Palo Alto Networks Cortex XSOAR
The Palo Alto Networks Cortex XSOAR connector allows for streamlined incident management and automated security workflows. Palo Alto Networks Cortex XSOAR is a comprehensive security orchestration, automation, and response platform that enables security teams to manage incidents efficiently. This connector allows Swimlane Turbine users to create or update incidents and perform detailed searches within Cortex XSOAR directly from the Swimlane platform. By integrating with Cortex XSOAR, users can automate incident response workflows, streamline investigations, and leverage rich telemetry to enhance their security posture. The connector's actions are designed to facilitate rapid incident management and response, ensuring that security teams can act swiftly to mitigate threats.

## Prerequisites

To effectively utilize the Palo Alto Networks Cortex XSOAR connector with Swimlane Turbine, ensure you have the following:

Cortex custom authentication with the following parameters:

- FQDN: the fully qualified domain name of your Cortex XSOAR instance
- API Key: your unique authentication key for accessing the Cortex XSOAR API
- API Key ID: the identifier associated with your API Key

## Capabilities

This connector provides the following capabilities:

- Create or Update Incident
- Search Incidents

### Get your Cortex XSOAR API Key ID

In the API Keys table, locate the ID field and note your corresponding ID number. This value represents the API Key ID in the asset.

### Get your FQDN

Select your API key and click Copy URL.

## Documentation

Cortex XSOAR 8 API documentation (Create or update an incident): https://cortex-panw.stoplight.io/docs/cortex-xsoar-8/m0qlgh9inh4vk

## Configurations

### Palo Alto Cortex XSOAR Authentication

Palo Alto Cortex XSOAR authenticates using an API Key and an API Key ID.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| FQDN | The FQDN is a unique host and domain name associated with each tenant | string | required |
| API Key | The API Key is your unique identifier | string | required |
| API Key ID | The API Key ID is your unique token used to authenticate the API Key | string | required |
| Verify SSL | Verify SSL certificate | boolean | optional |
| HTTP Proxy | A proxy to route requests through | string | optional |

## Actions

### Create or Update Incident

Create or update an incident in Palo Alto Networks Cortex XSOAR with the specified JSON body details.

Endpoint URL: `incident`

Method: POST

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| closeNotes | string | optional | Notes for closing the incident |
| closeReason | string | optional | The reason for closing the incident (select from existing predefined values) |
| closed | string | optional | When this was closed |
| createInvestigation | boolean | optional | Parameter for Create or Update Incident |
| details | string | optional | The details of the incident (reason, etc.) |
| labels | array | optional | Labels related to the incident; each label is composed of a type and a value |
| type (labels item) | string | optional | Type of the resource |
| value (labels item) | string | optional | Value for the parameter |
| modified | string | optional | Parameter for Create or Update Incident |
| name | string | optional | Incident name given by user |
| playbookId | string | optional | The associated playbook for this incident |
| rawJSON | string | optional | Parameter for Create or Update Incident |
| reason | string | optional | The reason an incident was closed |
| severity | number | optional | Severity is the incident severity; it has to be >= 0 and <= 4 |
| sla | number | optional | SlaState is the incident SLA at closure time, in minutes |
| status | number | optional | IncidentStatus is the status of the incident; it has to be >= 0 and <= 2 |
| type | string | optional | Incident type |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| json_body | object | The incident returned by Cortex XSOAR (fields below) |

Fields of `json_body`:

| Parameter | Type | Description |
| --- | --- | --- |
| ShardID | number | Unique identifier |
| account | string | Count value |
| activated | string | Output field activated |
| activatingingUserId | string | Unique identifier |
| allRead | boolean | Output field allRead |
| allReadWrite | boolean | Output field allReadWrite |
| attachment | array | Output field attachment |
| name (attachment item) | string | Name of the resource |
| file (attachment item) | string | Output field file |
| autime | number | Time value |
| cacheVersn | number | Output field cacheVersn |
| canvases | array | Output field canvases |
| category | string | Output field category |
| changeStatus | string | Status value |
| closeNotes | string | Output field closeNotes |
| closeReason | string | Response reason phrase |
| closed | string | Output field closed |
| closingUserId | string | Unique identifier |
| created | string | Output field created |
| dbotCreatedBy | string | Output field dbotCreatedBy |
| dbotCurrentDirtyFields | array | Output field dbotCurrentDirtyFields |
| dbotDirtyFields | array | Output field dbotDirtyFields |
| dbotMirrorDirection | string | Output field dbotMirrorDirection |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "ShardID": 9007199254740991,
      "account": "string",
      "activated": "2019-08-24T14:15:22Z",
      "activatingingUserId": "string",
      "allRead": true,
      "allReadWrite": true,
      "attachment": [],
      "autime": 9007199254740991,
      "cacheVersn": 9007199254740991,
      "canvases": [],
      "category": "string",
      "changeStatus": "string",
      "closeNotes": "string",
      "closeReason": "string",
      "closed": "2019-08-24T14:15:22Z"
    }
  }
]
```

### Search Incidents

Performs a comprehensive search for incidents in Palo Alto Networks Cortex XSOAR, with support for filtering by multiple criteria.

Endpoint URL: `incidents/search`

Method: POST

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| filter | object | optional | Parameter for Search Incidents (fields below) |

Fields of `filter`:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| andOp | boolean | optional | Parameter for Search Incidents |
| category | array | optional | Parameter for Search Incidents |
| details | string | optional | Parameter for Search Incidents |
| fields | array | optional | Parameter for Search Incidents |
| files | array | optional | Parameter for Search Incidents |
| fromDate | string | optional | Date value |
| id | array | optional | Unique identifier |
| investigation | array | optional | Parameter for Search Incidents |
| level | array | optional | Parameter for Search Incidents |
| name | array | optional | Name of the resource |
| notInvestigation | array | optional | Parameter for Search Incidents |
| page | number | optional | Parameter for Search Incidents |
| period | object | optional | Period holds the 'period' query, such as last 3 days, last 6 hours, or between 6 days from now until 3 days from now |
| by (period) | string | optional | Parameter for Search Incidents |
| byFrom (period) | string | optional | Parameter for Search Incidents |
| byTo (period) | string | optional | Parameter for Search Incidents |
| field (period) | string | optional | Parameter for Search Incidents |
| fromValue (period) | string | optional | Value for the parameter |
| toValue (period) | string | optional | Value for the parameter |
| query | string | optional | Parameter for Search Incidents |
| reason | array | optional | Response reason phrase |
| size | number | optional | Parameter for Search Incidents |
| sort | array | optional | Parameter for Search Incidents |
| asc (sort item) | boolean | optional | Parameter for Search Incidents |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | array | Response data (one entry per incident; fields below) |

Fields of each `data` entry:

| Parameter | Type | Description |
| --- | --- | --- |
| account | string | Count value |
| activated | string | Output field activated |
| activatingingUserId | string | Unique identifier |
| allRead | boolean | Output field allRead |
| allReadWrite | boolean | Output field allReadWrite |
| attachment | array | Output field attachment |
| description (attachment item) | string | Output field description |
| isTempPath (attachment item) | boolean | Output field isTempPath |
| name (attachment item) | string | Name of the resource |
| path (attachment item) | string | Output field path |
| showMediaFile (attachment item) | boolean | Output field showMediaFile |
| type (attachment item) | string | Type of the resource |
| autime | number | Time value |
| cacheVersn | number | Output field cacheVersn |
| canvases | array | Output field canvases |
| category | string | Output field category |
| closeNotes | string | Output field closeNotes |
| closeReason | string | Response reason phrase |
| closed | string | Output field closed |
| closingUserId | string | Unique identifier |
| created | string | Output field created |
| dbotCreatedBy | string | Output field dbotCreatedBy |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "data": [],
      "total": 0
    }
  }
]
```

## Notes

### Get your Cortex XSOAR API Key

1. In Cortex XSOAR, navigate to Settings & Info > Settings > Integrations > API Keys.
2. Select + New Key.
3. Choose the type of API key you want to generate based on your desired security level: Advanced or Standard. The Advanced API key hashes the key using a nonce (a random string) and a timestamp to prevent replay attacks. curl does not support this, but it is suitable for scripts; use the example script to create the Advanced API authentication token.
4. If you want to define a time limit on the API key authentication, mark Enable Expiration Date and select the expiration date and time. Navigate to Settings & Info > Settings > Integrations > API Keys to track the Expiration Time field for each API key. In addition, Cortex XSOAR displays an API key expiration notification in the notification center one week and one day prior to the defined expiration date.
5. Provide a comment that describes the purpose of the API key, if desired.
6. Select the desired level of access for this key. You can select from the list of existing roles, or you can select Custom to set the permissions on a more granular level. Roles are available according to what was defined in the Cortex Gateway, as described in Manage Roles (https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Administrator-Guide/Manage-Roles) in the Cortex XSOAR 8 Administrator's Guide.
7. Save the API key. Copy the API key, and then click Done. This value represents your unique API Key in the asset.
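The note above says an Advanced API key "hashes the key using a nonce and a timestamp to prevent replay attacks" but does not show the mechanism. The following is an added example, not Swimlane's or Palo Alto's code: it builds the per-request headers from an API Key and API Key ID and then models the server-side check, so you can see why a captured request cannot be replayed. It assumes the digest is SHA-256 over `api_key + nonce + timestamp_ms` and uses the header names from Palo Alto's published sample script for Cortex advanced keys (`x-xdr-auth-id`, `x-xdr-nonce`, `x-xdr-timestamp`, `Authorization`); confirm both against your tenant's API documentation. `ReplayGuard` is a simplified model written for this example, not XSOAR's implementation.

```python
# Added example (not Swimlane's or Palo Alto's code).
# ASSUMPTIONS: digest = SHA-256(api_key || nonce || timestamp_ms); header
# names follow Palo Alto's published sample script for Cortex advanced keys.
# ReplayGuard is a simplified model of the server-side check.
import hashlib
import secrets
import string
import time
from typing import Dict, Optional, Tuple

NONCE_ALPHABET = string.ascii_letters + string.digits


def make_nonce(length: int = 64) -> str:
    """Per-request random string from a CSPRNG, so nonces cannot be guessed."""
    return "".join(secrets.choice(NONCE_ALPHABET) for _ in range(length))


def advanced_key_hash(api_key: str, nonce: str, timestamp_ms: int) -> str:
    """SHA-256 over key || nonce || timestamp. Only this digest goes over the
    wire, so a captured request does not expose the API key itself."""
    material = f"{api_key}{nonce}{timestamp_ms}".encode("utf-8")
    return hashlib.sha256(material).hexdigest()


def build_auth_headers(api_key: str, api_key_id, nonce: Optional[str] = None,
                       timestamp_ms: Optional[int] = None) -> Dict[str, str]:
    """Headers for one request. nonce/timestamp_ms are parameters only so the
    result can be checked deterministically; normally let them default."""
    nonce = nonce or make_nonce()
    if timestamp_ms is None:
        timestamp_ms = int(time.time()) * 1000
    return {
        "x-xdr-auth-id": str(api_key_id),
        "x-xdr-nonce": nonce,
        "x-xdr-timestamp": str(timestamp_ms),
        "Authorization": advanced_key_hash(api_key, nonce, timestamp_ms),
    }


class ReplayGuard:
    """Simplified verifier: recompute the digest from the stored key, reject
    timestamps outside the allowed skew, and reject any nonce already accepted.
    A replayed capture fails twice over: the nonce is burned and the timestamp
    soon ages out of the window."""

    def __init__(self, keys: Dict[str, str], max_skew_ms: int = 5 * 60 * 1000):
        self.keys = keys                  # {api_key_id: api_key}
        self.max_skew_ms = max_skew_ms
        self.seen_nonces = set()

    def verify(self, headers: Dict[str, str], now_ms: int) -> Tuple[bool, str]:
        api_key = self.keys.get(headers.get("x-xdr-auth-id"))
        if api_key is None:
            return False, "unknown key id"
        try:
            ts = int(headers["x-xdr-timestamp"])
        except (KeyError, ValueError):
            return False, "bad timestamp"
        if abs(now_ms - ts) > self.max_skew_ms:
            return False, "timestamp outside window"
        nonce = headers.get("x-xdr-nonce", "")
        if nonce in self.seen_nonces:
            return False, "nonce already used (replay)"
        expected = advanced_key_hash(api_key, nonce, ts)
        # Constant-time compare so digest checking leaks nothing via timing.
        if not secrets.compare_digest(expected, headers.get("Authorization", "")):
            return False, "hash mismatch"
        self.seen_nonces.add(nonce)
        return True, "ok"


if __name__ == "__main__":
    # Constructed values; a real key and ID come from the API Keys page.
    hdrs = build_auth_headers("EXAMPLE_API_KEY", 12)
    guard = ReplayGuard({"12": "EXAMPLE_API_KEY"})
    now = int(time.time()) * 1000
    print(guard.verify(hdrs, now))   # first use is accepted
    print(guard.verify(hdrs, now))   # identical request again is rejected
```

Because the key is never sent, rotating it or setting an expiration date (step 4 above) is the only thing that invalidates previously issued digests; the nonce and timestamp window take care of individual requests.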
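The two action sections above list the body parameters and the constraints on them (severity 0 to 4, status 0 to 2, labels as type/value pairs, the `period` sub-fields) but not how a caller assembles and sends them. The following is an added example, not Swimlane's or Palo Alto's code. From the page it takes the endpoint paths `incident` and `incidents/search`, the POST method, and the parameter names and ranges; it checks those ranges before anything is sent, so a bad playbook input fails on the caller's side instead of creating a silently wrong incident. It assumes the request URL is `https://<FQDN>/<endpoint>`, that the authentication headers are supplied by the caller (a Standard key, or the Advanced-key digest), and that `sort` items carry a `field` alongside the page's `asc`. All sample values are constructed.

```python
# Added example (not Swimlane's or Palo Alto's code).
# From the page: endpoints "incident" and "incidents/search", POST, severity
# in 0..4, status in 0..2, labels as {type, value}, period sub-fields.
# ASSUMPTIONS: URL https://<FQDN>/<endpoint>; auth headers come from the
# caller; sort items carry "field" next to "asc". Sample values are constructed.
import json
import ssl
import urllib.request
from typing import Any, Dict, List, Optional

SEVERITY_RANGE = range(0, 5)   # page: severity has to be >= 0 and <= 4
STATUS_RANGE = range(0, 3)     # page: status has to be >= 0 and <= 2
PERIOD_FIELDS = {"by", "byFrom", "byTo", "field", "fromValue", "toValue"}
LIST_FILTERS = ("category", "fields", "files", "id", "investigation",
                "level", "name", "notInvestigation", "reason")


def build_incident_body(name: str, **fields: Any) -> Dict[str, Any]:
    """Body for POST incident; rejects out-of-range or malformed input early."""
    severity = fields.get("severity")
    if severity is not None and (not isinstance(severity, int) or severity not in SEVERITY_RANGE):
        raise ValueError(f"severity must be an integer 0..4, got {severity!r}")
    status = fields.get("status")
    if status is not None and (not isinstance(status, int) or status not in STATUS_RANGE):
        raise ValueError(f"status must be an integer 0..2, got {status!r}")
    for label in fields.get("labels") or []:
        if not isinstance(label, dict) or set(label) != {"type", "value"}:
            raise ValueError(f"label must be a {{type, value}} pair, got {label!r}")
    body: Dict[str, Any] = {"name": name}
    body.update({k: v for k, v in fields.items() if v is not None})
    return body


def build_search_body(query: Optional[str] = None, period: Optional[Dict[str, Any]] = None,
                      from_date: Optional[str] = None, page: int = 0, size: int = 50,
                      sort: Optional[List[Dict[str, Any]]] = None, and_op: bool = True,
                      **list_filters: Any) -> Dict[str, Any]:
    """Body for POST incidents/search; every criterion lives under "filter"."""
    f: Dict[str, Any] = {"page": page, "size": size, "andOp": and_op}
    if query:
        f["query"] = query
    if from_date:
        f["fromDate"] = from_date
    if period is not None:
        unknown = set(period) - PERIOD_FIELDS
        if unknown:
            raise ValueError(f"unknown period field(s): {sorted(unknown)}")
        f["period"] = dict(period)
    if sort:
        for item in sort:
            if "asc" in item and not isinstance(item["asc"], bool):
                raise ValueError("sort item 'asc' must be a boolean")
        f["sort"] = list(sort)
    for key, values in list_filters.items():
        if key not in LIST_FILTERS:
            raise ValueError(f"unsupported filter: {key}")
        f[key] = list(values)
    return {"filter": f}


def post_json(fqdn: str, endpoint: str, body: Dict[str, Any], auth_headers: Dict[str, str],
              verify_ssl: bool = True, http_proxy: Optional[str] = None, timeout: int = 30):
    """POST body to https://<fqdn>/<endpoint>, honouring the connector's
    Verify SSL and HTTP Proxy settings. Returns (status_code, parsed_json)."""
    ctx = ssl.create_default_context()
    if not verify_ssl:            # only for lab tenants with a private CA
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    handlers: List[Any] = [urllib.request.HTTPSHandler(context=ctx)]
    if http_proxy:
        handlers.insert(0, urllib.request.ProxyHandler({"http": http_proxy, "https": http_proxy}))
    opener = urllib.request.build_opener(*handlers)
    req = urllib.request.Request(
        f"https://{fqdn}/{endpoint}",
        data=json.dumps(body).encode("utf-8"),
        headers={**auth_headers, "Content-Type": "application/json", "Accept": "application/json"},
        method="POST",
    )
    with opener.open(req, timeout=timeout) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else None)


if __name__ == "__main__":
    # Constructed sample: one incident body and one search over the last 3 days.
    print(json.dumps(build_incident_body(
        "Suspicious login from new country", type="Account Compromise", severity=3,
        labels=[{"type": "user", "value": "alice@example.com"}],
        createInvestigation=True), indent=2))
    print(json.dumps(build_search_body(
        query="status:Active", period={"by": "day", "fromValue": 3},
        sort=[{"field": "created", "asc": False}], level=[3, 4]), indent=2))
```

To actually send, pass the headers from your key type, for example `post_json(FQDN, "incident", body, headers, verify_ssl=True)`; the `(status_code, json_body)` pair it returns corresponds to the `status_code` and `json_body` fields in the output tables above.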