Palo Alto Networks Cortex XDR
palo alto networks cortex xdr is a comprehensive detection and response platform that unifies endpoint, network, and cloud data to prevent and respond to threats palo alto networks cortex xdr is a comprehensive security platform that integrates endpoint, network, and cloud data to detect and respond to threats this connector allows swimlane turbine users to automate advanced threat response and policy management tasks, such as retrieving alerts, managing incidents, and isolating endpoints by integrating with cortex xdr, users can enhance their security operations with streamlined workflows and real time threat intelligence, improving incident response times and reducing manual effort prerequisites before you can use the palo alto networks cortex xdr connector for turbine, you'll need access to the cortex xdr api this requires the following cortex custom authentication using the following parameters url the endpoint url for accessing the cortex xdr api token a valid token for authenticating api requests cortex xdr api key id the unique identifier for your cortex xdr api key asset setup generating an api token instructions for generating an api token can be found here https //docs paloaltonetworks com/cortex/cortex xdr/cortex xdr api/cortex xdr api overview/get started with cortex xdr apis html capabilities this connector provides the following capabilities blacklist files get action status get alerts get all endpoints get endpoint get incident additional data get incidents get pcap packet get policy get script code get script metadata get scripts get violations get xql query isolate endpoints and so on notes get incidents filter syntax official filter syntax documentation https //docs paloaltonetworks com/cortex/cortex xdr/cortex xdr api/cortex xdr apis/incident management/get incidents this plugin was last tested against product version api v1 get alerts usage for filters creation time and server creation time , value should be passed as a string in the array the 
first element in value array is converted into integer before making the request input { "field" "creation time", "operator" "lte", "value" \["0"] } the above input converts to { "field" "creation time", "operator" "lte", "value" 0 } configurations palo alto cortex xdr authentication authenticates using cortex token and x xdr auth id configuration parameters parameter description type required url a url to the target host string required token api token string required x xdr auth id cortex xdr api key id string required verify ssl verify ssl certificate boolean optional advanced authentication advanced authentication boolean optional http proxy a proxy to route requests through string optional actions get action status retrieve the status of requested actions in palo alto networks cortex xdr using a specific action id and provided request data endpoint url /public api/v1/actions/get action status/ method post input argument name type required description request data object optional response data request data group action id string required response data input example {"request data" {"group action id" "string"}} output parameter type description status code number http status code of the response reason string response reason phrase reply object output field reply reply data object response data reply data \<agent id> string response data output example {"reply" {"data" {"\<agent id>" "string"}}} get alerts obtain a comprehensive list of alerts from palo alto networks cortex xdr, potentially associated with multiple events endpoint url /public api/v1/alerts/get alerts multi events/ method post input argument name type required description parameters return as turbine schema boolean optional when true, alerts are mapped to normalized turbine schema alert objects and returned in the alerts field when false, the raw cortex xdr api response is returned parameters alert organization string optional optional organization name to include in the turbine schema alert used 
only when return as turbine schema is true parameters ioc types array optional list of observable types to extract supported ipv4 public, ipv4 private, ipv6 public, ipv6 private, domain, url, email, sha1, sha256, md5 if omitted or empty, all types are extracted parameters domains ignore list string optional comma separated domain values to exclude from observable extraction parameters ip cidr ignore list string optional comma separated cidr ranges to exclude from observable extraction parameters regex ignore string optional regex pattern — any observable value matching this pattern is excluded parameters ioc ignore paths array optional array of slash separated field paths to strip from each alert before extracting observables supports wildcards ( ) and nested paths example \["processcommandline", "context/ /ipaddress"] request data object optional response data request data filters array optional response data request data filters field string optional response data request data filters operator string optional response data request data filters value number optional response data request data search from number optional response data request data search to number optional response data request data sort object optional response data request data sort field string optional response data request data sort keyword string optional response data input example {"parameters" {"return as turbine schema"\ true,"alert organization" "string","ioc types" \["string"],"domains ignore list" "string","ip cidr ignore list" "string","regex ignore" "string","ioc ignore paths" \["string"]},"request data" {"filters" \[{"field" "string","operator" "string","value" 123}],"search from" 123,"search to" 123,"sort" {"field" "string","keyword" "string"}}} output parameter type description status code number http status code of the response reason string response reason phrase alerts array normalized turbine schema alerts (when return as turbine schema is true) total processed integer number 
of turbine schema alerts returned total count number count value result count number result of the operation output example {"alerts" \[],"total processed" 123,"total count" 123,"result count" 123} get alerts v2 obtain a comprehensive list of alerts with multiple events from palo alto networks cortex xdr using the v2 api endpoint endpoint url /public api/v2/alerts/get alerts multi events method post input argument name type required description parameters return as turbine schema boolean optional when true, alerts are mapped to normalized turbine schema alert objects and returned in the alerts field when false, the raw cortex xdr api response is returned parameters alert organization string optional optional organization name to include in the turbine schema alert used only when return as turbine schema is true parameters ioc types array optional list of observable types to extract supported ipv4 public, ipv4 private, ipv6 public, ipv6 private, domain, url, email, sha1, sha256, md5 if omitted or empty, all types are extracted parameters domains ignore list string optional comma separated domain values to exclude from observable extraction parameters ip cidr ignore list string optional comma separated cidr ranges to exclude from observable extraction parameters regex ignore string optional regex pattern — any observable value matching this pattern is excluded parameters ioc ignore paths array optional array of slash separated field paths to strip from each alert before extracting observables supports wildcards ( ) and nested paths example \["processcommandline", "context/ /ipaddress"] request data object optional response data request data filters array optional response data request data filters field string optional response data request data filters operator string optional response data request data filters value number optional response data request data search from number optional response data request data search to number optional response data request data 
sort object optional response data request data sort field string optional response data request data sort keyword string optional response data input example {"parameters" {"return as turbine schema"\ true,"alert organization" "string","ioc types" \["string"],"domains ignore list" "string","ip cidr ignore list" "string","regex ignore" "string","ioc ignore paths" \["string"]},"request data" {"filters" \[{"field" "string","operator" "string","value" 123}],"search from" 123,"search to" 123,"sort" {"field" "string","keyword" "string"}}} output parameter type description status code number http status code of the response reason string response reason phrase alerts array normalized turbine schema alerts (when return as turbine schema is true) total processed integer number of turbine schema alerts returned total count number count value result count number result of the operation resolution status string status value resolution comment string output field resolution comment output example {"alerts" \[],"total processed" 123,"total count" 123,"result count" 123,"resolution status" "active","resolution comment" "string"} allow list files add files to the allow list in palo alto networks cortex xdr using the provided request data endpoint url /public api/v1/hash exceptions/allowlist method post input argument name type required description request data object optional response data request data hash list array required response data request data comment string optional response data request data incident id number optional response data input example {"json body" {"request data" {"hash list" \["032196fb1a dfcf69e5d553f0","365296eb1b fcf29e5d553e4","365296eb1b fcf69e3d553e4","365296eb1b fcf69e5d553d4","365296eb1b fcf79e5d553d4"],"comment" "test","incident id" 5}}} output example {"json body" {}} get endpoint retrieve a list of endpoints from palo alto networks cortex xdr using specified request data endpoint url /public api/v1/endpoints/get endpoint/ method post input 
argument name type required description request data object optional response data request data search from number optional response data request data search to number optional response data request data sort object optional response data request data sort field string optional response data request data sort keyword string optional response data request data filters array optional response data request data filters field string optional response data request data filters operator string optional response data request data filters value array optional response data input example {"request data" {"search from" 123,"search to" 123,"sort" {"field" "string","keyword" "string"},"filters" \[{"field" "string","operator" "string","value" \["string"]}]}} output parameter type description status code number http status code of the response reason string response reason phrase reply object output field reply reply total count number count value reply result count number result of the operation reply endpoints array output field reply endpoints reply endpoints endpoint id string unique identifier reply endpoints endpoint name string name of the resource reply endpoints endpointtags string output field reply endpoints endpointtags reply endpoints endpoint type string type of the resource reply endpoints endpoint status string status value reply endpoints os type string type of the resource reply endpoints os version string output field reply endpoints os version reply endpoints ip array output field reply endpoints ip reply endpoints ipv6 array output field reply endpoints ipv6 reply endpoints ipv6 file name string name of the resource reply endpoints ipv6 file string output field reply endpoints ipv6 file reply endpoints public ip string output field reply endpoints public ip reply endpoints users array output field reply endpoints users reply endpoints domain string output field reply endpoints domain reply endpoints alias string output field reply endpoints alias reply 
endpoints first seen number output field reply endpoints first seen reply endpoints last seen number output field reply endpoints last seen reply endpoints content version string response content reply endpoints installation package string output field reply endpoints installation package output example {"reply" {"total count" 123,"result count" 123,"endpoints" \[{}]}} get all endpoints retrieve a comprehensive list of all endpoints from palo alto networks cortex xdr without requiring additional parameters endpoint url /public api/v1/endpoints/get endpoints/ method post output parameter type description status code number http status code of the response reason string response reason phrase reply array output field reply reply agent id string unique identifier reply agent status string status value reply host name string name of the resource reply agent type string type of the resource reply endpointtags string output field reply endpointtags reply ip string output field reply ip reply last seen number output field reply last seen reply tags object output field reply tags reply tags server tags array output field reply tags server tags reply tags server tags file name string name of the resource reply tags server tags file string output field reply tags server tags file reply tags endpoint tags array output field reply tags endpoint tags reply tags endpoint tags file name string name of the resource reply tags endpoint tags file string output field reply tags endpoint tags file reply users string output field reply users output example {"reply" \[{"agent id" "string","agent status" "active","host name" "example name","agent type" "string","endpointtags" "string","ip" "string","last seen" 123,"tags" {},"users" "string"}]} get incident extra data retrieve additional data, alerts, and artifacts for a specified incident in palo alto networks cortex xdr using the 'request data' parameter endpoint url /public api/v1/incidents/get incident extra data/ method post input 
argument name type required description request data object optional response data request data incident id string required response data request data alerts limit number required response data input example {"request data" {"incident id" "string","alerts limit" 123}} output parameter type description status code number http status code of the response reason string response reason phrase reply object output field reply reply incident object unique identifier reply incident incident id string unique identifier reply incident incident name string unique identifier reply incident creation time number unique identifier reply incident modification time number unique identifier reply incident detection time object unique identifier reply incident status string unique identifier reply incident severity string unique identifier reply incident description string unique identifier reply incident assigned user mail object unique identifier reply incident assigned user pretty name object unique identifier reply incident alert count number unique identifier reply incident low severity alert count number unique identifier reply incident med severity alert count number unique identifier reply incident high severity alert count number unique identifier reply incident critical severity alert count number unique identifier reply incident user count number unique identifier reply incident host count number unique identifier reply incident notes object unique identifier reply incident resolve comment object unique identifier reply incident manual severity object unique identifier reply incident manual description object unique identifier output example {"reply" {"incident" {"incident id" "string","incident name" "example name","creation time" 123,"modification time" 123,"detection time" {},"status" "active","severity" "string","description" "string","assigned user mail" {},"assigned user pretty name" {},"alert count" 123,"low severity alert count" 123,"med severity alert count" 
123,"high severity alert count" 123,"critical severity alert count" 123},"alerts" {"total count" 123,"data" \[]},"network artifacts" {"total count" 123,"data" \[]},"file get incidents retrieve a filtered list of incidents from palo alto networks cortex xdr using specific criteria such as ids and timestamps requires request data in json body endpoint url /public api/v1/incidents/get incidents/ method post input argument name type required description parameters return as turbine schema boolean optional when true, incidents are mapped to normalized turbine schema alert objects and returned in the alerts field when false, the raw cortex xdr api response is returned parameters alert organization string optional optional organization name to include in the turbine schema alert used only when return as turbine schema is true parameters ioc types array optional list of observable types to extract supported ipv4 public, ipv4 private, ipv6 public, ipv6 private, domain, url, email, sha1, sha256, md5 if omitted or empty, all types are extracted parameters domains ignore list string optional comma separated domain values to exclude from observable extraction parameters ip cidr ignore list string optional comma separated cidr ranges to exclude from observable extraction parameters regex ignore string optional regex pattern — any observable value matching this pattern is excluded parameters ioc ignore paths array optional array of slash separated field paths to strip from each alert before extracting observables supports wildcards ( ) and nested paths example \["processcommandline", "context/ /ipaddress"] request data object optional response data request data filters array optional response data request data filters field string optional response data request data filters operator string optional response data request data filters value array optional response data request data search from number optional response data request data search to number optional response data 
request data sort object optional response data request data sort field string optional response data request data sort keyword string optional response data input example {"parameters" {"return as turbine schema"\ true,"alert organization" "string","ioc types" \["string"],"domains ignore list" "string","ip cidr ignore list" "string","regex ignore" "string","ioc ignore paths" \["string"]},"request data" {"filters" \[{"field" "string","operator" "string","value" \["string"]}],"search from" 123,"search to" 123,"sort" {"field" "string","keyword" "string"}}} output parameter type description status code number http status code of the response reason string response reason phrase alerts array normalized turbine schema alerts (when return as turbine schema is true) total processed integer number of turbine schema alerts returned total count number count value result count number result of the operation output example {"alerts" \[],"total processed" 123,"total count" 123,"result count" 123} isolate endpoints isolate up to 1000 endpoints on palo alto networks cortex xdr using the 'request data' parameter endpoint url /public api/v1/endpoints/isolate method post input argument name type required description request data object optional a dictionary containing the api request fields request data filters array required array of filtered fields for isolating a number of endpoints at once only required if isolating more than one endpoint request data filters field string required identifies a list the filters match filters are based on the endpoint id list keywords request data filters operator string required identifies the comparison operator you want to use for this filter valid keywords and values request data filters value array required value that this filter must match request data incident id string optional the incident id when included in the request, the isolate endpoints action will appear in the cortex xdr incident viewtimeline tab input example {"json body" 
{"request data" {"filters" \[{"field" "endpoint id list","operator" "in","value" \["id1 123ab","id2 123bc"]}],"incident id" "123a"}}} output parameter type description status code number http status code of the response reason string response reason phrase reply object output field reply reply action id string unique identifier reply status string status value reply endpoints count string count value output example {"status code" 200,"response headers" {},"reason" "ok","json body" {"reply" {"action id" "\<action id>","status" "1","endpoints count" "673"}}} retrive pcap packet retrieve pcap packets linked to alert ids from palo alto networks ngfw using apis for detailed incident data requires request data in json body endpoint url /public api/v1/alerts/get alerts pcap/ method post input argument name type required description request data object optional response data request data filters array optional response data request data filters field string optional response data request data filters operator string optional response data request data filters value array optional response data request data search from number optional response data request data search to number optional response data request data sort object optional response data request data sort field string optional response data request data sort keyword string optional response data input example {"request data" {"filters" \[{"field" "string","operator" "string","value" \["string"]}],"search from" 123,"search to" 123,"sort" {"field" "string","keyword" "string"}}} output parameter type description status code number http status code of the response reason string response reason phrase reply array output field reply reply id number unique identifier reply pcap data string response data output example {"reply" \[{"id" 123,"pcap data" "string"}]} get policy retrieve the policy name for a specific endpoint in palo alto networks cortex xdr using the provided request data endpoint url /public 
api/v1/endpoints/get policy/ method post input argument name type required description request data object optional response data request data endpoint id string required response data input example {"request data" {"endpoint id" "string"}} output parameter type description status code number http status code of the response reason string response reason phrase reply object output field reply reply policy name string name of the resource output example {"reply" {"policy name" "example name"}} quarantine files quarantine files on up to 1000 endpoints in cortex xdr if a file is not found, no action occurs verify quarantine status in the action center requires request data in json body endpoint url /public api/v1/endpoints/quarantine method post input argument name type required description request data object optional a dictionary containing the api request fields request data filters array required array of filter objects to select the endpoints to quarantine the file on filters are combined using and maximum result set size is 1000 request data filters field string required identifies the list the filter matches filters are based on the endpoint id list keyword request data filters operator string required identifies the comparison operator to use for this filter request data filters value array required value that this filter must match request data file path string required the full path to the file to quarantine on the endpoint request data file hash string required the hash value of the file to quarantine input example {"json body" {"request data" {"filters" \[{"field" "endpoint id list","operator" "in","value" \["\<endpoint id>"]}],"file path" "c \\\\\<file path>\\\test x64 msi","file hash" "\<hash value>"}}} output parameter type description reply object output field reply reply action id string id of the action to quarantine the selected endpoints use this id to track the action status in the cortex xdr action center or via the get action status api reply 
status string integer representing whether the action succeeded (1) or failed (0) reply endpoints count string number of endpoints included in the request output example {"json body" {"reply" {"action id" "\[id value]","status" "1","endpoints count" "673"}}} restore file restores a quarantined file on specified endpoints within palo alto networks cortex xdr using the provided request data endpoint url /public api/v1/endpoints/restore method post input argument name type required description request data object optional response data request data file hash string required response data request data incident id number optional response data input example {"json body" {"request data" {"file hash" "\<hash value>","incident id" 302}}} output parameter type description reply object output field reply reply action id string unique identifier reply status number status value reply endpoints count string count value output example {"json body" {"reply" {"action id" "\<action id>","status" 1,"endpoints count" "673"}}} get scripts retrieve all scripts from the palo alto networks cortex xdr library using specified request data endpoint url /public api/v1/scripts/get scripts/ method post input argument name type required description request data object optional response data request data filters array optional response data request data filters field string optional response data request data filters operator string optional response data request data filters value array optional response data input example {"request data" {"filters" \[{"field" "string","operator" "string","value" \["string"]}]}} output parameter type description status code number http status code of the response reason string response reason phrase reply object output field reply reply total count number count value reply result count number result of the operation reply scripts array output field reply scripts reply scripts script id string unique identifier reply scripts name string name of the resource 
reply scripts description string output field reply scripts description reply scripts modification date number date value reply scripts created by string output field reply scripts created by reply scripts is high risk boolean output field reply scripts is high risk reply scripts windows supported boolean output field reply scripts windows supported reply scripts linux supported boolean output field reply scripts linux supported reply scripts macos supported boolean output field reply scripts macos supported reply scripts script uid string unique identifier output example {"reply" {"total count" 123,"result count" 123,"scripts" \[{}]}} get script code retrieve the source code of a specified script from the palo alto networks cortex xdr library using request data endpoint url /public api/v1/scripts/get script code/ method post input argument name type required description request data object optional response data request data script uid string required response data input example {"request data" {"script uid" "string"}} output parameter type description status code number http status code of the response reason string response reason phrase reply string output field reply output example {"reply" "string"} get script metadata retrieve script definitions from the palo alto networks cortex xdr library using specified request data endpoint url /public api/v1/scripts/get script metadata/ method post input argument name type required description request data object optional response data request data script uid string optional response data input example {"request data" {"script uid" "string"}} output parameter type description status code number http status code of the response reason string response reason phrase reply object output field reply reply script id string unique identifier reply name string name of the resource reply description string output field reply description reply modification date number date value reply created by string output field reply created 
by reply is high risk boolean output field reply is high risk reply windows supported boolean output field reply windows supported reply linux supported boolean output field reply linux supported reply macos supported boolean output field reply macos supported reply script uid string unique identifier reply entry point string output field reply entry point reply script input array input data for the action reply script input name string input data for the action reply script input type string input data for the action reply script input friendly name string input data for the action reply script output type string type of the resource reply script output dictionary definitions array output field reply script output dictionary definitions reply script output dictionary definitions friendly name string name of the resource reply script output dictionary definitions name string name of the resource reply script output dictionary definitions type string type of the resource output example {"reply" {"script id" "string","name" "example name","description" "string","modification date" 123,"created by" "string","is high risk"\ true,"windows supported"\ true,"linux supported"\ true,"macos supported"\ true,"script uid" "string","entry point" "string","script input" \[{}],"script output type" "string","script output dictionary definitions" \[{}]}} unisolate endpoints reverses isolation for up to 1000 endpoints in palo alto networks cortex xdr using specified request data endpoint url /public api/v1/endpoints/unisolate method post input argument name type required description request data object optional a dictionary containing the api request fields request data filters array required an array of filter fields for unisolating a number of endpoints at once this field is only required if unisolating more than one endpoint request data filters field string required string that identifies a list the filters match filters are based on the endpoint id list keywords request data 
| request_data.filters.operator | string | required | String that identifies the comparison operator you want to use for this filter. Valid keywords and values. |
| request_data.filters.value | array | required | Value that this filter must match. Valid keywords. |
| request_data.incident_id | string | optional | Response data |

#### Input Example

```json
{
  "json_body": {
    "request_data": {
      "filters": [
        {"field": "endpoint_id_list", "operator": "in", "value": ["id1_123ab", "id2_123bc"]}
      ],
      "incident_id": "123a"
    }
  }
}
```

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| reply | object | Output field reply |
| reply.action_id | string | Unique identifier |
| reply.status | string | Status value |
| reply.endpoints_count | string | Count value |

#### Output Example

```json
{
  "status_code": 200,
  "response_headers": {},
  "reason": "OK",
  "json_body": {"reply": {"action_id": "<action_id>", "status": "1", "endpoints_count": "673"}}
}
```

### Update Incident

Update specific incident fields in Palo Alto Networks Cortex XDR, ignoring missing fields. Use empty strings to unassign users or remove manual severity.

Endpoint URL: `/public_api/v1/incidents/update_incident`
Method: POST

#### Input

| Name | Type | Required | Description |
|---|---|---|---|
| request_data | object | optional | A dictionary containing the API request fields. |
| request_data.incident_id | string | required | A string representing the incident ID you want to update. |
| request_data.update_data | object | optional | The data to update the incident with. You can also include custom incident fields as additional properties. Custom field names must be lowercase with no white spaces (e.g. "Single Select" becomes "singleselect"). |
| request_data.update_data.assigned_user_mail | string | optional | Email address of the user to assign the incident to. Must belong to a user that exists in the same Cortex XDR tenant. Pass an empty string to unassign the incident. |
| request_data.update_data.manual_severity | string | optional | Manually set severity for the incident. Valid values are informational, low, medium, high, critical. Pass an empty string to remove a manually set severity. |
| request_data.update_data.status | string | optional | The status of the incident. |
| request_data.update_data.resolve_comment | string | optional | A comment explaining why the incident was resolved. |
| request_data.update_data.comment | object | optional | Add a comment to the incident. |
| request_data.update_data.comment.comment_action | string | optional | The comment action. Must be 'add'. |
| request_data.update_data.comment.value | string | optional | The comment text. |
| request_data.update_data.notes | string | optional | Notes to add to the incident. |

#### Input Example

```json
{
  "json_body": {
    "request_data": {
      "incident_id": "2927",
      "update_data": {
        "assigned_user_mail": "username@test.com",
        "manual_severity": "low",
        "status": "resolved_other",
        "resolve_comment": "This incident is resolved"
      }
    }
  }
}
```

#### Output Example

```json
{"json_body": false}
```

### Get Violations

Retrieve up to 100 device control violations from Palo Alto Networks Cortex XDR using specified request data filters.

Endpoint URL: `/public_api/v1/device_control/get_violations/`
Method: POST

#### Input

| Name | Type | Required | Description |
|---|---|---|---|
| request_data | object | optional | Response data |
| request_data.filters | array | optional | Response data |
| request_data.filters.field | string | optional | Response data |
| request_data.filters.operator | string | optional | Response data |
| request_data.filters.value | array | optional | Response data |
| request_data.search_to | number | optional | Response data |

#### Input Example

```json
{
  "request_data": {
    "filters": [{"field": "string", "operator": "string", "value": ["string"]}],
    "search_to": 123
  }
}
```

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| reply | object | Output field reply |
| reply.total_count | number | Count value |
| reply.result_count | number | Result of the operation |
| reply.violations | array | Output field reply.violations |
| reply.violations.hostname | string | Name of the resource |
| reply.violations.username | string | Name of the resource |
| reply.violations.ip | string | Output field reply.violations.ip |
| reply.violations.timestamp | number | Output field reply.violations.timestamp |
| reply.violations.violation_id | number | Unique identifier |
| reply.violations.type | string | Type of the resource |
| reply.violations.vendor_id | string | Unique identifier |
| reply.violations.vendor | string | Output field reply.violations.vendor |
| reply.violations.product_id | string | Unique identifier |
| reply.violations.product | string | Output field reply.violations.product |
| reply.violations.serial | string | Output field reply.violations.serial |
| reply.violations.endpoint_id | string | Unique identifier |

#### Output Example

```json
{"reply": {"total_count": 123, "result_count": 123, "violations": [{}]}}
```

### Get XQL Query Results

Retrieve results of a prior XQL query in Palo Alto Networks Cortex XDR using the specified query ID and request data.

Endpoint URL: `/public_api/v1/xql/get_query_results/`
Method: POST

#### Input

| Name | Type | Required | Description |
|---|---|---|---|
| request_data | object | optional | Response data |
| request_data.query_id | string | optional | Response data |
| request_data.pending_flag | boolean | optional | Response data |
| request_data.limit | number | optional | Response data |
| request_data.format | string | optional | Response data |

#### Input Example

```json
{"request_data": {"query_id": "string", "pending_flag": true, "limit": 123, "format": "string"}}
```

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| reply | object | Output field reply |
| reply.status | string | Status value |
| reply.number_of_results | number | Result of the operation |
| reply.query_cost | object | Output field reply.query_cost |
| reply.query_cost.tenant_id_1 | number | Unique identifier |
| reply.remaining_quota | number | Output field reply.remaining_quota |
| reply.results | object | Result of the operation |
| reply.results.data | array | Response data |
| reply.results.data.event_id | string | Response data |
| reply.results.data.vendor | string | Response data |
| reply.results.data.product | string | Response data |
| reply.results.data.insert_timestamp | number | Response data |
| reply.results.data.time | number | Response data |
| reply.results.data.event_type | string | Response data |
| reply.results.data.event_sub_type | string | Response data |

#### Output Example

```json
{
  "reply": {
    "status": "active",
    "number_of_results": 123,
    "query_cost": {"tenant_id_1": 123},
    "remaining_quota": 123,
    "results": {"data": []}
  }
}
```

### Response Headers

| Header | Description | Example |
|---|---|---|
| Cache-Control | Directives for caching mechanisms | |
| Connection | HTTP response header Connection | |
| Content-Encoding | HTTP response header Content-Encoding | |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Thu, 01 Jan 2024 00:00:00 GMT |
| RateLimit-Limit | HTTP response header RateLimit-Limit | |
| RateLimit-Remaining | HTTP response header RateLimit-Remaining | |
| RateLimit-Reset | HTTP response header RateLimit-Reset | |
| Strict-Transport-Security | HTTP response header Strict-Transport-Security | |
| Transfer-Encoding | HTTP response header Transfer-Encoding | |
| Vary | HTTP response header Vary | |
| X-Content-Type-Options | HTTP response header X-Content-Type-Options | |
| X-Frame-Options | HTTP response header X-Frame-Options | |
| X-RateLimit-Limit-1800 | HTTP response header X-RateLimit-Limit-1800 | |
| X-RateLimit-Limit-Minute | HTTP response header X-RateLimit-Limit-Minute | |
| X-RateLimit-Limit-Second | HTTP response header X-RateLimit-Limit-Second | |
| X-RateLimit-Remaining-1800 | HTTP response header X-RateLimit-Remaining-1800 | |
| X-RateLimit-Remaining-Minute | HTTP response header X-RateLimit-Remaining-Minute | |
| X-RateLimit-Remaining-Second | HTTP response header X-RateLimit-Remaining-Second | |
| X-XSS-Protection | HTTP response header X-XSS-Protection | |
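The Update Incident action above has several rules a caller has to get right before the request goes out: empty strings unassign a user or remove a manual severity, manual severity takes a fixed set of values, a comment object must carry `comment_action` 'add', and custom field names must be lowercase with no white space. The following added example (not Swimlane's or Palo Alto Networks' code) builds and validates the `json_body` for that action so malformed updates are rejected locally; the helper names are our own.

```python
"""Build a validated json_body for the Cortex XDR update_incident action.

Added example for this page; helper names are ours. Field names and
validation rules come from the action's input table above.
"""
import json
import re

UPDATE_INCIDENT_PATH = "/public_api/v1/incidents/update_incident"
# "" is allowed: the API treats an empty string as "remove manual severity".
VALID_SEVERITIES = {"", "informational", "low", "medium", "high", "critical"}


def custom_field_name(name: str) -> str:
    """Normalise a custom incident field name: lowercase, no white space
    (e.g. "Single Select" -> "singleselect")."""
    return re.sub(r"\s+", "", name).lower()


def build_update_incident_body(incident_id, assigned_user_mail=None,
                               manual_severity=None, status=None,
                               resolve_comment=None, comment=None,
                               notes=None, custom_fields=None) -> dict:
    """Return the json_body for update_incident. Arguments left as None are
    omitted from update_data, which the API ignores ("ignoring missing fields")."""
    if not incident_id:
        raise ValueError("request_data.incident_id is required")
    if manual_severity is not None and manual_severity not in VALID_SEVERITIES:
        raise ValueError(f"invalid manual_severity: {manual_severity!r}")
    update_data = {}
    if assigned_user_mail is not None:
        update_data["assigned_user_mail"] = assigned_user_mail  # "" unassigns
    if manual_severity is not None:
        update_data["manual_severity"] = manual_severity  # "" removes it
    if status is not None:
        update_data["status"] = status
    if resolve_comment is not None:
        update_data["resolve_comment"] = resolve_comment
    if comment is not None:  # comment_action must be 'add'
        update_data["comment"] = {"comment_action": "add", "value": comment}
    if notes is not None:
        update_data["notes"] = notes
    for name, value in (custom_fields or {}).items():
        update_data[custom_field_name(name)] = value
    return {"json_body": {"request_data": {"incident_id": str(incident_id),
                                           "update_data": update_data}}}


if __name__ == "__main__":
    body = build_update_incident_body("2927", assigned_user_mail="",
                                      manual_severity="low", status="resolved_other",
                                      resolve_comment="This incident is resolved")
    print(f"POST {UPDATE_INCIDENT_PATH}\n{json.dumps(body, indent=2)}")
```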
