# Palo Alto Networks Cortex XDR
The Palo Alto Networks Cortex XDR connector enables seamless integration of advanced threat detection and response capabilities into the Swimlane Turbine platform. Palo Alto Networks Cortex XDR is a comprehensive threat detection and response platform that extends protection across network, endpoint, and cloud environments. The Swimlane Turbine integration with Cortex XDR empowers users to automate critical security operations tasks, such as incident management, endpoint visibility, and threat mitigation. By leveraging this connector, security teams can efficiently manage incidents, perform detailed analyses, and take decisive actions directly from the Swimlane platform. This integration enhances the SOC's capabilities by providing streamlined access to Cortex XDR's powerful features, enabling faster and more effective security automation workflows.

## Prerequisites

To effectively utilize the Palo Alto Networks Cortex XDR connector with Swimlane Turbine, ensure you have the following prerequisites:

- Cortex custom authentication with the following parameters:
  - **url**: the API endpoint for Cortex XDR
  - **token**: your Cortex XDR API token for authentication
  - **x-xdr-auth-id**: a unique identifier for the API user

## Asset Setup

### Generating an API Token

Instructions for generating an API token can be found here: https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-api/cortex-xdr-api-overview/get-started-with-cortex-xdr-apis.html

## Capabilities

This connector provides the following capabilities:

- Blacklist Files
- Get Action Status
- Get Alerts
- Get All Endpoints
- Get Endpoint
- Get Incident Additional Data
- Get Incidents
- Get PCAP Packet
- Get Policy
- Get Script Code
- Get Script Metadata
- Get Scripts
- Get Violations
- Get XQL Query
- Isolate Endpoints
- and so on

## Notes

### Get Incidents filter syntax

Official filter syntax documentation: https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-api/cortex-xdr-apis/incident-management/get-incidents

This plugin was last tested against product version: API v1.

### Get Alerts usage

For the filters `creation_time` and `server_creation_time`, the value should be passed as a string inside the array; the first element of the `value` array is converted to an integer before the request is made.

Input:

```json
{ "field": "creation_time", "operator": "lte", "value": ["0"] }
```

The above input converts to:

```json
{ "field": "creation_time", "operator": "lte", "value": 0 }
```

## Configurations

### Palo Alto Cortex XDR HTTP Bearer Authentication

Authenticates using the Cortex token and x-xdr-auth-id.

Configuration parameters:

| Parameter | Description | Type | Required |
|---|---|---|---|
| url | A URL to the target host | string | required |
| token | API token | string | required |
| x-xdr-auth-id | Auth ID | string | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

## Actions

### Get Action Status

Retrieve the status of requested actions in Palo Alto Networks Cortex XDR using the action ID provided in the request data.

- Endpoint URL: `/public_api/v1/actions/get_action_status/`
- Method: POST

Input:

| Argument Name | Type | Required | Description |
|---|---|---|---|
| request_data | object | required | Response data |
| group_action_id | string | required | Unique identifier |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| reply | object | Output field reply |
| data | object | Response data |
| \<agent_id\> | string | Unique identifier |

Example:

```json
[{"status_code": 200,
  "response_headers": {"content-type": "application/json", "date": "Thu, 01 Jan 2024 00:00:00 GMT"},
  "reason": "OK",
  "json_body": {"reply": {}}}]
```

### Get Alerts

Obtain a comprehensive list of alerts, each potentially associated with multiple events, from Palo Alto Networks Cortex XDR.

- Endpoint URL: `/public_api/v1/alerts/get_alerts_multi_events/`
- Method: POST

Input:

| Argument Name | Type | Required | Description |
|---|---|---|---|
| request_data | object | optional | Response data |
| filters | array | optional | Parameter for Get Alerts |
| field | string | optional | Parameter for Get Alerts |
| operator | string | optional | Parameter for Get Alerts |
| value | number | optional | Value for the parameter |
| search_from | number | optional | Parameter for Get Alerts |
| search_to | number | optional | Parameter for Get Alerts |
| sort | object | optional | Parameter for Get Alerts |
| field | string | optional | Parameter for Get Alerts |
| keyword | string | optional | Parameter for Get Alerts |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| reply | object | Output field reply |
| total_count | number | Count value |
| result_count | number | Result of the operation |
| alerts | array | Output field alerts |
| external_id | string | Unique identifier |
| severity | string | Output field severity |
| matching_status | string | Status value |
| end_match_attempt_ts | number | Output field end_match_attempt_ts |
| local_insert_ts | number | Output field local_insert_ts |
| bioc_indicator | object | Output field bioc_indicator |
| matching_service_rule_id | object | Unique identifier |
| attempt_counter | number | Output field attempt_counter |
| bioc_category_enum_key | object | Output field bioc_category_enum_key |
| is_whitelisted | boolean | Output field is_whitelisted |
| starred | boolean | Output field starred |
| deduplicate_tokens | object | Output field deduplicate_tokens |
| filter_rule_id | object | Unique identifier |
| mitre_technique_id_and_name | array | Unique identifier |
| mitre_tactic_id_and_name | array | Unique identifier |
| agent_version | string | Output field agent_version |
| agent_device_domain | object | Output field agent_device_domain |
| agent_fqdn | string | Output field agent_fqdn |
| agent_os_type | string | Type of the resource |

Example:

```json
[{"status_code": 200,
  "response_headers": {"content-type": "application/json", "date": "Thu, 01 Jan 2024 00:00:00 GMT"},
  "reason": "OK",
  "json_body": {"reply": {}}}]
```

### Allow List Files

Add files to the allow list in Palo Alto Networks Cortex XDR using the specified request data.

- Endpoint URL: `/public_api/v1/hash_exceptions/allowlist`
- Method: POST

Input:

| Argument Name | Type | Required | Description |
|---|---|---|---|
| request_data | object | required | Response data |
| hash_list | array | required | Parameter for Allow List Files |
| comment | string | optional | Parameter for Allow List Files |
| incident_id | number | optional | Unique identifier |

Example:

```json
[{"json_body": {}}]
```

### Get Endpoint

Obtains a list of endpoints from Palo Alto Networks Cortex XDR based on the filters provided in the request data.

- Endpoint URL: `/public_api/v1/endpoints/get_endpoint/`
- Method: POST

Input:

| Argument Name | Type | Required | Description |
|---|---|---|---|
| request_data | object | required | Response data |
| search_from | number | optional | Parameter for Get Endpoint |
| search_to | number | optional | Parameter for Get Endpoint |
| sort | object | optional | Parameter for Get Endpoint |
| field | string | optional | Parameter for Get Endpoint |
| keyword | string | optional | Parameter for Get Endpoint |
| filters | array | optional | Parameter for Get Endpoint |
| field | string | optional | Parameter for Get Endpoint |
| operator | string | optional | Parameter for Get Endpoint |
| value | array | optional | Value for the parameter |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| reply | object | Output field reply |
| total_count | number | Count value |
| result_count | number | Result of the operation |
| endpoints | array | Output field endpoints |
| endpoint_id | string | Unique identifier |
| endpoint_name | string | Name of the resource |
| endpointTags | string | Output field endpointTags |
| endpoint_type | string | Type of the resource |
| endpoint_status | string | Status value |
| os_type | string | Type of the resource |
| os_version | string | Output field os_version |
| ip | array | Output field ip |
| ipv6 | array | Output field ipv6 |
| file_name | string | Name of the resource |
| file | string | Output field file |
| public_ip | string | Output field public_ip |
| users | array | Output field users |
| domain | string | Output field domain |
| alias | string | Output field alias |
| first_seen | number | Output field first_seen |
| last_seen | number | Output field last_seen |
| content_version | string | Response content |
| installation_package | string | Output field installation_package |

Example:

```json
[{"status_code": 200,
  "response_headers": {"content-type": "application/json", "date": "Thu, 01 Jan 2024 00:00:00 GMT"},
  "reason": "OK",
  "json_body": {"reply": {}}}]
```

### Get All Endpoints

Retrieve a comprehensive list of all endpoints from Palo Alto Networks Cortex XDR without requiring additional parameters.

- Endpoint URL: `/public_api/v1/endpoints/get_endpoints/`
- Method: POST

Input: this action takes no input arguments.

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| reply | array | Output field reply |
| agent_id | string | Unique identifier |
| agent_status | string | Status value |
| host_name | string | Name of the resource |
| agent_type | string | Type of the resource |
| endpointTags | string | Output field endpointTags |
| ip | string | Output field ip |
| last_seen | number | Output field last_seen |
| tags | object | Output field tags |
| server_tags | array | Output field server_tags |
| file_name | string | Name of the resource |
| file | string | Output field file |
| endpoint_tags | array | Output field endpoint_tags |
| file_name | string | Name of the resource |
| file | string | Output field file |
| users | string | Output field users |

Example:

```json
[{"status_code": 200,
  "response_headers": {"content-type": "application/json", "date": "Thu, 01 Jan 2024 00:00:00 GMT"},
  "reason": "OK",
  "json_body": {"reply": []}}]
```

### Get Incident Extra Data

Retrieve additional data fields, alerts, and key artifacts for a specified incident in Palo Alto Networks Cortex XDR.

- Endpoint URL: `/public_api/v1/incidents/get_incident_extra_data/`
- Method: POST

Input:

| Argument Name | Type | Required | Description |
|---|---|---|---|
| request_data | object | required | Response data |
| incident_id | string | required | Unique identifier |
| alerts_limit | number | required | Parameter for Get Incident Extra Data |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| reply | object | Output field reply |
| incident | object | Unique identifier |
| incident_id | string | Unique identifier |
| incident_name | string | Unique identifier |
| creation_time | number | Time value |
| modification_time | number | Time value |
| detection_time | object | Time value |
| status | string | Status value |
| severity | string | Output field severity |
| description | string | Output field description |
| assigned_user_mail | object | Output field assigned_user_mail |
| assigned_user_pretty_name | object | Name of the resource |
| alert_count | number | Count value |
| low_severity_alert_count | number | Count value |
| med_severity_alert_count | number | Count value |
| high_severity_alert_count | number | Count value |
| critical_severity_alert_count | number | Count value |
| user_count | number | Count value |
| host_count | number | Count value |
| notes | object | Output field notes |
| resolve_comment | object | Output field resolve_comment |
| manual_severity | object | Output field manual_severity |
| manual_description | object | Output field manual_description |

Example:

```json
[{"status_code": 200,
  "response_headers": {"content-type": "application/json", "date": "Thu, 01 Jan 2024 00:00:00 GMT"},
  "reason": "OK",
  "json_body": {"reply": {}}}]
```

### Get Incidents

Obtain a filtered list of incidents from Palo Alto Networks Cortex XDR based on incident IDs, modification time, or creation time.

- Endpoint URL: `/public_api/v1/incidents/get_incidents/`
- Method: POST

Input:

| Argument Name | Type | Required | Description |
|---|---|---|---|
| request_data | object | required | Response data |
| filters | array | optional | Parameter for Get Incidents |
| field | string | optional | Parameter for Get Incidents |
| operator | string | optional | Parameter for Get Incidents |
| value | array | optional | Value for the parameter |
| search_from | number | optional | Parameter for Get Incidents |
| search_to | number | optional | Parameter for Get Incidents |
| sort | object | optional | Parameter for Get Incidents |
| field | string | optional | Parameter for Get Incidents |
| keyword | string | optional | Parameter for Get Incidents |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| reply | object | Output field reply |
| total_count | number | Count value |
| result_count | number | Result of the operation |
| incidents | array | Unique identifier |
| incident_id | string | Unique identifier |
| incident_name | string | Unique identifier |
| creation_time | number | Time value |
| modification_time | number | Time value |
| detection_time | object | Time value |
| status | string | Status value |
| severity | string | Output field severity |
| description | string | Output field description |
| assigned_user_mail | object | Output field assigned_user_mail |
| assigned_user_pretty_name | object | Name of the resource |
| alert_count | number | Count value |
| low_severity_alert_count | number | Count value |
| med_severity_alert_count | number | Count value |
| high_severity_alert_count | number | Count value |
| critical_severity_alert_count | number | Count value |
| user_count | number | Count value |
| host_count | number | Count value |
| notes | object | Output field notes |
| resolve_comment | object | Output field resolve_comment |

Example:

```json
[{"status_code": 200,
  "response_headers": {"content-type": "application/json", "date": "Thu, 01 Jan 2024 00:00:00 GMT"},
  "reason": "OK",
  "json_body": {"reply": {}}}]
```

### Isolate Endpoints

Isolates multiple endpoints, up to 1000, in a single request using the Palo Alto Networks Cortex XDR platform.

- Endpoint URL: `/public_api/v1/endpoints/isolate`
- Method: POST

Input:

| Argument Name | Type | Required | Description |
|---|---|---|---|
| request_data | object | required | A dictionary containing the API request fields |
| filters | array | required | Array of filter fields for isolating a number of endpoints at once. Only required if isolating more than one endpoint |
| field | string | required | Identifies the list the filters match. Filters are based on the `endpoint_id_list` keywords |
| operator | string | required | Identifies the comparison operator you want to use for this filter. Valid keywords and values |
| value | array | required | Value that this filter must match |
| incident_id | string | optional | The incident ID. When included in the request, the isolate endpoints action will appear in the Cortex XDR incident view timeline tab |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| reply | object | Output field reply |
| action_id | string | Unique identifier |
| status | string | Status value |
| endpoints_count | string | Count value |

Example:

```json
[{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"reply": {}}}]
```

### Retrieve PCAP Packet

Retrieves PCAP packets associated with alert IDs for PAN NGFW type alerts, using the Get Alerts and Get Extra Incident Data APIs.

- Endpoint URL: `/public_api/v1/alerts/get_alerts_pcap/`
- Method: POST

Input:

| Argument Name | Type | Required | Description |
|---|---|---|---|
| request_data | object | required | Response data |
| filters | array | optional | Parameter for Retrieve PCAP Packet |
| field | string | optional | Parameter for Retrieve PCAP Packet |
| operator | string | optional | Parameter for Retrieve PCAP Packet |
| value | array | optional | Value for the parameter |
| search_from | number | optional | Parameter for Retrieve PCAP Packet |
| search_to | number | optional | Parameter for Retrieve PCAP Packet |
| sort | object | optional | Parameter for Retrieve PCAP Packet |
| field | string | optional | Parameter for Retrieve PCAP Packet |
| keyword | string | optional | Parameter for Retrieve PCAP Packet |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| reply | array | Output field reply |
| id | number | Unique identifier |
| pcap_data | string | Response data |

Example:

```json
[{"status_code": 200,
  "response_headers": {"content-type": "application/json", "date": "Thu, 01 Jan 2024 00:00:00 GMT"},
  "reason": "OK",
  "json_body": {"reply": []}}]
```

### Get Policy

Retrieves the policy name associated with a specific endpoint in Palo Alto Networks Cortex XDR using the provided request data.

- Endpoint URL: `/public_api/v1/endpoints/get_policy/`
- Method: POST

Input:

| Argument Name | Type | Required | Description |
|---|---|---|---|
| request_data | object | required | Response data |
| endpoint_id | string | required | Unique identifier |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| reply | object | Output field reply |
| policy_name | string | Name of the resource |

Example:

```json
[{"status_code": 200,
  "response_headers": {"content-type": "application/json", "date": "Thu, 01 Jan 2024 00:00:00 GMT"},
  "reason": "OK",
  "json_body": {"reply": {}}}]
```

### Restore File

Restores a quarantined file on the specified endpoints in Palo Alto Networks Cortex XDR using the provided request data.

- Endpoint URL: `/public_api/v1/endpoints/restore`
- Method: POST

Input:

| Argument Name | Type | Required | Description |
|---|---|---|---|
| request_data | object | required | Response data |
| file_hash | string | required | Parameter for Restore File |
| incident_id | number | optional | Unique identifier |

Output:

| Parameter | Type | Description |
|---|---|---|
| reply | object | Output field reply |
| action_id | string | Unique identifier |
| status | number | Status value |
| endpoints_count | string | Count value |

Example:

```json
[{"json_body": {"reply": {}}}]
```

### Get Scripts

Retrieve a list of all scripts from the Palo Alto Networks Cortex XDR scripts library using the specified request data.

- Endpoint URL: `/public_api/v1/scripts/get_scripts/`
- Method: POST

Input:

| Argument Name | Type | Required | Description |
|---|---|---|---|
| request_data | object | required | Response data |
| filters | array | optional | Parameter for Get Scripts |
| field | string | optional | Parameter for Get Scripts |
| operator | string | optional | Parameter for Get Scripts |
| value | array | optional | Value for the parameter |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| reply | object | Output field reply |
| total_count | number | Count value |
| result_count | number | Result of the operation |
| scripts | array | Output field scripts |
| script_id | string | Unique identifier |
| name | string | Name of the resource |
| description | string | Output field description |
| modification_date | number | Date value |
| created_by | string | Output field created_by |
| is_high_risk | boolean | Output field is_high_risk |
| windows_supported | boolean | Output field windows_supported |
| linux_supported | boolean | Output field linux_supported |
| macos_supported | boolean | Output field macos_supported |
| script_uid | string | Unique identifier |

Example:

```json
[{"status_code": 200,
  "response_headers": {"content-type": "application/json", "date": "Thu, 01 Jan 2024 00:00:00 GMT"},
  "reason": "OK",
  "json_body": {"reply": {}}}]
```

### Get Script Code

Retrieves the source code of a specified script from the Palo Alto Networks Cortex XDR script library using the provided request data.

- Endpoint URL: `/public_api/v1/scripts/get_script_code/`
- Method: POST

Input:

| Argument Name | Type | Required | Description |
|---|---|---|---|
| request_data | object | required | Response data |
| script_uid | string | required | Unique identifier |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| reply | string | Output field reply |

Example:

```json
[{"status_code": 200,
  "response_headers": {"content-type": "application/json", "date": "Thu, 01 Jan 2024 00:00:00 GMT"},
  "reason": "OK",
  "json_body": {"reply": "string"}}]
```

### Get Script Metadata

Retrieve the full definition of a specific script from the Palo Alto Networks Cortex XDR scripts library using the provided request data.

- Endpoint URL: `/public_api/v1/scripts/get_script_metadata/`
- Method: POST

Input:

| Argument Name | Type | Required | Description |
|---|---|---|---|
| request_data | object | required | Response data |
| script_uid | string | optional | Unique identifier |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| reply | object | Output field reply |
| script_id | string | Unique identifier |
| name | string | Name of the resource |
| description | string | Output field description |
| modification_date | number | Date value |
| created_by | string | Output field created_by |
| is_high_risk | boolean | Output field is_high_risk |
| windows_supported | boolean | Output field windows_supported |
| linux_supported | boolean | Output field linux_supported |
| macos_supported | boolean | Output field macos_supported |
| script_uid | string | Unique identifier |
| entry_point | string | Output field entry_point |
| script_input | array | Input data for the action |
| name | string | Name of the resource |
| type | string | Type of the resource |
| friendly_name | string | Name of the resource |
| script_output_type | string | Type of the resource |
| script_output_dictionary_definitions | array | Output field script_output_dictionary_definitions |
| friendly_name | string | Name of the resource |
| name | string | Name of the resource |
| type | string | Type of the resource |

Example:

```json
[{"status_code": 200,
  "response_headers": {"content-type": "application/json", "date": "Thu, 01 Jan 2024 00:00:00 GMT"},
  "reason": "OK",
  "json_body": {"reply": {}}}]
```

### Unisolate Endpoints

Reverses the isolation of multiple endpoints in a single request, with a limit of 1000 endpoints per request.

- Endpoint URL: `/public_api/v1/endpoints/unisolate`
- Method: POST

Input:

| Argument Name | Type | Required | Description |
|---|---|---|---|
| request_data | object | required | A dictionary containing the API request fields |
| filters | array | required | An array of filter fields for unisolating a number of endpoints at once. This field is only required if unisolating more than one endpoint |
| field | string | required | String that identifies the list the filters match. Filters are based on the `endpoint_id_list` keywords |
| operator | string | required | String that identifies the comparison operator you want to use for this filter. Valid keywords and values |
| value | array | required | Value that this filter must match. Valid keywords |
| incident_id | string | optional | Unique identifier |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| reply | object | Output field reply |
| action_id | string | Unique identifier |
| status | string | Status value |
| endpoints_count | string | Count value |

Example:

```json
[{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"reply": {}}}]
```

### Get Violations

Retrieves up to 100 device control violations from Palo Alto Networks Cortex XDR, filtered by the fields specified in the request data.

- Endpoint URL: `/public_api/v1/device_control/get_violations/`
- Method: POST

Input:

| Argument Name | Type | Required | Description |
|---|---|---|---|
| request_data | object | required | Response data |
| filters | array | optional | Parameter for Get Violations |
| field | string | optional | Parameter for Get Violations |
| operator | string | optional | Parameter for Get Violations |
| value | array | optional | Value for the parameter |
| search_to | number | optional | Parameter for Get Violations |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| reply | object | Output field reply |
| total_count | number | Count value |
| result_count | number | Result of the operation |
| violations | array | Output field violations |
| hostname | string | Name of the resource |
| username | string | Name of the resource |
| ip | string | Output field ip |
| timestamp | number | Output field timestamp |
| violation_id | number | Unique identifier |
| type | string | Type of the resource |
| vendor_id | string | Unique identifier |
| vendor | string | Output field vendor |
| product_id | string | Unique identifier |
| product | string | Output field product |
| serial | string | Output field serial |
| endpoint_id | string | Unique identifier |

Example:

```json
[{"status_code": 200,
  "response_headers": {"content-type": "application/json", "date": "Thu, 01 Jan 2024 00:00:00 GMT"},
  "reason": "OK",
  "json_body": {"reply": {}}}]
```

### Get XQL Query Results

Retrieve the results of a previously executed XQL query in Palo Alto Networks Cortex XDR using the provided query ID and request data.

- Endpoint URL: `/public_api/v1/xql/get_query_results/`
- Method: POST

Input:

| Argument Name | Type | Required | Description |
|---|---|---|---|
| request_data | object | required | Response data |
| query_id | string | optional | Unique identifier |
| pending_flag | boolean | optional | Parameter for Get XQL Query Results |
| limit | number | optional | Parameter for Get XQL Query Results |
| format | string | optional | Parameter for Get XQL Query Results |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| reply | object | Output field reply |
| status | string | Status value |
| number_of_results | number | Result of the operation |
| query_cost | object | Output field query_cost |
| tenant_id_1 | number | Unique identifier |
| remaining_quota | number | Output field remaining_quota |
| results | object | Result of the operation |
| data | array | Response data |
| event_id | string | Unique identifier |
| vendor | string | Output field vendor |
| product | string | Output field product |
| insert_timestamp | number | Output field insert_timestamp |
| time | number | Time value |
| event_type | string | Type of the resource |
| event_sub_type | string | Type of the resource |

Example:

```json
[{"status_code": 200,
  "response_headers": {"content-type": "application/json", "date": "Thu, 01 Jan 2024 00:00:00 GMT"},
  "reason": "OK",
  "json_body": {"reply": {}}}]
```

## Response Headers

| Header | Description | Example |
|---|---|---|
| cache-control | Directives for caching mechanisms | |
| connection | HTTP response header connection | |
| content-encoding | HTTP response header content-encoding | |
| content-type | The media type of the resource | application/json |
| date | The date and time at which the message was originated | Thu, 01 Jan 2024 00:00:00 GMT |
| ratelimit-limit | HTTP response header ratelimit-limit | |
| ratelimit-remaining | HTTP response header ratelimit-remaining | |
| ratelimit-reset | HTTP response header ratelimit-reset | |
| strict-transport-security | HTTP response header strict-transport-security | |
| transfer-encoding | HTTP response header transfer-encoding | |
| vary | HTTP response header vary | |
| x-content-type-options | HTTP response header x-content-type-options | |
| x-frame-options | HTTP response header x-frame-options | |
| x-ratelimit-limit-1800 | HTTP response header x-ratelimit-limit-1800 | |
| x-ratelimit-limit-minute | HTTP response header x-ratelimit-limit-minute | |
| x-ratelimit-limit-second | HTTP response header x-ratelimit-limit-second | |
| x-ratelimit-remaining-1800 | HTTP response header x-ratelimit-remaining-1800 | |
| x-ratelimit-remaining-minute | HTTP response header x-ratelimit-remaining-minute | |
| x-ratelimit-remaining-second | HTTP response header x-ratelimit-remaining-second | |
| x-xss-protection | HTTP response header x-xss-protection | |
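The following Python example is added here and is not part of the Swimlane connector or of Palo Alto Networks' documentation. It ties together the pieces documented above in one runnable client: the headers built from the configuration parameters (`token`, `x-xdr-auth-id`), the Get Alerts usage rule that turns a `value` of `["0"]` into the integer `0` for `creation_time` and `server_creation_time`, the `request_data` envelope with `search_from`/`search_to`, the `status_code`/`response_headers`/`json_body.reply` shape of the action outputs, the `x-ratelimit-remaining-*` headers from the Response Headers table, and a Get Action Status lookup that returns the `data` map keyed by agent ID. The exact `Authorization` header format is an assumption (the page only calls the configuration "HTTP Bearer Authentication"); `fake_send`, the sample alerts, the action statuses and the host names are constructed test data so the code runs offline.

```python
"""Added example (not the connector's own code). Cortex XDR request/response helpers over an injectable transport."""
from typing import Callable, Dict, List, Optional, Tuple

# Fields the Get Alerts usage note singles out for string -> integer conversion.
TIME_FILTER_FIELDS = {"creation_time", "server_creation_time"}

# Transport signature: (url, headers, body) -> (status_code, response_headers, json_body)
Transport = Callable[[str, Dict[str, str], dict], Tuple[int, Dict[str, str], dict]]


def build_headers(token: str, auth_id: str) -> Dict[str, str]:
    """Headers for the 'HTTP Bearer Authentication' configuration.
    Assumption: the token is sent as a bearer credential; x-xdr-auth-id is sent as-is."""
    return {"Authorization": f"Bearer {token}", "x-xdr-auth-id": auth_id,
            "Content-Type": "application/json"}


def normalize_filter(flt: dict) -> dict:
    """Get Alerts usage rule: for creation_time / server_creation_time the value arrives
    as a list of strings and its first element is sent as an integer. Other filters pass through."""
    out = dict(flt)
    if flt.get("field") in TIME_FILTER_FIELDS and isinstance(flt.get("value"), list):
        if not flt["value"]:
            raise ValueError(f"filter on {flt['field']} needs at least one value")
        out["value"] = int(flt["value"][0])
    return out


def build_request(filters: List[dict], search_from: int = 0, search_to: int = 100,
                  sort: Optional[dict] = None) -> dict:
    """Wrap filters and paging in the request_data envelope the list actions expect."""
    request_data = {"filters": [normalize_filter(f) for f in filters],
                    "search_from": search_from, "search_to": search_to}
    if sort:
        request_data["sort"] = sort
    return {"request_data": request_data}


def remaining_quota(headers: Dict[str, str]) -> Dict[str, int]:
    """Read the x-ratelimit-remaining-{second,minute,1800} counters; header names are case-insensitive."""
    low = {k.lower(): v for k, v in headers.items()}
    return {w: int(low[f"x-ratelimit-remaining-{w}"])
            for w in ("second", "minute", "1800") if f"x-ratelimit-remaining-{w}" in low}


def should_back_off(headers: Dict[str, str]) -> bool:
    """True when any rate-limit window reports no remaining requests."""
    return any(v <= 0 for v in remaining_quota(headers).values())


class CortexXdrClient:
    """Minimal client; `send` is injected so the HTTP layer can be real or a test stand-in."""

    def __init__(self, url: str, token: str, auth_id: str, send: Transport):
        self.base = url.rstrip("/")
        self.headers = build_headers(token, auth_id)
        self.send = send

    def post(self, path: str, body: dict) -> dict:
        status, headers, json_body = self.send(self.base + path, self.headers, body)
        if status != 200:
            raise RuntimeError(f"{path} returned HTTP {status}")
        # Same envelope as the action examples on this page.
        return {"status_code": status, "response_headers": headers, "json_body": json_body}

    def get_alerts(self, filters: List[dict], search_from: int = 0,
                   search_to: int = 100) -> Tuple[List[dict], int, Dict[str, str]]:
        resp = self.post("/public_api/v1/alerts/get_alerts_multi_events/",
                         build_request(filters, search_from, search_to))
        reply = resp["json_body"]["reply"]
        return reply["alerts"], reply["total_count"], resp["response_headers"]

    def get_action_status(self, group_action_id: str) -> Dict[str, str]:
        resp = self.post("/public_api/v1/actions/get_action_status/",
                         {"request_data": {"group_action_id": group_action_id}})
        return resp["json_body"]["reply"]["data"]  # {<agent_id>: <status>}


# Constructed stand-in for the HTTP layer: canned replies shaped like this page's examples.
_RL_HEADERS = {"content-type": "application/json", "x-ratelimit-remaining-second": "9",
               "x-ratelimit-remaining-minute": "58", "x-ratelimit-remaining-1800": "1790"}
_SAMPLE_ALERTS = [  # constructed sample data, not real alerts
    {"external_id": "sample-alert-1", "severity": "high", "agent_fqdn": "host1.example.test"},
    {"external_id": "sample-alert-2", "severity": "medium", "agent_fqdn": "host2.example.test"},
]


def fake_send(url: str, headers: Dict[str, str], body: dict) -> Tuple[int, Dict[str, str], dict]:
    if "x-xdr-auth-id" not in headers or "Authorization" not in headers:
        return 401, _RL_HEADERS, {}
    if url.endswith("/alerts/get_alerts_multi_events/"):
        return 200, _RL_HEADERS, {"reply": {"total_count": 2, "result_count": 2, "alerts": _SAMPLE_ALERTS}}
    if url.endswith("/actions/get_action_status/"):
        gid = body["request_data"]["group_action_id"]
        return 200, _RL_HEADERS, {"reply": {"data": {"agent-1": f"completed:{gid}", "agent-2": "pending"}}}
    return 404, _RL_HEADERS, {}


def demo() -> dict:
    client = CortexXdrClient("https://example-tenant.xdr.invalid", "TOKEN", "1", fake_send)
    filters = [{"field": "creation_time", "operator": "lte", "value": ["0"]},
               {"field": "severity", "operator": "in", "value": ["high", "medium"]}]
    alerts, total, hdrs = client.get_alerts(filters)
    return {"total": total, "severities": [a["severity"] for a in alerts],
            "back_off": should_back_off(hdrs), "status": client.get_action_status("123")}


if __name__ == "__main__":
    print(demo())
```

To use it against a live tenant, replace `fake_send` with a function that performs the POST (for example with `requests`) and returns the status code, the response headers and the decoded JSON; everything else, including the filter normalization and the rate-limit check, stays the same. Checking `should_back_off` on each response before issuing the next request is the practical use of the `x-ratelimit-remaining-*` headers listed above.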