# Palo Alto Networks Cortex XDR
The Palo Alto Networks Cortex XDR connector enables seamless integration with Swimlane Turbine, allowing users to automate threat detection and response activities. Palo Alto Networks Cortex XDR is a comprehensive threat detection and response platform that extends protection across network, endpoint, and cloud environments. This connector enables Swimlane Turbine users to automate key security operations tasks, such as incident response, endpoint isolation, and threat intelligence enrichment. By integrating with Cortex XDR, users can streamline their security workflows, rapidly respond to incidents, and enhance their overall security posture with minimal manual intervention.

## Prerequisites

To effectively utilize the Palo Alto Networks Cortex XDR connector with Swimlane Turbine, ensure you have the following prerequisites:

- Cortex Custom Authentication with the following parameters:
  - URL: the base URL for the Cortex XDR API endpoint
  - Token: your Cortex XDR API token for secure access
  - Cortex XDR API Key ID: the unique identifier for your API key

## Asset Setup

### Generating an API Token

Instructions for generating an API token can be found at https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-api/cortex-xdr-api-overview/get-started-with-cortex-xdr-apis.html.

## Capabilities

This connector provides the following capabilities:

- Blacklist Files
- Get Action Status
- Get Alerts
- Get All Endpoints
- Get Endpoint
- Get Incident Additional Data
- Get Incidents
- Get PCAP Packet
- Get Policy
- Get Script Code
- Get Script Metadata
- Get Scripts
- Get Violations
- Get XQL Query
- Isolate Endpoints
- And so on

## Notes

- Get Incidents filter syntax: https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-api/cortex-xdr-apis/incident-management/get-incidents
- This plugin was last tested against product version API v1.

Get Alerts usage: for the filters `creation_time` and `server_creation_time`, the value should be passed as a string in the array. The first element in the `value` array is converted into an integer before making the request.

Input:

```json
{ "field": "creation_time", "operator": "lte", "value": ["0"] }
```

The above input converts to:

```json
{ "field": "creation_time", "operator": "lte", "value": 0 }
```

## Configurations

### Palo Alto Cortex XDR Authentication

Authenticates using the Cortex token and `x-xdr-auth-id`.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | required |
| token | API token | string | required |
| x-xdr-auth-id | Cortex XDR API key ID | string | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

## Actions

### Get Action Status

Retrieve the status of requested actions in Palo Alto Networks Cortex XDR using the provided action ID.

**Endpoint URL:** `/public_api/v1/actions/get_action_status/`

**Method:** POST

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| request_data | object | optional | Response data |
| request_data.group_action_id | string | required | Response data |

##### Input Example

```json
{"request_data": {"group_action_id": "string"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| reply | object | Output field reply |
| reply.data | object | Response data |
| reply.data.`<agent_id>` | string | Response data |

##### Output Example

```json
{"reply": {"data": {"<agent_id>": "string"}}}
```

### Get Alerts

Obtain a comprehensive list of alerts from Palo Alto Networks Cortex XDR, potentially associated with multiple events.

**Endpoint URL:** `/public_api/v1/alerts/get_alerts_multi_events/`

**Method:** POST

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| request_data | object | optional | Response data |
| request_data.filters | array | optional | Response data |
| request_data.filters.field | string | optional | Response data |
| request_data.filters.operator | string | optional | Response data |
| request_data.filters.value | number | optional | Response data |
| request_data.search_from | number | optional | Response data |
| request_data.search_to | number | optional | Response data |
| request_data.sort | object | optional | Response data |
| request_data.sort.field | string | optional | Response data |
| request_data.sort.keyword | string | optional | Response data |

##### Input Example

```json
{"request_data": {"filters": [{"field": "string", "operator": "string", "value": 123}], "search_from": 123, "search_to": 123, "sort": {"field": "string", "keyword": "string"}}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| reply | object | Output field reply |
| reply.total_count | number | Count value |
| reply.result_count | number | Result of the operation |
| reply.alerts | array | Output field reply.alerts |
| reply.alerts.external_id | string | Unique identifier |
| reply.alerts.severity | string | Output field reply.alerts.severity |
| reply.alerts.matching_status | string | Status value |
| reply.alerts.end_match_attempt_ts | number | Output field reply.alerts.end_match_attempt_ts |
| reply.alerts.local_insert_ts | number | Output field reply.alerts.local_insert_ts |
| reply.alerts.bioc_indicator | object | Output field reply.alerts.bioc_indicator |
| reply.alerts.matching_service_rule_id | object | Unique identifier |
| reply.alerts.attempt_counter | number | Output field reply.alerts.attempt_counter |
| reply.alerts.bioc_category_enum_key | object | Output field reply.alerts.bioc_category_enum_key |
| reply.alerts.is_whitelisted | boolean | Output field reply.alerts.is_whitelisted |
| reply.alerts.starred | boolean | Output field reply.alerts.starred |
| reply.alerts.deduplicate_tokens | object | Output field reply.alerts.deduplicate_tokens |
| reply.alerts.filter_rule_id | object | Unique identifier |
| reply.alerts.mitre_technique_id_and_name | array | Unique identifier |
| reply.alerts.mitre_tactic_id_and_name | array | Unique identifier |
| reply.alerts.agent_version | string | Output field reply.alerts.agent_version |
| reply.alerts.agent_device_domain | object | Output field reply.alerts.agent_device_domain |
| reply.alerts.agent_fqdn | string | Output field reply.alerts.agent_fqdn |
| reply.alerts.agent_os_type | string | Type of the resource |

##### Output Example

```json
{"reply": {"total_count": 123, "result_count": 123, "alerts": [{}]}}
```

### Allow List Files

Add files to the allow list in Palo Alto Networks Cortex XDR using the provided request data.

**Endpoint URL:** `/public_api/v1/hash_exceptions/allowlist`

**Method:** POST

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| request_data | object | optional | Response data |
| request_data.hash_list | array | required | Response data |
| request_data.comment | string | optional | Response data |
| request_data.incident_id | number | optional | Response data |

##### Input Example

```json
{"json_body": {"request_data": {"hash_list": ["032196fb1a dfcf69e5d553f0", "365296eb1b fcf29e5d553e4", "365296eb1b fcf69e3d553e4", "365296eb1b fcf69e5d553d4", "365296eb1b fcf79e5d553d4"], "comment": "test", "incident_id": 5}}}
```

##### Output Example

```json
{"json_body": {}}
```

### Get Endpoint

Obtains a filtered list of endpoints from Palo Alto Networks Cortex XDR using specified request data.

**Endpoint URL:** `/public_api/v1/endpoints/get_endpoint/`

**Method:** POST

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| request_data | object | optional | Response data |
| request_data.search_from | number | optional | Response data |
| request_data.search_to | number | optional | Response data |
| request_data.sort | object | optional | Response data |
| request_data.sort.field | string | optional | Response data |
| request_data.sort.keyword | string | optional | Response data |
| request_data.filters | array | optional | Response data |
| request_data.filters.field | string | optional | Response data |
| request_data.filters.operator | string | optional | Response data |
| request_data.filters.value | array | optional | Response data |

##### Input Example

```json
{"request_data": {"search_from": 123, "search_to": 123, "sort": {"field": "string", "keyword": "string"}, "filters": [{"field": "string", "operator": "string", "value": ["string"]}]}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| reply | object | Output field reply |
| reply.total_count | number | Count value |
| reply.result_count | number | Result of the operation |
| reply.endpoints | array | Output field reply.endpoints |
| reply.endpoints.endpoint_id | string | Unique identifier |
| reply.endpoints.endpoint_name | string | Name of the resource |
| reply.endpoints.endpointTags | string | Output field reply.endpoints.endpointTags |
| reply.endpoints.endpoint_type | string | Type of the resource |
| reply.endpoints.endpoint_status | string | Status value |
| reply.endpoints.os_type | string | Type of the resource |
| reply.endpoints.os_version | string | Output field reply.endpoints.os_version |
| reply.endpoints.ip | array | Output field reply.endpoints.ip |
| reply.endpoints.ipv6 | array | Output field reply.endpoints.ipv6 |
| reply.endpoints.ipv6.file.name | string | Name of the resource |
| reply.endpoints.ipv6.file | string | Output field reply.endpoints.ipv6.file |
| reply.endpoints.public_ip | string | Output field reply.endpoints.public_ip |
| reply.endpoints.users | array | Output field reply.endpoints.users |
| reply.endpoints.domain | string | Output field reply.endpoints.domain |
| reply.endpoints.alias | string | Output field reply.endpoints.alias |
| reply.endpoints.first_seen | number | Output field reply.endpoints.first_seen |
| reply.endpoints.last_seen | number | Output field reply.endpoints.last_seen |
| reply.endpoints.content_version | string | Response content |
| reply.endpoints.installation_package | string | Output field reply.endpoints.installation_package |

##### Output Example

```json
{"reply": {"total_count": 123, "result_count": 123, "endpoints": [{}]}}
```

### Get All Endpoints

Retrieve a comprehensive list of all endpoints from Palo Alto Networks Cortex XDR without requiring additional parameters.

**Endpoint URL:** `/public_api/v1/endpoints/get_endpoints/`

**Method:** POST

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| reply | array | Output field reply |
| reply.agent_id | string | Unique identifier |
| reply.agent_status | string | Status value |
| reply.host_name | string | Name of the resource |
| reply.agent_type | string | Type of the resource |
| reply.endpointTags | string | Output field reply.endpointTags |
| reply.ip | string | Output field reply.ip |
| reply.last_seen | number | Output field reply.last_seen |
| reply.tags | object | Output field reply.tags |
| reply.tags.server_tags | array | Output field reply.tags.server_tags |
| reply.tags.server_tags.file.name | string | Name of the resource |
| reply.tags.server_tags.file | string | Output field reply.tags.server_tags.file |
| reply.tags.endpoint_tags | array | Output field reply.tags.endpoint_tags |
| reply.tags.endpoint_tags.file.name | string | Name of the resource |
| reply.tags.endpoint_tags.file | string | Output field reply.tags.endpoint_tags.file |
| reply.users | string | Output field reply.users |

##### Output Example

```json
{"reply": [{"agent_id": "string", "agent_status": "active", "host_name": "example_name", "agent_type": "string", "endpointTags": "string", "ip": "string", "last_seen": 123, "tags": {}, "users": "string"}]}
```

### Get Incident Extra Data

Retrieve additional data, alerts, and artifacts for a specified incident in Palo Alto Networks Cortex XDR using the `request_data` parameter.

**Endpoint URL:** `/public_api/v1/incidents/get_incident_extra_data/`

**Method:** POST

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| request_data | object | optional | Response data |
| request_data.incident_id | string | required | Response data |
| request_data.alerts_limit | number | required | Response data |

##### Input Example

```json
{"request_data": {"incident_id": "string", "alerts_limit": 123}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| reply | object | Output field reply |
| reply.incident | object | Unique identifier |
| reply.incident.incident_id | string | Unique identifier |
| reply.incident.incident_name | string | Unique identifier |
| reply.incident.creation_time | number | Unique identifier |
| reply.incident.modification_time | number | Unique identifier |
| reply.incident.detection_time | object | Unique identifier |
| reply.incident.status | string | Unique identifier |
| reply.incident.severity | string | Unique identifier |
| reply.incident.description | string | Unique identifier |
| reply.incident.assigned_user_mail | object | Unique identifier |
| reply.incident.assigned_user_pretty_name | object | Unique identifier |
| reply.incident.alert_count | number | Unique identifier |
| reply.incident.low_severity_alert_count | number | Unique identifier |
| reply.incident.med_severity_alert_count | number | Unique identifier |
| reply.incident.high_severity_alert_count | number | Unique identifier |
| reply.incident.critical_severity_alert_count | number | Unique identifier |
| reply.incident.user_count | number | Unique identifier |
| reply.incident.host_count | number | Unique identifier |
| reply.incident.notes | object | Unique identifier |
| reply.incident.resolve_comment | object | Unique identifier |
| reply.incident.manual_severity | object | Unique identifier |
| reply.incident.manual_description | object | Unique identifier |

##### Output Example

The example is cut off in the source after the `network_artifacts` object:

```json
{"reply": {"incident": {"incident_id": "string", "incident_name": "example_name", "creation_time": 123, "modification_time": 123, "detection_time": {}, "status": "active", "severity": "string", "description": "string", "assigned_user_mail": {}, "assigned_user_pretty_name": {}, "alert_count": 123, "low_severity_alert_count": 123, "med_severity_alert_count": 123, "high_severity_alert_count": 123, "critical_severity_alert_count": 123}, "alerts": {"total_count": 123, "data": []}, "network_artifacts": {"total_count": 123, "data": []}, "file
```

### Get Incidents

Obtain a filtered list of incidents from Palo Alto Networks Cortex XDR using specific criteria such as incident IDs, modification time, or creation time.

**Endpoint URL:** `/public_api/v1/incidents/get_incidents/`

**Method:** POST

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| request_data | object | optional | Response data |
| request_data.filters | array | optional | Response data |
| request_data.filters.field | string | optional | Response data |
| request_data.filters.operator | string | optional | Response data |
| request_data.filters.value | array | optional | Response data |
| request_data.search_from | number | optional | Response data |
| request_data.search_to | number | optional | Response data |
| request_data.sort | object | optional | Response data |
| request_data.sort.field | string | optional | Response data |
| request_data.sort.keyword | string | optional | Response data |

##### Input Example

```json
{"request_data": {"filters": [{"field": "string", "operator": "string", "value": ["string"]}], "search_from": 123, "search_to": 123, "sort": {"field": "string", "keyword": "string"}}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| reply | object | Output field reply |
| reply.total_count | number | Count value |
| reply.result_count | number | Result of the operation |
| reply.incidents | array | Unique identifier |
| reply.incidents.incident_id | string | Unique identifier |
| reply.incidents.incident_name | string | Unique identifier |
| reply.incidents.creation_time | number | Unique identifier |
| reply.incidents.modification_time | number | Unique identifier |
| reply.incidents.detection_time | object | Unique identifier |
| reply.incidents.status | string | Unique identifier |
| reply.incidents.severity | string | Unique identifier |
| reply.incidents.description | string | Unique identifier |
| reply.incidents.assigned_user_mail | object | Unique identifier |
| reply.incidents.assigned_user_pretty_name | object | Unique identifier |
| reply.incidents.alert_count | number | Unique identifier |
| reply.incidents.low_severity_alert_count | number | Unique identifier |
| reply.incidents.med_severity_alert_count | number | Unique identifier |
| reply.incidents.high_severity_alert_count | number | Unique identifier |
| reply.incidents.critical_severity_alert_count | number | Unique identifier |
| reply.incidents.user_count | number | Unique identifier |
| reply.incidents.host_count | number | Unique identifier |
| reply.incidents.notes | object | Unique identifier |
| reply.incidents.resolve_comment | object | Unique identifier |

##### Output Example

```json
{"reply": {"total_count": 123, "result_count": 123, "incidents": [{}]}}
```

### Isolate Endpoints

Isolates up to 1000 endpoints in a single request on the Palo Alto Networks Cortex XDR platform, requiring `request_data`.

**Endpoint URL:** `/public_api/v1/endpoints/isolate`

**Method:** POST

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| request_data | object | optional | A dictionary containing the API request fields |
| request_data.filters | array | required | Array of filtered fields for isolating a number of endpoints at once. Only required if isolating more than one endpoint. |
| request_data.filters.field | string | required | Identifies a list the filters match. Filters are based on the `endpoint_id_list` keywords. |
| request_data.filters.operator | string | required | Identifies the comparison operator you want to use for this filter. Valid keywords and values. |
| request_data.filters.value | array | required | Value that this filter must match. |
| request_data.incident_id | string | optional | The incident ID. When included in the request, the Isolate Endpoints action will appear in the Cortex XDR Incident View Timeline tab. |

##### Input Example

```json
{"json_body": {"request_data": {"filters": [{"field": "endpoint_id_list", "operator": "in", "value": ["id1 123ab", "id2 123bc"]}], "incident_id": "123a"}}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| reply | object | Output field reply |
| reply.action_id | string | Unique identifier |
| reply.status | string | Status value |
| reply.endpoints_count | string | Count value |

##### Output Example

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"reply": {"action_id": "<action_id>", "status": "1", "endpoints_count": "673"}}}
```

### Retrieve PCAP Packet

Retrieves PCAP packets linked to specific alert IDs from Palo Alto Networks NGFW, utilizing the Get Alerts and Get Extra Incident Data API.

**Endpoint URL:** `/public_api/v1/alerts/get_alerts_pcap/`

**Method:** POST

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| request_data | object | optional | Response data |
| request_data.filters | array | optional | Response data |
| request_data.filters.field | string | optional | Response data |
| request_data.filters.operator | string | optional | Response data |
| request_data.filters.value | array | optional | Response data |
| request_data.search_from | number | optional | Response data |
| request_data.search_to | number | optional | Response data |
| request_data.sort | object | optional | Response data |
| request_data.sort.field | string | optional | Response data |
| request_data.sort.keyword | string | optional | Response data |

##### Input Example

```json
{"request_data": {"filters": [{"field": "string", "operator": "string", "value": ["string"]}], "search_from": 123, "search_to": 123, "sort": {"field": "string", "keyword": "string"}}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| reply | array | Output field reply |
| reply.id | number | Unique identifier |
| reply.pcap_data | string | Response data |

##### Output Example

```json
{"reply": [{"id": 123, "pcap_data": "string"}]}
```

### Get Policy

Retrieves the policy name for a specific endpoint in Palo Alto Networks Cortex XDR using the provided request data.

**Endpoint URL:** `/public_api/v1/endpoints/get_policy/`

**Method:** POST

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| request_data | object | optional | Response data |
| request_data.endpoint_id | string | required | Response data |

##### Input Example

```json
{"request_data": {"endpoint_id": "string"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| reply | object | Output field reply |
| reply.policy_name | string | Name of the resource |

##### Output Example

```json
{"reply": {"policy_name": "example_name"}}
```

### Restore File

Restores a quarantined file on specified endpoints within Palo Alto Networks Cortex XDR using the provided request data.

**Endpoint URL:** `/public_api/v1/endpoints/restore`

**Method:** POST

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| request_data | object | optional | Response data |
| request_data.file_hash | string | required | Response data |
| request_data.incident_id | number | optional | Response data |

##### Input Example

```json
{"json_body": {"request_data": {"file_hash": "<hash_value>", "incident_id": 302}}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| reply | object | Output field reply |
| reply.action_id | string | Unique identifier |
| reply.status | number | Status value |
| reply.endpoints_count | string | Count value |

##### Output Example

```json
{"json_body": {"reply": {"action_id": "<action_id>", "status": 1, "endpoints_count": "673"}}}
```

### Get Scripts

Retrieve all scripts from the Palo Alto Networks Cortex XDR library using provided request data.

**Endpoint URL:** `/public_api/v1/scripts/get_scripts/`

**Method:** POST

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| request_data | object | optional | Response data |
| request_data.filters | array | optional | Response data |
| request_data.filters.field | string | optional | Response data |
| request_data.filters.operator | string | optional | Response data |
| request_data.filters.value | array | optional | Response data |

##### Input Example

```json
{"request_data": {"filters": [{"field": "string", "operator": "string", "value": ["string"]}]}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| reply | object | Output field reply |
| reply.total_count | number | Count value |
| reply.result_count | number | Result of the operation |
| reply.scripts | array | Output field reply.scripts |
| reply.scripts.script_id | string | Unique identifier |
| reply.scripts.name | string | Name of the resource |
| reply.scripts.description | string | Output field reply.scripts.description |
| reply.scripts.modification_date | number | Date value |
| reply.scripts.created_by | string | Output field reply.scripts.created_by |
| reply.scripts.is_high_risk | boolean | Output field reply.scripts.is_high_risk |
| reply.scripts.windows_supported | boolean | Output field reply.scripts.windows_supported |
| reply.scripts.linux_supported | boolean | Output field reply.scripts.linux_supported |
| reply.scripts.macos_supported | boolean | Output field reply.scripts.macos_supported |
| reply.scripts.script_uid | string | Unique identifier |

##### Output Example

```json
{"reply": {"total_count": 123, "result_count": 123, "scripts": [{}]}}
```

### Get Script Code

Retrieves the source code of a specified script from the Palo Alto Networks Cortex XDR library using request data.

**Endpoint URL:** `/public_api/v1/scripts/get_script_code/`

**Method:** POST

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| request_data | object | optional | Response data |
| request_data.script_uid | string | required | Response data |

##### Input Example

```json
{"request_data": {"script_uid": "string"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| reply | string | Output field reply |

##### Output Example

```json
{"reply": "string"}
```

### Get Script Metadata

Retrieve full definitions of a specific script from the Palo Alto Networks Cortex XDR scripts library using provided request data.

**Endpoint URL:** `/public_api/v1/scripts/get_script_metadata/`

**Method:** POST

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| request_data | object | optional | Response data |
| request_data.script_uid | string | optional | Response data |

##### Input Example

```json
{"request_data": {"script_uid": "string"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| reply | object | Output field reply |
| reply.script_id | string | Unique identifier |
| reply.name | string | Name of the resource |
| reply.description | string | Output field reply.description |
| reply.modification_date | number | Date value |
| reply.created_by | string | Output field reply.created_by |
| reply.is_high_risk | boolean | Output field reply.is_high_risk |
| reply.windows_supported | boolean | Output field reply.windows_supported |
| reply.linux_supported | boolean | Output field reply.linux_supported |
| reply.macos_supported | boolean | Output field reply.macos_supported |
| reply.script_uid | string | Unique identifier |
| reply.entry_point | string | Output field reply.entry_point |
| reply.script_input | array | Input data for the action |
| reply.script_input.name | string | Input data for the action |
| reply.script_input.type | string | Input data for the action |
| reply.script_input.friendly_name | string | Input data for the action |
| reply.script_output_type | string | Type of the resource |
| reply.script_output_dictionary_definitions | array | Output field reply.script_output_dictionary_definitions |
| reply.script_output_dictionary_definitions.friendly_name | string | Name of the resource |
| reply.script_output_dictionary_definitions.name | string | Name of the resource |
| reply.script_output_dictionary_definitions.type | string | Type of the resource |

##### Output Example

```json
{"reply": {"script_id": "string", "name": "example_name", "description": "string", "modification_date": 123, "created_by": "string", "is_high_risk": true, "windows_supported": true, "linux_supported": true, "macos_supported": true, "script_uid": "string", "entry_point": "string", "script_input": [{}], "script_output_type": "string", "script_output_dictionary_definitions": [{}]}}
```

### Unisolate Endpoints

Reverses the isolation of up to 1000 endpoints per request in Palo Alto Networks Cortex XDR using specified request data.

**Endpoint URL:** `/public_api/v1/endpoints/unisolate`

**Method:** POST

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| request_data | object | optional | A dictionary containing the API request fields |
| request_data.filters | array | required | An array of filter fields for unisolating a number of endpoints at once. This field is only required if unisolating more than one endpoint. |
| request_data.filters.field | string | required | String that identifies a list the filters match. Filters are based on the `endpoint_id_list` keywords. |
| request_data.filters.operator | string | required | String that identifies the comparison operator you want to use for this filter. Valid keywords and values. |
| request_data.filters.value | array | required | Value that this filter must match. Valid keywords. |
| request_data.incident_id | string | optional | Response data |

##### Input Example

```json
{"json_body": {"request_data": {"filters": [{"field": "endpoint_id_list", "operator": "in", "value": ["id1 123ab", "id2 123bc"]}], "incident_id": "123a"}}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| reply | object | Output field reply |
| reply.action_id | string | Unique identifier |
| reply.status | string | Status value |
| reply.endpoints_count | string | Count value |

##### Output Example

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"reply": {"action_id": "<action_id>", "status": "1", "endpoints_count": "673"}}}
```

### Get Violations

Retrieves up to 100 device control violations from Palo Alto Networks Cortex XDR, filtered by fields in the request data.

**Endpoint URL:** `/public_api/v1/device_control/get_violations/`

**Method:** POST

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| request_data | object | optional | Response data |
| request_data.filters | array | optional | Response data |
| request_data.filters.field | string | optional | Response data |
| request_data.filters.operator | string | optional | Response data |
| request_data.filters.value | array | optional | Response data |
| request_data.search_to | number | optional | Response data |

##### Input Example

```json
{"request_data": {"filters": [{"field": "string", "operator": "string", "value": ["string"]}], "search_to": 123}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| reply | object | Output field reply |
| reply.total_count | number | Count value |
| reply.result_count | number | Result of the operation |
| reply.violations | array | Output field reply.violations |
| reply.violations.hostname | string | Name of the resource |
| reply.violations.username | string | Name of the resource |
| reply.violations.ip | string | Output field reply.violations.ip |
| reply.violations.timestamp | number | Output field reply.violations.timestamp |
| reply.violations.violation_id | number | Unique identifier |
| reply.violations.type | string | Type of the resource |
| reply.violations.vendor_id | string | Unique identifier |
| reply.violations.vendor | string | Output field reply.violations.vendor |
| reply.violations.product_id | string | Unique identifier |
| reply.violations.product | string | Output field reply.violations.product |
| reply.violations.serial | string | Output field reply.violations.serial |
| reply.violations.endpoint_id | string | Unique identifier |

##### Output Example

```json
{"reply": {"total_count": 123, "result_count": 123, "violations": [{}]}}
```

### Get XQL Query Results

Retrieve results of a prior XQL query in Palo Alto Networks Cortex XDR using a specific query ID and request data.

**Endpoint URL:** `/public_api/v1/xql/get_query_results/`

**Method:** POST

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| request_data | object | optional | Response data |
| request_data.query_id | string | optional | Response data |
| request_data.pending_flag | boolean | optional | Response data |
| request_data.limit | number | optional | Response data |
| request_data.format | string | optional | Response data |

##### Input Example

```json
{"request_data": {"query_id": "string", "pending_flag": true, "limit": 123, "format": "string"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| reply | object | Output field reply |
| reply.status | string | Status value |
| reply.number_of_results | number | Result of the operation |
| reply.query_cost | object | Output field reply.query_cost |
| reply.query_cost.tenant_id_1 | number | Unique identifier |
| reply.remaining_quota | number | Output field reply.remaining_quota |
| reply.results | object | Result of the operation |
| reply.results.data | array | Response data |
| reply.results.data.event_id | string | Response data |
| reply.results.data.vendor | string | Response data |
| reply.results.data.product | string | Response data |
| reply.results.data.insert_timestamp | number | Response data |
| reply.results.data._time | number | Response data |
| reply.results.data.event_type | string | Response data |
| reply.results.data.event_sub_type | string | Response data |

##### Output Example

```json
{"reply": {"status": "active", "number_of_results": 123, "query_cost": {"tenant_id_1": 123}, "remaining_quota": 123, "results": {"data": []}}}
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Cache-Control | Directives for caching mechanisms | |
| Connection | HTTP response header Connection | |
| Content-Encoding | HTTP response header Content-Encoding | |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Thu, 01 Jan 2024 00:00:00 GMT |
| RateLimit-Limit | HTTP response header RateLimit-Limit | |
| RateLimit-Remaining | HTTP response header RateLimit-Remaining | |
| RateLimit-Reset | HTTP response header RateLimit-Reset | |
| Strict-Transport-Security | HTTP response header Strict-Transport-Security | |
| Transfer-Encoding | HTTP response header Transfer-Encoding | |
| Vary | HTTP response header Vary | |
| X-Content-Type-Options | HTTP response header X-Content-Type-Options | |
| X-Frame-Options | HTTP response header X-Frame-Options | |
| X-RateLimit-Limit-1800 | HTTP response header X-RateLimit-Limit-1800 | |
| X-RateLimit-Limit-Minute | HTTP response header X-RateLimit-Limit-Minute | |
| X-RateLimit-Limit-Second | HTTP response header X-RateLimit-Limit-Second | |
| X-RateLimit-Remaining-1800 | HTTP response header X-RateLimit-Remaining-1800 | |
| X-RateLimit-Remaining-Minute | HTTP response header X-RateLimit-Remaining-Minute | |
| X-RateLimit-Remaining-Second | HTTP response header X-RateLimit-Remaining-Second | |
| X-XSS-Protection | HTTP response header X-XSS-Protection | |
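The following is an added example, not code from the Swimlane connector or from Palo Alto Networks. It models how requests to the actions documented above are assembled: a POST to `<url>/public_api/v1/<endpoint>/` with the body wrapped in `request_data`, authenticated with the `token` and `x-xdr-auth-id` values from the connector configuration, plus the Get Alerts conversion rule from the Notes (`creation_time` / `server_creation_time` values arrive as a list of strings and only the first element, as an integer, is sent), paging with `search_from` / `search_to`, and a reader for the `X-RateLimit-Remaining-*` response headers listed at the end of the page. Assumptions: the header names `Authorization` and `x-xdr-auth-id` follow Palo Alto's standard API key scheme (an advanced key, which needs a nonce/timestamp hash, is not handled); `search_to` is treated as exclusive; the sort values `creation_time` / `desc` are illustrative. Nothing here touches the network, so the returned request descriptions can be inspected and tested offline.

```python
"""Added example: building Cortex XDR public API requests offline (not the
connector's or Palo Alto's code; see the lead-in for the assumptions)."""
from __future__ import annotations

import copy
from typing import Any, Iterator

# Get Alerts filters whose value the connector rewrites before sending (Notes).
INTEGER_VALUE_FILTERS = frozenset({"creation_time", "server_creation_time"})

# Remaining-quota headers listed on the page. Assumption: the smallest of them
# is the binding limit for the next request.
RATE_LIMIT_REMAINING_HEADERS = (
    "X-RateLimit-Remaining-Second",
    "X-RateLimit-Remaining-Minute",
    "X-RateLimit-Remaining-1800",
)


def build_headers(token: str, api_key_id: str) -> dict[str, str]:
    """Standard API key headers (assumption: standard, not advanced, key type)."""
    return {
        "Authorization": token,
        "x-xdr-auth-id": str(api_key_id),
        "Content-Type": "application/json",
    }


def normalize_alert_filters(filters: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Apply the Get Alerts rule: for creation_time and server_creation_time the
    value must be a non-empty list of strings and only its first element, parsed
    as an int, is sent. Other filters pass through unchanged. Malformed input
    raises here rather than producing a request the API would reject."""
    normalized = []
    for flt in filters:
        flt = copy.deepcopy(flt)
        if flt.get("field") in INTEGER_VALUE_FILTERS:
            value = flt.get("value")
            if not isinstance(value, list) or not value:
                raise ValueError(f"{flt['field']}: value must be a non-empty list of strings")
            try:
                flt["value"] = int(value[0])
            except (TypeError, ValueError) as exc:
                raise ValueError(
                    f"{flt['field']}: {value[0]!r} is not an integer timestamp"
                ) from exc
        normalized.append(flt)
    return normalized


def build_request(base_url: str, endpoint: str, request_data: dict[str, Any],
                  token: str, api_key_id: str) -> dict[str, Any]:
    """Describe one API call (method, URL, headers, JSON body) without sending it."""
    return {
        "method": "POST",
        "url": f"{base_url.rstrip('/')}/public_api/v1/{endpoint.strip('/')}/",
        "headers": build_headers(token, api_key_id),
        "json": {"request_data": request_data},
    }


def get_alerts_page_requests(base_url: str, token: str, api_key_id: str,
                             filters: list[dict[str, Any]], total: int,
                             page_size: int) -> Iterator[dict[str, Any]]:
    """Yield one Get Alerts request per search_from/search_to window so that
    the windows do not overlap (search_to treated as exclusive, an assumption)."""
    fixed = normalize_alert_filters(filters)
    for search_from in range(0, total, page_size):
        request_data = {
            "filters": fixed,
            "search_from": search_from,
            "search_to": min(search_from + page_size, total),
            # Illustrative sort; the page only documents the field/keyword shape.
            "sort": {"field": "creation_time", "keyword": "desc"},
        }
        yield build_request(base_url, "alerts/get_alerts_multi_events",
                            request_data, token, api_key_id)


def rate_limit_headroom(headers: dict[str, str]) -> int | None:
    """Smallest remaining-quota value among the X-RateLimit-Remaining-* headers,
    matched case-insensitively; None when none of them is present."""
    lowered = {k.lower(): str(v).strip() for k, v in headers.items()}
    values = []
    for name in RATE_LIMIT_REMAINING_HEADERS:
        raw = lowered.get(name.lower())
        if raw is not None and raw.lstrip("-").isdigit():
            values.append(int(raw))
    return min(values) if values else None


if __name__ == "__main__":
    # Constructed sample: one filter of the kind the Notes describe.
    sample_filters = [{"field": "creation_time", "operator": "lte", "value": ["0"]}]
    for page in get_alerts_page_requests("https://api-example.xdr.example.com",
                                         "<token>", "<key id>", sample_filters,
                                         total=250, page_size=100):
        print(page["url"], page["json"]["request_data"])
```

A playbook step would pause when `rate_limit_headroom()` reports zero for the previous response before issuing the next page, instead of discovering the limit through a rejected request.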
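A second added example, again not the connector's or Palo Alto's code, covers the containment path formed by the Isolate Endpoints, Unisolate Endpoints and Get Action Status actions. Both isolation actions accept at most 1000 endpoints per request, so a larger set is split into batches that each use the `endpoint_id_list` / `in` filter from the page's input example and carry the same `incident_id` so the action appears in the incident's timeline. Get Action Status returns `reply.data` as a map of agent ID to status string; `summarize_action_status()` groups that map so a playbook can tell finished from pending work. Assumptions: the `action_id` from the isolate reply is what is passed as `group_action_id` (the page documents both names but not the link); the status strings in the sample data are constructed for the demo and are not an authoritative list.

```python
"""Added example: batching Isolate/Unisolate Endpoints requests and reading
Get Action Status replies (not the connector's or Palo Alto's code)."""
from __future__ import annotations

from typing import Any, Iterable

MAX_ENDPOINTS_PER_REQUEST = 1000  # documented limit for isolate and unisolate

# Constructed sample states for the demo; real statuses are treated as opaque.
PENDING_STATES = frozenset({"PENDING", "IN_PROGRESS"})


def isolation_requests(endpoint_ids: Iterable[str], incident_id: str | None = None,
                       max_per_request: int = MAX_ENDPOINTS_PER_REQUEST,
                       action: str = "isolate") -> list[dict[str, Any]]:
    """Return one request per batch needed to (un)isolate every endpoint ID,
    deduplicated in first-seen order and never more than max_per_request per
    body. The list filter works for a single endpoint as well."""
    if action not in ("isolate", "unisolate"):
        raise ValueError("action must be 'isolate' or 'unisolate'")
    if not 1 <= max_per_request <= MAX_ENDPOINTS_PER_REQUEST:
        raise ValueError(f"max_per_request must be within 1..{MAX_ENDPOINTS_PER_REQUEST}")
    ids = list(dict.fromkeys(str(e) for e in endpoint_ids))
    if not ids:
        raise ValueError("no endpoint ids supplied")
    requests = []
    for start in range(0, len(ids), max_per_request):
        request_data: dict[str, Any] = {
            "filters": [{"field": "endpoint_id_list", "operator": "in",
                         "value": ids[start:start + max_per_request]}]
        }
        if incident_id is not None:
            request_data["incident_id"] = str(incident_id)
        requests.append({"endpoint": f"endpoints/{action}",
                         "json": {"request_data": request_data}})
    return requests


def action_status_request(action_id: str) -> dict[str, Any]:
    """Body for Get Action Status; action_id comes from the isolate reply
    (assumption: it is the value Get Action Status calls group_action_id)."""
    return {"request_data": {"group_action_id": str(action_id)}}


def summarize_action_status(reply_json: dict[str, Any]) -> dict[str, Any]:
    """Group reply.data (agent id -> status) by status and report whether every
    agent has left the pending states, so a playbook knows when to stop polling."""
    data = reply_json.get("reply", {}).get("data") or {}
    by_status: dict[str, list[str]] = {}
    for agent_id, status in data.items():
        by_status.setdefault(str(status), []).append(str(agent_id))
    for agents in by_status.values():
        agents.sort()
    settled = all(status not in PENDING_STATES for status in by_status)
    return {"total": len(data), "by_status": by_status, "settled": settled}


# Constructed sample: 2,500 endpoint IDs tied to incident "123a" (the incident
# id from the page's example) and a Get Action Status reply for three agents.
SAMPLE_ENDPOINT_IDS = [f"ep-{i:04d}" for i in range(2500)]
SAMPLE_STATUS_REPLY = {
    "reply": {"data": {"ep-0000": "COMPLETED_SUCCESSFULLY",
                       "ep-0001": "PENDING",
                       "ep-0002": "FAILED"}}
}

if __name__ == "__main__":
    for batch in isolation_requests(SAMPLE_ENDPOINT_IDS, incident_id="123a"):
        print(batch["endpoint"], len(batch["json"]["request_data"]["filters"][0]["value"]))
    print(summarize_action_status(SAMPLE_STATUS_REPLY))
```

Each batch yields its own `action_id`, so a playbook keeps one status poll per batch and treats the containment as complete only when every summary reports `settled` with no `FAILED` agents left to retry or escalate.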