Palo Alto Networks Cortex XSOAR V6
Description

The Palo Alto Networks Cortex XSOAR v6 connector allows for streamlined incident management and automation of response workflows, enhancing security operations.

Palo Alto Networks Cortex XSOAR v6 is a leading Security Orchestration, Automation, and Response (SOAR) platform that enables security teams to manage incidents efficiently and respond to threats rapidly. This connector allows Swimlane Turbine users to create or update incidents, search for incidents, and manage incident data directly within the Swimlane platform. By integrating with Cortex XSOAR v6, users can leverage its incident management capabilities, automate complex workflows, and improve their security posture with minimal manual intervention.

Palo Alto Cortex XSOAR is a comprehensive SOAR platform that unifies case management, automation, real-time collaboration and threat intel management to serve security teams across the incident lifecycle.

Prerequisites

To integrate Palo Alto Networks Cortex XSOAR v6 with Swimlane Turbine, ensure you have the following:

- Cortex custom auth URL: the base URL of your Cortex XSOAR instance
- API key: your unique API key for authenticating with the Cortex XSOAR API

Capabilities

This connector provides the following capabilities:

- Create or Update Incident
- Search Incidents

Documentation

This connector has been created using Cortex XSOAR v6.12.

- Create/Update Incident: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR-6-API/Create-single-incident
- Search Incident: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR-6-API/Search-incidents-by-filter

Configurations

Palo Alto Cortex XSOAR Authentication

Palo Alto Cortex XSOAR authenticates using an API key.

Configuration parameters (parameter, type, required, description):

- url (string, required): URL of the target host
- api_key (string, required): the API key; your unique identifier
- verify_ssl (boolean, optional): verify the SSL certificate
- http_proxy (string, optional): a proxy to route requests through

Leave verify_ssl enabled for production instances: the API key is sent with every request, and disabling certificate verification lets anyone who can intercept the connection read it. Turn it off only for a lab instance that uses a self-signed certificate.
Actions

Create or Update Incident

Create or update an incident in Palo Alto Networks Cortex XSOAR v6 with the specified JSON body details.

Endpoint URL: /incident
Method: POST

Input arguments (name, type, required, description):

- lastOpen (string, optional): Parameter for Create or Update Incident
- dbotCreatedBy (string, optional): Parameter for Create or Update Incident
- parent (string, optional): Parameter for Create or Update Incident
- reason (string, optional): The reason an incident was closed
- sourceInstance (string, optional): Parameter for Create or Update Incident
- sizeInBytes (number, optional): Parameter for Create or Update Incident
- closeNotes (string, optional): Notes for closing the incident
- dbotMirrorTags (array, optional): The entry tags to sync to the remote system
- dueDate (string, optional): Date value
- linkedCount (number, optional): Count value
- syncHash (string, optional): Parameter for Create or Update Incident
- type (string, optional): Type of the resource
- closingUserId (string, optional): The user ID that closed this investigation
- rawPhase (string, optional): Parameter for Create or Update Incident
- modified (string, optional): Parameter for Create or Update Incident
- xsoarReadOnlyRoles (array, optional): Parameter for Create or Update Incident
- details (string, optional): Parameter for Create or Update Incident
- closeReason (string, optional): The reason for closing the incident (select from existing predefined values)
- dbotMirrorDirection (string, optional): Direction in which to mirror the incident (In/Out/Both)
- rawCategory (string, optional): Parameter for Create or Update Incident
- phase (string, optional): Parameter for Create or Update Incident
- allReadWrite (boolean, optional): Parameter for Create or Update Incident
- numericId (number, optional): Unique identifier
- sequenceNumber (number, optional): Parameter for Create or Update Incident
- previousAllRead (boolean, optional): Parameter for Create or Update Incident

Output (parameter, type, description):

- status_code (number): HTTP status code of the response
- reason (string): Response reason phrase
- shardID (number): Unique identifier
- account (string): Output field account
- activated (string): Output field activated
- activatingingUserId (string): Unique identifier
- allRead (boolean): Output field allRead
- allReadWrite (boolean): Output field allReadWrite
- attachment (array): Output field attachment
  - name (string): Name of the resource
  - file (string): Output field file
- autime (number): Time value
- cacheVersn (number): Output field cacheVersn
- canvases (array): Output field canvases
- category (string): Output field category
- changeStatus (string): Status value
- closeNotes (string): Output field closeNotes
- closeReason (string): The reason the incident was closed
- closed (string): Output field closed
- closingUserId (string): Unique identifier
- created (string): Output field created
- dbotCreatedBy (string): Output field dbotCreatedBy
- dbotCurrentDirtyFields (array): Output field dbotCurrentDirtyFields
- dbotDirtyFields (array): Output field dbotDirtyFields
- dbotMirrorDirection (string): Output field dbotMirrorDirection

Example:

[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "shardID": 9007199254740991,
      "account": "string",
      "activated": "2019-08-24T14:15:22Z",
      "activatingingUserId": "string",
      "allRead": true,
      "allReadWrite": true,
      "attachment": [],
      "autime": 9007199254740991,
      "cacheVersn": 9007199254740991,
      "canvases": [],
      "category": "string",
      "changeStatus": "string",
      "closeNotes": "string",
      "closeReason": "string",
      "closed": "2019-08-24T14:15:22Z"
    }
  }
]

Search Incidents

Performs a comprehensive search for incidents in Palo Alto Networks Cortex XSOAR v6, with filtering by various criteria.

Endpoint URL: /incidents/search
Method: POST

Input arguments (name, type, required, description):

- filter (object, optional): Parameter for Search Incidents
  - parent (array, optional): Parameter for Search Incidents
  - reason (array, optional): Parameter for Search Incidents
  - notInvestigation (array, optional): Parameter for Search Incidents
  - totalOnly (boolean, optional): Parameter for Search Incidents
  - type (array, optional): Type of the resource
  - fromActivatedDate (string, optional): Date value
  - notCategory (array, optional): Parameter for Search Incidents
  - fromDateLicense (string, optional): Parameter for Search Incidents
  - andOp (boolean, optional): Parameter for Search Incidents
  - searchAfterElastic (array, optional): Efficient next page; pass the max ES sort value from the previous page
  - searchBefore (array, optional): Parameter for Search Incidents
  - details (string, optional): Parameter for Search Incidents
  - id (array, optional): Unique identifier
  - toActivatedDate (string, optional): Date value
  - period (object, optional): Parameter for Search Incidents
    - fromValue (string, optional): Value for the parameter
    - toValue (string, optional): Value for the parameter
    - byFrom (string, optional): Parameter for Search Incidents
    - field (string, optional): Parameter for Search Incidents
    - by (string, optional): "by" is legacy; if present it overrides byTo and byFrom
    - byTo (string, optional): Parameter for Search Incidents
  - searchAfterMapOrder (object, optional): Efficient next page; pass the max sort value from the previous page
  - level (array, optional): Parameter for Search Incidents
  - query (string, optional): Parameter for Search Incidents

Output (parameter, type, description):

- status_code (number): HTTP status code of the response
- reason (string): Response reason phrase
- data (array): Response data; each element is an incident with fields including:
  - account (string): Output field account
  - activated (string): Output field activated
  - activatingingUserId (string): Unique identifier
  - allRead (boolean): Output field allRead
  - allReadWrite (boolean): Output field allReadWrite
  - autime (number): Time value
  - cacheVersn (number): Output field cacheVersn
  - category (string): Output field category
  - closeNotes (string): Output field closeNotes
  - closeReason (string): The reason the incident was closed
  - closed (string): Output field closed
  - closingUserId (string): Unique identifier
  - created (string): Output field created
  - dbotCreatedBy (string): Output field dbotCreatedBy
  - dbotMirrorDirection (string): Output field dbotMirrorDirection
  - dbotMirrorId (string): Unique identifier
  - dbotMirrorInstance (string): Output field dbotMirrorInstance
- total (number): Output field total

Example:

[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "data": [],
      "total": 0
    }
  }
]
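The following is an added illustration of the two calls above as a small Python client, not Swimlane or Palo Alto Networks code. It mirrors the connector's configuration (url, api_key, verify_ssl, http_proxy) and the two endpoints (POST /incident, POST /incidents/search with a filter object returning data and total). Details not stated on this page and therefore assumed here: XSOAR 6 reads the raw API key from the Authorization header, and POST /incident updates an existing incident when the body carries an "id" and creates one when it does not. FakeXsoar is a constructed in-memory stand-in for an XSOAR instance so the example runs offline; the hostname and key are constructed too.

```python
"""Minimal client for the two Cortex XSOAR v6 calls the connector wraps (added example)."""
import json
import ssl
import urllib.parse
import urllib.request
from typing import Any, Callable, Dict, List, Optional

JSON = Dict[str, Any]
Sender = Callable[[urllib.request.Request], JSON]


class XsoarClient:
    """Mirrors the connector configuration: url, api_key, verify_ssl, http_proxy."""

    def __init__(self, url: str, api_key: str, verify_ssl: bool = True,
                 http_proxy: Optional[str] = None, sender: Optional[Sender] = None) -> None:
        self.url = url.rstrip("/")
        self.api_key = api_key
        self.verify_ssl = verify_ssl
        self.http_proxy = http_proxy
        self._send = sender or self._https_send  # injectable transport for offline use

    def _https_send(self, req: urllib.request.Request) -> JSON:
        # verify_ssl=False drops certificate checks, so an on-path attacker could
        # read the API key; use it only against a lab instance.
        ctx = ssl.create_default_context()
        if not self.verify_ssl:
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        handlers: List[urllib.request.BaseHandler] = [urllib.request.HTTPSHandler(context=ctx)]
        if self.http_proxy:
            handlers.append(urllib.request.ProxyHandler({"https": self.http_proxy}))
        with urllib.request.build_opener(*handlers).open(req, timeout=30) as resp:
            return json.loads(resp.read().decode("utf-8"))

    def _post(self, path: str, body: JSON) -> JSON:
        # Assumption: XSOAR 6 takes the raw key in Authorization (a header, never the URL).
        req = urllib.request.Request(
            self.url + path, data=json.dumps(body).encode("utf-8"), method="POST",
            headers={"Authorization": self.api_key, "Content-Type": "application/json",
                     "Accept": "application/json"})
        return self._send(req)

    def create_or_update_incident(self, fields: JSON) -> JSON:
        """POST /incident. Assumption: include "id" to update, omit it to create."""
        return self._post("/incident", fields)

    def search_incidents(self, query: str = "", types: Optional[List[str]] = None,
                         total_only: bool = False, **extra_filter: Any) -> JSON:
        """POST /incidents/search using the documented filter keys (query, type, totalOnly, ...)."""
        flt: JSON = {"query": query, "totalOnly": total_only, **extra_filter}
        if types:
            flt["type"] = types
        return self._post("/incidents/search", {"filter": flt})


class FakeXsoar:
    """Constructed stand-in for an XSOAR 6 instance: checks the key and stores incidents."""

    def __init__(self, api_key: str) -> None:
        self.api_key = api_key
        self.incidents: Dict[str, JSON] = {}
        self._next_id = 1

    def __call__(self, req: urllib.request.Request) -> JSON:
        if req.get_header("Authorization") != self.api_key:
            raise PermissionError("401 Unauthorized")
        body = json.loads(req.data.decode("utf-8"))
        path = urllib.parse.urlparse(req.full_url).path
        if path == "/incident":
            if "id" in body:
                inc_id = str(body["id"])
            else:
                inc_id, self._next_id = str(self._next_id), self._next_id + 1
            stored = self.incidents.setdefault(inc_id, {"id": inc_id, "type": "Unclassified"})
            stored.update(body, id=inc_id)
            return dict(stored)
        if path == "/incidents/search":
            flt = body.get("filter", {})
            hits = [i for i in self.incidents.values()
                    if flt.get("query", "").lower() in i.get("name", "").lower()
                    and (not flt.get("type") or i.get("type") in flt["type"])]
            return {"data": [] if flt.get("totalOnly") else hits, "total": len(hits)}
        raise LookupError(f"404 {path}")


def demo() -> JSON:
    """Create, update and search against the fake instance; returns values to check."""
    key = "constructed-api-key"  # constructed; never hardcode a real key
    client = XsoarClient("https://xsoar.example.invalid", key, sender=FakeXsoar(key))
    created = client.create_or_update_incident(
        {"name": "Phishing report from user", "type": "Phishing", "severity": 2})
    updated = client.create_or_update_incident(  # same endpoint, with id: the update path
        {"id": created["id"], "severity": 3, "closeNotes": "Attachment confirmed malicious"})
    client.create_or_update_incident({"name": "Malware beacon on host", "type": "Malware"})
    phishing = client.search_incidents(query="phishing", types=["Phishing"])
    count = client.search_incidents(total_only=True)  # totalOnly: count without payload
    return {"created_id": created["id"], "updated_severity": updated["severity"],
            "phishing_total": phishing["total"], "phishing_hits": len(phishing["data"]),
            "all_total": count["total"], "all_data_len": len(count["data"])}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Against a real instance, drop the sender argument so the HTTPS transport is used, and keep verify_ssl at its default of True; the fake transport also shows why the key must match exactly, since a wrong key is rejected before any incident data is touched.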