# Cortex XSIAM

The Cortex XSIAM connector enables automated interaction with Palo Alto Networks' security operations platform, facilitating real-time alert and incident management.

Cortex XSIAM is a cutting-edge security operations and analytics platform that provides comprehensive visibility and control over your security environment. This connector enables Swimlane Turbine users to automate alert and incident management by leveraging Cortex XSIAM's robust capabilities. Users can query alerts and incidents, update their statuses, and enrich security operations with detailed information, all within the Swimlane Turbine platform. This integration streamlines processes, reduces response times, and enhances the overall efficiency of security operations teams.

Using the Cortex XSIAM APIs, you can integrate Cortex XSIAM with third-party apps or services to ingest alerts and to leverage alert stitching and investigation capabilities. The APIs allow you to manage incidents in a ticketing or automation system of your choice by reviewing and editing the incident's details, status, and assignee.

## Prerequisites

To effectively utilize the Cortex XSIAM connector with Swimlane Turbine, ensure you have the following prerequisites:

- API Key Authentication
  - URL: the endpoint URL for the Cortex XSIAM API
  - API Key: your personal authentication key to access the Cortex XSIAM API
  - API Key ID: the identifier associated with your API key, required for authentication

## Capabilities

This connector provides the following capabilities:

- Get Alerts
- Get Incidents
- Update Alerts
- Update Incidents

## Notes

- [Cortex XSIAM overview](https://cortex-panw.stoplight.io/docs/cortex-xsiam/9o0gkfxm6b9mp-cortex-xsiam-overview)

## Configurations

### Cortex XSIAM API Key Authentication

Authenticates using an API key and API key ID for Cortex XSIAM.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | required |
| authorization | The API key is your unique identifier. Depending on your desired security level, you can generate two types of API keys, Advanced or Standard, from your Cortex XDR app. | string | required |
| x_xdr_auth_id | The API key ID is your unique token used to authenticate the API key. | string | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

## Actions

### Get Alerts

Obtain a list of alerts from Cortex XSIAM based on criteria specified in the JSON body.

- Endpoint URL: `/public_api/v1/alerts/get_alerts/`
- Method: POST

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| request_data | object | optional | Response data |
| request_data.filters | array | optional | An array of filter fields |
| request_data.filters.field | string | required | Identifies the alert field the filter is matching |
| request_data.filters.operator | string | required | Identifies the comparison operator you want to use for this filter |
| request_data.filters.value | string | required | Value that this filter must match. The contents of this field will differ depending on the alert field that you specified for this filter. |
| request_data.search_from | number | optional | An integer representing the starting offset within the query result set from which you want alerts returned |
| request_data.search_to | number | optional | An integer representing the end offset within the result set after which you do not want alerts returned |
| request_data.sort | object | optional | Identifies the sort order for the result set |
| request_data.sort.field | string | optional | Identifies how to sort the result set, either according to severity or creation time |
| request_data.sort.keyword | string | required | Defines whether to sort the results in ascending (asc) or descending (desc) order |

Input example:

```json
{"json_body": {"request_data": {"filters": [{"field": "alert_id_list", "operator": "gte", "value": "medium"}], "search_from": 0, "search_to": 100, "sort": {"field": "creation_time", "keyword": "desc"}}}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| reply | object | Output field reply |
| reply.total_count | number | Count value |
| reply.result_count | number | Result of the operation |
| reply.alerts | array | Output field reply.alerts |
| reply.alerts.agent_os_sub_type | string | Type of the resource |
| reply.alerts.fw_app_category | object | Output field reply.alerts.fw_app_category |
| reply.alerts.fw_app_id | object | Unique identifier |
| reply.alerts.fw_app_subcategory | object | Output field reply.alerts.fw_app_subcategory |
| reply.alerts.fw_app_technology | object | Output field reply.alerts.fw_app_technology |
| reply.alerts.causality_actor_process_command_line | object | Output field reply.alerts.causality_actor_process_command_line |
| reply.alerts.causality_actor_process_image_md5 | object | Output field reply.alerts.causality_actor_process_image_md5 |
| reply.alerts.causality_actor_process_image_name | object | Name of the resource |
| reply.alerts.causality_actor_process_image_path | object | Output field reply.alerts.causality_actor_process_image_path |
| reply.alerts.causality_actor_process_image_sha256 | object | Output field reply.alerts.causality_actor_process_image_sha256 |
| reply.alerts.causality_actor_process_signature_status | string | Status value |
| reply.alerts.causality_actor_process_signature_vendor | object | Output field reply.alerts.causality_actor_process_signature_vendor |
| reply.alerts.causality_actor_causality_id | object | Unique identifier |
| reply.alerts.identity_sub_type | object | Unique identifier |
| reply.alerts.identity_type | object | Unique identifier |
| reply.alerts.operation_name | object | Name of the resource |
| reply.alerts.project | object | Output field reply.alerts.project |
| reply.alerts.cloud_provider | object | Unique identifier |
| reply.alerts.referenced_resource | object | Output field reply.alerts.referenced_resource |

Output example:

```json
{"reply": {"total_count": 123, "result_count": 123, "alerts": [{}]}}
```

### Get Incidents

Retrieve a filtered list of incidents from Cortex XSIAM based on specific criteria such as incident IDs, modification time, or creation time.

- Endpoint URL: `/public_api/v1/incidents/get_incidents`
- Method: POST

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| request_data | object | optional | A dictionary containing the API request fields. An empty dictionary returns all results. |
| request_data.filters | array | optional | Array of filter fields |
| request_data.filters.field | string | required | Identifies the incident field the filter is matching |
| request_data.filters.operator | string | required | Identifies the comparison operator you want to use for this filter |
| request_data.filters.value | array | required | Value that this filter must match. The contents of this field will differ depending on the incident field that you specified for this filter. |
| request_data.search_from | number | optional | Integer representing the starting offset within the query result set from which you want incidents returned |
| request_data.search_to | number | optional | Integer representing the end offset within the result set after which you do not want incidents returned |
| request_data.sort | object | optional | Identifies the sort order for the result set |
| request_data.sort.field | string | required | Sort according to this field |
| request_data.sort.keyword | string | required | Sort in ascending or descending order |

Input example:

```json
{"json_body": {"request_data": {"filters": [{"field": "incident_id_list", "operator": "gte", "value": ["incident_id"]}], "search_from": 0, "search_to": 100, "sort": {"field": "creation_time", "keyword": "desc"}}}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| reply | object | Output field reply |
| reply.total_count | number | Count value |
| reply.result_count | number | Result of the operation |
| reply.incidents | array | Unique identifier |
| reply.incidents.incident_id | string | Unique identifier |
| reply.incidents.incident_name | string | Unique identifier |
| reply.incidents.creation_time | number | Unique identifier |
| reply.incidents.modification_time | number | Unique identifier |
| reply.incidents.detection_time | object | Unique identifier |
| reply.incidents.status | string | Unique identifier |
| reply.incidents.severity | string | Unique identifier |
| reply.incidents.description | string | Unique identifier |
| reply.incidents.assigned_user_mail | object | Unique identifier |
| reply.incidents.assigned_user_pretty_name | object | Unique identifier |
| reply.incidents.alert_count | number | Unique identifier |
| reply.incidents.low_severity_alert_count | number | Unique identifier |
| reply.incidents.med_severity_alert_count | number | Unique identifier |
| reply.incidents.high_severity_alert_count | number | Unique identifier |
| reply.incidents.critical_severity_alert_count | number | Unique identifier |
| reply.incidents.user_count | number | Unique identifier |
| reply.incidents.host_count | number | Unique identifier |
| reply.incidents.notes | object | Unique identifier |
| reply.incidents.resolve_comment | object | Unique identifier |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Tue, 25 Jun 2024 20:37:23 GMT"}, "reason": "OK", "json_body": {"reply": {"total_count": 1, "result_count": 1, "incidents": [], "restricted_incident_ids": []}}}
```

### Update Alerts

Update up to 100 alerts simultaneously within Cortex XSIAM using a JSON body payload.

- Endpoint URL: `/public_api/v1/alerts/update_alerts`
- Method: POST

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| request_data | object | optional | Response data |
| request_data.alert_id_list | array | optional | A list representing the alert IDs you want to update |
| request_data.update_data | object | optional | The data you want to update the alerts with |
| request_data.update_data.severity | string | optional | Alert severity |
| request_data.update_data.status | string | optional | Updated alert status |
| request_data.update_data.comment | string | optional | Descriptive comment explaining the changes |

Input example:

```json
{"json_body": {"request_data": {"alert_id_list": ["list of ids"], "update_data": {"severity": "medium", "status": "resolved_other", "comment": "This incident is resolved"}}}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| reply | object | Output field reply |
| reply.alerts_ids | array | Unique identifier |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Tue, 25 Jun 2024 20:37:23 GMT"}, "reason": "OK", "json_body": {"reply": {"alerts_ids": []}}}
```

### Update Incidents

Modify specific fields for an incident in Cortex XSIAM using a provided JSON body.

- Endpoint URL: `/public_api/v1/incidents/update_incident`
- Method: POST

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| request_data | object | optional | Response data |
| request_data.incident_id | string | required | A string representing the incident ID you want to update |
| request_data.update_data | object | required | The data to update the incident with |
| request_data.update_data.assigned_user_mail | string | optional | Updated email address of the incident assignee |
| request_data.update_data.assigned_user_pretty_name | string | optional | Updated full name of the incident assignee. To supply a new value in this field, you must also supply a value for assigned_user_mail in the same request. |
| request_data.update_data.manual_severity | string | optional | Administrator-defined severity |
| request_data.update_data.status | string | optional | Updated incident status |
| request_data.update_data.resolve_comment | string | optional | Descriptive comment explaining the incident change. This can be set only for resolved incidents. |
| request_data.update_data.comment | object | optional | Add a comment to the incident |
| request_data.update_data.comment.comment_action | string | required | The comment action; must be 'add' |
| request_data.update_data.comment.value | string | required | The comment text |

Input example:

```json
{"json_body": {"request_data": {"incident_id": "incident_id", "update_data": {"assigned_user_mail": "username@test.com", "assigned_user_pretty_name": "hello world", "manual_severity": "medium", "status": "resolved_duplicate", "resolve_comment": "string", "comment": {"comment_action": "add", "value": "string"}}}}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Tue, 25 Jun 2024 20:37:23 GMT"}, "reason": "OK", "json_body": true}
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Content-Length | The length of the response body in bytes | 140 |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Tue, 25 Jun 2024 20:37:23 GMT |
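The following is an added example, not code from the Swimlane connector or from Palo Alto Networks: it builds the `request_data` bodies for the get and update actions documented above, enforces the constraints the tables state (assignee pretty name needs the mail, resolve_comment only on resolved incidents, comment_action is always `add`), and posts them with the `Authorization` and `x-xdr-auth-id` headers named in the configuration. The base URL, the `resolved_` status prefix check and the injectable `opener` are assumptions for illustration.

```python
"""Added example (not the Swimlane connector's or Palo Alto Networks' code): build and check the
Cortex XSIAM request bodies documented above, then POST them with the two auth headers."""
import json
import urllib.request

def build_query(filters, search_from=0, search_to=100, sort_field="creation_time", keyword="desc"):
    """request_data shared by get_alerts and get_incidents: filters, an offset window and a sort."""
    if keyword not in ("asc", "desc"):
        raise ValueError("sort.keyword must be 'asc' or 'desc'")
    if search_from < 0 or search_to <= search_from:
        raise ValueError("search_to must be greater than search_from")
    for f in filters:
        if {"field", "operator", "value"} - set(f):
            raise ValueError(f"filter needs field, operator and value: {f}")
    return {"request_data": {"filters": list(filters), "search_from": search_from, "search_to": search_to,
                             "sort": {"field": sort_field, "keyword": keyword}}}

def build_incident_update(incident_id, status=None, resolve_comment=None, assigned_user_mail=None,
                          assigned_user_pretty_name=None, manual_severity=None, comment=None):
    """request_data for update_incident, enforcing the rules stated above: a pretty name needs the mail
    in the same request, resolve_comment only on resolved incidents, comment_action is always 'add'."""
    update = {k: v for k, v in {"assigned_user_mail": assigned_user_mail, "manual_severity": manual_severity,
                                "status": status}.items() if v is not None}
    if assigned_user_pretty_name is not None:
        if assigned_user_mail is None:
            raise ValueError("assigned_user_pretty_name requires assigned_user_mail in the same request")
        update["assigned_user_pretty_name"] = assigned_user_pretty_name
    if resolve_comment is not None:
        # Assumption: resolved statuses share the "resolved_" prefix seen in the page's examples
        if not (status or "").startswith("resolved_"):
            raise ValueError("resolve_comment can be set only for resolved incidents")
        update["resolve_comment"] = resolve_comment
    if comment is not None:
        update["comment"] = {"comment_action": "add", "value": comment}
    if not update:
        raise ValueError("update_data must not be empty")
    return {"request_data": {"incident_id": incident_id, "update_data": update}}

def post(base_url, path, api_key, api_key_id, body, opener=urllib.request.urlopen):
    """POST a JSON body with Authorization (API key) and x-xdr-auth-id (key ID); `opener` is injectable
    so a test can supply a fake response instead of touching the network."""
    headers = {"Authorization": api_key, "x-xdr-auth-id": api_key_id, "Content-Type": "application/json"}
    req = urllib.request.Request(base_url.rstrip("/") + path, data=json.dumps(body).encode("utf-8"),
                                 headers=headers, method="POST")
    with opener(req) as resp:  # TLS certificate verification stays on (urllib default)
        return json.load(resp)
```

Keep the API key out of source and logs; the key travels in the `Authorization` header on every request, so it needs the same handling as any other bearer credential.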