDR based on the input parameters specified. Annotation: fetch_incidents (Investigation)
Get Incident Details: Retrieves details, including alerts and key artifacts, for a specific incident from Palo Alto Cortex XDR based on the incident ID and other input parameters specified. Annotation: get_incident_details (Investigation)
Update Incident: Updates incident fields such as severity, status, etc. of a specific incident in Palo Alto Cortex XDR based on the incident ID and other input parameters specified. Annotation: update_incident (Investigation)
Insert CEF Alerts: Uploads alerts in the CEF format from external alert sources to Palo Alto Cortex XDR based on the list of alerts specified. Annotation: insert_cef_alerts (Investigation)
Note: After you have mapped the CEF alert fields to Cortex XDR fields, Cortex XDR displays the alerts in related incidents and views.
Insert Parsed Alerts: Uploads alerts in the Cortex XDR format from external alert sources to Palo Alto Cortex XDR based on the product, vendor, and other input parameters specified. Cortex XDR displays alerts that are parsed successfully in related incidents and views. Annotation: insert_parsed_alerts (Investigation)
Isolate Endpoints: Isolates one or more endpoints in a single request on Palo Alto Cortex XDR based on the endpoint ID and other input parameters specified. Annotation: isolate_endpoints (Investigation)
Unisolate Endpoints: Unisolates one or more endpoints in a single request on Palo Alto Cortex XDR based on the endpoint ID and other input parameters specified. Annotation: unisolate_endpoints (Investigation)
Get All Endpoints: Retrieves a list of all your endpoints from Palo Alto Cortex XDR. Annotation: get_all_endpoints (Investigation)
Get Endpoints: Retrieves a list of filtered endpoints from Palo Alto Cortex XDR based on the input parameters specified. Annotation: get_endpoints (Investigation)
Scan Endpoints: Runs a scan on all endpoints or specified endpoints on Palo Alto Cortex XDR based on the list of endpoint IDs and other input parameters specified. Annotation: scan_endpoints (Investigation)
Cancel Scan Endpoints: Cancels a scan on all endpoints or specified endpoints on Palo Alto Cortex XDR based on the list of endpoint IDs and other input parameters specified. Annotation: cancel_scan_endpoints (Investigation)
Delete Endpoints: Deletes the specified endpoints from Palo Alto Cortex XDR based on the list of endpoint IDs specified. Annotation: delete_endpoints (Investigation)
Note: You can delete up to 100 endpoints.
Get Policy: Retrieves the policy for a specific endpoint from Palo Alto Cortex XDR based on the endpoint ID specified. Annotation: get_policy (Investigation)
Get Device Violations: Retrieves a list of filtered device violations from Palo Alto Cortex XDR based on the input parameters specified. Annotation: get_device_violations (Investigation)
Get Distribution Version: Retrieves a list of all the agent versions that are used for creating a distribution list from Palo Alto Cortex XDR. Annotation: get_distribution_version (Investigation)
Create Distributions: Creates an installation package on Palo Alto Cortex XDR based on the distribution name and description, and the package type specified. Annotation: create_distributions (Investigation)
Get Distribution Status: Checks and retrieves the status of an installation package from Palo Alto Cortex XDR based on the distribution ID specified. Annotation: get_distribution_status (Investigation)
Get Distribution URL: Retrieves the distribution URL for downloading the installation package from Palo Alto Cortex XDR based on the distribution ID and package type specified. Annotation: get_distribution_url (Investigation)
Get Audit Management Logs: Retrieves audit management logs from Palo Alto Cortex XDR based on the input parameters specified. Annotation: get_audit_management_log (Investigation)
Get Audit Agent Report: Retrieves agent event reports from Palo Alto Cortex XDR based on the input parameters specified. Annotation: get_audit_agent_report (Investigation)
Blacklist Files: Blacklists the specified files that have not already been blacklisted on Palo Alto Cortex XDR based on the list of file hash values and other input parameters specified. Annotation: blacklist_files (Investigation)
Whitelist Files: Whitelists the specified files that have not already been whitelisted on Palo Alto Cortex XDR based on the list of file hash values and other input parameters specified. Annotation: whitelist_files (Investigation)
Quarantine Files: Quarantines files on specified endpoints on Palo Alto Cortex XDR based on the list of endpoint IDs, the file path, and the file hash specified. Annotation: quarantine_files (Investigation)
Get Quarantine Status: Retrieves the quarantine status for a specific file from Palo Alto Cortex XDR based on the endpoint ID, file path, and file hash specified. Annotation: get_quarantine_status (Investigation)
Restore File: Restores a quarantined file on a specified endpoint on Palo Alto Cortex XDR based on the endpoint ID, file hash, and other input parameters specified. Annotation: restore_file (Investigation)
Retrieve File: Retrieves a file from specific endpoints from Palo Alto Cortex XDR based on the list of endpoint IDs, file path, and other input parameters specified. Annotation: retrieve_file (Investigation)
Note: You can retrieve up to 20 files from a maximum of 100 endpoints.
Retrieve File Details: Retrieves details for a specific file from Palo Alto Cortex XDR based on the action ID specified. Annotation: retrieve_file_details (Investigation)

operation: Fetch Incidents

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list (of incidents) is returned.

Parameter Description
Incident ID List

Specify the list of incident IDs that you want to retrieve from Palo Alto Cortex XDR. Each item in the list must be an incident ID. For example, ["1234","1235"]

Created After Select the DateTime using which you want to filter the incidents retrieved by this operation to include only those incidents that were created at the time specified or the time later than the time specified.
Created Before Select the DateTime using which you want to filter the incidents retrieved by this operation to include only those incidents that were created at the time specified or the time earlier than the time specified.
Modified After Select the DateTime using which you want to filter the incidents retrieved by this operation to include only those incidents that were modified at the time specified or the time later than the time specified.
Modified Before Select the DateTime using which you want to filter the incidents retrieved by this operation to include only those incidents that were modified at the time specified or the time earlier than the time specified.
Alert Sources Specify the sources which detected the alert and whose associated incidents you want to retrieve from Palo Alto Cortex XDR. For example, ["XDR Agent"]
Status Select the status using which you want to filter the incidents retrieved by this operation. You can choose from options such as New, Resolved Known Issue, Resolved Auto, etc.
Description Specify the description of the incident you want to retrieve from Palo Alto Cortex XDR.
Search From Specify the integer representing the starting offset within the query result set from which you want this operation to return incidents from Palo Alto Cortex XDR.
Search To Specify the integer representing the end offset within the result set after which you do not want this operation to return incidents from Palo Alto Cortex XDR.
Sort by Field Select the field by which you want to sort the incidents retrieved by this operation. You can choose between creation_time or modification_time.
Sort by Order Select this option to order the incidents retrieved by this operation. You can choose between asc (ascending) or desc (Descending).
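The parameters above map onto the filter list, search window, and sort block of a Cortex XDR get_incidents request. The following is an added example for this page, not the connector's own code: it assembles that request body from the same parameter set and pages through a result set in fixed windows. Filter field and operator names follow the Cortex XDR public API reference; the 100-result window cap and the mapping from the status labels listed above to the API's status identifiers are assumptions to confirm against your tenant's API documentation. The incident list served by the stub is constructed sample data.

```python
"""Build the body for POST /public_api/v1/incidents/get_incidents/ from the
Fetch Incidents parameters, and page through the result set.

Added example for this page, not the connector's own code. MAX_PAGE and
STATUS_MAP are assumptions about the public API; confirm them against your
tenant's API reference.
"""
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional, Sequence, Union

MAX_PAGE = 100  # assumed cap on (search_to - search_from) per request

# Labels as shown in the connector, mapped to the API's status identifiers (assumed).
STATUS_MAP = {
    "New": "new",
    "Under Investigation": "under_investigation",
    "Resolved Threat Handled": "resolved_threat_handled",
    "Resolved Known Issue": "resolved_known_issue",
    "Resolved Duplicate": "resolved_duplicate",
    "Resolved False Positive": "resolved_false_positive",
    "Resolved Other": "resolved_other",
}


def to_epoch_ms(when: Union[None, int, str, datetime]) -> Optional[int]:
    """creation_time / modification_time filters take epoch milliseconds.
    Accepts an int already in ms, an ISO-8601 string, or a datetime; naive
    values are treated as UTC rather than local time."""
    if when is None:
        return None
    if isinstance(when, int):
        return when
    if isinstance(when, str):
        when = datetime.fromisoformat(when.replace("Z", "+00:00"))
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return int(when.timestamp() * 1000)


def page_window_ok(search_from: int, search_to: int) -> bool:
    return 0 <= search_from < search_to and search_to - search_from <= MAX_PAGE


def build_get_incidents(incident_ids: Optional[Sequence[str]] = None,
                        created_after=None, created_before=None,
                        modified_after=None, modified_before=None,
                        alert_sources: Optional[Sequence[str]] = None,
                        status: Optional[str] = None,
                        description: Optional[str] = None,
                        search_from: int = 0, search_to: int = MAX_PAGE,
                        sort_field: str = "creation_time",
                        sort_order: str = "desc") -> Dict[str, Any]:
    filters: List[Dict[str, Any]] = []

    def add(field: str, operator: str, value: Any) -> None:
        # An unset parameter adds no filter, matching the note above: with
        # nothing set, the request returns an unfiltered window.
        if value not in (None, "", [], ()):
            filters.append({"field": field, "operator": operator, "value": value})

    add("incident_id_list", "in", [str(i) for i in incident_ids or []])
    add("creation_time", "gte", to_epoch_ms(created_after))
    add("creation_time", "lte", to_epoch_ms(created_before))
    add("modification_time", "gte", to_epoch_ms(modified_after))
    add("modification_time", "lte", to_epoch_ms(modified_before))
    add("alert_sources", "in", list(alert_sources or []))
    add("status", "eq", STATUS_MAP.get(status, status) if status else None)
    add("description", "contains", description)

    if not page_window_ok(search_from, search_to):
        raise ValueError(f"need 0 <= search_from < search_to and a window of at most {MAX_PAGE}")
    if sort_field not in ("creation_time", "modification_time") or sort_order not in ("asc", "desc"):
        raise ValueError("unsupported sort field or order")

    return {"request_data": {
        "filters": filters,
        "search_from": search_from,
        "search_to": search_to,
        "sort": {"field": sort_field, "keyword": sort_order},
    }}


# Constructed sample: 250 minimal incidents, enough to need three windows.
SAMPLE_INCIDENTS = [{"incident_id": str(n), "status": "new"} for n in range(1, 251)]


def stub_fetch(body: Dict[str, Any]) -> Dict[str, Any]:
    """Offline stand-in for the HTTP call; serves the constructed sample."""
    rd = body["request_data"]
    page = SAMPLE_INCIDENTS[rd["search_from"]:rd["search_to"]]
    return {"reply": {"total_count": len(SAMPLE_INCIDENTS),
                      "result_count": len(page), "incidents": page}}


def page_through(fetch, **params) -> List[Dict[str, Any]]:
    """Walk the whole result set one MAX_PAGE window at a time. `fetch` sends
    the body and returns the decoded JSON; injecting it keeps this offline."""
    start, seen = 0, []
    while True:
        reply = fetch(build_get_incidents(search_from=start, search_to=start + MAX_PAGE, **params))["reply"]
        seen.extend(reply["incidents"])
        start += MAX_PAGE
        if not reply["incidents"] or start >= reply["total_count"]:
            return seen
```

When ingesting on a schedule, filter on modification_time rather than creation_time and sort ascending, so that status changes made in Cortex XDR after an incident was first pulled are picked up on a later run.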

Output

The output contains the following populated JSON schema:
{
"reply": {
"total_count": "",
"result_count": "",
"incidents": [
{
"incident_id": "",
"creation_time": "",
"modification_time": "",
"detection_time": "",
"status": "",
"severity": "",
"description": "",
"assigned_user_mail": "",
"assigned_user_pretty_name": "",
"alert_count": "",
"low_severity_alert_count": "",
"med_severity_alert_count": "",
"high_severity_alert_count": "",
"user_count": "",
"host_count": "",
"notes": "",
"resolve_comment": "",
"manual_severity": "",
"manual_description": "",
"xdr_url": "",
"starred": "",
"hosts": [],
"users": [],
"incident_sources": []
}
]
}
}

operation: Get Incident Details

Input parameters

Parameter Description
Incident ID Specify the ID of the incident whose details (including related alerts and key artifacts) you want to retrieve from Palo Alto Cortex XDR.
Alerts Limit (Optional) Specify the maximum number of alerts related to the specified incident you want to retrieve from Palo Alto Cortex XDR. By default, this is set to '1000'.

Output

The output contains the following populated JSON schema:
{
"reply": {
"incident": {
"incident_id": "",
"creation_time": "",
"modification_time": "",
"detection_time": "",
"status": "",
"severity": "",
"description": "",
"assigned_user_mail": "",
"assigned_user_pretty_name": "",
"alert_count": "",
"low_severity_alert_count": "",
"med_severity_alert_count": "",
"high_severity_alert_count": "",
"user_count": "",
"host_count": "",
"notes": "",
"resolve_comment": "",
"manual_severity": "",
"manual_description": "",
"xdr_url": "",
"starred": "",
"hosts": [],
"users": [],
"alert_sources": []
},
"alerts": {
"total_count": "",
"data": [
{
"alert_id": "",
"detection_timestamp": "",
"source": "",
"severity": "",
"name": "",
"category": "",
"action": "",
"action_pretty": "",
"endpoint_id": "",
"description": "",
"host_ip": "",
"host_name": "",
"user_name": "",
"event_type": "",
"actor_process_image_name": "",
"actor_process_command_line": "",
"fw_app_id": "",
"is_whitelisted": "",
"starred": ""
}
]
},
"network_artifacts": {
"total_count": "",
"data": [
{
"type": "",
"alert_count": "",
"is_manual": "",
"network_domain": "",
"network_remote_ip": "",
"network_remote_port": "",
"network_country": ""
}
]
},
"file_artifacts": {
"total_count": "",
"data": [
{
"type": "",
"alert_count": "",
"is_manual": "",
"is_malicious": "",
"is_process": "",
"file_name": "",
"file_sha256": "",
"file_signature_status": "",
"file_signature_vendor_name": "",
"file_wildfire_verdict": ""
}
]
}
}
}

operation: Update Incident

Input parameters

Parameter Description
Incident ID Specify the ID of the incident whose details you want to update in Palo Alto Cortex XDR.
Assigned User Mail (Optional) Specify the email address of the assignee to whom you want to assign the specified incident in Palo Alto Cortex XDR.
Assigned User Pretty Name (Optional) Specify the full name of the assignee to whom you want to assign the specified incident in Palo Alto Cortex XDR.
Manual Severity (Optional) Select the severity level that you want to assign to the specified incident in Palo Alto Cortex XDR. You can choose from the following options: High, Medium, Low, Critical, or Informational.
Status (Optional) Select the status that you want to assign to the specified incident in Palo Alto Cortex XDR. You can choose from the following options: New, Under Investigation, Resolved Threat Handled, Resolved Known Issue, Resolved Duplicate, Resolved False Positive, or Resolved Other.
Comment (Optional) Select this option if you want to include a comment that explains the updates made to the specified incident. If you select this option, then you must specify the following parameters:
  • Comment Action: Specify the action that should be performed for the comments, i.e., enter 'add' to add the comment to the specified incident.
  • Value: Add the comment that explains the updates made to the specified incident.
Resolve Comment (Optional) Add a descriptive comment that explains the updates made to the specified incident.

Output

The output contains the following populated JSON schema:
{
"message": "",
"status": ""
}

operation: Insert CEF Alerts

Input parameters

Parameter Description
Alerts Specify a comma-separated list of alerts in the CEF format that you want to add (upload) to Palo Alto Cortex XDR.

Output

The output contains the following populated JSON schema:
{
"reply": ""
}

operation: Insert Parsed Alerts

Input parameters

Note: Values that you specify in the following input parameters are used to upload alerts to Palo Alto Cortex XDR.

Parameter Description
Alert Name Specify the string defining the name of the alert that you want to upload to Palo Alto Cortex XDR.
Product Specify the string value that defines the product related to the alert that you want to upload to Palo Alto Cortex XDR. For example, VPN & Firewall-1
Vendor Specify the string value that defines the vendor related to the alert that you want to upload to Palo Alto Cortex XDR. For example, Check Point
Local Port Specify the integer value for the source port related to the alert that you want to upload to Palo Alto Cortex XDR.
Remote IP Specify the string value of the destination IP address related to the alert that you want to upload to Palo Alto Cortex XDR.
Remote Port Specify the integer value for the destination port related to the alert that you want to upload to Palo Alto Cortex XDR.
Local IP (Optional) Specify the string value for the source IP address related to the alert that you want to upload to Palo Alto Cortex XDR.
Event Timestamp (Optional) Select the occurrence DateTime of the alert that you want to upload to Palo Alto Cortex XDR.
Severity (Optional) Select the severity of the alert that you want to upload to Palo Alto Cortex XDR. You can choose from the following options: Informational, High, Medium, Low, or Unknown.
Alert Description (Optional) Specify the string value that contains the description of the alert that you want to upload to Palo Alto Cortex XDR.
Action Status (Optional) Specify the string value that defines the action status of the alert that you want to upload to Palo Alto Cortex XDR.

Output

The output contains the following populated JSON schema:
{
"reply": ""
}

operation: Isolate Endpoints

Input parameters

Parameter Description
Isolate Endpoint

Select whether you want to isolate one endpoint or multiple endpoints.

  • If you select Isolate One Endpoint, then in the Endpoint ID field specify the ID of the endpoint you want to isolate on Palo Alto Cortex XDR.
  • If you select Isolate More Than One Endpoint, then in the Endpoint ID List field specify a list of endpoint IDs you want to isolate on Palo Alto Cortex XDR.
Incident ID (Optional) Specify the ID of the incident to include the Isolate Endpoints action in the Cortex XDR Incident View, Timeline tab.

Output

The output contains the following populated JSON schema. Isolation is carried out by the agent when it next checks in, so the returned action_id identifies the queued action rather than confirming that the endpoint is already cut off:
{
"reply": {
"action_id": []
}
}

operation: Unisolate Endpoints

Input parameters

Parameter Description
Unisolate Endpoint

Select whether you want to unisolate one endpoint or multiple endpoints.

  • If you select Unisolate One Endpoint, then in the Endpoint ID field specify the ID of the endpoint you want to unisolate on Palo Alto Cortex XDR.
  • If you select Unisolate More Than One Endpoint, then in the Endpoint ID List field specify a list of endpoint IDs you want to unisolate on Palo Alto Cortex XDR.
Incident ID (Optional) Specify the ID of the incident to include the Unisolate Endpoints action in the Cortex XDR Incident View, Timeline tab.

Output

The output contains the following populated JSON schema. As with isolation, the returned action_id identifies the action queued for the agent:
{
"reply": {
"action_id": []
}
}

operation: Get All Endpoints

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
"reply": [
{
"agent_type": "",
"agent_id": "",
"host_name": "",
"agent_status": "",
"ip": ""
}
]
}

operation: Get Endpoints

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list (of endpoints) is returned.

Parameter Description
Endpoint ID List Specify the list of endpoint IDs that you want to retrieve from Palo Alto Cortex XDR.
Distribution Name Specify the name of the distribution list or installation package name containing the endpoints to be retrieved from Palo Alto Cortex XDR.
Group Name Specify the name of the group containing the endpoints to be retrieved from Palo Alto Cortex XDR.
Alias Specify the alias of the endpoints to be retrieved from Palo Alto Cortex XDR.
Hostname Specify the name of the host of the endpoints to be retrieved from Palo Alto Cortex XDR.
Username Specify the name of the user associated with the endpoints to be retrieved from Palo Alto Cortex XDR.
Endpoint Status Select the status of the endpoints to be retrieved from Palo Alto Cortex XDR. You can choose between Connected, Disconnected, Lost, or Uninstalled.
IP list Specify the list of IP addresses containing the endpoints to be retrieved from Palo Alto Cortex XDR.
Platform Select the type of operating system that contains the endpoints to be retrieved from Palo Alto Cortex XDR. You can choose between Windows, Linux, Macos, or Android.
Isolate Select the isolation status of the endpoints to be retrieved from Palo Alto Cortex XDR. Select Isolated to retrieve endpoints that are isolated and Unisolated to retrieve endpoints that are unisolated.
Scan Status Select the scan status of endpoints to be retrieved from Palo Alto Cortex XDR. You can choose between None, Pending, In Progress, Cancelled, Aborted, Pending Cancellation, Success, or Error.
First Seen After Select the DateTime using which you want to filter the endpoints retrieved by this operation to include only those endpoints that were first seen at the time specified or the time later than the time specified.
First Seen Before Select the DateTime using which you want to filter the endpoints retrieved by this operation to include only those endpoints that were first seen at the time specified or the time earlier than the time specified.
Last Seen After Select the DateTime using which you want to filter the endpoints retrieved by this operation to include only those endpoints that were last seen at the time specified or the time later than the time specified.
Last Seen Before Select the DateTime using which you want to filter the endpoints retrieved by this operation to include only those endpoints that were last seen at the time specified or the time earlier than the time specified.
Search From Specify the integer representing the starting offset within the query result set from which you want this operation to return endpoints from Palo Alto Cortex XDR.
Search To Specify the integer representing the end offset within the result set after which you do not want this operation to return endpoints from Palo Alto Cortex XDR.
Sort by Field Select the field by which you want to sort the endpoints retrieved by this operation. You can choose between first_seen or last_seen.
Sort by Order Select this option to order the endpoints retrieved by this operation. You can choose between asc (ascending) or desc (Descending).

Output

The output contains the following populated JSON schema:
{
"reply": {
"result_count": "",
"endpoints": [
{
"endpoint_id": "",
"endpoint_name": "",
"endpoint_type": "",
"endpoint_status": "",
"os_type": "",
"ip": "",
"users": [
""
],
"domain": "",
"alias": "",
"first_seen": "",
"last_seen": "",
"content_version": "",
"installation_package": "",
"active_directory": "",
"install_date": "",
"endpoint_version": "",
"is_isolated": "",
"group_name": ""
}
]
}
}

operation: Scan Endpoints

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list (of endpoints) is used for this operation.

Parameter Description
Endpoint ID List Specify the list of endpoint IDs that you want to scan on Palo Alto Cortex XDR.
Distribution Name Specify the name of the distribution list containing the endpoints that you want to scan on Palo Alto Cortex XDR.
Group Name Specify the name of the group containing the endpoints that you want to scan on Palo Alto Cortex XDR.
Alias Specify the alias of the endpoints to be scanned on Palo Alto Cortex XDR.
Hostname Specify the name of the host of the endpoints to be scanned on Palo Alto Cortex XDR
Username Specify the name of the user associated with the endpoints to be scanned on Palo Alto Cortex XDR.
IP List Specify the list of IP addresses containing the endpoints to be scanned on Palo Alto Cortex XDR.
Platform Select the type of operating system that contains the endpoints to be scanned on Palo Alto Cortex XDR. You can choose between Windows, Linux, Macos, or Android.
Isolate Select the isolation status of the endpoints to be scanned on Palo Alto Cortex XDR. Select Isolated to scan only endpoints that are isolated and Unisolated to scan only endpoints that are unisolated.
Scan Status Select the scan status of endpoints to be scanned on Palo Alto Cortex XDR. You can choose between None, Pending, In Progress, Cancelled, Aborted, Pending Cancellation, Success, or Error.
First Seen After Select the DateTime using which you want to filter the endpoints retrieved by this operation to include only those endpoints that were first seen at the time specified or the time later than the time specified.
First Seen Before Select the DateTime using which you want to filter the endpoints retrieved by this operation to include only those endpoints that were first seen at the time specified or the time earlier than the time specified.
Last Seen After Select the DateTime using which you want to filter the endpoints retrieved by this operation to include only those endpoints that were last seen at the time specified or the time later than the time specified.
Last Seen Before Select the DateTime using which you want to filter the endpoints retrieved by this operation to include only those endpoints that were last seen at the time specified or the time earlier than the time specified.
Incident ID Specify the ID of the incident to include the Scan Endpoints action in the Cortex XDR Incident View, Timeline tab.

Output

The output contains the following populated JSON schema:
{
"reply": {
"action_id": []
}
}

operation: Cancel Scan Endpoints

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list (of endpoints) is used for this operation.

Parameter Description
Endpoint ID List Specify the list of endpoint IDs whose scan you want to cancel on Palo Alto Cortex XDR.
Distribution Name Specify the name of the distribution list containing the endpoints whose scan you want to cancel on Palo Alto Cortex XDR.
Group Name Specify the name of the group containing the endpoints whose scan you want to cancel on Palo Alto Cortex XDR.
Alias Specify the alias of the endpoints whose scan you want to cancel on Palo Alto Cortex XDR.
Hostname Specify the name of the host of the endpoints whose scan you want to cancel on Palo Alto Cortex XDR
Username Specify the name of the user associated with the endpoints whose scan you want to cancel on Palo Alto Cortex XDR.
IP List Specify the list of IP addresses containing the endpoints whose scan you want to cancel on Palo Alto Cortex XDR.
Platform Select the type of operating system that contains the endpoints whose scan you want to cancel on Palo Alto Cortex XDR. You can choose between Windows, Linux, Macos, or Android.
Isolate Select the isolation status of the endpoints whose scan you want to cancel on Palo Alto Cortex XDR. Select Isolated to cancel scans only on endpoints that are isolated and Unisolated to cancel scans only on endpoints that are unisolated.
Scan Status Select the scan status of endpoints whose scan you want to cancel on Palo Alto Cortex XDR. You can choose between None, Pending, In Progress, Cancelled, Aborted, Pending Cancellation, Success, or Error.
First Seen After Select the DateTime using which you want to filter the endpoints retrieved by this operation to include only those endpoints that were first seen at the time specified or the time later than the time specified.
First Seen Before Select the DateTime using which you want to filter the endpoints retrieved by this operation to include only those endpoints that were first seen at the time specified or the time earlier than the time specified.
Last Seen After Select the DateTime using which you want to filter the endpoints retrieved by this operation to include only those endpoints that were last seen at the time specified or the time later than the time specified.
Last Seen Before Select the DateTime using which you want to filter the endpoints retrieved by this operation to include only those endpoints that were last seen at the time specified or the time earlier than the time specified.
Incident ID Specify the ID of the incident to include the Cancel Scan Endpoints action in the Cortex XDR Incident View, Timeline tab.

Output

The output contains the following populated JSON schema:
{
"reply": ""
}

operation: Delete Endpoints

Input parameters

Parameter Description
Endpoint ID List: Specify a list of endpoint IDs that you want to delete from the Palo Alto Cortex XDR app.

Output

The output contains the following populated JSON schema:
{
"reply": ""
}

operation: Get Policy

Input parameters

Parameter Description
Endpoint ID Specify a string that represents the endpoint ID for which you want to retrieve the policy from Palo Alto Cortex XDR. For example, 51588e4ce9214c63b39d054bd073b93a

Output

The output contains the following populated JSON schema:
{
"reply": {
"policy_name": ""
}
}

operation: Get Device Violations

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list (of device violations) is returned.

Parameter Description
Endpoint ID List Specify the list of endpoint IDs based on which you want to retrieve violations from Palo Alto Cortex XDR.
Vendor Specify the string value that defines the vendor whose associated violations are to be retrieved from Palo Alto Cortex XDR. For example, Check Point
Vendor ID Specify the string value that defines the vendor ID whose associated violations are to be retrieved from Palo Alto Cortex XDR. For example, 0x0999
Product Specify the string value that defines the product whose associated violations are to be retrieved from Palo Alto Cortex XDR. For example, VPN & Firewall-1
Product ID Specify the string value that defines the product ID whose associated violations are to be retrieved from Palo Alto Cortex XDR. For example, 0x10036
Serial Specify the string value that defines the serial number whose associated violations are to be retrieved from Palo Alto Cortex XDR. For example, 8888889
Hostname Specify the name of the host whose associated violations are to be retrieved from Palo Alto Cortex XDR.
Username Specify the name of the user whose associated violations are to be retrieved from Palo Alto Cortex XDR.
Type Select the type of violations that are to be retrieved from Palo Alto Cortex XDR. You can choose between CD ROM, Disk Drive, Floppy Disk, or Portable Device.
IP List Specify the list of IP addresses whose associated violations are to be retrieved from Palo Alto Cortex XDR.
Violations ID List Specify the list of violation IDs that you want to retrieve from Palo Alto Cortex XDR.
Timestamp After Select the DateTime from when you want to retrieve violations from Palo Alto Cortex XDR. This operation retrieves all violations whose timestamp matches the time specified or is later than the time specified on Palo Alto Cortex XDR.
Timestamp Before Select the DateTime till when you want to retrieve violations from Palo Alto Cortex XDR. This operation retrieves all violations whose timestamp matches the time specified or is earlier than the time specified on Palo Alto Cortex XDR.
Search From Specify the integer representing the starting offset within the query result set from which you want this operation to return violations from Palo Alto Cortex XDR.
Search To Specify the integer representing the end offset within the result set after which you do not want this operation to return violations from Palo Alto Cortex XDR.
Sort by Field Select the field by which you want to sort the violations retrieved by this operation. You can choose from options such as serial, product, username, etc.
Sort by Order Select this option to order the violations retrieved by this operation. You can choose between asc (ascending) or desc (descending).

Output

The output contains the following populated JSON schema:
{
"reply": {
"result_count": "",
"violations": [
{
"hostname": "",
"username": "",
"ip": "",
"timestamp": "",
"violation_id": "",
"type": "",
"vendor_id": "",
"vendor": "",
"product_id": "",
"product": "",
"serial": "",
"endpoint_id": ""
}
]
}
}

operation: Get Distribution Version

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
"reply": {
"macos": [],
"linux": [],
"windows": []
}
}

operation: Create Distributions

Input parameters

Parameter Description
Name Specify the string representing the name of the installation package that you want to create on Palo Alto Cortex XDR.
Package Type

Select the type of installation package that you want to create on Palo Alto Cortex XDR. You can choose from the following types: Standalone or Upgrade.

  • If you choose the 'Standalone' option, then from the Platform drop-down list, select the platform on which you want to create the installation package. You can choose from the following: Windows, Linux, Macos, or Android. Also, if you choose 'Windows', 'Macos', or 'Linux', then in the Agent Version field, enter the version of the agent. For example, 5.0.7.16157
  • If you choose the 'Upgrade' option, then in the Upgrade field, specify the version of the agent that you want to upgrade from ESM. You can specify one of the following values: windows_version, linux_version, or macos_version.
Description Specify the string containing descriptive information about the installation package.

Output

The output contains the following populated JSON schema:
{
"reply": {
"distribution_id": ""
}
}

operation: Get Distribution Status

Input parameters

Parameter Description
Distribution ID Specify the string representing the ID of the installation package whose status you want to retrieve from Palo Alto Cortex XDR.

Output

The output contains the following populated JSON schema:
{
"reply": {
"status": ""
}
}

operation: Get Distribution URL

Input parameters

Parameter Description
Distribution ID Specify the string representing the ID of the installation package whose distribution URL you want to retrieve from Palo Alto Cortex XDR.
Package Type Select the type of installation package whose distribution URL you want to retrieve from Palo Alto Cortex XDR. You can choose from the following options: sh (for Linux), rpm (for Linux), deb (for Linux), pkg (for Mac), x86 (for Windows), or x64 (for Windows).

Output

The output contains the following populated JSON schema:
{
"reply": {
"distribution_url": ""
}
}

operation: Get Audit Management Logs

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list (of audit management logs) is returned.

Parameter Description
Email Specify the email address of the user whose audit management logs you want to retrieve from Palo Alto Cortex XDR.
Type Specify the type of audit management logs you want to retrieve from Palo Alto Cortex XDR.
Sub Type Specify the sub-type of the audit management logs you want to retrieve from Palo Alto Cortex XDR.
Result Specify the result of the audit log using which you want to filter the audit management logs retrieved from Palo Alto Cortex XDR. For example, SUCCESS.
Timestamp After Select the DateTime of the log from when you want to retrieve audit management logs from Palo Alto Cortex XDR. This operation retrieves all audit management logs whose timestamp matches the time specified or is later than the time specified on Palo Alto Cortex XDR.
Timestamp Before Select the DateTime of the log till when you want to retrieve audit management logs from Palo Alto Cortex XDR. This operation retrieves all audit management logs whose timestamp matches the time specified or is earlier than the time specified on Palo Alto Cortex XDR.
Search From Specify an integer representing the starting offset within the query result set from which you want audit management logs returned.
Search To Specify an integer representing the end offset within the result set after which you do not want audit management logs returned.
Sort by Field Select the field by which you want to sort the audit management logs retrieved by this operation. You can choose between type, sub-type, or result.
Sort by Order Select the order in which the audit management logs retrieved by this operation are sorted. You can choose between asc (ascending) or desc (descending).

Output

The output contains the following populated JSON schema:
{
"reply": {
"data": [
{
"AUDIT_DESCRIPTION": "",
"AUDIT_HOSTNAME": "",
"AUDIT_SESSION_ID": "",
"AUDIT_ASSET_JSON": "",
"AUDIT_REASON": "",
"AUDIT_RESULT": "",
"AUDIT_OWNER_EMAIL": "",
"AUDIT_ENTITY": "",
"AUDIT_ASSET_NAMES": "",
"AUDIT_ID": "",
"AUDIT_ENTITY_SUBTYPE": "",
"AUDIT_CASE_ID": "",
"AUDIT_OWNER_NAME": "",
"AUDIT_INSERT_TIME": ""
}
],
"result_count": ""
}
}

operation: Get Audit Agent Report

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list (of audit agent reports) is returned.

Parameter Description
Endpoint ID Specify the string representing the ID of the endpoint whose associated audit agent reports you want to retrieve from Palo Alto Cortex XDR.
Endpoint Name Specify the string representing the name of the endpoint whose associated audit agent reports you want to retrieve from Palo Alto Cortex XDR.
Type Specify the type of audit agent reports you want to retrieve from Palo Alto Cortex XDR. For example, Agent Status
Sub Type Specify the sub-type of the audit agent reports you want to retrieve from Palo Alto Cortex XDR. For example, Fully Protected
Result Specify the result of the agent report using which you want to filter the audit agent reports retrieved from Palo Alto Cortex XDR. For example, SUCCESS
Domain Specify the domain of the agent whose audit agent reports you want to retrieve from Palo Alto Cortex XDR. For example, WORKGROUP
xdr_version Specify the XDR version for which you want to retrieve audit agent reports from Palo Alto Cortex XDR.
Category Select the type of event category of the audit agent reports you want to retrieve from Palo Alto Cortex XDR. You can choose from the following options: Status, Audit, or Monitoring.
Timestamp After Select the DateTime of the report from when you want to retrieve audit agent reports from Palo Alto Cortex XDR. This operation retrieves all audit agent reports whose timestamp matches the time specified or is later than the time specified on Palo Alto Cortex XDR.
Timestamp Before Select the DateTime of the report till when you want to retrieve audit agent reports from Palo Alto Cortex XDR. This operation retrieves all audit agent reports whose timestamp matches the time specified or is earlier than the time specified on Palo Alto Cortex XDR.
Search From Specify an integer representing the starting offset within the query result set from which you want this operation to return audit agent reports from Palo Alto Cortex XDR.
Search To Specify an integer representing the end offset within the result set after which you do not want this operation to return audit agent reports from Palo Alto Cortex XDR.
Sort by Field Select the field by which you want to sort the audit agent reports retrieved by this operation. You can choose between type, category, trapsversion, timestamp, or domain.
Sort by Order Select the order in which the audit agent reports retrieved by this operation are sorted. You can choose between asc (ascending) or desc (descending).

Output

The output contains the following populated JSON schema:
{
"reply": {
"data": [
{
"RESULT": "",
"REASON": "",
"SUBTYPE": "",
"CATEGORY": "",
"DOMAIN": "",
"TRAPSVERSION": "",
"RECEIVEDTIME": "",
"TIMESTAMP": "",
"DESCRIPTION": "",
"ENDPOINTNAME": "",
"ENDPOINTID": "",
"TYPE": ""
}
],
"result_count": ""
}
}
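Get Device Violations, Get Audit Management Logs and Get Audit Agent Report share the same inclusive Timestamp After/Before window and the same Search From/Search To offset paging. The Python below is an added example, not the connector's code, showing how a playbook-side helper can walk a whole result set page by page; FakeXdr, the SAMPLE_LOGS rows and the epoch-millisecond timestamp format are constructed assumptions, while the field names follow the Get Audit Management Logs output schema.

```python
"""Time-window and offset paging for the connector's list operations.

Added example (not the FortiSOAR connector's own code). FakeXdr is a
constructed in-memory stand-in for Palo Alto Cortex XDR that applies the
semantics the parameter tables describe: both timestamp bounds are
inclusive, Search From / Search To are offsets into the sorted result set,
and result_count is the size of the page that came back.
"""
from datetime import datetime, timedelta, timezone


def to_epoch_ms(ts: datetime) -> int:
    """Cortex XDR reports timestamps as epoch milliseconds (assumption);
    naive datetimes are treated as UTC."""
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    return int(ts.timestamp() * 1000)


T0 = datetime(2023, 4, 1, 5, 0, tzinfo=timezone.utc)

# Constructed sample data: ten audit management log rows, one per minute.
SAMPLE_LOGS = [
    {
        "AUDIT_ID": str(1000 + i),
        "AUDIT_OWNER_EMAIL": "analyst@example.test",
        "AUDIT_ENTITY": "ENDPOINT" if i % 2 else "POLICY",
        "AUDIT_RESULT": "SUCCESS" if i != 4 else "FAIL",
        "AUDIT_INSERT_TIME": to_epoch_ms(T0 + timedelta(minutes=i)),
    }
    for i in range(10)
]


class FakeXdr:
    """Stand-in server: inclusive time window, offset slice, result_count."""

    def __init__(self, rows, time_field="AUDIT_INSERT_TIME"):
        self.rows = rows
        self.time_field = time_field

    def query(self, after_ms=None, before_ms=None, search_from=0,
              search_to=100, sort_field=None, sort_order="asc"):
        rows = [
            r for r in self.rows
            if (after_ms is None or r[self.time_field] >= after_ms)
            and (before_ms is None or r[self.time_field] <= before_ms)
        ]
        if sort_field:
            rows.sort(key=lambda r: r[sort_field],
                      reverse=(sort_order == "desc"))
        page = rows[search_from:search_to]
        return {"reply": {"data": page, "result_count": len(page)}}


def fetch_all(client, after=None, before=None, sort_field="AUDIT_INSERT_TIME",
              sort_order="asc", page_size=100, max_pages=1000):
    """Collect every row in the window by advancing Search From in steps of
    page_size. Sorting on the timestamp keeps pages stable while paging;
    the loop stops at the first short page and is capped by max_pages so a
    misbehaving server cannot keep it running forever."""
    after_ms = to_epoch_ms(after) if after else None
    before_ms = to_epoch_ms(before) if before else None
    collected = []
    search_from = 0
    for _ in range(max_pages):
        reply = client.query(after_ms, before_ms, search_from,
                             search_from + page_size,
                             sort_field, sort_order)["reply"]
        collected.extend(reply["data"])
        if reply["result_count"] < page_size:
            break
        search_from += page_size
    return collected


def demo():
    """Pull the rows from minute 2 through minute 7 (inclusive) in pages of 3."""
    client = FakeXdr(SAMPLE_LOGS)
    rows = fetch_all(client, after=T0 + timedelta(minutes=2),
                     before=T0 + timedelta(minutes=7), page_size=3)
    return [r["AUDIT_ID"] for r in rows]


if __name__ == "__main__":
    print(demo())  # ['1002', '1003', '1004', '1005', '1006', '1007']
```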

operation: Blacklist Files

Input parameters

Parameter Description
Hash List Specify a string that represents a list of file hash values you want to blacklist on Palo Alto Cortex XDR.
Note: The hash must be a valid SHA256 value.
Comment (Optional) Specify a string containing descriptive information about this action.
Incident ID (Optional) Specify the ID of the incident related to the specified file hash to include the Blacklist Files action in the Cortex XDR Incident View Timeline tab.

Output

The output contains the following populated JSON schema:
{
"reply": ""
}

operation: Whitelist Files

Input parameters

Parameter Description
Hash List Specify a string that represents a list of file hash values you want to whitelist on Palo Alto Cortex XDR.
Note: The hash must be a valid SHA256 value.
Comment (Optional) Specify a string containing descriptive information about this action.
Incident ID (Optional) Specify the ID of the incident related to the specified file hash to include the Whitelist Files action in the Cortex XDR Incident View Timeline tab.

Output

The output contains the following populated JSON schema:
{
"reply": ""
}

operation: Quarantine Files

Input parameters

Parameter Description
Endpoint ID List Specify a list of endpoint IDs representing the endpoints on which you want to quarantine files on Palo Alto Cortex XDR.
File Path Specify the string representing the path of the file you want to quarantine on the specified endpoints on Palo Alto Cortex XDR.
File Hash Specify the string representing the hash value of the file you want to quarantine on the specified endpoints on Palo Alto Cortex XDR.
Note: The hash must be a valid SHA256 value.

Output

The output contains the following populated JSON schema:
{
"reply": {
"action_id": []
}
}

operation: Get Quarantine Status

Input parameters

Parameter Description
Endpoint ID Specify the string representing the endpoint ID whose associated files' quarantine status you want to retrieve from Palo Alto Cortex XDR.
File Hash Specify the string representing the hash value of the file whose quarantine status you want to retrieve from Palo Alto Cortex XDR.
Note: The hash must be a valid SHA256 value.
File Path Specify the string representing the path of the file whose quarantine status you want to retrieve from Palo Alto Cortex XDR.

Output

The output contains the following populated JSON schema:
{
"reply": [
{
"endpoint_id": "",
"file_path": "",
"file_hash": "",
"status": ""
}
]
}

operation: Restore File

Input parameters

Parameter Description
File Hash Specify the string representing the hash value of the quarantined file that you want to restore on the specified endpoint on Palo Alto Cortex XDR.
Note: The hash must be a valid SHA256 value.
Endpoint ID Specify the string representing the endpoint ID on which you want to restore the specified quarantined file.
Incident ID (Optional) Specify the ID of the incident related to the specified file hash to include the Restore File action in the Cortex XDR Incident View Timeline tab.

Output

The output contains the following populated JSON schema:
{
"message": "",
"status": ""
}
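Blacklist Files, Whitelist Files, Quarantine Files, Get Quarantine Status and Restore File all require every hash to be a valid SHA256 value. The Python below is an added example, not the connector's code, that validates and normalizes a Hash List before the call so a playbook fails on bad input rather than on the Cortex XDR request; the request_data/hash_list/comment/incident_id body shape is assumed from the Cortex XDR public API, not taken from this page.

```python
"""Validate the Hash List / File Hash inputs before a blacklist, whitelist,
quarantine or restore call.

Added example, not code from the FortiSOAR connector. A SHA256 digest is
64 hex characters; anything else (MD5, SHA1, a truncated value) is rejected
with a message naming the offending value.
"""
import json
import re

SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")

# Lengths of other common digests, used only to give a clearer error message.
OTHER_DIGEST_LENGTHS = {32: "MD5", 40: "SHA1", 128: "SHA512"}


class HashListError(ValueError):
    """Raised with one message per offending value."""


def parse_hash_list(raw):
    """Accept what a playbook step is likely to hand over: a JSON array
    string, a comma/whitespace-separated string, or an actual list."""
    if isinstance(raw, (list, tuple)):
        items = list(raw)
    else:
        text = str(raw).strip()
        items = json.loads(text) if text.startswith("[") else re.split(r"[,\s]+", text)
    return [str(i).strip() for i in items if str(i).strip()]


def normalize_sha256_list(raw):
    """Return a lowercase, de-duplicated list of SHA256 hashes, or raise
    HashListError listing every value that is not one."""
    problems, seen, clean = [], set(), []
    for value in parse_hash_list(raw):
        if not SHA256_RE.match(value):
            kind = OTHER_DIGEST_LENGTHS.get(len(value))
            hint = f" (length {len(value)} looks like {kind})" if kind else ""
            problems.append(f"{value!r} is not a SHA256 hex digest{hint}")
            continue
        value = value.lower()          # XDR compares case-insensitively; keep one form
        if value not in seen:
            seen.add(value)
            clean.append(value)
    if problems:
        raise HashListError("; ".join(problems))
    if not clean:
        raise HashListError("hash list is empty")
    return clean


def build_hash_request(raw, comment=None, incident_id=None):
    """Shape the validated list into the body the Blacklist/Whitelist Files
    operations send. Field names hash_list, comment and incident_id are the
    Cortex XDR public API's (assumption, not read from the connector doc)."""
    body = {"hash_list": normalize_sha256_list(raw)}
    if comment:
        body["comment"] = comment
    if incident_id is not None:
        body["incident_id"] = str(incident_id)
    return {"request_data": body}


if __name__ == "__main__":
    sample = "AB" * 32 + ", " + "ab" * 32   # constructed: same hash twice, mixed case
    print(build_hash_request(sample, comment="blocked by playbook", incident_id=42))
```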

operation: Retrieve File

Input parameters

Parameter Description
Endpoint ID List Specify the list of endpoint IDs whose associated files you want to retrieve from Palo Alto Cortex XDR.
Files Select the type of operating system from which you want to retrieve files from Palo Alto Cortex XDR. You can choose between Windows, Linux, or Macos.
File Path Specify the string representing the path of the file used to retrieve files from Palo Alto Cortex XDR.
Distribution Name Specify the string representing the name of the distribution list containing the files you want to retrieve from Palo Alto Cortex XDR.
Group Name Specify the string representing the name of the endpoint group containing the files you want to retrieve from Palo Alto Cortex XDR.
Alias Specify the string representing the alias of the endpoints whose associated files you want to retrieve from Palo Alto Cortex XDR.
Hostname Specify the string representing the name of the host of the endpoints whose associated files you want to retrieve from Palo Alto Cortex XDR.
IP list Specify the string representing the list of IP addresses containing the endpoints whose associated files you want to retrieve from Palo Alto Cortex XDR.
Platform Select the type of operating system that contains the endpoints whose associated files you want to retrieve from Palo Alto Cortex XDR. You can choose between Windows, Linux, Macos, or Android.
Isolate Select the isolation status of the endpoints whose associated files you want to retrieve from Palo Alto Cortex XDR. Select Isolated to retrieve endpoints that are isolated and Unisolated to retrieve endpoints that are unisolated.
First Seen After Select the DateTime used to filter the endpoints whose associated files this operation retrieves, so that only endpoints first seen at the time specified or later are included.
Last Seen After Select the DateTime used to filter the endpoints whose associated files this operation retrieves, so that only endpoints last seen at the time specified or later are included.
First Seen Before Select the DateTime used to filter the endpoints whose associated files this operation retrieves, so that only endpoints first seen at the time specified or earlier are included.
Last Seen Before Select the DateTime used to filter the endpoints whose associated files this operation retrieves, so that only endpoints last seen at the time specified or earlier are included.

Output

The output contains the following populated JSON schema:
{
"reply": {
"action_id": []
}
}

operation: Retrieve File Details

Input parameters

Parameter Description
Action ID Specify the action ID whose associated file details you want to retrieve from Palo Alto Cortex XDR.

Output

The output contains the following populated JSON schema:
{
"reply": {
"data": {}
}
}

Included playbooks

The Sample - Palo Alto Cortex XDR - 1.1.0 playbook collection comes bundled with the Palo Alto Cortex XDR connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Palo Alto Cortex XDR connector.

  • Blacklist Files
  • Cancel Scan Endpoints
  • Cortex > Create Incident
  • Cortex > Fetch
  • Cortex > Ingest
  • Create Distributions
  • Delete Endpoints
  • Fetch Incidents
  • Get All Endpoints
  • Get Audit Agent Report
  • Get Audit Management Logs
  • Get Device Violations
  • Get Distribution Status
  • Get Distribution URL
  • Get Distribution Version
  • Get Endpoints
  • Get Incident Details
  • Get Policy
  • Get Quarantine Status
  • Insert CEF Alerts
  • Insert Parsed Alerts
  • Isolate Endpoints
  • Quarantine Files
  • Restore File
  • Retrieve File
  • Scan Endpoints
  • Unisolate Endpoints
  • Update Incident
  • Whitelist Files

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.

Data Ingestion Support

Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling incidents from Palo Alto Cortex XDR. Currently, "incidents" in Palo Alto Cortex XDR are mapped to "incidents" in FortiSOAR™. For more information on the Data Ingestion Wizard, see the "Connectors Guide" in the FortiSOAR™ product documentation.

Configure Data Ingestion

You can configure data ingestion using the “Data Ingestion Wizard” to seamlessly map the incoming Palo Alto Cortex XDR "Incidents" to FortiSOAR™ "Incidents".

The Data Ingestion Wizard enables you to configure the scheduled pulling of data from Palo Alto Cortex XDR into FortiSOAR™. It also lets you pull some sample data from Palo Alto Cortex XDR using which you can define the mapping of data between Palo Alto Cortex XDR and FortiSOAR™. The mapping of common fields is generally already done by the Data Ingestion Wizard; users are mostly required to only map any custom fields that are added to the Palo Alto Cortex XDR incident.

  1. To begin configuring data ingestion, click Configure Data Ingestion on the Palo Alto Cortex XDR connector’s "Configurations" page.
    Click Let’s Start by fetching some data, to open the “Fetch Sample Data” screen.

    Sample data is required to create a field mapping between Palo Alto Cortex XDR data and FortiSOAR™. The sample data is pulled from connector actions or ingestion playbooks.
  2. On the Fetch Data screen, provide the configurations required to fetch Palo Alto Cortex XDR data.
    Users can pull data from Palo Alto Cortex XDR by specifying the number of minutes from when they want to retrieve incidents that were created or updated in Palo Alto Cortex XDR in the Pull Incidents From Last X Minutes field. Optionally you can also specify a list of incident IDs you want to retrieve from Palo Alto Cortex XDR in the Incident ID field. Each item in the list must be an incident ID, for example ["9834","7389"]. Additionally, you can filter incidents retrieved from Palo Alto Cortex XDR based on their Status, and also Limit the number of incidents to be retrieved from Palo Alto Cortex XDR.

    The fetched data is used to create a mapping between the Palo Alto Cortex XDR data and FortiSOAR™ Incidents. Once you have completed specifying the configurations, click Fetch Data.
  3. On the Field Mapping screen, map the fields of a Palo Alto Cortex XDR incident to the fields of an incident present in FortiSOAR™.
    To map a field, click the key in the sample data to add the “jinja” value of the field. For example, to map the hosts parameter of a Palo Alto Cortex XDR incident to the Affected Host parameter of a FortiSOAR™ incident, click the Affected Host field and then click the hosts field to populate its keys:

    For more information on field mapping, see the Data Ingestion chapter in the "Connectors Guide" in the FortiSOAR™ product documentation. Once you have completed the mapping of fields, click Save Mapping & Continue.

  4. (Optional) Use the Scheduling screen to configure schedule-based ingestion, i.e., specify the polling frequency to Palo Alto Cortex XDR, so that the content gets pulled from the Palo Alto Cortex XDR integration into FortiSOAR™.
    On the Scheduling screen, from the Do you want to schedule the ingestion? drop-down list, select Yes.
    In the “Configure Schedule Settings” section, specify the Cron expression for the schedule. For example, if you want to pull data from Palo Alto Cortex XDR every morning at 5 am, click Daily, and in the hour box enter 5, and in the minute box enter 0:

    Once you have completed scheduling, click Save Settings & Continue.

  5. The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks. Click Done to complete the data ingestion and exit the Data Ingestion Wizard.

Previous
Next

About the connector

Cortex XDR applies machine learning at the cloud scale to rich networks, endpoints, and cloud data, so you can quickly find and stop targeted attacks, insider abuse, and compromised endpoints.

This document provides information about the Palo Alto Cortex XDR connector, which facilitates automated interactions with your Palo Alto Cortex XDR server using FortiSOAR™ playbooks. Add the Palo Alto Cortex XDR connector, as a step in FortiSOAR™ playbooks and perform automated operations such as retrieving a list of all your endpoints from Palo Alto Cortex XDR or isolating endpoints on Palo Alto Cortex XDR.

You can use FortiSOAR™'s Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling incidents from Palo Alto Cortex XDR. For more information, see the Data Ingestion Support section.

Version information

Connector Version: 1.1.0

Authored By: Fortinet

Certified: No

Release Notes for version 1.1.0

The following enhancements have been made to the Palo Alto Cortex XDR connector in version 1.1.0:

Installing the connector

Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.

You can also use the yum command as a root user to install the connector:
yum install cyops-connector-paloalto-cortex-xdr

Prerequisites to configuring the connector

Minimum Permissions Required

Configuring the connector

For the procedure to configure a connector, click here

Configuration parameters

In FortiSOAR™, on the Connectors page, click the Palo Alto Cortex XDR connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:

Parameter Description
Server URL Specify the URL of the Palo Alto Cortex XDR server to which you will connect and perform the automated operations.
API Key ID Specify the ID of the API key configured for your account to access the Palo Alto Cortex XDR server to which you will connect and perform the automated operations.
API Key Specify the API key configured for your account to access the Palo Alto Cortex XDR server to which you will connect and perform the automated operations.
Note: You require a "Standard" security level API key.
Verify SSL Specifies whether the SSL certificate for the server is to be verified or not.

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™:

Function Description Annotation and Category
Fetch Incidents Retrieves all incidents or specific incidents from Palo Alto Cortex XDR based on the input parameters specified. fetch_incidents
Investigation
Get Incident Details Retrieves details, including alerts and key artifacts, for a specific incident from Palo Alto Cortex XDR based on the incident ID and other input parameters specified. get_incident_details
Investigation
Update Incident Updates incident fields like severity, status, etc. of a specific incident in Palo Alto Cortex XDR based on the incident ID and other input parameters specified. update_incident
Investigation
Insert CEF Alerts Uploads alerts in the CEF format from external alert sources to Palo Alto Cortex XDR based on the list of alerts specified.
Note: After you have mapped the CEF alert fields to Cortex XDR fields, Cortex XDR displays the alerts in related incidents and views.
insert_cef_alerts
Investigation
Insert Parsed Alerts Uploads alerts in the Cortex XDR format from external alert sources to Palo Alto Cortex XDR based on the product, vendor, and other input parameters specified.
Cortex XDR displays alerts that are parsed successfully in related incidents and views.
insert_parsed_alerts
Investigation
Isolate Endpoints Isolates one or more endpoints in a single request on Palo Alto Cortex XDR based on the endpoint ID and other input parameters specified. isolate_endpoints
Investigation
Unisolate Endpoints Unisolates one or more endpoints in a single request on Palo Alto Cortex XDR based on the endpoint ID and other input parameters specified. unisolate_endpoints
Investigation
Get All Endpoints Retrieves a list of all your endpoints from Palo Alto Cortex XDR. get_all_endpoints
Investigation
Get Endpoints Retrieves a list of filtered endpoints from Palo Alto Cortex XDR based on the input parameters specified. get_endpoints
Investigation
Scan Endpoints Runs a scan on all endpoints or specified endpoints on Palo Alto Cortex XDR based on the list of endpoint IDs and other input parameters specified. scan_endpoints
Investigation
Cancel Scan Endpoints Cancels a scan on all endpoints or specified endpoints on Palo Alto Cortex XDR based on the list of endpoint IDs and other input parameters specified. cancel_scan_endpoints
Investigation
Delete Endpoints Deletes the specified endpoints from the Palo Alto Cortex XDR based on the list of endpoint IDs specified.
Note: You can delete up to 100 endpoints.
delete_endpoints
Investigation
Get Policy Retrieves the policy for a specific endpoint from Palo Alto Cortex XDR based on the endpoint ID specified get_policy
Investigation
Get Device Violations Retrieves a list of filtered device violations from Palo Alto Cortex XDR based on the input parameters specified. get_device_violations
Investigation
Get Distribution Version Retrieves a list of all the agent versions that are used for creating a distribution list from Palo Alto Cortex XDR. get_distribution_version
Investigation
Create Distributions Creates an installation package on Palo Alto Cortex XDR based on the distribution name and description, and the package type specified. create_distributions
Investigation
Get Distribution Status Checks and retrieves the status of an installation package from Palo Alto Cortex XDR based on the distribution ID specified. get_distribution_status
Investigation
Get Distribution URL Retrieves the distribution URL for downloading the installation package from Palo Alto Cortex XDR based on the distribution ID and package type specified. get_distribution_url
Investigation
Get Audit Management Logs Retrieves audit management logs from Palo Alto Cortex XDR based on the input parameters specified. get_audit_management_log
Investigation
Get Audit Agent Report Retrieves agent event reports from Palo Alto Cortex XDR based on the input parameters specified. get_audit_agent_report
Investigation
Blacklist Files Blacklists the specified files that have not already been blacklisted on Palo Alto Cortex XDR based on the list of file hash values and other input parameters specified. blacklist_files
Investigation
Whitelist Files Whitelists the specified files that have not already been whitelisted on Palo Alto Cortex XDR based on the list of file hash values and other input parameters specified. whitelist_files
Investigation
Quarantine Files Quarantines files on specified endpoints on Palo Alto Cortex XDR based on the list of endpoint IDs, the file path, and the file hash specified. quarantine_files
Investigation
Get Quarantine Status Retrieves the quarantine status for a specific file from Palo Alto Cortex XDR based on the endpoint ID, file path, and file hash specified. get_quarantine_status
Investigation
Restore File Restores a quarantined file on a specified endpoint on Palo Alto Cortex XDR based on the endpoint ID, file hash, and other input parameters specified. restore_file
Investigation
Retrieve File Retrieves a file from specific endpoints from Palo Alto Cortex XDR based on the list of endpoint IDs, file path, and other input parameters specified.
Note: You can retrieve up to 20 files from a maximum of 100 endpoints.
retrieve_file
Investigation
Retrieve File Details Retrieves details for a specific file from Palo Alto Cortex XDR based on the action ID specified. retrieve_file_details
Investigation

operation: Fetch Incidents

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list (of incidents) is returned.

Parameter Description
Incident ID List

Specify the list of incident IDs that you want to retrieve from Palo Alto Cortex XDR. Each item in the list must be an incident ID. For example, ["1234","1235"]

Created After Select the DateTime using which you want to filter the incidents retrieved by this operation to include only those incidents that were created at the time specified or the time later than the time specified.
Created Before Select the DateTime using which you want to filter the incidents retrieved by this operation to include only those incidents that were created at the time specified or the time earlier than the time specified.
Modified After Select the DateTime using which you want to filter the incidents retrieved by this operation to include only those incidents that were modified at the time specified or the time later than the time specified.
Modified Before Select the DateTime using which you want to filter the incidents retrieved by this operation to include only those incidents that were modified at the time specified or the time earlier than the time specified.
Alert Sources Specify the sources which detected the alert and whose associated incidents you want to retrieve from Palo Alto Cortex XDR. For example, ["XDR Agent"]
Status Select the status using which you want to filter the incidents retrieved by this operation. You can choose from options such as New, Resolved Known Issue, Resolved Auto, etc.
Description Specify the description of the incident you want to retrieve from Palo Alto Cortex XDR.
Search From Specify the integer representing the starting offset within the query result set from which you want this operation to return incidents from Palo Alto Cortex XDR.
Search To Specify the integer representing the end offset within the result set after which you do not want this operation to return incidents from Palo Alto Cortex XDR.
Sort by Field Select the field by which you want to sort the incidents retrieved by this operation. You can choose between creation_time or modification_time.
Sort by Order Select this option to order the incidents retrieved by this operation. You can choose between asc (ascending) or desc (Descending).

Output

The output contains the following populated JSON schema:
{
"reply": {
"total_count": "",
"result_count": "",
"incidents": [
{
"incident_id": "",
"creation_time": "",
"modification_time": "",
"detection_time": "",
"status": "",
"severity": "",
"description": "",
"assigned_user_mail": "",
"assigned_user_pretty_name": "",
"alert_count": "",
"low_severity_alert_count": "",
"med_severity_alert_count": "",
"high_severity_alert_count": "",
"user_count": "",
"host_count": "",
"notes": "",
"resolve_comment": "",
"manual_severity": "",
"manual_description": "",
"xdr_url": "",
"starred": "",
"hosts": [],
"users": [],
"incident_sources": []
}
]
}
}

operation: Get Incident Details

Input parameters

Parameter Description
Incident ID Specify the ID of the incident whose details (including related alerts and key artifacts) you want to retrieve from Palo Alto Cortex XDR.
Alerts Limit (Optional) Specify the maximum number of alerts related to the specified incident you want to retrieve from Palo Alto Cortex XDR. By default, this is set to '1000'.

Output

The output contains the following populated JSON schema:
{
"reply": {
"incident": {
"incident_id": "",
"creation_time": "",
"modification_time": "",
"detection_time": "",
"status": "",
"severity": "",
"description": "",
"assigned_user_mail": "",
"assigned_user_pretty_name": "",
"alert_count": "",
"low_severity_alert_count": "",
"med_severity_alert_count": "",
"high_severity_alert_count": "",
"user_count": "",
"host_count": "",
"notes": "",
"resolve_comment": "",
"manual_severity": "",
"manual_description": "",
"xdr_url": "",
"starred": "",
"hosts": [],
"users": [],
"alert_sources": []
},
"alerts": {
"total_count": "",
"data": [
{
"alert_id": "",
"detection_timestamp": "",
"source": "",
"severity": "",
"name": "",
"category": "",
"action": "",
"action_pretty": "",
"endpoint_id": "",
"description": "",
"host_ip": "",
"host_name": "",
"user_name": "",
"event_type": "",
"actor_process_image_name": "",
"actor_process_command_line": "",
"fw_app_id": "",
"is_whitelisted": "",
"starred": ""
}
]
},
"network_artifacts": {
"total_count": "",
"data": [
{
"type": "",
"alert_count": "",
"is_manual": "",
"network_domain": "",
"network_remote_ip": "",
"network_remote_port": "",
"network_country": ""
}
]
},
"file_artifacts": {
"total_count": "",
"data": [
{
"type": "",
"alert_count": "",
"is_manual": "",
"is_malicious": "",
"is_process": "",
"file_name": "",
"file_sha256": "",
"file_signature_status": "",
"file_signature_vendor_name": "",
"file_wildfire_verdict": ""
}
]
}
}
}

operation: Update Incident

Input parameters

Parameter Description
Incident ID Specify the ID of the incident whose details you want to update in Palo Alto Cortex XDR.
Assigned User Mail (Optional) Specify the email address of the assignee to whom you want to assign the specified incident in Palo Alto Cortex XDR.
Assigned User Pretty Name (Optional) Specify the full name of the assignee to whom you want to assign the specified incident in Palo Alto Cortex XDR.
Manual Severity (Optional) Select the severity level that you want to assign to the specified incident in Palo Alto Cortex XDR. You can choose from the following options: High, Medium, Low, Critical, or Informational.
Status (Optional) Select the status level that you want to assign to the specified incident in Palo Alto Cortex XDR. You can choose from the following options: New, Under Investigation, Resolved Threat Handled, Resolved Known Issue, Resolved Duplicate, Resolved False Positive, or Resolved Other.
Comment (Optional) Select this option if you want to include a comment that explains the updates made to the specified incident. If you select this option, then you must specify the following parameters:
  • Comment Action: Specify the action that should be performed for the comments, i.e., enter 'add' to add the comment to the specified incident.
  • Value: Add the comment that explains the updates made to the specified incident.
Resolve Comment (Optional) Add a descriptive comment that explains the updates made to the specified incident.

Output

The output contains the following populated JSON schema:
{
"message": "",
"status": ""
}

operation: Insert CEF Alerts

Input parameters

Parameter Description
Alerts Specify a comma-separated list of alerts in the CEF format that you want to add (upload) to Palo Alto Cortex XDR.

Output

The output contains the following populated JSON schema:
{
"reply": ""
}
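
Because this operation forwards whatever CEF text it is given, a validation step before the upload catches malformed lines early. The Python below is an added example, not connector code: it parses the seven '|'-delimited CEF header fields (handling the escaped `\|` and `\\` forms), splits the key=value extension while honouring `\=` and `\\`, checks the version and severity fields, and reports bad lines by index instead of silently dropping them. The sample lines are constructed; the vendor and product names in them are illustrative.

```python
"""Parse and validate CEF (Common Event Format) lines before uploading them.

Added example, not connector code. The CEF grammar used here is the standard
one: seven pipe-delimited header fields ('|' and '\\' escaped with a
backslash) followed by a space-separated key=value extension ('=' and '\\'
escaped with a backslash).
"""
import re

HEADER_FIELDS = ("version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity")
SEVERITY_WORDS = {"low", "medium", "high", "very-high"}
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.\-]+)=")
_EXT_ESCAPES = {"=": "=", "\\": "\\", "n": "\n", "r": "\r"}


def _split_header(text):
    """Return the seven header fields plus the remaining extension string."""
    fields, buf, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text) and text[i + 1] in "|\\":
            buf.append(text[i + 1])  # escaped '|' or '\'
            i += 2
            continue
        if ch == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
            if len(fields) == len(HEADER_FIELDS):
                return fields, text[i:]  # everything after the 7th '|' is extension
            continue
        buf.append(ch)
        i += 1
    raise ValueError("CEF header needs 7 '|'-separated fields")


def _unescape_ext(raw):
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw) and raw[i + 1] in _EXT_ESCAPES:
            out.append(_EXT_ESCAPES[raw[i + 1]])
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return "".join(out)


def _parse_extension(ext):
    """Keys start at 'key=' preceded by whitespace; values run to the next key."""
    keys = list(_EXT_KEY.finditer(ext))
    parsed = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        parsed[m.group(1)] = _unescape_ext(ext[m.end():end].strip())
    return parsed


def parse_cef(line):
    """Parse one CEF line into a dict; raise ValueError on anything malformed."""
    line = line.rstrip("\r\n")
    if not line.startswith("CEF:"):
        raise ValueError("line does not start with 'CEF:'")
    fields, ext = _split_header(line[len("CEF:"):])
    header = dict(zip(HEADER_FIELDS, fields))
    if header["version"] != "0":
        raise ValueError(f"unsupported CEF version {header['version']!r}")
    sev = header["severity"]
    if not ((sev.isdigit() and 0 <= int(sev) <= 10) or sev.lower() in SEVERITY_WORDS):
        raise ValueError(f"invalid severity {sev!r}")
    for name in ("device_vendor", "device_product", "signature_id", "name"):
        if not header[name]:
            raise ValueError(f"empty header field {name}")
    header["extension"] = _parse_extension(ext)
    return header


def validate_batch(lines):
    """Return (parsed, errors); a bad line is reported with its index, not dropped."""
    parsed, errors = [], []
    for idx, line in enumerate(lines):
        try:
            parsed.append(parse_cef(line))
        except ValueError as exc:
            errors.append((idx, str(exc)))
    return parsed, errors


# Constructed sample lines (vendor/product names are illustrative only).
SAMPLE_LINES = [
    "CEF:0|Check Point|VPN-1 & FireWall-1|R80|100|Suspicious connection|7|"
    "src=10.0.0.5 spt=51234 dst=192.0.2.10 dpt=443 msg=Blocked by rule 12 act=drop",
    "CEF:0|Acme\\|Inc|Gateway|1.0|200|Path C:\\\\tmp|High|msg=a\\=b rt=1700000000000",
    "CEF:0|Acme|Gateway|1.0|300|Bad severity|banana|msg=x",
    "not a cef line",
]

if __name__ == "__main__":
    ok, bad = validate_batch(SAMPLE_LINES)
    print(f"{len(ok)} valid, {len(bad)} rejected: {bad}")
```

One caveat for the Alerts parameter: splitting a comma-separated string on commas is unsafe when a CEF value itself contains a comma (a `msg=` field often does), so keep the alerts as a list in the playbook and hand them to `validate_batch` one line each.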

operation: Insert Parsed Alerts

Input parameters

Note: Values that you specify in the following input parameters are used to upload alerts to Palo Alto Cortex XDR.

Parameter Description
Alert Name Specify the string defining the name of the alert that you want to upload to Palo Alto Cortex XDR.
Product Specify the string value that defines the product related to the alert that you want to upload to Palo Alto Cortex XDR. For example, VPN & Firewall-1
Vendor Specify the string value that defines the vendor related to the alert that you want to upload to Palo Alto Cortex XDR. For example, Check Point
Local Port Specify the integer value for the source port related to the alert that you want to upload to Palo Alto Cortex XDR.
Remote IP Specify the string value of the destination IP address related to the alert that you want to upload to Palo Alto Cortex XDR.
Remote Port Specify the integer value for the destination port related to the alert that you want to upload to Palo Alto Cortex XDR.
Local IP (Optional) Specify the string value for the source IP address related to the alert that you want to upload to Palo Alto Cortex XDR.
Event Timestamp (Optional) Select the occurrence DateTime of the alert that you want to upload to Palo Alto Cortex XDR.
Severity (Optional) Select the severity of the alert that you want to upload to Palo Alto Cortex XDR. You can choose from the following options: Informational, High, Medium, Low, or Unknown.
Alert Description (Optional) Specify the string value that contains the description of the alert that you want to upload to Palo Alto Cortex XDR.
Action Status (Optional) Specify the string value that defines the action status of the alert that you want to upload to Palo Alto Cortex XDR.

Output

The output contains the following populated JSON schema:
{
"reply": ""
}
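
The parameter table above fixes the shape of one parsed alert: six required fields, integer ports, IP address strings, an enumerated severity and a DateTime. The Python below is an added example, not connector code, that validates a playbook's input against those rules before anything is sent and converts the DateTime to epoch milliseconds. The `request_data` / `alerts` wrapper produced by `build_request` is an assumption about the Cortex XDR request body, not something this page documents; the sample parameters are constructed.

```python
"""Build and validate one alert for the 'Insert Parsed Alerts' operation.

Added example, not connector code. It checks the documented parameter
constraints before the alert leaves the playbook: required fields present,
ports are integers in 0..65535, IP addresses parse, severity is one of the
documented choices, and the timestamp becomes epoch milliseconds. The
request body wrapper ('request_data' / 'alerts') is an assumption about the
Cortex XDR API, not something the connector documentation states.
"""
import ipaddress
from datetime import datetime, timezone

SEVERITIES = {"Informational", "High", "Medium", "Low", "Unknown"}
REQUIRED = ("alert_name", "product", "vendor", "local_port", "remote_ip", "remote_port")


def _port(value, field):
    try:
        port = int(value)
    except (TypeError, ValueError):
        raise ValueError(f"{field} must be an integer") from None
    if not 0 <= port <= 65535:
        raise ValueError(f"{field} out of range: {port}")
    return port


def _ip(value, field):
    try:
        return str(ipaddress.ip_address(str(value).strip()))
    except ValueError:
        raise ValueError(f"{field} is not a valid IP address: {value!r}") from None


def _epoch_ms(value):
    """Accept a datetime, an ISO-8601 string or a number; return epoch ms (UTC)."""
    if isinstance(value, (int, float)):
        return int(value)
    dt = value if isinstance(value, datetime) else datetime.fromisoformat(
        str(value).replace("Z", "+00:00"))
    if dt.tzinfo is None:  # naive timestamps are assumed to be UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return int(dt.timestamp() * 1000)


def build_parsed_alert(params):
    """Validate a dict of the documented parameters and return one alert."""
    missing = [k for k in REQUIRED if params.get(k) in (None, "")]
    if missing:
        raise ValueError("missing required parameters: " + ", ".join(missing))
    alert = {
        "alert_name": str(params["alert_name"]),
        "product": str(params["product"]),
        "vendor": str(params["vendor"]),
        "local_port": _port(params["local_port"], "local_port"),
        "remote_ip": _ip(params["remote_ip"], "remote_ip"),
        "remote_port": _port(params["remote_port"], "remote_port"),
    }
    if params.get("local_ip"):
        alert["local_ip"] = _ip(params["local_ip"], "local_ip")
    if params.get("event_timestamp") not in (None, ""):
        alert["event_timestamp"] = _epoch_ms(params["event_timestamp"])
    severity = params.get("severity") or "Unknown"
    if severity not in SEVERITIES:
        raise ValueError(f"severity must be one of {sorted(SEVERITIES)}")
    alert["severity"] = severity
    for opt in ("alert_description", "action_status"):
        if params.get(opt):
            alert[opt] = str(params[opt])
    return alert


def is_valid(params):
    """True when build_parsed_alert accepts params; handy for filtering a batch."""
    try:
        build_parsed_alert(params)
        return True
    except ValueError:
        return False


def build_request(alerts):
    """Wrap validated alerts in a request body (wrapper keys are an assumption)."""
    return {"request_data": {"alerts": list(alerts)}}


# Constructed sample input mirroring the documented parameters.
SAMPLE_PARAMS = {
    "alert_name": "Blocked outbound connection",
    "product": "VPN & Firewall-1",
    "vendor": "Check Point",
    "local_ip": "10.0.0.5",
    "local_port": "51234",
    "remote_ip": "192.0.2.10",
    "remote_port": 443,
    "event_timestamp": "2024-01-15T10:30:00Z",
    "severity": "Medium",
    "alert_description": "Outbound connection denied by policy",
    "action_status": "blocked",
}

if __name__ == "__main__":
    print(build_request([build_parsed_alert(SAMPLE_PARAMS)]))
```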

operation: Isolate Endpoints

Input parameters

Parameter Description
Isolate Endpoint

Select whether you want to isolate one endpoint or multiple endpoints.

  • If you select Isolate One Endpoint, then in the Endpoint ID field specify the ID of the endpoint you want to isolate on Palo Alto Cortex XDR.
  • If you select Isolate More Than One Endpoint, then in the Endpoint ID List field specify a list of endpoint IDs you want to isolate on Palo Alto Cortex XDR.
Incident ID (Optional) Specify the ID of the incident to include the Isolate Endpoints action in the Cortex XDR Incident ViewTimeline tab.

Output

The output contains the following populated JSON schema:
{
"reply": {
"action_id": []
}
}

operation: Unisolate Endpoints

Input parameters

Parameter Description
Unisolate Endpoint

Select whether you want to unisolate one endpoint or multiple endpoints.

  • If you select Unisolate One Endpoint, then in the Endpoint ID field specify the ID of the endpoint you want to unisolate on Palo Alto Cortex XDR.
  • If you select Unisolate More Than One Endpoint, then in the Endpoint ID List field specify a list of endpoint IDs you want to unisolate on Palo Alto Cortex XDR.
Incident ID (Optional) Specify the ID of the incident to include the Unisolate Endpoints action in the Cortex XDR Incident ViewTimeline tab.

Output

The output contains the following populated JSON schema:
{
"reply": {
"action_id": []
}
}

operation: Get All Endpoints

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
"reply": [
{
"agent_type": "",
"agent_id": "",
"host_name": "",
"agent_status": "",
"ip": ""
}
]
}

operation: Get Endpoints

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list (of endpoints) is returned.

Parameter Description
Endpoint ID List Specify the list of endpoint IDs that you want to retrieve from Palo Alto Cortex XDR.
Distribution Name Specify the name of the distribution list or installation package name containing the endpoints to be retrieved from Palo Alto Cortex XDR.
Group Name Specify the name of the group containing the endpoints to be retrieved from Palo Alto Cortex XDR.
Alias Specify the alias of the endpoints to be retrieved from Palo Alto Cortex XDR.
Hostname Specify the name of the host of the endpoints to be retrieved from Palo Alto Cortex XDR.
Username Specify the name of the user associated with the endpoints to be retrieved from Palo Alto Cortex XDR.
Endpoint Status Select the status of the endpoints to be retrieved from Palo Alto Cortex XDR. You can choose between Connected, Disconnected, Lost, or Uninstalled.
IP list Specify the list of IP addresses containing the endpoints to be retrieved from Palo Alto Cortex XDR.
Platform Select the type of operating system that contains the endpoints to be retrieved from Palo Alto Cortex XDR. You can choose between Windows, Linux, Macos, or Android.
Isolate Select the isolation status of the endpoints to be retrieved from Palo Alto Cortex XDR. Select Isolated to retrieve endpoints that are isolated and Unisolated to retrieve endpoints that are unisolated.
Scan Status Select the scan status of endpoints to be retrieved from Palo Alto Cortex XDR. You can choose between None, Pending, In Progress, Cancelled, Aborted, Pending Cancellation, Success, or Error.
First Seen After Select the DateTime using which you want to filter the endpoints retrieved by this operation to include only those endpoints that were first seen at the time specified or the time later than the time specified.
First Seen Before Select the DateTime using which you want to filter the endpoints retrieved by this operation to include only those endpoints that were first seen at the time specified or the time earlier than the time specified.
Last Seen After Select the DateTime using which you want to filter the endpoints retrieved by this operation to include only those endpoints that were last seen at the time specified or the time later than the time specified.
Last Seen Before Select the DateTime using which you want to filter the endpoints retrieved by this operation to include only those endpoints that were last seen at the time specified or the time earlier than the time specified.
Search From Specify the integer representing the starting offset within the query result set from which you want this operation to return endpoints from Palo Alto Cortex XDR.
Search To Specify the integer representing the end offset within the result set after which you do not want this operation to return endpoints from Palo Alto Cortex XDR.
Sort by Field Select the field by which you want to sort the endpoints retrieved by this operation. You can choose between first_seen or last_seen.
Sort by Order Select the order in which the endpoints retrieved by this operation are sorted. You can choose between asc (ascending) or desc (descending).

Output

The output contains the following populated JSON schema:
{
"reply": {
"result_count": "",
"endpoints": [
{
"endpoint_id": "",
"endpoint_name": "",
"endpoint_type": "",
"endpoint_status": "",
"os_type": "",
"ip": "",
"users": [
""
],
"domain": "",
"alias": "",
"first_seen": "",
"last_seen": "",
"content_version": "",
"installation_package": "",
"active_directory": "",
"install_date": "",
"endpoint_version": "",
"is_isolated": "",
"group_name": ""
}
]
}
}
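
Search From and Search To are offsets into the result set, so a large estate has to be read in windows; the same two parameters appear in Get Device Violations, Get Audit Management Logs and Get Audit Agent Report. The Python below is an added example, not connector code: `iter_endpoints` walks a result set window by window using those offsets and stops on `result_count`, on an empty page, or on a short page, so a server that ignores the offsets cannot loop it forever. The `fetch_page` callable stands in for a Get Endpoints call; the fake supplied here treats Search From as inclusive and Search To as exclusive (an assumption about the API's offset semantics) and serves seven constructed endpoints.

```python
"""Walk a large endpoint list with the Search From / Search To offsets.

Added example, not connector code. 'fetch_page' stands in for a call to the
Get Endpoints operation: it takes the two offsets and returns a reply of the
documented shape ('reply' -> 'result_count' plus 'endpoints'). The fake
below serves constructed endpoints so the windowing can be checked offline.
"""


def iter_endpoints(fetch_page, page_size=100):
    """Yield endpoints window by window.

    Stops when result_count is reached, when a page comes back empty, or
    when a page is shorter than requested; the last two guards keep a
    server that ignores the offsets from producing an endless loop.
    """
    if page_size <= 0:
        raise ValueError("page_size must be positive")
    search_from = 0
    while True:
        reply = fetch_page(search_from, search_from + page_size)["reply"]
        page = reply.get("endpoints", [])
        total = int(reply.get("result_count") or 0)
        yield from page
        search_from += len(page)
        if not page or search_from >= total or len(page) < page_size:
            return


def collect_endpoints(fetch_page, page_size=100):
    """Materialise the whole walk as a list (what a playbook step would store)."""
    return list(iter_endpoints(fetch_page, page_size))


def isolated_ids(endpoints):
    """IDs of endpoints whose is_isolated field says they are isolated."""
    return sorted(e["endpoint_id"] for e in endpoints
                  if str(e.get("is_isolated", "")).upper() == "ISOLATED")


def build_fake_fetch(endpoints):
    """Fake Get Endpoints: Search From inclusive, Search To exclusive (assumed).

    Also records every (search_from, search_to) pair it was called with so
    the windowing can be inspected.
    """
    calls = []

    def fetch_page(search_from, search_to):
        calls.append((search_from, search_to))
        return {"reply": {"result_count": len(endpoints),
                          "endpoints": endpoints[search_from:search_to]}}

    return fetch_page, calls


# Constructed sample data following the documented output schema.
SAMPLE_ENDPOINTS = [
    {"endpoint_id": f"ep-{n:02d}", "endpoint_name": f"host-{n:02d}",
     "endpoint_status": "CONNECTED" if n % 3 else "DISCONNECTED",
     "is_isolated": "ISOLATED" if n == 4 else "UNISOLATED"}
    for n in range(7)
]

if __name__ == "__main__":
    fetch, calls = build_fake_fetch(SAMPLE_ENDPOINTS)
    found = collect_endpoints(fetch, page_size=3)
    print(f"{len(found)} endpoints in {len(calls)} calls: {calls}")
    print("isolated:", isolated_ids(found))
```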

operation: Scan Endpoints

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list (of endpoints) is used for this operation.

Parameter Description
Endpoint ID List Specify the list of endpoint IDs that you want to scan on Palo Alto Cortex XDR.
Distribution Name Specify the name of the distribution list containing the endpoints that you want to scan on Palo Alto Cortex XDR.
Group Name Specify the name of the group containing the endpoints that you want to scan on Palo Alto Cortex XDR.
Alias Specify the alias of the endpoints to be scanned on Palo Alto Cortex XDR.
Hostname Specify the name of the host of the endpoints to be scanned on Palo Alto Cortex XDR.
Username Specify the name of the user associated with the endpoints to be scanned on Palo Alto Cortex XDR.
IP List Specify the list of IP addresses containing the endpoints to be scanned on Palo Alto Cortex XDR.
Platform Select the type of operating system that contains the endpoints to be scanned on Palo Alto Cortex XDR. You can choose between Windows, Linux, Macos, or Android.
Isolate Select the isolation status of the endpoints to be scanned on Palo Alto Cortex XDR. Select Isolated to retrieve endpoints that are isolated and Unisolated to retrieve endpoints that are unisolated.
Scan Status Select the scan status of endpoints to be scanned on Palo Alto Cortex XDR. You can choose between None, Pending, In Progress, Cancelled, Aborted, Pending Cancellation, Success, or Error.
First Seen After Select the DateTime using which you want to filter the endpoints retrieved by this operation to include only those endpoints that were first seen at the time specified or the time later than the time specified.
First Seen Before Select the DateTime using which you want to filter the endpoints retrieved by this operation to include only those endpoints that were first seen at the time specified or the time earlier than the time specified.
Last Seen After Select the DateTime using which you want to filter the endpoints retrieved by this operation to include only those endpoints that were last seen at the time specified or the time later than the time specified.
Last Seen Before Select the DateTime using which you want to filter the endpoints retrieved by this operation to include only those endpoints that were last seen at the time specified or the time earlier than the time specified.
Incident ID Specify the ID of the incident to include the Scan Endpoints action in the Cortex XDR Incident ViewTimeline tab.

Output

The output contains the following populated JSON schema:
{
"reply": {
"action_id": []
}
}

operation: Cancel Scan Endpoints

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list (of endpoints) is used for this operation.

Parameter Description
Endpoint ID List Specify the list of endpoint IDs whose scan you want to cancel on Palo Alto Cortex XDR.
Distribution Name Specify the name of the distribution list containing the endpoints whose scan you want to cancel on Palo Alto Cortex XDR.
Group Name Specify the name of the group containing the endpoints whose scan you want to cancel on Palo Alto Cortex XDR.
Alias Specify the alias of the endpoints whose scan you want to cancel on Palo Alto Cortex XDR.
Hostname Specify the name of the host of the endpoints whose scan you want to cancel on Palo Alto Cortex XDR.
Username Specify the name of the user associated with the endpoints whose scan you want to cancel on Palo Alto Cortex XDR.
IP List Specify the list of IP addresses containing the endpoints whose scan you want to cancel on Palo Alto Cortex XDR.
Platform Select the type of operating system that contains the endpoints whose scan you want to cancel on Palo Alto Cortex XDR. You can choose between Windows, Linux, Macos, or Android.
Isolate Select the isolation status of the endpoints whose scan you want to cancel on Palo Alto Cortex XDR. Select Isolated to retrieve endpoints that are isolated and Unisolated to retrieve endpoints that are unisolated.
Scan Status Select the scan status of endpoints whose scan you want to cancel on Palo Alto Cortex XDR. You can choose between None, Pending, In Progress, Cancelled, Aborted, Pending Cancellation, Success, or Error.
First Seen After Select the DateTime using which you want to filter the endpoints retrieved by this operation to include only those endpoints that were first seen at the time specified or the time later than the time specified.
First Seen Before Select the DateTime using which you want to filter the endpoints retrieved by this operation to include only those endpoints that were first seen at the time specified or the time earlier than the time specified.
Last Seen After Select the DateTime using which you want to filter the endpoints retrieved by this operation to include only those endpoints that were last seen at the time specified or the time later than the time specified.
Last Seen Before Select the DateTime using which you want to filter the endpoints retrieved by this operation to include only those endpoints that were last seen at the time specified or the time earlier than the time specified.
Incident ID Specify the ID of the incident to include the Cancel Scan Endpoints action in the Cortex XDR Incident ViewTimeline tab.

Output

The output contains the following populated JSON schema:
{
"reply": ""
}

operation: Delete Endpoints

Input parameters

Parameter Description
Endpoint ID List Specify a list of endpoint IDs that you want to delete from the Palo Alto Cortex XDR app.

Output

The output contains the following populated JSON schema:
{
"reply": ""
}

operation: Get Policy

Input parameters

Parameter Description
Endpoint ID Specify a string that represents the endpoint ID for which you want to retrieve the policy from Palo Alto Cortex XDR. For example, 51588e4ce9214c63b39d054bd073b93a

Output

The output contains the following populated JSON schema:
{
"reply": {
"policy_name": ""
}
}

operation: Get Device Violations

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list (of device violations) is returned.

Parameter Description
Endpoint ID List Specify the list of endpoint IDs based on which you want to retrieve violations from Palo Alto Cortex XDR.
Vendor Specify the string value that defines the vendor whose associated violations are to be retrieved from Palo Alto Cortex XDR. For example, Check Point
Vendor ID Specify the string value that defines the vendor ID whose associated violations are to be retrieved from Palo Alto Cortex XDR. For example, 0x0999
Product Specify the string value that defines the product whose associated violations are to be retrieved from Palo Alto Cortex XDR. For example, VPN & Firewall-1
Product ID Specify the string value that defines the product ID whose associated violations are to be retrieved from Palo Alto Cortex XDR. For example, 0x10036
Serial Specify the string value that defines the serial number whose associated violations are to be retrieved from Palo Alto Cortex XDR. For example, 8888889
Hostname Specify the name of the host whose associated violations are to be retrieved from Palo Alto Cortex XDR.
Username Specify the name of the user whose associated violations are to be retrieved from Palo Alto Cortex XDR.
Type Select the type of violations that are to be retrieved from Palo Alto Cortex XDR. You can choose between CD ROM, Disk Drive, Floppy Disk, or Portable Device.
IP List Specify the list of IP addresses whose associated violations are to be retrieved from Palo Alto Cortex XDR.
Violations ID List Specify the list of violation IDs that you want to retrieve from Palo Alto Cortex XDR.
Timestamp After Select the DateTime from when you want to retrieve violations from Palo Alto Cortex XDR. This operation retrieves all violations whose timestamp matches the time specified or is later than the time specified on Palo Alto Cortex XDR.
Timestamp Before Select the DateTime till when you want to retrieve violations from Palo Alto Cortex XDR. This operation retrieves all violations whose timestamp matches the time specified or is earlier than the time specified on Palo Alto Cortex XDR.
Search From Specify the integer representing the starting offset within the query result set from which you want this operation to return device violations from Palo Alto Cortex XDR.
Search To Specify the integer representing the end offset within the result set after which you do not want this operation to return device violations from Palo Alto Cortex XDR.
Sort by Field Select the field by which you want to sort the device violations retrieved by this operation. You can choose from options such as serial, product, username, etc.
Sort by Order Select the order in which the device violations retrieved by this operation are sorted. You can choose between asc (ascending) or desc (descending).

Output

The output contains the following populated JSON schema:
{
"reply": {
"result_count": "",
"violations": [
{
"hostname": "",
"username": "",
"ip": "",
"timestamp": "",
"violation_id": "",
"type": "",
"vendor_id": "",
"vendor": "",
"product_id": "",
"product": "",
"serial": "",
"endpoint_id": ""
}
]
}
}

operation: Get Distribution Version

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
"reply": {
"macos": [],
"linux": [],
"windows": []
}
}

operation: Create Distributions

Input parameters

Parameter Description
Name Specify the string representing the name of the installation package that you want to create on Palo Alto Cortex XDR.
Package Type

Select the type of installation package that you want to create on Palo Alto Cortex XDR. You can choose from the following types: Standalone or Upgrade.

  • If you choose the 'Standalone' option, then from the Platform drop-down list, select the platform on which you want to create the installation package. You can choose the following: Windows, Linux, Macos, or Android. Also, if you choose 'Windows', 'Macos', or 'Linux', then in the Agent Version field, enter the version of the agent. For example, 5.0.7.16157
  • If you choose the 'Upgrade' option, then in the Upgrade field, specify the version of an agent that you want to upgrade from ESM. You can specify the following values: windows_version, linux_version, or macos_version.
Description Specify the string containing descriptive information about the installation package.

Output

The output contains the following populated JSON schema:
{
"reply": {
"distribution_id": ""
}
}

operation: Get Distribution Status

Input parameters

Parameter Description
Distribution ID Specify the string representing the ID of the installation package whose status you want to retrieve from Palo Alto Cortex XDR.

Output

The output contains the following populated JSON schema:
{
"reply": {
"status": ""
}
}

operation: Get Distribution URL

Input parameters

Parameter Description
Distribution ID Specify the string representing the ID of the installation package whose distribution URL you want to retrieve from Palo Alto Cortex XDR.
Package Type Select the type of installation package whose distribution URL you want to retrieve from Palo Alto Cortex XDR. You can choose from the following options: sh-For Linux, rpm-For Linux, deb-For Linux, pkg-For Mac, x86-For Windows, or x64-For Windows.

Output

The output contains the following populated JSON schema:
{
"reply": {
"distribution_url": ""
}
}

operation: Get Audit Management Logs

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list (of audit management logs) is returned.

Parameter Description
Email Specify the email address of the user whose audit management logs you want to retrieve from Palo Alto Cortex XDR.
Type Specify the type of audit management logs you want to retrieve from Palo Alto Cortex XDR.
Sub Type Specify the sub-type of the audit management logs you want to retrieve from Palo Alto Cortex XDR.
Result Specify the result of the audit log using which you want to filter the audit log management logs retrieved from Palo Alto Cortex XDR. For example, SUCCESS.
Timestamp After Select the DateTime from when you want to retrieve audit management logs from Palo Alto Cortex XDR. This operation retrieves all audit management logs whose timestamp matches the time specified or is later than the time specified on Palo Alto Cortex XDR.
Timestamp Before Select the DateTime till when you want to retrieve audit management logs from Palo Alto Cortex XDR. This operation retrieves all audit management logs whose timestamp matches the time specified or is earlier than the time specified on Palo Alto Cortex XDR.
Search From Specify an integer representing the starting offset within the query result set from which you want management logs returned.
Search To Specify an integer representing the end offset within the result set after which you do not want management logs returned.
Sort by Field Select the field by which you want to sort the audit management logs retrieved by this operation. You can choose between type, sub-type, or result.
Sort by Order Select the order in which the audit management logs retrieved by this operation are sorted. You can choose between asc (ascending) or desc (descending).

Output

The output contains the following populated JSON schema:
{
"reply": {
"data": [
{
"AUDIT_DESCRIPTION": "",
"AUDIT_HOSTNAME": "",
"AUDIT_SESSION_ID": "",
"AUDIT_ASSET_JSON": "",
"AUDIT_REASON": "",
"AUDIT_RESULT": "",
"AUDIT_OWNER_EMAIL": "",
"AUDIT_ENTITY": "",
"AUDIT_ASSET_NAMES": "",
"AUDIT_ID": "",
"AUDIT_ENTITY_SUBTYPE": "",
"AUDIT_CASE_ID": "",
"AUDIT_OWNER_NAME": "",
"AUDIT_INSERT_TIME": ""
}
],
"result_count": ""
}
}

operation: Get Audit Agent Report

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list (of audit agent reports) is returned.

Parameter Description
Endpoint ID Specify the string representing the ID of the endpoint whose associated audit agent reports you want to retrieve from Palo Alto Cortex XDR.
Endpoint Name Specify the string representing the name of the endpoint whose associated audit agent reports you want to retrieve from Palo Alto Cortex XDR.
Type Specify the type of audit agent reports you want to retrieve from Palo Alto Cortex XDR. For example, Agent Status
Sub Type Specify the sub-type of the audit agent reports you want to retrieve from Palo Alto Cortex XDR. For example, Fully Protected
Result Specify the result of the agent report using which you want to filter the audit agent reports retrieved from Palo Alto Cortex XDR. For example, SUCCESS
Domain Specify the domain of the agent whose audit agent reports you want to retrieve from Palo Alto Cortex XDR. For example, WORKGROUP
xdr_version Specify the XDR version for which you want to retrieve audit agent reports from Palo Alto Cortex XDR.
Category Select the type of event category of the audit agent reports you want to retrieve from Palo Alto Cortex XDR. You can choose from the following options: Status, Audit, or Monitoring.
Timestamp After Select the DateTime from when you want to retrieve audit agent reports from Palo Alto Cortex XDR. This operation retrieves all audit agent reports whose timestamp matches the time specified or is later than the time specified on Palo Alto Cortex XDR.
Timestamp Before Select the DateTime till when you want to retrieve audit agent reports from Palo Alto Cortex XDR. This operation retrieves all audit agent reports whose timestamp matches the time specified or is earlier than the time specified on Palo Alto Cortex XDR.
Search From Specify an integer representing the starting offset within the query result set from which you want this operation to return audit agent reports from Palo Alto Cortex XDR.
Search To Specify an integer representing the end offset within the result set after which you do not want this operation to return audit agent reports from Palo Alto Cortex XDR.
Sort by Field Select the field by which you want to sort the audit agent reports retrieved by this operation. You can choose between type, category, trapsversion, timestamp, or domain.
Sort by Order Select the order in which the audit agent reports retrieved by this operation are sorted. You can choose between asc (ascending) or desc (descending).

Output

The output contains the following populated JSON schema:
{
"reply": {
"data": [
{
"RESULT": "",
"REASON": "",
"SUBTYPE": "",
"CATEGORY": "",
"DOMAIN": "",
"TRAPSVERSION": "",
"RECEIVEDTIME": "",
"TIMESTAMP": "",
"DESCRIPTION": "",
"ENDPOINTNAME": "",
"ENDPOINTID": "",
"TYPE": ""
}
],
"result_count": ""
}
}

operation: Blacklist Files

Input parameters

Parameter Description
Hash List Specify a string that represents a list of file hash values you want to blacklist on Palo Alto Cortex XDR.
Note: Hash must be a valid SHA256 value.
Comment (Optional) Specify a string containing descriptive information about this action.
Incident ID (Optional) Specify the ID of the incident related to the specified file hash to include the Blacklist Files action in the Cortex XDR Incident ViewTimeline tab.

Output

The output contains the following populated JSON schema:
{
"reply": ""
}

operation: Whitelist Files

Input parameters

Parameter Description
Hash List Specify a string that represents a list of file hash values you want to whitelist on Palo Alto Cortex XDR.
Note: The hash must be a valid SHA256 value.
Comment (Optional) Specify a string containing descriptive information about this action.
Incident ID (Optional) Specify the ID of the incident related to the specified file hash to include the Whitelist Files action in the Cortex XDR Incident ViewTimeline tab.

Output

The output contains the following populated JSON schema:
{
"reply": ""
}
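
Both Blacklist Files and Whitelist Files take a list of hashes with the note that each must be a valid SHA256 value, and the same rule applies to the single File Hash of Quarantine Files, Get Quarantine Status and Restore File. The Python below is an added example, not connector code: it normalises a comma-separated string or a list into lower-case SHA256 values, rejects anything that is not 64 hexadecimal characters (pointing out MD5- and SHA1-length values, the usual slip when hashes are copied from another tool), and de-duplicates, so a playbook can stop on the rejected entries before calling either operation. The sample input is constructed.

```python
"""Validate the hash list passed to Blacklist Files / Whitelist Files.

Added example, not connector code. The documented rule is that each hash
must be a valid SHA256 value; this helper normalises the input, rejects
anything that is not 64 hex characters, and removes duplicates.
"""
import re

_SHA256 = re.compile(r"^[0-9a-f]{64}$")
_LENGTH_HINT = {32: "MD5", 40: "SHA1"}  # common wrong-algorithm lengths


def normalise_hash_list(value):
    """Accept a list or a comma/whitespace-separated string.

    Returns (valid, rejected): valid is a de-duplicated list of lower-case
    SHA256 strings, rejected is a list of (original_value, reason) pairs.
    """
    items = re.split(r"[,\s]+", value) if isinstance(value, str) else list(value)
    valid, rejected, seen = [], [], set()
    for raw in items:
        h = str(raw).strip().lower()
        if not h:
            continue  # empty token from a stray comma or trailing whitespace
        if not _SHA256.match(h):
            hint = _LENGTH_HINT.get(len(h))
            reason = f"looks like {hint}, not SHA256" if hint else "not 64 hex characters"
            rejected.append((raw, reason))
            continue
        if h not in seen:
            seen.add(h)
            valid.append(h)
    return valid, rejected


# Constructed sample input: one hash twice in different case, an MD5-length
# value (the MD5 of the empty string) and a junk token.
SAMPLE_INPUT = (
    "A" * 64 + ", " + "a" * 64
    + ", d41d8cd98f00b204e9800998ecf8427e"
    + ", deadbeef"
)

if __name__ == "__main__":
    ok, bad = normalise_hash_list(SAMPLE_INPUT)
    print("valid:", ok)
    print("rejected:", bad)
```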

operation: Quarantine Files

Input parameters

Parameter Description
Endpoint ID List Specify a list of endpoint IDs representing the endpoints on which you want to quarantine files on Palo Alto Cortex XDR.
File Path Specify the string representing the path of the file you want to quarantine on the specified endpoints on Palo Alto Cortex XDR.
File Hash Specify the string representing the hash value of the file you want to quarantine on the specified endpoints on Palo Alto Cortex XDR.
Note: The hash must be a valid SHA256 value.

Output

The output contains the following populated JSON schema:
{
"reply": {
"action_id": []
}
}

operation: Get Quarantine Status

Input parameters

Parameter Description
Endpoint ID Specify the string representing the endpoint ID whose associated files' quarantine status you want to retrieve from Palo Alto Cortex XDR.
File Hash Specify the string representing the hash value of the file whose quarantine status you want to retrieve from Palo Alto Cortex XDR.
Note: The hash must be a valid SHA256 value.
File Path Specify the string representing the path of the file whose quarantine status you want to retrieve from Palo Alto Cortex XDR.

Output

The output contains the following populated JSON schema:
{
"reply": [
{
"endpoint_id": "",
"file_path": "",
"file_hash": "",
"status": ""
}
]
}

operation: Restore File

Input parameters

Parameter Description
File Hash

Specify the string representing the hash value of the quarantined file that you want to restore on the specified endpoint on Palo Alto Cortex XDR.
Note: The hash must be a valid SHA256 value.

Endpoint ID Specify the string representing the endpoint ID on which you want to restore the specified quarantined file.
Incident ID (Optional) Specify the ID of the incident related to the specified file hash to include the Restore Files action in the Cortex XDR Incident ViewTimeline tab.

Output

The output contains the following populated JSON schema:
{
"message": "",
"status": ""
}

operation: Retrieve File

Input parameters

Parameter Description
Endpoint ID List Specify the list of endpoint IDs whose associated files you want to retrieve from Palo Alto Cortex XDR.
Files Select the type of operating system from which you want to retrieve files from Palo Alto Cortex XDR. You can choose between Windows, Linux, or Macos.
File Path Specify the string representing the path of the file used to retrieve files from Palo Alto Cortex XDR.
Distribution Name Specify the string representing the name of the distribution list containing the files you want to retrieve from Palo Alto Cortex XDR.
Group Name Specify the string representing the name of the endpoint group containing the files you want to retrieve from Palo Alto Cortex XDR.
Alias Specify the string representing the alias of the endpoints whose associated files you want to retrieve from Palo Alto Cortex XDR.
Hostname Specify the string representing the name of the host of the endpoints whose associated files you want to retrieve from Palo Alto Cortex XDR.
IP list Specify the string representing the list of IP addresses containing the endpoints whose associated files you want to retrieve from Palo Alto Cortex XDR.
Platform Select the type of operating system that contains the endpoints whose associated files you want to retrieve from Palo Alto Cortex XDR. You can choose between Windows, Linux, Macos, or Android.
Isolate Select the isolation status of the endpoints whose associated files you want to retrieve from Palo Alto Cortex XDR. Select Isolated to retrieve endpoints that are isolated and Unisolated to retrieve endpoints that are unisolated.
First Seen After Select the DateTime using which you want to filter the endpoints, whose associated files you want to be retrieved by this operation to include only those endpoints that were first seen at the time specified or the time later than the time specified.
Last Seen After Select the DateTime using which you want to filter the endpoints, whose associated files you want to be retrieved by this operation to include only those endpoints that were last seen at the time specified or the time later than the time specified.
First Seen Before Select the DateTime using which you want to filter the endpoints, whose associated files you want to be retrieved by this operation to include only those endpoints that were first seen at the time specified or the time earlier than the time specified.
Last Seen Before Select the DateTime using which you want to filter the endpoints, whose associated files you want to be retrieved by this operation to include only those endpoints that were last seen at the time specified or the time earlier than the time specified.

Output

The output contains the following populated JSON schema:
{
    "reply": {
        "action_id": []
    }
}

operation: Retrieve File Details

Input parameters

Parameter Description
Action ID Specify the action ID (as returned by the Retrieve Files operation) whose associated file details you want to retrieve from Palo Alto Cortex XDR.

Output

The output contains the following populated JSON schema:
{
    "reply": {
        "data": {}
    }
}

Included playbooks

The Sample - Palo Alto Cortex XDR - 1.1.0 playbook collection comes bundled with the Palo Alto Cortex XDR connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Palo Alto Cortex XDR connector.

Note: If you plan to use any of the sample playbooks in your environment, clone those playbooks and move them to a different collection, because the sample playbook collection is deleted when the connector is upgraded or deleted.

Data Ingestion Support

Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling incidents from Palo Alto Cortex XDR. Currently, "incidents" in Palo Alto Cortex XDR are mapped to "incidents" in FortiSOAR™. For more information on the Data Ingestion Wizard, see the "Connectors Guide" in the FortiSOAR™ product documentation.

Configure Data Ingestion

You can configure data ingestion using the “Data Ingestion Wizard” to seamlessly map the incoming Palo Alto Cortex XDR "Incidents" to FortiSOAR™ "Incidents".

The Data Ingestion Wizard enables you to configure the scheduled pulling of data from Palo Alto Cortex XDR into FortiSOAR™. It also lets you pull some sample data from Palo Alto Cortex XDR using which you can define the mapping of data between Palo Alto Cortex XDR and FortiSOAR™. The mapping of common fields is generally already done by the Data Ingestion Wizard; users are mostly required to only map any custom fields that are added to the Palo Alto Cortex XDR incident.

  1. To begin configuring data ingestion, click Configure Data Ingestion on the Palo Alto Cortex XDR connector’s "Configurations" page.
    Click Let’s Start by fetching some data, to open the “Fetch Sample Data” screen.

    Sample data is required to create a field mapping between Palo Alto Cortex XDR data and FortiSOAR™. The sample data is pulled from connector actions or ingestion playbooks.
  2. On the Fetch Data screen, provide the configurations required to fetch Palo Alto Cortex XDR data.
    To pull data from Palo Alto Cortex XDR, specify in the Pull Incidents From Last X Minutes field the number of minutes, counted back from the current time, for which incidents created or updated in Palo Alto Cortex XDR should be retrieved. Optionally, specify a list of incident IDs to retrieve in the Incident ID field; each item in the list must be an incident ID, for example ["9834","7389"]. You can additionally filter the retrieved incidents by their Status and Limit the number of incidents retrieved from Palo Alto Cortex XDR.

    The fetched data is used to create a mapping between the Palo Alto Cortex XDR data and FortiSOAR™ Incidents. Once you have completed specifying the configurations, click Fetch Data.
  3. On the Field Mapping screen, map the fields of a Palo Alto Cortex XDR incident to the fields of an incident present in FortiSOAR™.
    To map a field, click the key in the sample data to add the “jinja” value of the field. For example, to map the hosts parameter of a Palo Alto Cortex XDR incident to the Affected Host parameter of a FortiSOAR™ incident, click the Affected Host field and then click the hosts field to populate its keys:

    For more information on field mapping, see the Data Ingestion chapter in the "Connectors Guide" in the FortiSOAR™ product documentation. Once you have completed the mapping of fields, click Save Mapping & Continue.

  4. (Optional) Use the Scheduling screen to configure schedule-based ingestion, that is, specify how often FortiSOAR™ polls Palo Alto Cortex XDR so that content is pulled from the Palo Alto Cortex XDR integration into FortiSOAR™.
    On the Scheduling screen, from the Do you want to schedule the ingestion? drop-down list, select Yes.
    In the “Configure Schedule Settings” section, specify the Cron expression for the schedule. For example, to pull data from Palo Alto Cortex XDR every morning at 5 am, click Daily, enter 5 in the hour box, and enter 0 in the minute box:

    Once you have completed scheduling, click Save Settings & Continue.

  5. The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks. Click Done to complete the data ingestion and exit the Data Ingestion Wizard.
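The following is an added example, not part of the connector or its documentation, that shows what steps 2 and 3 amount to outside the wizard: the ingestion inputs (minutes to look back, incident ID list, Status, Limit) are turned into a Cortex XDR incident query, and a mapping such as hosts → Affected Host is applied to a sample incident. The query field and operator names (modification_time, incident_id_list, status, search_from, search_to), the 100-record page cap, and the "hostname:agent_id" form of the hosts entries follow the public Cortex XDR get_incidents API as understood by the author of this example and are assumptions; the field map, the sample incident and all values in it are constructed.

```python
"""Added illustration of the ingestion wizard's steps 2 and 3 (not
FortiSOAR or Cortex XDR code). API field names are assumptions."""
import time
from typing import Any, Dict, List, Optional

MAX_PAGE = 100  # assumed cap on records per get_incidents page


def build_get_incidents_request(
    last_minutes: Optional[int] = None,
    incident_ids: Optional[List[str]] = None,
    status: Optional[str] = None,
    limit: int = MAX_PAGE,
    now_ms: Optional[int] = None,
) -> Dict[str, Any]:
    """Translate the wizard's Fetch Data inputs into a get_incidents body.

    last_minutes -> "Pull Incidents From Last X Minutes" (time window on
    modification_time, so updated incidents are picked up as well as new
    ones); incident_ids -> "Incident ID"; status -> "Status"; limit ->
    "Limit". Unset inputs add no filter, which means "pull everything".
    """
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    filters: List[Dict[str, Any]] = []
    if last_minutes is not None:
        since_ms = now_ms - int(last_minutes) * 60 * 1000
        filters.append({"field": "modification_time", "operator": "gte", "value": since_ms})
    if incident_ids:
        # the API expects incident IDs as strings, e.g. ["9834","7389"]
        filters.append({"field": "incident_id_list", "operator": "in",
                        "value": [str(i) for i in incident_ids]})
    if status:
        filters.append({"field": "status", "operator": "eq", "value": status})
    # clamp Limit to a valid page size rather than sending a value the API rejects
    search_to = max(1, min(int(limit), MAX_PAGE))
    return {
        "request_data": {
            "filters": filters,
            "search_from": 0,
            "search_to": search_to,
            "sort": {"field": "modification_time", "keyword": "desc"},
        }
    }


# Step-3 style mapping: FortiSOAR incident field -> dotted path into the
# Cortex XDR incident. Stands in for the jinja expressions the wizard
# inserts when you click a key in the sample data (constructed map).
FIELD_MAP = {
    "Name": "description",
    "Affected Host": "hosts",
    "Severity": "severity",
    "Source ID": "incident_id",
    "Status": "status",
}


def _lookup(obj: Any, path: str) -> Any:
    """Resolve a dotted path; a missing key yields None, never an exception."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def map_incident(xdr_incident: Dict[str, Any],
                 field_map: Dict[str, str] = FIELD_MAP) -> Dict[str, Any]:
    """Apply the field map to one Cortex XDR incident."""
    mapped: Dict[str, Any] = {}
    for fsr_field, path in field_map.items():
        value = _lookup(xdr_incident, path)
        if fsr_field == "Affected Host" and isinstance(value, list):
            # hosts entries are assumed to be "hostname:agent_id"; keep the
            # hostname and drop duplicates so one host maps to one record
            value = sorted({str(h).split(":", 1)[0] for h in value})
        mapped[fsr_field] = value
    return mapped


# Constructed sample incident in the shape of a get_incidents reply item.
SAMPLE_INCIDENT = {
    "incident_id": "9834",
    "description": "'Malware' detected on 1 host",
    "status": "new",
    "severity": "high",
    "hosts": ["ws-finance-07:a1b2c3d4e5f6", "ws-finance-07:a1b2c3d4e5f6"],
    "creation_time": 1699998000000,
    "modification_time": 1699998100000,
}

if __name__ == "__main__":
    import json
    print(json.dumps(build_get_incidents_request(30, ["9834", "7389"], "new", 50), indent=2))
    print(map_incident(SAMPLE_INCIDENT))
```

Filtering on modification_time rather than creation_time is deliberate: with a scheduled pull of "last X minutes", an incident that was created earlier but whose status or hosts changed would otherwise never be re-read, so the FortiSOAR record would go stale. A mapping built this way also degrades gracefully when a custom field is absent from an incident, which is the case the wizard's optional custom-field mapping exists for.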
