# Cortex XSIAM
The Cortex XSIAM connector enables automated interaction with Palo Alto Networks' security operations platform, facilitating real-time alert and incident management.

Cortex XSIAM is a cutting-edge security operations and analytics platform that provides comprehensive visibility and control over your security environment. This connector enables Swimlane Turbine users to automate alert and incident management by leveraging Cortex XSIAM's robust capabilities. Users can query alerts and incidents, update their statuses, and enrich security operations with detailed information, all within the Swimlane Turbine platform. This integration streamlines processes, reduces response times, and enhances the overall efficiency of security operations teams.

Using the Cortex XSIAM APIs, you can integrate Cortex XSIAM with third-party apps or services to ingest alerts and to leverage alert stitching and investigation capabilities. The APIs allow you to manage incidents in a ticketing or automation system of your choice by reviewing and editing the incident's details, status, and assignee.

## Prerequisites

To effectively utilize the Cortex XSIAM connector with Swimlane Turbine, ensure you have the following prerequisites:

- API key authentication
  - URL: the endpoint URL for the Cortex XSIAM API
  - API key: your personal authentication key to access the Cortex XSIAM API
  - API key ID: the identifier associated with your API key, required for authentication

## Capabilities

This connector provides the following capabilities:

- Get Alerts
- Get Incidents
- Update Alerts
- Update Incidents

## Configurations

### Cortex XSIAM API key authentication

Authenticates using an API key and API key ID for Cortex XSIAM.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | required |
| authorization | The API key is your unique identifier. Depending on your desired security level, you can generate two types of API keys, Advanced or Standard, from your Cortex XDR app. | string | required |
| x-xdr-auth-id | The API key ID is your unique token used to authenticate the API key. | string | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

## Actions

### Get Alerts

Obtain a list of alerts from Cortex XSIAM based on criteria specified in the JSON body.

Endpoint URL: `/public_api/v1/alerts/get_alerts/`
Method: POST

Input:

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| request_data | object | optional | Response data |
| filters | array | optional | An array of filter fields |
| field | string | required | Identifies the alert field the filter is matching |
| operator | string | required | Identifies the comparison operator you want to use for this filter |
| value | string | required | Value that this filter must match. The contents of this field will differ depending on the alert field that you specified for this filter. |
| search_from | number | optional | An integer representing the starting offset within the query result set from which you want alerts returned |
| search_to | number | optional | An integer representing the end offset within the result set after which you do not want alerts returned |
| sort | object | optional | Identifies the sort order for the result set |
| field | string | optional | Identifies how to sort the result set, either according to severity or creation time |
| keyword | string | required | Defines whether to sort the results in ascending (asc) or descending (desc) order |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| reply | object | Output field reply |
| total_count | number | Count value |
| result_count | number | Result of the operation |
| alerts | array | Output field alerts |
| agent_os_sub_type | string | Type of the resource |
| fw_app_category | object | Output field fw_app_category |
| fw_app_id | object | Unique identifier |
| fw_app_subcategory | object | Output field fw_app_subcategory |
| fw_app_technology | object | Output field fw_app_technology |
| causality_actor_process_command_line | object | Output field causality_actor_process_command_line |
| causality_actor_process_image_md5 | object | Output field causality_actor_process_image_md5 |
| causality_actor_process_image_name | object | Name of the resource |
| causality_actor_process_image_path | object | Output field causality_actor_process_image_path |
| causality_actor_process_image_sha256 | object | Output field causality_actor_process_image_sha256 |
| causality_actor_process_signature_status | string | Status value |
| causality_actor_process_signature_vendor | object | Output field causality_actor_process_signature_vendor |
| causality_actor_causality_id | object | Unique identifier |
| identity_sub_type | object | Unique identifier |
| identity_type | object | Unique identifier |
| operation_name | object | Name of the resource |
| project | object | Output field project |
| cloud_provider | object | Unique identifier |
| referenced_resource | object | Output field referenced_resource |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json",
      "Date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "json_body": {
      "reply": {}
    }
  }
]
```

### Get Incidents

Retrieve a filtered list of incidents from Cortex XSIAM based on specific criteria such as incident IDs, modification time, or creation time.

Endpoint URL: `/public_api/v1/incidents/get_incidents`
Method: POST

Input:

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| request_data | object | optional | A dictionary containing the API request fields. An empty dictionary returns all results. |
| filters | array | optional | Array of filter fields |
| field | string | required | Identifies the incident field the filter is matching |
| operator | string | required | Identifies the comparison operator you want to use for this filter |
| value | array | required | Value that this filter must match. The contents of this field will differ depending on the incident field that you specified for this filter. |
| search_from | number | optional | Integer representing the starting offset within the query result set from which you want incidents returned |
| search_to | number | optional | Integer representing the end offset within the result set after which you do not want incidents returned |
| sort | object | optional | Identifies the sort order for the result set |
| field | string | required | Sort according to this field |
| keyword | string | required | Sort in ascending or descending order |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| reply | object | Output field reply |
| total_count | number | Count value |
| result_count | number | Result of the operation |
| incidents | array | Unique identifier |
| incident_id | string | Unique identifier |
| incident_name | string | Unique identifier |
| creation_time | number | Time value |
| modification_time | number | Time value |
| detection_time | object | Time value |
| status | string | Status value |
| severity | string | Output field severity |
| description | string | Output field description |
| assigned_user_mail | object | Output field assigned_user_mail |
| assigned_user_pretty_name | object | Name of the resource |
| alert_count | number | Count value |
| low_severity_alert_count | number | Count value |
| med_severity_alert_count | number | Count value |
| high_severity_alert_count | number | Count value |
| critical_severity_alert_count | number | Count value |
| user_count | number | Count value |
| host_count | number | Count value |
| notes | object | Output field notes |
| resolve_comment | object | Output field resolve_comment |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Tue, 25 Jun 2024 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": {
      "reply": {}
    }
  }
]
```

### Update Alerts

Update up to 100 alerts simultaneously within Cortex XSIAM using a JSON body payload.

Endpoint URL: `/public_api/v1/alerts/update_alerts`
Method: POST

Input:

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| request_data | object | optional | Response data |
| alert_id_list | array | optional | A list representing the alert IDs you want to update |
| update_data | object | optional | The data you want to update the alerts with |
| severity | string | optional | Alert severity |
| status | string | optional | Updated alert status |
| comment | string | optional | Descriptive comment explaining the changes |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| reply | object | Output field reply |
| alerts_ids | array | Unique identifier |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Tue, 25 Jun 2024 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": {
      "reply": {}
    }
  }
]
```

### Update Incidents

Modify specific fields for an incident in Cortex XSIAM using a provided JSON body.

Endpoint URL: `/public_api/v1/incidents/update_incident`
Method: POST

Input:

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| request_data | object | optional | Response data |
| incident_id | string | required | A string representing the incident ID you want to update |
| update_data | object | required | The data to update the incident with |
| assigned_user_mail | string | optional | Updated email address of the incident assignee |
| assigned_user_pretty_name | string | optional | Updated full name of the incident assignee. To supply a new value in this field, you must also supply a value for assigned_user_mail in the same request. |
| manual_severity | string | optional | Administrator-defined severity |
| status | string | optional | Updated incident status |
| resolve_comment | string | optional | Descriptive comment explaining the incident change. This can be set only for resolved incidents. |
| comment | object | optional | Add a comment to the incident |
| comment_action | string | required | The comment action; must be 'add' |
| value | string | required | The comment text |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Tue, 25 Jun 2024 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": true
  }
]
```

## Response headers

| Header | Description | Example |
| --- | --- | --- |
| Content-Length | The length of the response body in bytes | 140 |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Tue, 25 Jun 2024 20:37:23 GMT |

## Notes

Link to docs: [Cortex XSIAM Overview](https://cortex-panw.stoplight.io/docs/cortex-xsiam/9o0gkfxm6b9mp-cortex-xsiam-overview)
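An added example for the Get Alerts and Get Incidents actions (not Swimlane's or Palo Alto Networks' code): it builds the API key headers and the `request_data` body with filters, `search_from`/`search_to` and `sort`, then pages through a result set by advancing the offset with the reply's `result_count` until `total_count` is reached. The `post` callable, `fake_post` and the sample incidents are constructed stand-ins for the HTTP call, and the status filter is a constructed value.

```python
from typing import Callable, Iterator, List, Optional

def auth_headers(api_key: str, api_key_id: str) -> dict:
    """Headers for a Standard API key: the key in Authorization, its ID in x-xdr-auth-id."""
    return {"Authorization": api_key, "x-xdr-auth-id": str(api_key_id),
            "Content-Type": "application/json"}

def build_query(filters: List[dict], search_from: int = 0, search_to: int = 100,
                sort_field: Optional[str] = None, keyword: str = "desc") -> dict:
    """request_data body shared by get_alerts and get_incidents."""
    if search_to <= search_from:
        raise ValueError("search_to must be greater than search_from")
    if keyword not in ("asc", "desc"):
        raise ValueError("sort keyword must be 'asc' or 'desc'")
    request_data = {"filters": filters, "search_from": search_from, "search_to": search_to}
    if sort_field is not None:
        request_data["sort"] = {"field": sort_field, "keyword": keyword}
    return {"request_data": request_data}

def iter_incidents(post: Callable[[dict], dict], filters: List[dict],
                   page_size: int = 100) -> Iterator[dict]:
    """Walk every page of get_incidents: move search_from by result_count until total_count."""
    offset = 0
    while True:
        reply = post(build_query(filters, offset, offset + page_size, "creation_time"))["reply"]
        for incident in reply["incidents"]:
            yield incident
        offset += reply["result_count"]
        if reply["result_count"] == 0 or offset >= reply["total_count"]:
            break

# Constructed sample data standing in for an XSIAM response; these are not real incidents.
SAMPLE_INCIDENTS = [{"incident_id": str(100 + i), "status": "new"} for i in range(7)]

def fake_post(body: dict) -> dict:
    """Constructed stand-in for POST /public_api/v1/incidents/get_incidents: slices SAMPLE_INCIDENTS."""
    rd = body["request_data"]
    page = SAMPLE_INCIDENTS[rd["search_from"]:rd["search_to"]]
    return {"reply": {"total_count": len(SAMPLE_INCIDENTS),
                      "result_count": len(page), "incidents": page}}

def collect_new_incidents(post: Callable[[dict], dict] = fake_post) -> List[str]:
    """Collect the IDs of every incident matching a constructed status filter, across pages."""
    # Incident filters take an array value, so "in" with a list is the natural shape.
    filters = [{"field": "status", "operator": "in", "value": ["new"]}]
    return [i["incident_id"] for i in iter_incidents(post, filters, page_size=3)]
```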
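An added example for the Update Alerts and Update Incidents actions (not Swimlane's or Palo Alto Networks' code): it builds the request bodies and enforces the rules the tables above state before any call is made, namely at most 100 alert IDs per `update_alerts` request, `comment_action` fixed to `"add"`, `assigned_user_pretty_name` only together with `assigned_user_mail`, and `resolve_comment` only on a resolved incident. Recognising a resolved status by a `"resolved"` prefix is an assumption of this example, not something the page states.

```python
from typing import Iterator, List, Optional

MAX_ALERTS_PER_UPDATE = 100  # limit stated for the Update Alerts action

def update_alert_batches(alert_ids: List[str], severity: Optional[str] = None,
                         status: Optional[str] = None,
                         comment: Optional[str] = None) -> Iterator[dict]:
    """Yield one update_alerts request body per chunk of at most 100 alert IDs."""
    update_data = {k: v for k, v in (("severity", severity), ("status", status),
                                     ("comment", comment)) if v is not None}
    if not update_data:
        raise ValueError("update_data must carry severity, status or comment")
    for i in range(0, len(alert_ids), MAX_ALERTS_PER_UPDATE):
        yield {"request_data": {"alert_id_list": alert_ids[i:i + MAX_ALERTS_PER_UPDATE],
                                "update_data": update_data}}

def build_incident_update(incident_id: str, *, assigned_user_mail: Optional[str] = None,
                          assigned_user_pretty_name: Optional[str] = None,
                          manual_severity: Optional[str] = None, status: Optional[str] = None,
                          resolve_comment: Optional[str] = None,
                          comment: Optional[str] = None) -> dict:
    """update_incident request body with the documented field rules checked client-side."""
    if assigned_user_pretty_name is not None and assigned_user_mail is None:
        raise ValueError("assigned_user_pretty_name requires assigned_user_mail in the same request")
    # Assumption: resolved statuses are recognised by a "resolved" prefix.
    if resolve_comment is not None and not (status or "").startswith("resolved"):
        raise ValueError("resolve_comment can be set only for resolved incidents")
    update_data = {k: v for k, v in (("assigned_user_mail", assigned_user_mail),
                                     ("assigned_user_pretty_name", assigned_user_pretty_name),
                                     ("manual_severity", manual_severity), ("status", status),
                                     ("resolve_comment", resolve_comment)) if v is not None}
    if comment is not None:
        # The comment object only accepts the "add" action.
        update_data["comment"] = {"comment_action": "add", "value": comment}
    if not update_data:
        raise ValueError("nothing to update")
    return {"request_data": {"incident_id": str(incident_id), "update_data": update_data}}
```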