Palo Alto Networks Cortex XSOAR

the palo alto networks cortex xsoar connector allows for streamlined incident management and automated security workflows palo alto networks cortex xsoar is a comprehensive security orchestration, automation, and response platform that enables security teams to manage incidents efficiently this connector allows swimlane turbine users to create or update incidents and perform detailed searches within cortex xsoar directly from the swimlane platform by integrating with cortex xsoar, users can automate incident response workflows, streamline investigations, and leverage rich telemetry to enhance their security posture the connector's actions are designed to facilitate rapid incident management and response, ensuring that security teams can act swiftly to mitigate threats prerequisites to effectively utilize the palo alto networks cortex xsoar connector with swimlane turbine, ensure you have the following cortex custom authentication with the following parameters fqdn the fully qualified domain name of your cortex xsoar instance api key your unique authentication key for accessing the cortex xsoar api api key id the identifier associated with your api key capabilities this connector provides the following capabilities create or update incident search incidents notes get your cortex xsoar api key in cortex xsoar, navigate to settings & info > settings > integrations > api keys select + new key choose the type of api key you want to generate based on your desired security level advanced or standard the advanced api key hashes the key using a nonce, a random string, and a timestamp to prevent replay attacks curl does not support this but is suitable with scripts use the example script to create the advanced api authentication token if you want to define a time limit on the api key authentication, mark enable expiration date and select the expiration date and time navigate to settings & info > settings > integrations > api keys to track the expiration time field for each api key in addition, cortex xsoar displays an api key expiration notification in the notification center one week and one day prior to the defined expiration date provide a comment that describes the purpose for the api key, if desired select the desired level of access for this key you can select from the list of existing roles , or you can select custom to set the permissions on a more granular level roles are available according what was defined in the cortex gateway as described in https //docs cortex paloaltonetworks com/r/cortex xsoar/8/cortex xsoar administrator guide/manage roles in the cortex xsoar 8 administrator’s guide save the api key copy the api key, and then click done this value represents your unique api key in asset get your cortex xsoar api key id in the api keys table, locate the id field note your corresponding id number this value represents the api key id in asset get your fqdn select your api key and click copy url documentation https //cortex panw\ stoplight io/docs/cortex xsoar 8/m0qlgh9inh4vk create or update an incident configurations palo alto cortex xsoar authentication palo alto cortex xsoar authenticates using api key and api key id configuration parameters parameter description type required fqdn the fqdn is a unique host and domain name associated with each tenant string required api key the api key is your unique identifier string required api key id the api key id is your unique token used to authenticate the api key string required verify ssl verify ssl certificate boolean optional http proxy a proxy to route requests through string optional actions create or update incident create or update an incident in palo alto networks cortex xsoar with specified json body details endpoint url incident method post input argument name type required description closenotes string optional notes for closing the incident closereason string optional the reason for closing the incident (select from existing predefined values) closed string optional when was this closed createinvestigation boolean optional parameter for create or update incident details string optional the details of the incident reason, etc labels array optional labels related to incident each label is composed of a type and value labels type string optional type of the resource labels value string optional value for the parameter modified string optional parameter for create or update incident name string optional incident name given by user playbookid string optional the associated playbook for this incident rawjson string optional parameter for create or update incident reason string optional the reason an incident was closed severity number optional severity is the incident severity has to be >= 0 and <= 4 sla number optional slastate is the incident sla at closure time, in minutes status number optional incidentstatus is the status of the incident has to be >= 0 and <= 2 type string optional incident type input example {"json body" {"closenotes" "string","closereason" "string","closed" "2019 08 24t14 15 22z","createinvestigation"\ true,"details" "string","labels" \[{"type" "string","value" "string"}],"modified" "2019 08 24t14 15 22z","name" "string","playbookid" "string","rawjson" "string","reason" "string","severity" 2,"sla" 0,"status" 2,"type" "unclassified"}} output parameter type description status code number http status code of the response reason string response reason phrase shardid number unique identifier account string count value activated string output field activated activatinginguserid string unique identifier allread boolean output field allread allreadwrite boolean output field allreadwrite attachment array output field attachment attachment file name string name of the resource attachment file string output field attachment file autime number time value cacheversn number output field cacheversn canvases array output field canvases category string output field category changestatus string status value closenotes string output field closenotes closereason string response reason phrase closed string output field closed closinguserid string unique identifier created string output field created dbotcreatedby string output field dbotcreatedby dbotcurrentdirtyfields array output field dbotcurrentdirtyfields dbotdirtyfields array output field dbotdirtyfields dbotmirrordirection string output field dbotmirrordirection output example {"status code" 200,"response headers" {},"reason" "ok","json body" {"shardid" 9007199254740991,"account" "string","activated" "2019 08 24t14 15 22z","activatinginguserid" "string","allread"\ true,"allreadwrite"\ true,"attachment" \[],"autime" 9007199254740991,"cacheversn" 9007199254740991,"canvases" \["string"],"category" "string","changestatus" "string","closenotes" "string","closereason" "string","closed" "2019 08 24t14 15 22z"}} search incidents performs a comprehensive search for incidents in palo alto networks cortex xsoar, with support for filtering by multiple criteria endpoint url incidents/search method post input argument name type required description filter object optional parameter for search incidents filter andop boolean optional parameter for search incidents filter category array optional parameter for search incidents filter details string optional parameter for search incidents filter fields array optional parameter for search incidents filter files array optional parameter for search incidents filter fromdate string optional date value filter id array optional unique identifier filter investigation array optional parameter for search incidents filter level array optional parameter for search incidents filter name array optional name of the resource filter notinvestigation array optional parameter for search incidents filter page number optional parameter for search incidents filter period object optional period holds the 'period' query, such as last 3 days, last 6 hours, between 6 days from now until 3 days from now filter period by string optional parameter for search incidents filter period byfrom string optional parameter for search incidents filter period byto string optional parameter for search incidents filter period field string optional parameter for search incidents filter period fromvalue string optional value for the parameter filter period tovalue string optional value for the parameter filter query string optional parameter for search incidents filter reason array optional response reason phrase filter size number optional parameter for search incidents filter sort array optional parameter for search incidents filter sort asc boolean optional parameter for search incidents input example {"json body" {"filter" {"andop"\ true,"category" \["string"],"details" "string","fields" \["string"],"files" \["string"],"fromdate" "2019 08 24t14 15 22z","id" \["string"],"investigation" \["string"],"level" \[2],"name" \["string"],"notinvestigation" \["string"],"page" 0,"period" {"by" "string","byfrom" "string","byto" "string","field" "string","fromvalue" "string","tovalue" "string"},"query" "string","reason" \["string"],"size" 25,"sort" \[{"asc"\ true,"field" "string","fieldtype" "string"}],"status" \[2],"timeframe" 0,"todate" "2019 08 24t14 15 22z","type" \["string"],"urls" \["string"]}}} output parameter type description status code number http status code of the response reason string response reason phrase data array response data data account string response data data activated string response data data activatinginguserid string response data data allread boolean response data data allreadwrite boolean response data data attachment array response data data attachment description string response data data attachment istemppath boolean response data data attachment name string response data data attachment path string response data data attachment showmediafile boolean response data data attachment type string response data data autime number response data data cacheversn number response data data canvases array response data data category string response data data closenotes string response data data closereason string response data data closed string response data data closinguserid string response data data created string response data data dbotcreatedby string response data output example {"status code" 200,"response headers" {},"reason" "ok","json body" {"data" \[{}],"total" 0}} response headers header description example content type the media type of the resource application/json date the date and time at which the message was originated thu, 01 jan 2024 00 00 00 gmt