# Cortex XSIAM

The Cortex XSIAM connector enables seamless integration with Palo Alto Networks' advanced security analytics and threat intelligence, enhancing incident response and management capabilities. Cortex XSIAM is a security platform that specializes in collecting telemetry and enabling extensive response capabilities across a wide range of security tools. This connector allows Swimlane Turbine users to integrate with Cortex XSIAM, providing the ability to retrieve and manage alerts, incidents, cases, and artifacts directly within the Swimlane platform. By leveraging this integration, security teams can automate their response to threats, streamline case management, and enhance their overall security posture with enriched data and actionable insights from Cortex XSIAM.

Using the Cortex XSIAM APIs, you can integrate Cortex XSIAM with third-party apps or services to ingest alerts and to leverage alert stitching and investigation capabilities. The APIs allow you to manage incidents in a ticketing or automation system of your choice by reviewing and editing the incident's details, status, and assignee.

## Prerequisites

To effectively utilize the Cortex XSIAM connector within Swimlane Turbine, ensure you have the following prerequisites:

- API Key authentication for Cortex XSIAM with the following parameters:
  - URL: Endpoint URL for the Cortex XSIAM API
  - API Key: Unique identifier to authenticate requests to Cortex XSIAM
  - API Key ID: Specific key ID associated with your API Key for additional verification

## Capabilities

This connector provides the following capabilities:

- Get Alerts
- Get Incidents
- Retrieve Case Artifacts by Case ID
- Retrieve Cases Based on Filters
- Retrieve Issues Based on Filters
- Update Alerts
- Update Existing Case
- Update Incidents

## Notes

- [Cortex XSIAM overview](https://cortex-panw.stoplight.io/docs/cortex-xsiam/9o0gkfxm6b9mp-cortex-xsiam-overview)

## Configurations

### Cortex XSIAM API Key Authentication

Authenticates using an API key and API key ID for Cortex XSIAM.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | required |
| Authorization | The API key is your unique identifier. Depending on your desired security level, you can generate two types of API keys, Advanced or Standard, from your Cortex XDR app. | string | required |
| x-xdr-auth-id | The API key ID is your unique token used to authenticate the API key | string | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

## Actions

### Get Alerts

Retrieve a list of alerts from Cortex XSIAM using specified criteria in the provided JSON body.

**Endpoint URL:** `/public_api/v1/alerts/get_alerts/`

**Method:** POST

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| request_data | object | optional | A dictionary containing the API request fields |
| request_data.filters | array | optional | An array of filter fields |
| request_data.filters.field | string | required | Identifies the alert field the filter is matching |
| request_data.filters.operator | string | required | Identifies the comparison operator you want to use for this filter |
| request_data.filters.value | string | required | Value that this filter must match. The contents of this field will differ depending on the alert field that you specified for this filter |
| request_data.search_from | number | optional | An integer representing the starting offset within the query result set from which you want alerts returned |
| request_data.search_to | number | optional | An integer representing the end offset within the result set after which you do not want alerts returned |
| request_data.sort | object | optional | Identifies the sort order for the result set |
| request_data.sort.field | string | optional | Identifies how to sort the result set, either according to severity or creation time |
| request_data.sort.keyword | string | required | Defines whether to sort the results in ascending (asc) or descending (desc) order |

Input example:

```json
{"json_body": {"request_data": {"filters": [{"field": "severity", "operator": "in", "value": ["medium"]}], "search_from": 0, "search_to": 100, "sort": {"field": "creation_time", "keyword": "desc"}}}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| reply | object | Response body |
| reply.total_count | number | Total number of alerts matching the filters |
| reply.result_count | number | Number of alerts returned in this response |
| reply.alerts | array | The returned alerts |
| reply.alerts.agent_os_sub_type | string | OS sub-type of the agent |
| reply.alerts.fw_app_category | object | Firewall application category |
| reply.alerts.fw_app_id | object | Firewall application ID |
| reply.alerts.fw_app_subcategory | object | Firewall application subcategory |
| reply.alerts.fw_app_technology | object | Firewall application technology |
| reply.alerts.causality_actor_process_command_line | object | Command line of the causality actor process |
| reply.alerts.causality_actor_process_image_md5 | object | MD5 of the causality actor process image |
| reply.alerts.causality_actor_process_image_name | object | Name of the causality actor process image |
| reply.alerts.causality_actor_process_image_path | object | Path of the causality actor process image |
| reply.alerts.causality_actor_process_image_sha256 | object | SHA-256 of the causality actor process image |
| reply.alerts.causality_actor_process_signature_status | string | Signature status of the causality actor process |
| reply.alerts.causality_actor_process_signature_vendor | object | Signature vendor of the causality actor process |
| reply.alerts.causality_actor_causality_id | object | Causality ID of the causality actor |
| reply.alerts.identity_sub_type | object | Identity sub-type |
| reply.alerts.identity_type | object | Identity type |
| reply.alerts.operation_name | object | Name of the operation |
| reply.alerts.project | object | Cloud project |
| reply.alerts.cloud_provider | object | Cloud provider |
| reply.alerts.referenced_resource | object | Referenced cloud resource |

Output example:

```json
{"reply": {"total_count": 123, "result_count": 123, "alerts": [{}]}}
```

### Get Incidents

Retrieve a filtered list of incidents from Cortex XSIAM based on criteria like IDs, modification or creation time.

**Endpoint URL:** `/public_api/v1/incidents/get_incidents`

**Method:** POST

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| request_data | object | optional | A dictionary containing the API request fields. An empty dictionary returns all results. |
| request_data.filters | array | optional | Array of filter fields |
| request_data.filters.field | string | required | Identifies the incident field the filter is matching |
| request_data.filters.operator | string | required | Identifies the comparison operator you want to use for this filter |
| request_data.filters.value | array | required | Value that this filter must match. The contents of this field will differ depending on the incident field that you specified for this filter |
| request_data.search_from | number | optional | Integer representing the starting offset within the query result set from which you want incidents returned |
| request_data.search_to | number | optional | Integer representing the end offset within the result set after which you do not want incidents returned |
| request_data.sort | object | optional | Identifies the sort order for the result set |
| request_data.sort.field | string | required | Sort according to this field |
| request_data.sort.keyword | string | required | Sort in ascending (asc) or descending (desc) order |

Input example:

```json
{"json_body": {"request_data": {"filters": [{"field": "incident_id_list", "operator": "in", "value": ["incident_id"]}], "search_from": 0, "search_to": 100, "sort": {"field": "creation_time", "keyword": "desc"}}}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| reply | object | Response body |
| reply.total_count | number | Total number of incidents matching the filters |
| reply.result_count | number | Number of incidents returned in this response |
| reply.incidents | array | The returned incidents |
| reply.incidents.incident_id | string | Unique incident ID |
| reply.incidents.incident_name | string | Incident name |
| reply.incidents.creation_time | number | Creation time of the incident |
| reply.incidents.modification_time | number | Last modification time of the incident |
| reply.incidents.detection_time | object | Detection time of the incident |
| reply.incidents.status | string | Incident status |
| reply.incidents.severity | string | Incident severity |
| reply.incidents.description | string | Incident description |
| reply.incidents.assigned_user_mail | object | Email address of the assignee |
| reply.incidents.assigned_user_pretty_name | object | Full name of the assignee |
| reply.incidents.alert_count | number | Number of alerts in the incident |
| reply.incidents.low_severity_alert_count | number | Number of low-severity alerts |
| reply.incidents.med_severity_alert_count | number | Number of medium-severity alerts |
| reply.incidents.high_severity_alert_count | number | Number of high-severity alerts |
| reply.incidents.critical_severity_alert_count | number | Number of critical-severity alerts |
| reply.incidents.user_count | number | Number of users involved |
| reply.incidents.host_count | number | Number of hosts involved |
| reply.incidents.notes | object | Incident notes |
| reply.incidents.resolve_comment | object | Comment given when the incident was resolved |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Tue, 25 Jun 2024 20:37:23 GMT"}, "reason": "OK", "json_body": {"reply": {"total_count": 1, "result_count": 1, "incidents": [], "restricted_incident_ids": []}}}
```

### Retrieve Case Artifacts by Case ID

Retrieve all artifacts associated with a specific case in Cortex XSIAM using the provided case ID.

**Endpoint URL:** `/public_api/v1/case/artifacts/{{case_id}}`

**Method:** GET

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.case_id | number | required | Numeric ID of the case |

Input example:

```json
{"path_parameters": {"case_id": 56}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| reply | object | Response body |
| reply.total_count | number | Total number of artifacts |
| reply.filter_count | number | Number of artifacts after filtering |
| reply.data | array | Artifact data per case |
| reply.data.case_id | number | ID of the case |
| reply.data.network_artifacts | object | Network artifacts of the case |
| reply.data.network_artifacts.data | array | Network artifact entries |
| reply.data.network_artifacts.total_count | number | Number of network artifacts |
| reply.data.file_artifacts | object | File artifacts of the case |
| reply.data.file_artifacts.data | array | File artifact entries |
| reply.data.file_artifacts.total_count | number | Number of file artifacts |

Output example:

```json
{"status_code": 200, "reason": "OK", "json_body": {"reply": {"total_count": 0, "filter_count": 0, "data": []}}}
```

### Retrieve Cases Based on Filters

Retrieve a list of Cortex XSIAM cases matching specified filter criteria using the `request_data` parameter.

**Endpoint URL:** `/public_api/v1/case/search`

**Method:** POST

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| request_data | object | optional | A dictionary containing the API request fields |
| request_data.filters | array | optional | List of filters to apply when retrieving cases |
| request_data.filters.field | string | optional | Specifies the field to filter cases by |
| request_data.filters.operator | string | optional | Comparison operator to use with the filter |
| request_data.filters.value | array | optional | Value(s) for filtering the cases |
| request_data.search_from | number | optional | Starting index for pagination |
| request_data.search_to | number | optional | Ending index for pagination |
| request_data.sort | object | optional | Sort order for the result set |
| request_data.sort.field | string | optional | Field to sort by |
| request_data.sort.keyword | string | optional | Sort order (ascending or descending) |

Input example:

```json
{"json_body": {"request_data": {"filters": [{"field": "case_id", "operator": "in", "value": [0]}], "search_from": 0, "search_to": 0, "sort": {"field": "case_id", "keyword": "asc"}}}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| reply | object | Response body |
| reply.total_count | number | Total number of cases matching the filters |
| reply.filter_count | number | Number of cases after filtering |
| reply.data | array | The returned cases |
| reply.data.case_id | string | Case ID |
| reply.data.creation_time | string | Creation time of the case |
| reply.data.owner | string | Case owner |
| reply.data.case_domain | string | Case domain |
| reply.data.auto_resolve_case | boolean | Whether the case resolves automatically |
| reply.data.custom_fields | object | Custom fields of the case |
| reply.data.custom_fields.priority | string | Case priority |
| reply.data.custom_fields.incident_id | string | Related incident ID |
| reply.data.status_progress | string | Case status |
| reply.data.resolve_reason | string | Reason the case was resolved |
| reply.data.resolve_comment | string | Comment given when the case was resolved |
| reply.data.last_modified | number | Last modification time |
| reply.data.score | number | Case score |
| reply.data.severity | string | Case severity |
| reply.data.description | string | Case description |
| reply.data.scoring_type | string | Scoring type |
| reply.data.assigned_to | string | Assignee |
| reply.data.assigned_to_name | string | Assignee display name |
| reply.data.is_cloud | boolean | Whether the case originates from a cloud source |

Output example:

```json
{"status_code": 200, "reason": "OK", "json_body": {"reply": {"total_count": 0, "filter_count": 0, "data": []}}}
```

### Retrieve Issues Based on Filters

Retrieves a list of issues from Cortex XSIAM that match specified filter criteria using the provided JSON body.

**Endpoint URL:** `/public_api/v1/issue/search`

**Method:** POST

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| request_data | object | optional | Request data for retrieving issues based on filters |
| request_data.filters | array | optional | List of filter criteria to apply |
| request_data.filters.field | string | optional | Specifies the field to filter issues by |
| request_data.filters.operator | string | optional | Comparison operator to use with the filter |
| request_data.filters.value | array | optional | Value(s) for filtering the issues |
| request_data.search_from | number | optional | Starting index for pagination |
| request_data.search_to | number | optional | Ending index for pagination |
| request_data.sort | object | optional | Sorting criteria for the results |
| request_data.sort.field | string | optional | Field to sort the results by |
| request_data.sort.keyword | string | optional | Sort order (ascending or descending) |
| include_fields | array | optional | A list of fields to include in the response |

Input example:

```json
{"json_body": {"request_data": {"filters": [{"field": "case_id", "operator": "in", "value": [0]}], "search_from": 0, "search_to": 0, "sort": {"field": "case_id", "keyword": "asc"}}, "include_fields": ["normalized_field", "custom_fields"]}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| reply | object | Response body |
| reply.total_count | number | Total number of issues matching the filters |
| reply.result_count | number | Number of issues returned in this response |
| reply.issues | array | The returned issues |
| reply.issues.insert_time | string | Time the issue was inserted |
| reply.issues.owner | string | Issue owner |
| reply.issues.external_id | string | External identifier |
| reply.issues.name | string | Issue name |
| reply.issues.description | string | Issue description |
| reply.issues.observation_time | number | Observation time |
| reply.issues.domain | string | Issue domain |
| reply.issues.detection_method | string | Detection method |
| reply.issues.detection_rule_id | string | ID of the detection rule |
| reply.issues.category | string | Issue category |
| reply.issues.finding_ids | array | IDs of related findings |
| reply.issues.asset_ids | array | IDs of affected assets |
| reply.issues.mitre_tactics | array | MITRE ATT&CK tactics |
| reply.issues.mitre_techniques | array | MITRE ATT&CK techniques |
| reply.issues.type | string | Issue type |
| reply.issues.remediation | string | Remediation guidance |
| reply.issues.extended_description | string | Extended description |
| reply.issues.impact | string | Impact |
| reply.issues.issue_id | number | Unique issue ID |

Output example:

```json
{"status_code": 200, "reason": "OK", "json_body": {"reply": {"total_count": 0, "result_count": 0, "issues": []}}}
```

### Update Alerts

Update up to 100 alerts simultaneously in Cortex XSIAM using a specified JSON body payload.

**Endpoint URL:** `/public_api/v1/alerts/update_alerts`

**Method:** POST

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| request_data | object | optional | A dictionary containing the API request fields |
| request_data.alert_id_list | array | optional | A list representing the alert IDs you want to update |
| request_data.update_data | object | optional | The data you want to update the alerts with |
| request_data.update_data.severity | string | optional | Alert severity |
| request_data.update_data.status | string | optional | Updated alert status |
| request_data.update_data.comment | string | optional | Descriptive comment explaining the changes |

Input example:

```json
{"json_body": {"request_data": {"alert_id_list": ["list of ids"], "update_data": {"severity": "medium", "status": "resolved_other", "comment": "This alert is resolved"}}}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| reply | object | Response body |
| reply.alerts_ids | array | IDs of the alerts that were updated |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Tue, 25 Jun 2024 20:37:23 GMT"}, "reason": "OK", "json_body": {"reply": {"alerts_ids": []}}}
```

### Update Existing Case

Updates an existing case in Cortex XSIAM using the specified case ID and the request data provided.

**Endpoint URL:** `/public_api/v1/case/update/{{case_id}}`

**Method:** POST

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.case_id | number | required | Numeric ID of the case to update |
| request_data | object | optional | Data required to update the case |
| request_data.update_data | object | required | Fields to be updated for the case |
| request_data.update_data.status_progress | string | optional | The new status of the case |
| request_data.update_data.resolve_reason | string | optional | Reason for resolving the case |
| request_data.update_data.resolve_comment | string | optional | Comment explaining the reason for resolving the case |

Input example:

```json
{"json_body": {"request_data": {"update_data": {"status_progress": "resolved", "resolve_reason": "resolved_other", "resolve_comment": "Case has been marked as a false positive."}}}, "path_parameters": {"case_id": 56}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{"status_code": 200, "reason": "OK", "json_body": "issues updated successfully"}
```

### Update Incidents

Modify specific fields for an incident in Cortex XSIAM using the provided JSON body.

**Endpoint URL:** `/public_api/v1/incidents/update_incident`

**Method:** POST

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| request_data | object | optional | A dictionary containing the API request fields |
| request_data.incident_id | string | required | A string representing the incident ID you want to update |
| request_data.update_data | object | required | The data to update the incident with |
| request_data.update_data.assigned_user_mail | string | optional | Updated email address of the incident assignee |
| request_data.update_data.assigned_user_pretty_name | string | optional | Updated full name of the incident assignee. To supply a new value in this field, you must also supply a value for `assigned_user_mail` in the same request |
| request_data.update_data.manual_severity | string | optional | Administrator-defined severity |
| request_data.update_data.status | string | optional | Updated incident status |
| request_data.update_data.resolve_comment | string | optional | Descriptive comment explaining the incident change. This can be set only for resolved incidents |
| request_data.update_data.comment | object | optional | Add a comment to the incident |
| request_data.update_data.comment.comment_action | string | required | The comment action; must be `add` |
| request_data.update_data.comment.value | string | required | The comment text |

Input example:

```json
{"json_body": {"request_data": {"incident_id": "incident_id", "update_data": {"assigned_user_mail": "username@test.com", "assigned_user_pretty_name": "Hello World", "manual_severity": "medium", "status": "resolved_duplicate", "resolve_comment": "string", "comment": {"comment_action": "add", "value": "string"}}}}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Tue, 25 Jun 2024 20:37:23 GMT"}, "reason": "OK", "json_body": true}
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Content-Length | The length of the response body in bytes | 140 |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Thu, 01 Jan 2024 00:00:00 GMT |
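The configuration section above lists the `Authorization` and `x-xdr-auth-id` values and mentions the two key types, Standard and Advanced, without showing what each puts on the wire. The following is an added example, not the Swimlane connector's own code or a Palo Alto Networks SDK: it builds the request headers for both key types. The header names and the Advanced-key rule (send `sha256(api_key + nonce + timestamp)` plus the nonce and timestamp instead of the key) follow the Cortex XDR/XSIAM public API documentation; the tenant URL and credentials are placeholders, and `build_request`/`send` are helper names chosen here.

```python
import hashlib
import json
import secrets
import ssl
import time
import urllib.request
from typing import Optional

# Added example. Header names and the Advanced-key hashing rule follow the
# Cortex XDR/XSIAM public API docs; URL, key and key ID below are placeholders.


def build_auth_headers(api_key: str, api_key_id: str, advanced: bool,
                       nonce: Optional[str] = None,
                       timestamp_ms: Optional[int] = None) -> dict:
    """Headers for one public API call. x-xdr-auth-id carries the key ID."""
    headers = {"x-xdr-auth-id": str(api_key_id),
               "Content-Type": "application/json"}
    if not advanced:
        # Standard key: the secret itself is sent on every request, so anyone
        # who can read the request (proxy, logs, TLS interception) has the key.
        headers["Authorization"] = api_key
        return headers
    # Advanced key: the secret never leaves the client. Only
    # sha256(api_key + nonce + timestamp) is sent, bound to a fresh 64-char
    # nonce and a millisecond timestamp, so a captured request cannot be
    # reused with a later timestamp and does not reveal the key.
    nonce = nonce if nonce is not None else secrets.token_hex(32)
    timestamp_ms = timestamp_ms if timestamp_ms is not None else int(time.time() * 1000)
    digest = hashlib.sha256(f"{api_key}{nonce}{timestamp_ms}".encode("utf-8")).hexdigest()
    headers["x-xdr-nonce"] = nonce
    headers["x-xdr-timestamp"] = str(timestamp_ms)
    headers["Authorization"] = digest
    return headers


def build_request(base_url: str, path: str, body: dict,
                  headers: dict) -> urllib.request.Request:
    """Assemble a POST to one connector endpoint, e.g. /public_api/v1/alerts/get_alerts/."""
    url = base_url.rstrip("/") + "/" + path.lstrip("/")
    return urllib.request.Request(url, data=json.dumps(body).encode("utf-8"),
                                  headers=headers, method="POST")


def send(req: urllib.request.Request, verify_ssl: bool = True,
         timeout: int = 30) -> dict:
    """Send the request and decode the JSON reply.

    Keep verify_ssl=True (the connector's verify_ssl option). With verification
    off, the Authorization header goes to whoever terminates TLS on the path,
    which for a Standard key means handing over the key itself."""
    ctx = ssl.create_default_context()
    if not verify_ssl:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return json.load(resp)


if __name__ == "__main__":
    hdrs = build_auth_headers("REPLACE_WITH_API_KEY", "7", advanced=True)
    req = build_request("https://api-tenant.xdr.example.com",
                        "/public_api/v1/alerts/get_alerts/",
                        {"request_data": {"filters": [], "search_from": 0, "search_to": 100}},
                        hdrs)
    print(req.full_url, {k: v for k, v in hdrs.items() if k != "Authorization"})
```

With an Advanced key the tenant recomputes the digest from the key it holds and the nonce and timestamp it received, so the same nonce and timestamp must be sent alongside; a Standard key is simpler but is exposed on every request, which is why the page's `verify_ssl` option should stay enabled.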
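The Get Alerts and Get Incidents actions both take `filters`, `search_from`, `search_to` and `sort`, and the page's examples page in windows of 100. The block below is an added example (not connector code) that walks a whole result set through that window, stopping on a short page or when `total_count` is reached and capping the page count so a bad `total_count` cannot spin forever. The `post(path, body)` callable stands in for the connector transport; `fake_tenant` and the 250 constructed incidents exist only to run it offline. The operator table is an assumption drawn from the page's own examples (list fields use `in`, time fields use `gte`/`lte`); adjust it to the filter fields your tenant's API reference lists.

```python
from typing import Callable, Dict, Iterator, List

# Added example: page through get_alerts / get_incidents results.
PAGE_SIZE = 100   # the page's examples use search_from 0, search_to 100

# Assumed operator sets, taken from the page's examples; extend per API reference.
FIELD_OPERATORS = {
    "alert_id_list": {"in"},
    "incident_id_list": {"in"},
    "severity": {"in"},
    "creation_time": {"gte", "lte"},
    "modification_time": {"gte", "lte"},
}


def valid_operators(field: str) -> set:
    return FIELD_OPERATORS.get(field, set())


def make_filter(field: str, operator: str, value) -> Dict:
    """Build one filter object, rejecting field/operator pairs before anything is sent."""
    if operator not in valid_operators(field):
        raise ValueError(f"operator {operator!r} is not valid for field {field!r}")
    return {"field": field, "operator": operator, "value": value}


def iter_results(post: Callable[[str, Dict], Dict], path: str, result_key: str,
                 id_key: str, filters: List[Dict], sort_field: str = "creation_time",
                 page_size: int = PAGE_SIZE, max_pages: int = 1000) -> Iterator[Dict]:
    """Yield every item matching `filters`, one page of `page_size` at a time.

    Sorts ascending by creation time so rows created while paging land at the
    end instead of shifting offsets, and de-duplicates on `id_key` anyway."""
    seen = set()
    search_from = 0
    for _ in range(max_pages):
        body = {"request_data": {
            "filters": filters,
            "search_from": search_from,
            "search_to": search_from + page_size,
            "sort": {"field": sort_field, "keyword": "asc"},
        }}
        reply = post(path, body).get("reply") or {}
        items = reply.get(result_key) or []
        for item in items:
            key = item.get(id_key)
            if key in seen:
                continue
            seen.add(key)
            yield item
        search_from += len(items)
        if len(items) < page_size or search_from >= reply.get("total_count", 0):
            return
    raise RuntimeError(f"gave up after {max_pages} pages; total_count never reached")


def fake_tenant(incidents: List[Dict]) -> Callable[[str, Dict], Dict]:
    """Constructed stand-in for the API: serves `incidents` and records each request."""
    calls: List[Dict] = []

    def post(path: str, body: Dict) -> Dict:
        rd = body["request_data"]
        calls.append(rd)
        page = incidents[rd["search_from"]:rd["search_to"]]
        return {"reply": {"total_count": len(incidents),
                          "result_count": len(page), "incidents": page}}

    post.calls = calls
    return post


def demo(n: int = 250):
    """Constructed data: n medium-severity incidents; returns (items, request bodies)."""
    sample = [{"incident_id": str(i), "severity": "medium",
               "creation_time": 1700000000000 + i} for i in range(1, n + 1)]
    post = fake_tenant(sample)
    filters = [make_filter("severity", "in", ["medium"]),
               make_filter("creation_time", "gte", 1700000000000)]
    items = list(iter_results(post, "/public_api/v1/incidents/get_incidents",
                              "incidents", "incident_id", filters))
    return items, post.calls


if __name__ == "__main__":
    got, calls = demo()
    print(len(got), "incidents in", len(calls), "requests")
```

Against a live tenant, replace `fake_tenant` with a function that posts the body with the authentication headers and returns the decoded reply; the same iterator serves Get Alerts with `result_key="alerts"` and the alert ID field as `id_key`.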
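Update Alerts accepts at most 100 alert IDs per call and returns the IDs it actually updated in `reply.alerts_ids`. The following added example (not connector code) resolves an arbitrary number of alerts by chunking them to that limit, requiring a comment so the change is explained in the audit trail, and treating any ID the reply does not echo as not updated rather than assuming success. `fake_tenant` and the ID sets in `demo` are constructed so the block runs offline; the status value `resolved_other` and the `severity`/`status`/`comment` fields are the ones the page documents.

```python
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Added example: batch Update Alerts calls and verify the reply.
UPDATE_ALERTS_PATH = "/public_api/v1/alerts/update_alerts"
MAX_ALERTS_PER_CALL = 100   # limit stated on this page for Update Alerts


def resolve_alerts(post: Callable[[str, Dict], Dict], alert_ids: Iterable,
                   status: str, comment: str,
                   severity: Optional[str] = None) -> Tuple[List, List, List[Dict]]:
    """Update alert_ids in batches the API accepts.

    Returns (updated, missing, sent): `updated` are the IDs echoed back in
    reply.alerts_ids, `missing` are requested IDs the tenant did not confirm,
    `sent` are the request bodies, for logging or replay."""
    if not comment or not comment.strip():
        raise ValueError("refusing to change alerts without a comment explaining why")
    unique = list(dict.fromkeys(alert_ids))          # drop duplicates, keep order
    update_data = {"status": status, "comment": comment}
    if severity is not None:
        update_data["severity"] = severity
    updated, missing, sent = [], [], []
    for start in range(0, len(unique), MAX_ALERTS_PER_CALL):
        batch = unique[start:start + MAX_ALERTS_PER_CALL]
        body = {"request_data": {"alert_id_list": batch, "update_data": update_data}}
        sent.append(body)
        reply = post(UPDATE_ALERTS_PATH, body).get("reply") or {}
        echoed = {str(a) for a in (reply.get("alerts_ids") or [])}
        for alert_id in batch:
            (updated if str(alert_id) in echoed else missing).append(alert_id)
    return updated, missing, sent


def fake_tenant(known_ids: set) -> Callable[[str, Dict], Dict]:
    """Constructed stand-in: confirms only IDs it knows, rejects oversize calls."""
    def post(path: str, body: Dict) -> Dict:
        ids = body["request_data"]["alert_id_list"]
        if path != UPDATE_ALERTS_PATH or len(ids) > MAX_ALERTS_PER_CALL:
            return {"reply": {"alerts_ids": []}}
        return {"reply": {"alerts_ids": [a for a in ids if str(a) in known_ids]}}
    return post


def demo():
    """Constructed data: tenant knows alerts 1..230 except 7 and 8; we ask for 1..240 twice over."""
    known = {str(i) for i in range(1, 231)} - {"7", "8"}
    requested = list(range(1, 241)) + [1, 2]
    return resolve_alerts(fake_tenant(known), requested, "resolved_other",
                          "Closed by Turbine playbook: confirmed benign admin activity",
                          severity="low")


if __name__ == "__main__":
    updated, missing, sent = demo()
    print(len(sent), "requests;", len(updated), "updated;", "not confirmed:", missing)
```

The `missing` list is the part worth acting on in a playbook: an ID the tenant did not echo was not closed, so the automation should retry it or raise it to an analyst instead of marking the work done.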