Palo Alto Cortex Xpanse
The Palo Alto Cortex Xpanse connector integrates Swimlane Turbine with Cortex Xpanse's attack surface management capabilities, enabling automated monitoring and management of internet-facing assets.

Palo Alto Cortex Xpanse offers a comprehensive view of your organization's internet-facing assets and potential security gaps. This connector enables Swimlane Turbine users to automate asset management, incident response, and threat intelligence tasks by integrating with Cortex Xpanse's extensive telemetry data. Enhance your security posture by proactively managing alerts, assets, and vulnerabilities with streamlined workflows and real-time data analysis.

## Limitations

None to date.

## Prerequisites

To effectively utilize the Palo Alto Cortex Xpanse connector within Swimlane Turbine, ensure you have the following:

Cortex custom authentication with the following parameters:

- FQDN: the fully qualified domain name for the API endpoint.
- API key: your unique authentication key for accessing the Cortex Xpanse API.
- API key ID: the identifier associated with your API key.

## Capabilities

This connector provides the following capabilities:

- Create user defined IP range
- Get alerts
- Get asset details
- Get business units
- Get extra incident data
- Get incidents
- Remove assets
- Update alerts
- Upload assets
- Update asset annotation
- Update an incident

### Create user defined IP range

Define an IP address range and assign a business unit (BU) or IP address tag (IPR) to that range.

Cortex Xpanse documentation for this action can be found at https://docs-cortex.paloaltonetworks.com/r/cortex-xpanse-rest-api/create-user-defined-ip-range

### Get alerts

Get a single alert or list of alerts with multiple events.

Cortex Xpanse documentation for this action can be found at https://docs-cortex.paloaltonetworks.com/r/cortex-xpanse-rest-api/get-alerts

### Get asset details

Get asset details according to the asset ID.

Cortex Xpanse documentation for this action can be found at https://docs-cortex.paloaltonetworks.com/r/cortex-xpanse-rest-api/get-asset-details

### Get business units

Fetches business unit information for all or a subset of the business units in your Cortex Xpanse tenant.

Cortex Xpanse documentation for this action can be found at https://docs-cortex.paloaltonetworks.com/r/cortex-xpanse-rest-api/get-business-units

### Get extra incident data

Get extra data fields for a specific incident, including alerts and key artifacts.

Cortex Xpanse documentation for this action can be found at https://docs-cortex.paloaltonetworks.com/r/cortex-xpanse-rest-api/get-extra-incident-data

### Get incidents

Get details for a single incident or a list of incidents filtered by a list of severity or creation time.

Cortex Xpanse documentation for this action can be found at https://docs-cortex.paloaltonetworks.com/r/cortex-xpanse-rest-api/get-incidents

### Remove assets

Remove certificates, domains and IPv4 address ranges from your inventory.

Cortex Xpanse documentation for this action can be found at https://docs-cortex.paloaltonetworks.com/r/cortex-xpanse-rest-api/remove-assets

### Update alerts

Update one or more alerts.

Cortex Xpanse documentation for this action can be found at https://docs-cortex.paloaltonetworks.com/r/cortex-xpanse-rest-api/update-alerts

### Upload assets

Upload domains and IPv4 address ranges to your inventory.

Cortex Xpanse documentation for this action can be found at https://docs-cortex.paloaltonetworks.com/r/cortex-xpanse-rest-api/upload-assets

### Update asset annotation

Adds an annotation to an asset or IP range.

Cortex Xpanse documentation for this action can be found at https://docs-cortex.paloaltonetworks.com/r/cortex-xpanse-rest-api/update-asset-annotation

### Update an incident

Update one or more fields of a specific incident.

Cortex Xpanse documentation for this action can be found at https://docs-cortex.paloaltonetworks.com/r/cortex-xpanse-rest-api/update-an-incident

## Notes

### Get your Cortex Xpanse API key

1. In Cortex Xpanse, navigate to Settings & Info > Settings > Integrations > API Keys.
2. Select + New Key.
3. Choose the type of API key you want to generate based on your desired security level: Advanced or Standard.

   The Advanced API key hashes the key using a nonce, a random string, and a timestamp to prevent replay attacks. cURL does not support this, but it is suitable for use with scripts. Use the example script to create the advanced API authentication token.
4. If you want to define a time limit on the API key authentication, mark Enable Expiration Date and select the expiration date and time.

   Navigate to Settings & Info > Settings > Integrations > API Keys to track the Expiration Time field for each API key. In addition, Cortex XSOAR displays an API key expiration notification in the Notification Center one week and one day prior to the defined expiration date.
5. Provide a comment that describes the purpose for the API key, if desired.
6. Select the desired level of access for this key. You can select existing roles, or you can select Custom to set the permissions on a more granular level.

   Be sure to select a role with view/edit access for the Public API. Use the predefined Instance Administrator role or create a custom role with Public API permission. Roles are described in the Manage Roles section of the Cortex Xpanse User Guide.
7. Generate the API key.
8. Copy the API key, and then click Done. This value represents your unique Authorization:{key}.

## Configurations

### Palo Alto Cortex Xpanse authentication

Palo Alto Cortex Xpanse authenticates using API key and API key ID.

#### Configuration parameters

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| FQDN | The FQDN is a unique host and domain name associated with each tenant | string | Required |
| API key | The API key is your unique identifier | string | Required |
| API key ID | The API key ID is your unique token used to authenticate the API key | string | Required |
| Verify SSL | Verify SSL certificate | boolean | Optional |
| HTTP proxy | A proxy to route requests through | string | Optional |

## Actions

### Create user defined IP range

Create a user defined IP range in Palo Alto Cortex Xpanse and assign it to a specific business unit or tag.
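Every action on this page is sent with the API key and API key ID configured above. The Advanced key type described in the notes (key hashed with a nonce and a timestamp to prevent replay) looks like this in practice; this is an added example, not the script the notes refer to and not Swimlane or Palo Alto code. The `x-xdr-*` header names and the SHA-256 over key + nonce + timestamp follow Palo Alto's public Cortex API documentation and are not stated on this page, `ReplayGuard` is a hypothetical model of the receiving side, and the key values are constructed.

```python
import hashlib
import hmac
import secrets
import string
import time

NONCE_ALPHABET = string.ascii_letters + string.digits


def auth_digest(api_key, nonce, timestamp_ms):
    """SHA-256 hex digest over key + nonce + timestamp (assumed scheme)."""
    material = f"{api_key}{nonce}{timestamp_ms}".encode("utf-8")
    return hashlib.sha256(material).hexdigest()


def advanced_auth_headers(api_key, api_key_id, now_ms=None, nonce=None):
    """Build per-request headers; the raw API key never leaves the client."""
    if nonce is None:
        nonce = "".join(secrets.choice(NONCE_ALPHABET) for _ in range(64))
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    return {
        "x-xdr-auth-id": str(api_key_id),
        "x-xdr-nonce": nonce,
        "x-xdr-timestamp": str(now_ms),
        "Authorization": auth_digest(api_key, nonce, now_ms),
        "Content-Type": "application/json",
    }


class ReplayGuard:
    """Hypothetical receiver: shows why nonce + timestamp defeat replay."""

    def __init__(self, keys, max_skew_ms=300_000):
        self.keys = keys                # api_key_id -> api_key
        self.max_skew_ms = max_skew_ms  # accepted clock difference
        self.seen = {}                  # (key id, nonce) -> timestamp

    def verify(self, headers, now_ms):
        key_id = headers.get("x-xdr-auth-id")
        api_key = self.keys.get(key_id)
        if api_key is None:
            return "unknown key id"
        try:
            ts = int(headers["x-xdr-timestamp"])
        except (KeyError, ValueError):
            return "bad timestamp"
        nonce = headers.get("x-xdr-nonce", "")
        expected = auth_digest(api_key, nonce, ts)
        if not hmac.compare_digest(expected, headers.get("Authorization", "")):
            return "bad digest"  # timestamp or nonce was altered, or wrong key
        if abs(now_ms - ts) > self.max_skew_ms:
            return "stale timestamp"  # old capture, even with a valid digest
        # Nonces only need remembering while their timestamp is still valid.
        self.seen = {k: v for k, v in self.seen.items()
                     if now_ms - v <= self.max_skew_ms}
        if (key_id, nonce) in self.seen:
            return "replayed nonce"
        self.seen[(key_id, nonce)] = ts
        return "ok"


def demo():
    """Send one request, then replay the captured headers three ways."""
    key, key_id = "CONSTRUCTED-API-KEY", 7  # constructed sample values
    guard = ReplayGuard({str(key_id): key})
    t0 = 1_700_000_000_000
    captured = advanced_auth_headers(key, key_id, now_ms=t0)
    results = [guard.verify(captured, t0 + 1_000)]         # legitimate call
    results.append(guard.verify(captured, t0 + 2_000))     # immediate replay
    results.append(guard.verify(captured, t0 + 600_000))   # late replay
    forged = dict(captured, **{"x-xdr-timestamp": str(t0 + 600_000)})
    results.append(guard.verify(forged, t0 + 600_000))     # refreshed timestamp
    return results


if __name__ == "__main__":
    print(demo())
```

A Standard key is sent as-is on every request, so a captured request can be resent unchanged; that is the difference the security level choice in the notes controls.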
Endpoint URL: /v1/assets/create_user_defined_ip_range

Method: POST

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| request_data | object | Optional | Request body for creating a user defined IP range |
| request_data.startip | string | Optional | First IP address of the range |
| request_data.endip | string | Optional | Ending IP address of the range |
| request_data.cidrip | string | Optional | IP range in CIDR notation |
| request_data.butagids | array | Optional | List of business unit tag IDs that will be applied to the IP range |
| request_data.iprtagids | array | Optional | List of IP range tag IDs (IPR) that will be applied to the IP range |
| request_data.shouldreplace | boolean | Optional | Boolean denoting whether to replace all previously applied business units on overlapping ranges |

Input example

```json
{"json_body": {"request_data": {"startip": "x.x.x.24", "endip": "x.x.x.25", "cidrip": "null", "butagids": ["bu:af500527-9f45-4bd8-8eb5-e161d18a47b3"], "iprtagids": ["ipr:cc1d6312306d48c79fb3023b93d69923"], "shouldreplace": false}}}
```

Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| reply | object | Output field reply |
| reply.user_defined_ip_range | string | Output field reply.user_defined_ip_range |

Output example

```json
{"status_code": 200, "reason": "ok", "json_body": {"reply": {"user_defined_ip_range": "succeeded"}}}
```

### Get alerts

Obtain a specific alert or a collection of alerts from Palo Alto Cortex Xpanse, utilizing the provided request data.

Endpoint URL: /v2/alerts/get_alerts_multi_events

Method: POST

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| request_data | object | Optional | Request body for getting alerts |
| request_data.search_from | number | Required | An integer representing the starting offset within the query result set from which you want alerts returned |
| request_data.next_page_token | string | Required | Use string to page token into the next request to paginate the next set of data |
| request_data.filters | array | Required | An array of filter fields |
| request_data.filters.field | string | Required | Identifies the alert fields the filter is matching |
| request_data.filters.value | object | Required | Value that this filter must match. The contents of this field will differ based on the field |
| request_data.filters.operator | string | Required | String that identifies the comparison operator you want to use for this filter |
| request_data.sort | object | Required | Identifies the sort order for the result set |
| request_data.sort.field | string | Required | Can either be severity or creation_time |
| request_data.sort.keyword | string | Required | The sort order for the field. Can either be asc or desc |
| request_data.search_to | number | Optional | An integer representing the end offset within the result set after which you do not want alerts returned |
| request_data.use_page_token | boolean | Required | A boolean value to paginate the response data |

Input example

```json
{"json_body": {"request_data": {"search_from": 0, "next_page_token": "next page token", "filters": [{"field": "business_units_list", "value": "alertfilter value", "operator": "gte"}, {"field": "business_units_list", "value": "alertfilter value", "operator": "gte"}], "sort": {"field": "creation_time", "keyword": "desc"}, "search_to": 0, "use_page_token": true}}}
```

Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| reply | object | Output field reply |
| reply.total_count | number | Count value |
| reply.result_count | number | Result of the operation |
| reply.alerts | array | Output field reply.alerts |
| reply.alerts.category | string | Output field reply.alerts.category |
| reply.alerts.project | string | Output field reply.alerts.project |
| reply.alerts.cloud_provider | string | Unique identifier |
| reply.alerts.resource_sub_type | string | Type of the resource |
| reply.alerts.resource_type | string | Type of the resource |
| reply.alerts.action_country | array | Output field reply.alerts.action_country |
| reply.alerts.description | string | Output field reply.alerts.description |
| reply.alerts.events | string | Output field reply.alerts.events |
| reply.alerts.event_type | string | Type of the resource |
| reply.alerts.is_whitelisted | boolean | Output field reply.alerts.is_whitelisted |
| reply.alerts.image_name | string | Name of the resource |
| reply.alerts.action_local_ip | string | Output field reply.alerts.action_local_ip |
| reply.alerts.action_local_port | string | Output field reply.alerts.action_local_port |
| reply.alerts.mitre_tactic_id_and_name | array | Unique identifier |
| reply.alerts.mitre_technique_id_and_name | array | Unique identifier |
| reply.alerts.action_external_hostname | string | Name of the resource |
| reply.alerts.action_remote_ip | array | Output field reply.alerts.action_remote_ip |
| reply.alerts.action_remote_port | array | Output field reply.alerts.action_remote_port |
| reply.alerts.matching_service_rule_id | string | Unique identifier |

Output example

```json
{"status_code": 200, "reason": "ok", "json_body": {"reply": {"total_count": 0, "result_count": 0, "alerts": [], "next_page_token": "next page token example"}}}
```

### Get all assets

Retrieve a comprehensive or filtered list of assets from Palo Alto Cortex Xpanse using specified request data.

Endpoint URL: /v1/assets/get_assets_internet_exposure

Method: POST

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| request_data | object | Optional | A dictionary containing the API request fields. An empty dictionary returns all results |
| request_data.search_from | number | Optional | Response data |
| request_data.next_page_token | string | Optional | A token used to retrieve the next page of results |
| request_data.filters | array | Optional | An array of filter fields |
| request_data.filters.field | string | Required | Identifies the assets field the filter is matching. Case sensitive |
| request_data.filters.value | object | Required | Value depends on the filter field used |
| request_data.filters.operator | string | Required | Identifies the comparison operator you want to use for this filter |
| request_data.sort | object | Optional | Identifies the sort order for the result set |
| request_data.sort.field | string | Required | The asset field by which to sort results |
| request_data.sort.keyword | string | Required | The sort order |
| request_data.search_to | number | Optional | An integer representing the start offset index of results |
| request_data.use_page_token | boolean | Optional | Boolean indicating whether to use pagination for the results |

Input example

```json
{"json_body": {"request_data": {"search_from": 0, "next_page_token": "next page token", "filters": [{"field": "name", "value": "asmassetsfilter value", "operator": "in"}, {"field": "name", "value": "asmassetsfilter value", "operator": "in"}], "sort": {"field": "name", "keyword": "asc"}, "search_to": 0, "use_page_token": true}}}
```

Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| reply | object | Output field reply |
| reply.total_count | number | Count value |
| reply.result_count | number | Result of the operation |
| reply.assets_internet_exposure | array | Output field reply.assets_internet_exposure |
| reply.assets_internet_exposure.agent_id | string | Unique identifier |
| reply.assets_internet_exposure.annotation | string | Output field reply.assets_internet_exposure.annotation |
| reply.assets_internet_exposure.asm_ids | array | Unique identifier |
| reply.assets_internet_exposure.asm_va_score | number | Score value |
| reply.assets_internet_exposure.asset_explainers | array | Output field reply.assets_internet_exposure.asset_explainers |
| reply.assets_internet_exposure.asset_type | string | Type of the resource |
| reply.assets_internet_exposure.aws_cloud_tags | array | Output field reply.assets_internet_exposure.aws_cloud_tags |
| reply.assets_internet_exposure.azure_cloud_tags | array | Output field reply.assets_internet_exposure.azure_cloud_tags |
| reply.assets_internet_exposure.business_units | array | Output field reply.assets_internet_exposure.business_units |
| reply.assets_internet_exposure.business_units.0 | object | Output field reply.assets_internet_exposure.business_units.0 |
| reply.assets_internet_exposure.business_units.0.creation_time | number | Time value |
| reply.assets_internet_exposure.business_units.0.family | string | Output field reply.assets_internet_exposure.business_units.0.family |
| reply.assets_internet_exposure.business_units.0.family_alias | string | Output field reply.assets_internet_exposure.business_units.0.family_alias |
| reply.assets_internet_exposure.business_units.0.id | string | Unique identifier |
| reply.assets_internet_exposure.business_units.0.is_active | number | Output field reply.assets_internet_exposure.business_units.0.is_active |
| reply.assets_internet_exposure.business_units.0.name | string | Name of the resource |
| reply.assets_internet_exposure.business_units.0.parent_id | string | Unique identifier |
| reply.assets_internet_exposure.business_units.0.update_time | number | Time value |
| reply.assets_internet_exposure.certificate_algorithm | string | Output field reply.assets_internet_exposure.certificate_algorithm |

Output example

```json
{"status_code": 200, "reason": "ok", "json_body": {"reply": {"total_count": 0, "result_count": 0, "assets_internet_exposure": [], "next_page_token": "next page token example"}}}
```

### Get all owned IP ranges

Retrieve a list of owned IP address ranges associated with specific business units and organization handles in Palo Alto Cortex Xpanse.

Endpoint URL: /v1/assets/get_external_ip_address_ranges

Method: POST

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| request_data | object | Optional | A dictionary containing the API request fields. An empty dictionary returns all results |
| request_data.search_from | number | Optional | The starting index from which to return results |
| request_data.next_page_token | string | Optional | A token to retrieve the next page of results |
| request_data.filters | array | Optional | An array of filter fields |
| request_data.filters.field | string | Required | Identifies the external IP ranges field the filter is matching |
| request_data.filters.value | string | Required | Value depends on the filter field used |
| request_data.filters.operator | string | Required | Identifies the comparison operator you want to use for this filter |
| request_data.sort | object | Optional | A dictionary containing the sort field and keyword |
| request_data.sort.field | string | Required | The field by which to sort the results |
| request_data.sort.keyword | string | Required | The sort order, either ascending (asc) or descending (desc) |
| request_data.search_to | number | Optional | Response data |
| request_data.use_page_token | boolean | Optional | Boolean indicating whether to use pagination for the results |

Input example

```json
{"json_body": {"request_data": {"search_from": 0, "next_page_token": "next page token", "filters": [{"field": "organization_handles", "value": "externalipaddressrangesfilter value", "operator": "in"}, {"field": "organization_handles", "value": "externalipaddressrangesfilter value", "operator": "in"}], "sort": {"field": "first_ip", "keyword": "desc"}, "search_to": 0, "use_page_token": true}}}
```

Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| reply | object | Output field reply |
| reply.total_count | number | Count value |
| reply.result_count | number | Result of the operation |
| reply.external_ip_address_ranges | array | Output field reply.external_ip_address_ranges |
| reply.external_ip_address_ranges.range_id | string | Unique identifier |
| reply.external_ip_address_ranges.first_ip | string | Output field reply.external_ip_address_ranges.first_ip |
| reply.external_ip_address_ranges.last_ip | string | Output field reply.external_ip_address_ranges.last_ip |
| reply.external_ip_address_ranges.ips_count | number | Count value |
| reply.external_ip_address_ranges.active_responsive_ips_count | number | Count value |
| reply.external_ip_address_ranges.date_added | number | Output field reply.external_ip_address_ranges.date_added |
| reply.external_ip_address_ranges.organization_handles | array | Output field reply.external_ip_address_ranges.organization_handles |
| reply.external_ip_address_ranges.ipaddress_version | number | Output field reply.external_ip_address_ranges.ipaddress_version |
| reply.external_ip_address_ranges.tags | array | Output field reply.external_ip_address_ranges.tags |
| reply.external_ip_address_ranges.first_ipv6 | string | Output field reply.external_ip_address_ranges.first_ipv6 |
| reply.external_ip_address_ranges.last_ipv6 | string | Output field reply.external_ip_address_ranges.last_ipv6 |
| reply.external_ip_address_ranges.annotation | string | Output field reply.external_ip_address_ranges.annotation |
| reply.external_ip_address_ranges.has_bu_overrides | boolean | Unique identifier |
| reply.next_page_token | string | Output field reply.next_page_token |

Output example

```json
{"status_code": 200, "reason": "ok", "json_body": {"reply": {"total_count": 0, "result_count": 0, "external_ip_address_ranges": [], "next_page_token": "next page token example"}}}
```

### Get all services

Retrieves a comprehensive or filtered list of all external services from Palo Alto Cortex Xpanse using specified request data.

Endpoint URL: /v1/assets/get_external_services

Method: POST

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| request_data | object | Optional | A dictionary containing the API request fields |
| request_data.search_from | number | Optional | An integer representing the start offset index of results |
| request_data.next_page_token | string | Optional | A token to retrieve the next page of results |
| request_data.vulnerability_test_results | boolean | Optional | Includes vulnerability test results from the last 14 days for each service in the response |
| request_data.filters | array | Optional | An array of filter fields |
| request_data.filters.field | string | Required | Identifies the external service field the filter is matching |
| request_data.filters.value | object | Required | Value depends on the filter field used |
| request_data.filters.operator | string | Required | Identifies the comparison operator you want to use for this filter |
| request_data.sort | object | Optional | Sorts the results by the specified field and order |
| request_data.sort.field | string | Required | The field to sort by |
| request_data.sort.keyword | string | Required | The sort order, either 'asc' for ascending or 'desc' for descending |
| request_data.search_to | number | Optional | An integer representing the start offset index of results |
| request_data.use_page_token | boolean | Optional | Boolean indicating whether to use pagination for the results |

Input example

```json
{"json_body": {"request_data": {"search_from": 0, "next_page_token": "next page token", "vulnerability_test_results": true, "filters": [{"field": "service_name", "value": "externalservicesfilter value", "operator": "in"}, {"field": "service_name", "value": "externalservicesfilter value", "operator": "in"}], "sort": {"field": "service_name", "keyword": "asc"}, "search_to": 0, "use_page_token": true}}}
```

Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| reply | object | Output field reply |
| reply.total_count | number | Count value |
| reply.result_count | number | Result of the operation |
| reply.external_services | array | Output field reply.external_services |
| reply.external_services.service_id | string | Unique identifier |
| reply.external_services.service_name | string | Name of the resource |
| reply.external_services.service_type | string | Type of the resource |
| reply.external_services.ip_address | array | Output field reply.external_services.ip_address |
| reply.external_services.domain | array | Output field reply.external_services.domain |
| reply.external_services.domain.file_name | string | Name of the resource |
| reply.external_services.domain.file | string | Output field reply.external_services.domain.file |
| reply.external_services.externally_detected_providers | array | Unique identifier |
| reply.external_services.is_active | string | Output field reply.external_services.is_active |
| reply.external_services.first_observed | number | Output field reply.external_services.first_observed |
| reply.external_services.last_observed | number | Output field reply.external_services.last_observed |
| reply.external_services.port | number | Output field reply.external_services.port |
| reply.external_services.protocol | string | Output field reply.external_services.protocol |
| reply.external_services.active_classifications | array | Output field reply.external_services.active_classifications |
| reply.external_services.inactive_classifications | array | Output field reply.external_services.inactive_classifications |
| reply.external_services.inactive_classifications.file_name | string | Name of the resource |
| reply.external_services.inactive_classifications.file | string | Output field reply.external_services.inactive_classifications.file |
| reply.external_services.discovery_type | string | Type of the resource |
| reply.external_services.externally_inferred_vulnerability_score | string | Score value |

Output example

```json
{"status_code": 200, "reason": "ok", "json_body": {"reply": {"total_count": 1, "result_count": 1, "external_services": []}}}
```

### Get all websites

Retrieve a comprehensive or filtered list of public-facing websites from Palo Alto Cortex Xpanse, requiring request data.

Endpoint URL: /v1/assets/get_external_websites

Method: POST

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| request_data | object | Optional | A dictionary containing the API request fields. An empty dictionary returns all results |
| request_data.search_from | number | Optional | An integer representing the start offset index of results |
| request_data.next_page_token | string | Optional | A string representing the page token from a previous response to retrieve the next page of results |
| request_data.filters | array | Optional | Response data |
| request_data.filters.field | string | Required | String that identifies the external service field the filter is matching |
| request_data.filters.value | object | Required | Value depends on the filter field used. For fields that support multiple values, provide an array of strings |
| request_data.filters.operator | string | Required | String that identifies the comparison operator you want to use for this filter |
| request_data.sort | object | Optional | Response data |
| request_data.sort.field | string | Required | The field by which to sort results |
| request_data.sort.keyword | string | Required | The direction in which to sort results |
| request_data.search_to | number | Optional | An integer representing the start offset index of results |
| request_data.use_page_token | boolean | Optional | Boolean indicating whether to use pagination for the results |

Input example

```json
{"json_body": {"request_data": {"search_from": 0, "next_page_token": "next page token", "filters": [{"field": "ips", "value": "externalwebsitesfilter value", "operator": "in"}, {"field": "ips", "value": "externalwebsitesfilter value", "operator": "in"}], "sort": {"field": "host", "keyword": "asc"}, "search_to": 0, "use_page_token": true}}}
```

Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| reply | object | Output field reply |
| reply.total_count | number | Count value |
| reply.result_count | number | Result of the operation |
| reply.websites | array | Output field reply.websites |
| reply.websites.website_id | string | Unique identifier |
| reply.websites.host | string | Output field reply.websites.host |
| reply.websites.protocol | string | Output field reply.websites.protocol |
| reply.websites.is_active | string | Output field reply.websites.is_active |
| reply.websites.site_categories | array | Output field reply.websites.site_categories |
| reply.websites.technology_ids | array | Unique identifier |
| reply.websites.first_observed | number | Output field reply.websites.first_observed |
| reply.websites.last_observed | number | Output field reply.websites.last_observed |
| reply.websites.provider_names | array | Unique identifier |
| reply.websites.ips | array | Output field reply.websites.ips |
| reply.websites.port | number | Output field reply.websites.port |
| reply.websites.active_service_ids | array | Unique identifier |
| reply.websites.http_type | string | Type of the resource |
| reply.websites.third_party_script_domains | array | Output field reply.websites.third_party_script_domains |
| reply.websites.security_assessments | array | Output field reply.websites.security_assessments |
| reply.websites.security_assessments.name | string | Name of the resource |
| reply.websites.security_assessments.priority | number | Output field reply.websites.security_assessments.priority |
| reply.websites.security_assessments.score | number | Score value |
| reply.websites.security_assessments.securityassessmentdetails | object | Output field reply.websites.security_assessments.securityassessmentdetails |

Output example

```json
{"status_code": 200, "reason": "ok", "json_body": {"reply": {"total_count": 0, "result_count": 0, "websites": [], "next_page_token": "next page token example"}}}
```

### Get asset details

Retrieve detailed information for a specified asset in Palo Alto Cortex Xpanse using the asset ID provided in the request data.

Endpoint URL: /v1/assets/get_asset_internet_exposure

Method: POST

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| request_data | object | Optional | A dictionary containing the API request fields |
| request_data.asm_id_list | array | Required | A list of string(s) representing the asset IDs |

Input example

```json
{"json_body": {"request_data": {"asm_id_list": ["asm id 1", "asm id 2"]}}}
```

Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| reply | object | Output field reply |
| reply.details | array | Output field reply.details |
| reply.details.asm_ids | string | Unique identifier |
| reply.details.name | string | Name of the resource |
| reply.details.type | string | Type of the resource |
| reply.details.last_observed | number | Output field reply.details.last_observed |
| reply.details.first_observed | number | Output field reply.details.first_observed |
| reply.details.externally_detected_providers | array | Unique identifier |
| reply.details.created | number | Output field reply.details.created |
| reply.details.ips | array | Output field reply.details.ips |
| reply.details.ips.ip | number | Output field reply.details.ips.ip |
| reply.details.ips.ipv6 | string | Output field reply.details.ips.ipv6 |
| reply.details.ips.protocol | string | Output field reply.details.ips.protocol |
| reply.details.ips.provider | string | Unique identifier |
| reply.details.ips.geolocation | object | Output field reply.details.ips.geolocation |
| reply.details.ips.geolocation.latitude | number | Output field reply.details.ips.geolocation.latitude |
| reply.details.ips.geolocation.longitude | number | Output field reply.details.ips.geolocation.longitude |
| reply.details.ips.geolocation.countrycode | string | Output field reply.details.ips.geolocation.countrycode |
| reply.details.ips.geolocation.city | string | Output field reply.details.ips.geolocation.city |
| reply.details.ips.geolocation.regioncode | string | Output field reply.details.ips.geolocation.regioncode |
| reply.details.ips.geolocation.timezone | string | Output field reply.details.ips.geolocation.timezone |
| reply.details.ips.activitystatus | string | Status value |
| reply.details.ips.lastobserved | number | Output field reply.details.ips.lastobserved |

Output example

```json
{"status_code": 200, "reason": "ok", "json_body": {"reply": {"details": []}}}
```

### Get assets last assessment

Retrieve the last assessment time and status for assets in Palo Alto Cortex Xpanse, requiring request data.

Endpoint URL: /v1/assets/get_assets_internet_exposure/last_external_assessment

Method: POST

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| request_data | string | Optional | An empty dictionary returns the time and status of the last websites assessment |

Input example

```json
{"json_body": {"request_data": "{}"}}
```

Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| last_external_assessment | object | Output field last_external_assessment |
| last_external_assessment.status | boolean | Status value |
| last_external_assessment.time | string | Time value |

Output example

```json
{"status_code": 200, "reason": "ok", "json_body": {"last_external_assessment": {"status": false, "time": "time example"}}}
```

### Get business units

Retrieves information for all or specific business units within your Palo Alto Cortex Xpanse tenant.

Endpoint URL: /v1/assets/get_business_units

Method: POST

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| request_data | object | Optional | A dictionary containing the API request fields. An empty dictionary returns all results |
| request_data.filters | array | Required | An array of filter fields |
| request_data.filters.field | string | Required | Identifies the business unit field the filter is matching |
| request_data.filters.operator | string | Required | Identifies the comparison operator you want to use for this filter |
| request_data.filters.value | string | Required | Value depends on the filter field used |
| request_data.use_page_token | boolean | Optional | Boolean indicating whether to use pagination for the results |
| request_data.next_page_token | string | Optional | Token to retrieve the next page of results if pagination is enabled |

Input example

```json
{"json_body": {"request_data": {"filters": [{"field": "business_unit_id", "operator": "contains", "value": "string"}], "use_page_token": true, "next_page_token": "string"}}}
```

Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| reply | object | Output field reply |
| reply.total_count | number | Count value |
| reply.result_count | number | Result of the operation |
| reply.business_units | array | Output field reply.business_units |
| reply.business_units.business_unit_id | string | Unique identifier |
| reply.business_units.business_unit_name | string | Name of the resource |
| reply.business_units.parent_id | string | Unique identifier |

Output example

```json
{"status_code": 200, "reason": "ok", "json_body": {"reply": {"total_count": 0, "result_count": 0, "business_units": []}}}
```

### Get extra incident data

Retrieve additional data fields for a specified incident, encompassing alerts and key artifacts in Palo Alto Cortex Xpanse.

Endpoint URL: /v1/incidents/get_incident_extra_data

Method: POST

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| request_data | object | Optional | A dictionary containing the API request fields |
| request_data.alerts_limit | number | Optional | The maximum number of related alerts in the incident that you want to retrieve |
| request_data.incident_id | string | Required | The ID of the incident for which you want to retrieve extra data |

Input example

```json
{"json_body": {"request_data": {"alerts_limit": 0, "incident_id": "x0000001abc789"}}}
```

Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| reply | object | Output field reply |
| reply.incident | object | Unique identifier |
| reply.incident.incident_id | string | Unique identifier |
| reply.incident.is_blocked | boolean | Unique identifier |
| reply.incident.incident_name | string | Unique identifier |
| reply.incident.creation_time | number | Unique identifier |
| reply.incident.modification_time | number | Unique identifier |
| reply.incident.detection_time | number | Unique identifier |
| reply.incident.status | string | Unique identifier |
| reply.incident.severity | string | Unique identifier |
| reply.incident.description | string | Unique identifier |
| reply.incident.assigned_user_mail | string | Unique identifier |
| reply.incident.assigned_user_pretty_name | string | Unique identifier |
| reply.incident.alert_count | number | Unique identifier |
| reply.incident.low_severity_alert_count | number | Unique identifier |
| reply.incident.med_severity_alert_count | number | Unique identifier |
| reply.incident.high_severity_alert_count | number | Unique identifier |
| reply.incident.critical_severity_alert_count | number | Unique identifier |
| reply.incident.user_count | number | Unique identifier |
| reply.incident.host_count | number | Unique identifier |
| reply.incident.notes | string | Unique identifier |
| reply.incident.resolve_comment | string | Unique identifier |
| reply.incident.resolved_timestamp | number | Unique identifier |

Output example

```json
{"status_code": 200, "reason": "ok", "json_body": {"reply": {"incident": {}, "alerts": {}, "network_artifacts": {}, "file_artifacts": {}}}}
```

### Get incidents

Retrieve detailed information for a single incident or multiple incidents filtered by severity or creation time in Palo Alto Cortex Xpanse.

Endpoint URL: /v1/incidents/get_incidents

Method: POST

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| request_data | object | Optional | A dictionary containing the API request fields |
| request_data.search_from | number | Optional | Integer representing the starting offset within the query result set from which you want incidents returned |
| request_data.filters | array | Required | Array of filter fields |
| request_data.filters.field | string | Required | Identifies the incident field the filter is matching |
| request_data.filters.value | object | Required | Value that this filter must match. The content of this field will differ depending on the field |
| request_data.filters.operator | string | Required | Identifies the comparison operator you want to use for this filter |
| request_data.sort | object | Optional | Identifies the sort order for the results |
| request_data.sort.field | string | Optional | Field to sort by |
| request_data.sort.keyword | string | Optional | Sort order, either asc or desc |
| request_data.search_to | number | Optional | Integer representing the end offset within the result set after which you do not want incidents returned |

Input example

```json
{"json_body": {"request_data": {"search_from": 0, "filters": [{"field": "modification_time", "value": "incidentfilter value", "operator": "in"}, {"field": "modification_time", "value": "incidentfilter value", "operator": "in"}], "sort": {"field": "modification_time", "keyword": "desc"}, "search_to": 0}}}
```

Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| reply | object | Output field reply |
| reply.total_count | number | Count value |
| reply.result_count | number | Result of the operation |
| reply.incidents | array | Unique identifier |
| reply.incidents.incident_id | string | Unique identifier |
| reply.incidents.is_blocked | boolean | Unique identifier |
| reply.incidents.incident_name | string | Unique identifier |
| reply.incidents.creation_time | number | Unique identifier |
| reply.incidents.modification_time | number | Unique identifier |
| reply.incidents.detection_time | number | Unique identifier |
| reply.incidents.status | string | Unique identifier |
| reply.incidents.severity | string | Unique identifier |
| reply.incidents.description | string | Unique identifier |
| reply.incidents.assigned_user_mail | string | Unique identifier |
| reply.incidents.assigned_user_pretty_name | string | Unique identifier |
| reply.incidents.alert_count | number | Unique identifier |
| reply.incidents.low_severity_alert_count | number | Unique identifier |
| reply.incidents.med_severity_alert_count | number | Unique identifier |
| reply.incidents.high_severity_alert_count | number | Unique identifier |
| reply.incidents.critical_severity_alert_count | number | Unique identifier |
| reply.incidents.user_count | number | Unique identifier |
| reply.incidents.host_count | number | Unique identifier |
| reply.incidents.notes | string | Unique identifier |

Output example

```json
{"status_code": 200, "reason": "ok", "json_body": {"reply": {"total_count": 0, "result_count": 0, "incidents": [], "restricted_incident_ids": []}}}
```

### Get IP address ranges last assessment

Retrieve the last assessment time and status for IP address ranges in Palo Alto Cortex Xpanse, requiring request data.

Endpoint URL: /v1/assets/get_external_ip_address_ranges/last_external_assessment

Method: POST

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| request_data | string | Optional | An empty dictionary returns the time and status of the last websites assessment |

Input example

```json
{"json_body": {"request_data": "{}"}}
```

Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| last_external_assessment | object | Output field last_external_assessment |
| last_external_assessment.status | boolean | Status value |
| last_external_assessment.time | string | Time value |

Output example

```json
{"status_code": 200, "reason": "ok", "json_body": {"last_external_assessment": {"status": false, "time": "time example"}}}
```

### Get owned IP range details

Retrieve details for owned external IP address ranges using specified range IDs in Palo Alto Cortex Xpanse.

Endpoint URL: /v1/assets/get_external_ip_address_range

Method: POST

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| request_data | object | Optional | A dictionary containing the API request fields |
| request_data.range_id_list | array | Required | A string representing the range ID for which you want to get the details |

Input example

```json
{"json_body": {"request_data": {"range_id_list": ["range id list", "range id list", "range id list", "range id list", "range id list"]}}}
```

Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| reply | object | Output field reply |
| reply.details | array | Output field reply.details |
| reply.details.range_id | string | Unique identifier |
| reply.details.first_ip | string | Output field reply.details.first_ip |
| reply.details.last_ip | string | Output field reply details last
ip reply details ips count number count value reply details active responsive ips count number count value reply details date added number output field reply details date added reply details organization handles array output field reply details organization handles reply details details object output field reply details details reply details details networkrecords array output field reply details details networkrecords reply details details networkrecords firstip string output field reply details details networkrecords firstip reply details details networkrecords firstipv6 string output field reply details details networkrecords firstipv6 reply details details networkrecords handle string output field reply details details networkrecords handle reply details details networkrecords lastchanged number output field reply details details networkrecords lastchanged reply details details networkrecords lastip string output field reply details details networkrecords lastip reply details details networkrecords lastipv6 string output field reply details details networkrecords lastipv6 reply details details networkrecords name string name of the resource reply details details networkrecords organizationrecords array output field reply details details networkrecords organizationrecords reply details details networkrecords remarks string output field reply details details networkrecords remarks reply details details networkrecords whoisserver string output field reply details details networkrecords whoisserver reply details explainers array output field reply details explainers reply details ipaddress version number output field reply details ipaddress version output example {"status code" 200,"reason" "ok","json body" {"reply" {"details" \[]}}} get service details retrieve detailed information for a specific service in palo alto cortex xpanse using the service id provided in the request data endpoint url /v1/assets/get external service method post input argument name type 
required description request data object optional a dictionary containing the api request fields request data service id list array required a list of one or more service ids to retrieve details for input example {"json body" {"request data" {"service id list" \["service id 1","service id 2","service id 3"]}}} output parameter type description status code number http status code of the response reason string response reason phrase reply object output field reply reply details array output field reply details reply details service id string unique identifier reply details service name string name of the resource reply details service type string type of the resource reply details ip address array output field reply details ip address reply details domain array output field reply details domain reply details externally detected providers array unique identifier reply details is active string output field reply details is active reply details first observed number output field reply details first observed reply details last observed number output field reply details last observed reply details port number output field reply details port reply details protocol string output field reply details protocol reply details active classifications array output field reply details active classifications reply details inactive classifications array output field reply details inactive classifications reply details discovery type string type of the resource reply details externally inferred vulnerability score number score value reply details externally inferred cves array output field reply details externally inferred cves reply details details object output field reply details details reply details details servicekey string output field reply details details servicekey reply details details servicekeytype string type of the resource reply details details providerdetails array unique identifier reply details details providerdetails name string unique identifier output example 
{"status code" 200,"reason" "ok","json body" {"reply" {"details" \[],"pretty name" "pretty name example","groups" \[],"users" \[]}}} get services last assessment retrieves the last assessment time and status for services data in palo alto cortex xpanse, requiring request data in json body endpoint url /v1/assets/get external services/last external assessment method post input argument name type required description request data string optional an empty dictionary returns the time and status of the last websites assessment input example {"json body" {"request data" "{}"}} output parameter type description status code number http status code of the response reason string response reason phrase last external assessment object output field last external assessment last external assessment status boolean status value last external assessment time string time value output example {"status code" 200,"reason" "ok","json body" {"last external assessment" {"status"\ false,"time" "time example"}}} get website details retrieve detailed information about specific websites using their ids in palo alto cortex xpanse endpoint url /v1/assets/get external website method post input argument name type required description request data object optional a dictionary containing the api request fields request data website id list array required a string representing the website id you want to get details for limit is 20 website ids input example {"json body" {"request data" {"website id list" \["website id 1","website id 2","website id 3"]}}} output parameter type description status code number http status code of the response reason string response reason phrase reply object output field reply reply details array output field reply details reply details website id string unique identifier reply details host string output field reply details host reply details protocol string output field reply details protocol reply details is active string output field reply details is active reply 
details site categories array output field reply details site categories reply details technology ids array unique identifier reply details first observed number output field reply details first observed reply details last observed number output field reply details last observed reply details provider names array unique identifier reply details ips array output field reply details ips reply details port number output field reply details port reply details active service ids array unique identifier reply details http type string type of the resource reply details security assessments array output field reply details security assessments reply details security assessments name string name of the resource reply details security assessments priority number output field reply details security assessments priority reply details security assessments score number score value reply details security assessments securityassessmentdetails object output field reply details security assessments securityassessmentdetails reply details security assessments securityassessmentdetails pages array output field reply details security assessments securityassessmentdetails pages reply details security assessments securityassessmentdetails description string output field reply details security assessments securityassessmentdetails description reply details rootpagehttpstatuscode string status value output example {"status code" 200,"reason" "ok","json body" {"reply" {"details" \[]}}} get websites last assessment retrieve the latest assessment time and status for websites in palo alto cortex xpanse, requiring request data endpoint url /v1/assets/get external websites/last external assessment method post input argument name type required description request data string optional an empty dictionary returns the time and status of the last websites assessment input example {"json body" {"request data" "{}"}} output parameter type description status code number http status code of the response 
reason string response reason phrase last external assessment object output field last external assessment last external assessment status boolean status value last external assessment time string time value output example {"status code" 200,"reason" "ok","json body" {"last external assessment" {"status"\ false,"time" "time example"}}} remove alerts remove certificates, domains, and ipv4 address ranges from your palo alto cortex xpanse inventory endpoint url /public api/v1/asm management/remove asm data method post input argument name type required description data body object optional data body headers object optional request headers input example {"path parameters" {},"parameters" {},"data body" {},"headers" {}} remove assets removes specified certificates, domains, and ipv4 address ranges from the palo alto cortex xpanse inventory endpoint url /v1/asm management/remove asm data method post input argument name type required description request data object optional a dictionary containing the api request fields request data asset type string required the type of asset being removed request data asset identifiers array required a list of one or more assets you want to add to the inventory input example {"json body" {"request data" {"asset type" "certificate","asset identifiers" \["10 92 16 32"]}}} output parameter type description status code number http status code of the response reason string response reason phrase reply string output field reply output example {"status code" 200,"reason" "ok","json body" {"reply" "successfully removed assets "}} update alerts update one or more alerts in palo alto cortex xpanse using specified request data endpoint url /v1/alerts/update alerts method post input argument name type required description request data object optional a dictionary containing the api request fields an empty dictionary returns all results request data alert id list array optional a list of alert ids to update request data update data object optional a 
dictionary containing the fields to update for the specified alerts request data update data severity string optional the severity level to set for the alerts request data update data status string optional the status to set for the alerts request data update data comment string optional a comment to add to the alerts input example {"json body" {"request data" {"alert id list" \["string"],"update data" {"severity" "string","status" "string","comment" "string"}}}} output parameter type description status code number http status code of the response reason string response reason phrase reply object output field reply reply alerts ids array unique identifier output example {"status code" 200,"reason" "ok","json body" {"reply" {"alerts ids" \[]}}} update an incident updates specific fields of an incident in palo alto cortex xpanse using the provided request data endpoint url /v1/incidents/update incident method post input argument name type required description request data object optional response data request data incident id string optional response data request data update data object required response data request data update data assigned user mail string required updated email address of the incident assignee request data update data comment object required add a comment to the incident request data update data comment comment action string required action to perform on the comment request data update data comment value string required the content of the comment to be added request data update data assigned user pretty name string required updated full name of the incident assignee request data update data manual severity string required administrator defined severity request data update data status string required updated incident status request data update data resolve comment string required descriptive comment explaining the incident change input example {"json body" {"request data" {"incident id" "incident id","update data" {"assigned user mail" "assigned 
user mail","comment" {"comment action" "add","value" "value"},"assigned user pretty name" "assigned user pretty name","manual severity" "low","status" "resolved","resolve comment" "resolve comment"}}}} output parameter type description status code number http status code of the response reason string response reason phrase reply boolean output field reply warnings array output field warnings output example {"status code" 200,"reason" "ok","json body" {"reply"\ false,"warnings" \["warnings example"]}} update asset annotation adds an annotation to a specified asset or ip range in palo alto cortex xpanse using the provided request data endpoint url /v1/assets/assets internet exposure/annotation method post input argument name type required description request data object optional response data request data assets array required response data request data assets annotation string required annotation text request data assets entity type string required type of the entity being annotated request data assets entity id string required unique identifier for the entity being annotated request data should append boolean optional boolean indicating whether to append the annotation to existing annotations or replace them input example {"json body" {"request data" {"assets" \[{"annotation" "annotation","entity type" "asset","entity id" "entity id"},{"annotation" "annotation","entity type" "asset","entity id" "entity id"}],"should append"\ true}}} output parameter type description status code number http status code of the response reason string response reason phrase reply string output field reply output example {"status code" 200,"reason" "ok","json body" {"reply" "reply example"}} upload assets upload domains and ipv4 address ranges to your palo alto cortex xpanse inventory using the provided request data endpoint url /v1/asm management/upload asm data method post input argument name type required description request data object optional a dictionary containing the api 
request fields request data request type string required indicates that you want to add new assets to your inventory request data asset type string required the type of asset being added request data asset identifiers array required list of assets to be uploaded request data business units array required one or more business unit ids or business unit names to which the uploaded assets will be assigned input example {"json body" {"request data" {"request type" "addition","asset type" "ip range","asset identifiers" \["string"],"business units" \["bu 1","bu 2"]}}} output parameter type description status code number http status code of the response reason string response reason phrase reply object output field reply reply asset names array name of the resource reply errors array error message if any output example {"status code" 200,"reason" "ok","json body" {"reply" {"asset names" \[],"errors" \[]}}} response headers header description example content type the media type of the resource application/json date the date and time at which the message was originated thu, 01 jan 2024 00 00 00 gmt
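
The get incidents action documented above returns one window of results per call (search from / search to) together with a total count. The following added example, which is not part of the connector or its documentation, walks every window through a hypothetical `run_action` callable standing in for the action; treating search to as an exclusive end offset and filtering severity with the `in` operator are assumptions, and the sample incidents are constructed.

```python
from typing import Callable, Iterator, List

def build_get_incidents_input(filters: List[dict], search_from: int, search_to: int,
                              sort_field: str = "creation_time",
                              sort_keyword: str = "asc") -> dict:
    """Build the action input in the documented json_body/request_data shape."""
    if search_from < 0 or search_to <= search_from:
        raise ValueError("need 0 <= search_from < search_to")
    if sort_keyword not in ("asc", "desc"):
        raise ValueError("sort keyword must be asc or desc")
    for f in filters:
        missing = {"field", "operator", "value"} - set(f)
        if missing:  # all three filter keys are marked required in the table
            raise ValueError(f"filter is missing {sorted(missing)}")
    return {"json_body": {"request_data": {
        "search_from": search_from, "search_to": search_to,
        "filters": list(filters),
        "sort": {"field": sort_field, "keyword": sort_keyword}}}}

def iter_incidents(run_action: Callable[[dict], dict], filters: List[dict],
                   page_size: int = 50) -> Iterator[dict]:
    """Yield every matching incident, one search_from/search_to window at a time."""
    offset = 0
    while True:
        # A fixed ascending sort keeps offsets stable between requests.
        out = run_action(build_get_incidents_input(filters, offset, offset + page_size))
        if out.get("status_code") != 200:
            raise RuntimeError(f"get incidents failed: {out.get('status_code')} {out.get('reason')}")
        reply = out["json_body"]["reply"]
        incidents = reply.get("incidents", [])
        yield from incidents
        offset += len(incidents)
        # Also stop on an empty page so a stale total_count cannot loop forever.
        if not incidents or offset >= reply.get("total_count", 0):
            return

# Constructed sample incidents and a hypothetical stand-in for the connector action.
SAMPLE = [{"incident_id": str(i), "severity": "high" if i % 2 else "low",
           "creation_time": 1700000000000 + i * 1000} for i in range(1, 8)]
CALLS: List[dict] = []

def fake_run_action(action_input: dict) -> dict:
    """Answer like the documented output; only the `in` operator is modelled."""
    req = action_input["json_body"]["request_data"]
    CALLS.append(req)
    rows = [r for r in SAMPLE
            if all(r[f["field"]] in f["value"] for f in req["filters"])]
    rows.sort(key=lambda r: r[req["sort"]["field"]],
              reverse=req["sort"]["keyword"] == "desc")
    page = rows[req["search_from"]:req["search_to"]]
    return {"status_code": 200, "reason": "OK", "json_body": {"reply": {
        "total_count": len(rows), "result_count": len(page), "incidents": page}}}

def high_severity_ids(page_size: int = 3) -> List[str]:
    """Collect the IDs of all high-severity sample incidents across pages."""
    filters = [{"field": "severity", "operator": "in", "value": ["high"]}]
    return [i["incident_id"] for i in iter_incidents(fake_run_action, filters, page_size)]

if __name__ == "__main__":
    print(high_severity_ids())
```

In a playbook, `run_action` would be replaced by whatever invokes the connector action and returns its output object.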