Palo Alto Networks Cortex XSOAR V6
The Palo Alto Networks Cortex XSOAR v6 connector allows for streamlined incident management and automation of response workflows, enhancing security operations.

Palo Alto Networks Cortex XSOAR v6 is a leading security orchestration, automation, and response platform that enables security teams to manage incidents efficiently and respond to threats rapidly. This connector allows Swimlane Turbine users to create or update incidents, search for incidents, and manage incident data directly within the Swimlane platform. By integrating with Cortex XSOAR v6, users can leverage its powerful incident management capabilities, automate complex workflows, and enhance their security posture with minimal manual intervention.

Palo Alto Cortex XSOAR is a comprehensive security orchestration, automation and response (SOAR) platform that unifies case management, automation, real-time collaboration and threat intel management to serve security teams across the incident lifecycle.

## Prerequisites

To integrate Palo Alto Networks Cortex XSOAR v6 with Swimlane Turbine, ensure you have the following:

- Cortex custom auth URL: the base URL of your Cortex XSOAR instance
- API key: your unique API key for authenticating with the Cortex XSOAR API

## Capabilities

This connector provides the following capabilities:

- Create or Update Incident
- Search Incidents

## Documentation

This connector has been created using Cortex XSOAR v6.12:

- https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR-6-API/Create-single-incident
- https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR-6-API/Search-incidents-by-filter

## Configurations

### Palo Alto Cortex XSOAR Authentication

Palo Alto Cortex XSOAR authenticates using an API key.

Configuration parameters:

| Parameter | Description | Type | Required |
|---|---|---|---|
| URL | A URL to the target host | string | required |
| API Key | The API key is your unique identifier | string | required |
| Verify SSL | Verify SSL certificate | boolean | optional |
| HTTP Proxy | A proxy to route requests through | string | optional |

## Actions

### Create or Update Incident

Create or update an incident in Palo Alto Networks Cortex XSOAR v6 with the specified JSON body details.

Endpoint URL: `/incident`

Method: `POST`

Input:

| Argument | Type | Required | Description |
|---|---|---|---|
| lastOpen | string | optional | Parameter for Create or Update Incident |
| dbotCreatedBy | string | optional | Parameter for Create or Update Incident |
| parent | string | optional | Parameter for Create or Update Incident |
| reason | string | optional | The reason an incident was closed |
| sourceInstance | string | optional | Parameter for Create or Update Incident |
| sizeInBytes | number | optional | Parameter for Create or Update Incident |
| closeNotes | string | optional | Notes for closing the incident |
| dbotMirrorTags | array | optional | The entry tags to sync to the remote system |
| dueDate | string | optional | Date value |
| linkedCount | number | optional | Count value |
| syncHash | string | optional | Parameter for Create or Update Incident |
| type | string | optional | Type of the resource |
| closingUserId | string | optional | The user ID that closed this investigation |
| rawPhase | string | optional | Parameter for Create or Update Incident |
| modified | string | optional | Parameter for Create or Update Incident |
| xsoarReadOnlyRoles | array | optional | Parameter for Create or Update Incident |
| details | string | optional | Parameter for Create or Update Incident |
| closeReason | string | optional | The reason for closing the incident (select from existing predefined values) |
| dbotMirrorDirection | string | optional | The direction in which to mirror the incident (In/Out/Both) |
| rawCategory | string | optional | Parameter for Create or Update Incident |
| phase | string | optional | Parameter for Create or Update Incident |
| allReadWrite | boolean | optional | Parameter for Create or Update Incident |
| numericId | number | optional | Unique identifier |
| sequenceNumber | number | optional | Parameter for Create or Update Incident |
| previousAllRead | boolean | optional | Parameter for Create or Update Incident |

Input example:

```json
{
  "lastOpen": "string",
  "dbotCreatedBy": "string",
  "parent": "string",
  "sourceInstance": "string",
  "sizeInBytes": 123,
  "closeNotes": "string",
  "dbotMirrorTags": ["string"],
  "dueDate": "string",
  "linkedCount": 123,
  "syncHash": "string",
  "type": "string",
  "closingUserId": "string",
  "rawPhase": "string",
  "modified": "string",
  "xsoarReadOnlyRoles": ["string"],
  "details": "string",
  "closeReason": "string",
  "dbotMirrorDirection": "string",
  "rawCategory": "string",
  "phase": "string",
  "allReadWrite": true,
  "numericId": 123,
  "sequenceNumber": 123,
  "previousAllRead": true,
  "investigationId": "string",
  "todoTaskIds": ["string"],
  "created": "2024-01-01T00:00:00Z",
  "indexName": "Example Name",
  "notifyTime": "string",
  "xsoarHasReadOnlyRole": true,
  "sla": 123,
  "autime": 123,
  "rawJSON": "string",
  "version": 123,
  "labels": [{"type": "string", "value": "string"}],
  "dbotMirrorLastSync": "string",
  "rawCloseReason": "string",
  "previousAllReadWrite": true,
  "canvases": ["string"],
  "playbookId": "string",
  "name": "Example Name",
  "hasRole": true,
  "dbotCurrentDirtyFields": ["string"],
  "status": 123,
  "dbotDirtyFields": ["string"],
  "rawType": "string",
  "primaryTerm": 123,
  "roles": ["string"],
  "isPlayground": true
}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| shardID | number | Unique identifier |
| account | string | Count value |
| activated | string | Output field activated |
| activatingingUserId | string | Unique identifier |
| allRead | boolean | Output field allRead |
| allReadWrite | boolean | Output field allReadWrite |
| attachment | array | Output field attachment |
| attachment.file_name | string | Name of the resource |
| attachment.file | string | Output field attachment.file |
| autime | number | Time value |
| cacheVersn | number | Output field cacheVersn |
| canvases | array | Output field canvases |
| category | string | Output field category |
| changeStatus | string | Status value |
| closeNotes | string | Output field closeNotes |
| closeReason | string | Response reason phrase |
| closed | string | Output field closed |
| closingUserId | string | Unique identifier |
| created | string | Output field created |
| dbotCreatedBy | string | Output field dbotCreatedBy |
| dbotCurrentDirtyFields | array | Output field dbotCurrentDirtyFields |
| dbotDirtyFields | array | Output field dbotDirtyFields |
| dbotMirrorDirection | string | Output field dbotMirrorDirection |

Output example:

```json
{
  "status_code": 200,
  "response_headers": {},
  "reason": "OK",
  "json_body": {
    "shardID": 9007199254740991,
    "account": "string",
    "activated": "2019-08-24T14:15:22Z",
    "activatingingUserId": "string",
    "allRead": true,
    "allReadWrite": true,
    "attachment": [],
    "autime": 9007199254740991,
    "cacheVersn": 9007199254740991,
    "canvases": ["string"],
    "category": "string",
    "changeStatus": "string",
    "closeNotes": "string",
    "closeReason": "string",
    "closed": "2019-08-24T14:15:22Z"
  }
}
```

### Search Incidents

Performs a comprehensive search for incidents in Palo Alto Networks Cortex XSOAR v6, with filtering by various criteria.

Endpoint URL: `/incidents/search`

Method: `POST`

Input:

| Argument | Type | Required | Description |
|---|---|---|---|
| filter | object | optional | Parameter for Search Incidents |
| filter.parent | array | optional | Parameter for Search Incidents |
| filter.reason | array | optional | Response reason phrase |
| filter.notInvestigation | array | optional | Parameter for Search Incidents |
| filter.totalOnly | boolean | optional | Parameter for Search Incidents |
| filter.type | array | optional | Type of the resource |
| filter.fromActivatedDate | string | optional | Date value |
| filter.notCategory | array | optional | Parameter for Search Incidents |
| filter.fromDateLicense | string | optional | Parameter for Search Incidents |
| filter.andOp | boolean | optional | Parameter for Search Incidents |
| filter.searchAfterElastic | array | optional | Efficient next page: pass the max ES sort value from the previous page |
| filter.searchBefore | array | optional | Parameter for Search Incidents |
| filter.details | string | optional | Parameter for Search Incidents |
| filter.id | array | optional | Unique identifier |
| filter.toActivatedDate | string | optional | Date value |
| filter.period | object | optional | Parameter for Search Incidents |
| filter.period.fromValue | string | optional | Value for the parameter |
| filter.period.toValue | string | optional | Value for the parameter |
| filter.period.byFrom | string | optional | Parameter for Search Incidents |
| filter.period.field | string | optional | Parameter for Search Incidents |
| filter.period.by | string | optional | `by` is kept for legacy use; if present it overrides `byTo` and `byFrom` |
| filter.period.byTo | string | optional | Parameter for Search Incidents |
| filter.searchAfterMapOrder | object | optional | Efficient next page: pass the max sort value from the previous page |
| filter.level | array | optional | Parameter for Search Incidents |
| filter.query | string | optional | Parameter for Search Incidents |

Input example:

```json
{
  "json_body": {
    "filter": {
      "parent": ["parent", "parent"],
      "reason": ["reason", "reason"],
      "notInvestigation": ["notInvestigation", "notInvestigation"],
      "totalOnly": true,
      "type": ["type", "type"],
      "fromActivatedDate": "2000-01-23T04:56:07.000+00:00",
      "notCategory": ["notCategory", "notCategory"],
      "fromDateLicense": "2000-01-23T04:56:07.000+00:00",
      "andOp": true,
      "searchAfterElastic": ["searchAfterElastic", "searchAfterElastic"],
      "searchBefore": ["searchBefore", "searchBefore"],
      "details": "details",
      "id": ["id", "id"],
      "toActivatedDate": "2000-01-23T04:56:07.000+00:00",
      "period": {
        "fromValue": "fromValue",
        "toValue": "toValue",
        "byFrom": "byFrom",
        "field": "field",
        "by": "by",
        "byTo": "byTo"
      },
      "searchAfterMapOrder": {},
      "level": [4, 4],
      "query": "query",
      "notStatus": [2, 2],
      "sort": [{"asc": true, "field": "field", "fieldType": "fieldType"}],
      "users": ["users", "users"],
      "fromDate": "2000-01-23T04:56:07.000+00:00",
      "size": 1,
      "fromReminder": "2000-01-23T04:56:07.000+00:00",
      "name": ["name", "name"],
      "files": ["files", "files"],
      "searchAfter": ["searchAfter", "searchAfter"],
      "fromClosedDate": "2000-01-23T04:56:07.000+00:00",
      "page": 0,
      "fields": ["fields", "fields"],
      "cache": {},
      "status": [2, 2],
      "ignoreWorkers": true,
      "filterObjectQuery": "filterObjectQuery",
      "urls": ["urls", "urls"],
      "systems": ["systems", "systems"],
      "includeTmp": true,
      "toClosedDate": "2000-01-23T04:56:07.000+00:00",
      "searchAfterMap": {"key": ["searchAfterMap", "searchAfterMap"]},
      "toDueDate": "2000-01-23T04:56:07.000+00:00",
      "fromDueDate": "2000-01-23T04:56:07.000+00:00",
      "searchBeforeElastic": ["searchBeforeElastic", "searchBeforeElastic"],
      "toDate": "2000-01-23T04:56:07.000+00:00",
      "trimEvents": 5,
      "toReminder": "2000-01-23T04:56:07.000+00:00",
      "timeFrame": 5,
      "investigation": ["investigation", "investigation"],
      "accounts": {},
      "category": ["category", "category"]
    },
    "userFilter": true
  }
}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | array | Response data |
| data.account | string | Response data |
| data.activated | string | Response data |
| data.activatingingUserId | string | Response data |
| data.allRead | boolean | Response data |
| data.allReadWrite | boolean | Response data |
| data.autime | number | Response data |
| data.cacheVersn | number | Response data |
| data.category | string | Response data |
| data.closeNotes | string | Response data |
| data.closeReason | string | Response data |
| data.closed | string | Response data |
| data.closingUserId | string | Response data |
| data.created | string | Response data |
| data.dbotCreatedBy | string | Response data |
| data.dbotMirrorDirection | string | Response data |
| data.dbotMirrorId | string | Response data |
| data.dbotMirrorInstance | string | Response data |
| total | number | Output field total |

Output example:

```json
{
  "status_code": 200,
  "response_headers": {},
  "reason": "OK",
  "json_body": {
    "data": [{}],
    "total": 0
  }
}
```

## Response Headers

| Header | Description | Example |
|---|---|---|
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Thu, 01 Jan 2024 00:00:00 GMT |
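The following Python client is an added example and is not the Swimlane connector's code or Palo Alto Networks' code. It exercises the two endpoints documented above (`POST /incident` and `POST /incidents/search`) against the four configuration parameters (URL, API key, verify SSL, HTTP proxy), using only the standard library. Assumptions: the class and function names are mine; Cortex XSOAR v6 accepts the raw API key in the `Authorization` header; the `id` field in the sample search response and the `xsoar.example.invalid` host are constructed for illustration.

```python
"""Minimal Cortex XSOAR v6 client for the two connector actions above (added example)."""
import json
import ssl
import urllib.request
from typing import Any, Dict, Iterator, List, Optional

CREATE_OR_UPDATE_PATH = "/incident"      # from the connector docs
SEARCH_PATH = "/incidents/search"        # from the connector docs


class XsoarV6Client:
    """Mirrors the connector's configuration: URL, API key, Verify SSL, HTTP Proxy."""

    def __init__(self, base_url: str, api_key: str, verify_ssl: bool = True,
                 http_proxy: Optional[str] = None) -> None:
        self.base_url = base_url.rstrip("/")
        self._api_key = api_key            # kept private; never log this value
        self.verify_ssl = verify_ssl
        self.http_proxy = http_proxy

    def headers(self) -> Dict[str, str]:
        # Assumption: XSOAR 6 takes the raw API key in Authorization (no "Bearer" prefix).
        return {"Authorization": self._api_key,
                "Accept": "application/json",
                "Content-Type": "application/json"}

    @staticmethod
    def create_or_update_body(name: str, incident_type: str, details: str = "",
                              labels: Optional[List[Dict[str, str]]] = None,
                              extra: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
        """Build the /incident body from the documented fields; `extra` carries any others."""
        body: Dict[str, Any] = {"name": name, "type": incident_type,
                                "details": details, "labels": labels or []}
        body.update(extra or {})
        return body

    @staticmethod
    def search_body(query: str, page: int = 0, size: int = 50,
                    from_date: Optional[str] = None, to_date: Optional[str] = None,
                    status: Optional[List[int]] = None) -> Dict[str, Any]:
        """Build the /incidents/search body: query, page/size paging, date and status filters."""
        filt: Dict[str, Any] = {"query": query, "page": page, "size": size,
                                "sort": [{"field": "created", "asc": False}]}
        if from_date:
            filt["fromDate"] = from_date
        if to_date:
            filt["toDate"] = to_date
        if status:
            filt["status"] = status
        return {"filter": filt}

    def _post(self, path: str, body: Dict[str, Any]) -> tuple:
        """POST JSON and return (status_code, json_body), honouring Verify SSL and HTTP Proxy."""
        req = urllib.request.Request(self.base_url + path, data=json.dumps(body).encode(),
                                     headers=self.headers(), method="POST")
        ctx = ssl.create_default_context()
        if not self.verify_ssl:           # only for lab instances with self-signed certs
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        handlers: list = [urllib.request.HTTPSHandler(context=ctx)]
        if self.http_proxy:
            handlers.append(urllib.request.ProxyHandler(
                {"https": self.http_proxy, "http": self.http_proxy}))
        opener = urllib.request.build_opener(*handlers)
        with opener.open(req, timeout=30) as resp:
            raw = resp.read().decode() or "null"
            return resp.status, json.loads(raw)

    def create_or_update_incident(self, body: Dict[str, Any]) -> tuple:
        return self._post(CREATE_OR_UPDATE_PATH, body)

    def search_incidents(self, body: Dict[str, Any]) -> tuple:
        return self._post(SEARCH_PATH, body)

    def iter_all_incidents(self, query: str, size: int = 50) -> Iterator[Dict[str, Any]]:
        """Walk every page using filter.page/filter.size until `total` is exhausted."""
        page = 0
        while True:
            _, payload = self.search_incidents(self.search_body(query, page=page, size=size))
            data = payload.get("data") or []
            yield from data
            if not data or (page + 1) * size >= int(payload.get("total", 0)):
                return
            page += 1


def pages_needed(total: int, size: int) -> int:
    """Number of search pages required to fetch `total` incidents at `size` per page."""
    return 0 if total <= 0 else -(-total // size)


def summarize_search_response(payload: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Reduce a search response to the fields a responder triages on."""
    return [{"id": inc.get("id"), "name": inc.get("name"), "status": inc.get("status"),
             "created": inc.get("created"), "closeReason": inc.get("closeReason")}
            for inc in payload.get("data") or []]


# Constructed sample of a search response (shape follows the docs: data[] plus total).
SAMPLE_SEARCH_RESPONSE: Dict[str, Any] = {
    "total": 2,
    "data": [
        {"id": "1001", "name": "Phishing report (sample)", "status": 1,
         "created": "2024-01-01T00:00:00Z", "closeReason": ""},
        {"id": "1002", "name": "Malware alert (sample)", "status": 2,
         "created": "2024-01-02T00:00:00Z", "closeReason": "Resolved"},
    ],
}
```

A live call is `XsoarV6Client(url, key).create_or_update_incident(XsoarV6Client.create_or_update_body("Name", "Type"))`; the body builders and `summarize_search_response` can be exercised offline, which is how the sample above is used. Leave `verify_ssl=True` outside a lab: disabling it lets any on-path host present a certificate and read the API key from the `Authorization` header.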