# Palo Alto Networks Cortex XSOAR V6

The Cortex XSOAR V6 connector facilitates interaction with Palo Alto Networks' security orchestration and automated response solution, enabling streamlined incident and indicator management.

Palo Alto Networks Cortex XSOAR V6 is a powerful security orchestration, automation, and response (SOAR) platform that enables security teams to streamline their operations. With this connector, users can automate the export, reanalysis, and management of indicators, as well as create and update incidents directly within Swimlane Turbine. This integration empowers organizations to enhance their incident response capabilities, leverage extensive telemetry, and take decisive action against threats without manual intervention.

Palo Alto Cortex XSOAR is a comprehensive security orchestration, automation and response (SOAR) platform that unifies case management, automation, real-time collaboration and threat intel management to serve security teams across the incident lifecycle.

## Prerequisites

To integrate Palo Alto Networks Cortex XSOAR V6 with Swimlane Turbine, ensure you have the following:

- Cortex custom authentication with the following parameters:
  - URL: the base URL of your Cortex XSOAR instance
  - API key: your unique API key to authenticate with Cortex XSOAR

## Capabilities

This connector provides the following capabilities:

- Batch Export Indicators to CSV
- Batch Export Indicators to STIX
- Batch Whitelist or Delete Indicators
- Create Indicators
- Create or Update Incident
- Edit Indicator
- Search Incidents
- Search Indicators
- Whitelists or Deletes Indicator

## Documentation

This connector has been created using Cortex XSOAR v6.12.

- https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR-6-API/Create-single-incident
- https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR-6-API/Search-incidents-by-filter

## Configurations

### Palo Alto Cortex XSOAR Authentication

Palo Alto Cortex XSOAR authenticates using an API key.

Configuration parameters:

| Parameter | Description | Type | Required |
|---|---|---|---|
| url | A URL to the target host | string | required |
| api_key | The API key is your unique identifier | string | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

## Actions

### Batch Export Indicators to CSV

Exports a batch of indicators to a CSV file and provides the resulting file ID for download.

- Endpoint URL: `/indicators/batch/exportToCsv`
- Method: POST

Input:

| Argument name | Type | Required | Description |
|---|---|---|---|
| all | boolean | optional | All indicators |
| columns | array | optional | Columns array |
| donotwhitelist | boolean | optional | Do not whitelist flag |
| filter | object | optional | Parameter for Batch Export Indicators to CSV |
| filter.cache | object | optional | Parameter for Batch Export Indicators to CSV |
| filter.cache.additionalproperties | array | optional | Parameter for Batch Export Indicators to CSV |
| filter.accounts | object | optional | Parameter for Batch Export Indicators to CSV |
| filter.accounts.additionalproperties | object | optional | Parameter for Batch Export Indicators to CSV |
| filter.earlytimeinpage | string | optional | Parameter for Batch Export Indicators to CSV |
| filter.fields | array | optional | Parameter for Batch Export Indicators to CSV |
| filter.filterobjectquery | string | optional | Parameter for Batch Export Indicators to CSV |
| filter.firstseen | object | optional | Parameter for Batch Export Indicators to CSV |
| filter.firstseen.fromdate | string | optional | Date value |
| filter.firstseen.fromdatelicense | string | optional | Parameter for Batch Export Indicators to CSV |
| filter.firstseen.period | object | optional | Parameter for Batch Export Indicators to CSV |
| filter.firstseen.period.by | string | optional | Parameter for Batch Export Indicators to CSV |
| filter.firstseen.period.byfrom | string | optional | Parameter for Batch Export Indicators to CSV |
| filter.firstseen.period.byto | string | optional | Parameter for Batch Export Indicators to CSV |
| filter.firstseen.period.field | string | optional | Parameter for Batch Export Indicators to CSV |
| filter.firstseen.period.fromvalue | string | optional | Value for the parameter |
| filter.firstseen.period.tovalue | string | optional | Value for the parameter |
| filter.firstseen.timeframe | number | optional | Parameter for Batch Export Indicators to CSV |
| filter.firstseen.todate | string | optional | Date value |
| filter.fromdate | string | optional | Date value |
| filter.fromdatelicense | string | optional | Parameter for Batch Export Indicators to CSV |

Input example:

```json
{
  "json_body": {
    "all": false,
    "columns": ["example"],
    "donotwhitelist": false,
    "filter": {
      "cache": {"additionalproperties": ["example"]},
      "accounts": {"additionalproperties": {}},
      "earlytimeinpage": "2020-01-01T12:00:00Z",
      "fields": ["example"],
      "filterobjectquery": "example",
      "firstseen": {
        "fromdate": "2020-01-01T12:00:00Z",
        "fromdatelicense": "2020-01-01T12:00:00Z",
        "period": {"by": "example", "byfrom": "example", "byto": "example", "field": "example",
                   "fromvalue": "duration string", "tovalue": "duration string"},
        "timeframe": 0,
        "todate": "2020-01-01T12:00:00Z"
      },
      "fromdate": "2020-01-01T12:00:00Z",
      "fromdatelicense": "2020-01-01T12:00:00Z",
      "ignoreworkers": false,
      "lastseen": {
        "fromdate": "2020-01-01T12:00:00Z",
        "fromdatelicense": "2020-01-01T12:00:00Z",
        "period": {"by": "example", "byfrom": "example", "byto": "example", "field": "example",
                   "fromvalue": "duration string", "tovalue": "duration string"},
        "timeframe": 0,
        "todate": "2020-01-01T12:00:00Z"
      },
      "latertimeinpage": "2020-01-01T12:00:00Z",
      "page": 0,
      "period": {"by": "example", "byfrom": "example", "byto": "example", "field": "example",
                 "fromvalue": "duration string", "tovalue": "duration string"},
      "prevpage": false,
      "query": "example",
      "searchafter": ["example"],
      "searchafterelastic": ["example"],
      "searchaftermap": {"additionalproperties": ["example"]},
      "searchaftermaporder": {"additionalproperties": 0},
      "searchbefore": ["example"],
      "searchbeforeelastic": ["example"],
      "size": 0,
      "sort": [{"asc": false, "field": "example", "fieldtype": "example"}],
      "timeframe": 0,
      "todate": "2020-01-01T12:00:00Z",
      "trim_events": 0
    },
    "ids": ["example"],
    "reason": "example",
    "reputations": ["example"]
  }
}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": "example file id"}
```

### Batch Export Indicators to STIX

Exports a batch of indicators from Palo Alto Networks Cortex XSOAR V6 to a STIX file and provides the resulting file ID.

- Endpoint URL: `/indicators/batch/export/stix`
- Method: POST

Input:

| Argument name | Type | Required | Description |
|---|---|---|---|
| all | boolean | optional | All indicators |
| columns | array | optional | Columns array |
| donotwhitelist | boolean | optional | Do not whitelist flag |
| filter | object | optional | IndicatorFilter is a general filter that fetches entities using a query string (query using the `query` value) |
| filter.cache | object | optional | Cache of join functions |
| filter.cache.additionalproperties | array | optional | Additional properties array |
| filter.accounts | object | optional | Accounts object |
| filter.accounts.additionalproperties | object | optional | Additional properties object |
| filter.earlytimeinpage | string | optional | Early time in page |
| filter.fields | array | optional | Fields array |
| filter.filterobjectquery | string | optional | Query string |
| filter.firstseen | object | optional | DateRangeFilter provides common fields for date filtering |
| filter.firstseen.fromdate | string | optional | From date |
| filter.firstseen.fromdatelicense | string | optional | From date license |
| filter.firstseen.period | object | optional | Period object |
| filter.firstseen.period.by | string | optional | By is used for legacy, and if it exists it will override byto and byfrom |
| filter.firstseen.period.byfrom | string | optional | By from |
| filter.firstseen.period.byto | string | optional | By to |
| filter.firstseen.period.field | string | optional | Field |
| filter.firstseen.period.fromvalue | string | optional | From value duration |
| filter.firstseen.period.tovalue | string | optional | To value duration |
| filter.firstseen.timeframe | number | optional | A Duration represents the elapsed time between two instants as an int64 nanosecond count. The representation limits the largest representable duration to approximately 290 years |
| filter.firstseen.todate | string | optional | To date |
| filter.fromdate | string | optional | From date |
| filter.fromdatelicense | string | optional | From date license |

Input example: identical to the input example of Batch Export Indicators to CSV above.

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": "example stix file name"}
```

### Batch Whitelist or Delete Indicators

Allows batch whitelisting or deletion of indicators in Cortex XSOAR V6. Set `donotwhitelist` to true for deletion only.

- Endpoint URL: `/indicators/batchDelete`
- Method: POST

Input: the input arguments are identical to those of Batch Export Indicators to STIX above, and the input example is identical to the input example of Batch Export Indicators to CSV.

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| notupdated | number | Output field notupdated |
| updatedids | array | Unique identifier |
| uppdated | number | Output field uppdated |

Output example:

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"notupdated": 0, "updatedids": ["example"], "uppdated": 0}}
```

### Create Indicators

Create indicators in Palo Alto Networks Cortex XSOAR V6 from a specified file. A `files` input is required.

- Endpoint URL: `/indicators/upload`
- Method: POST

Input:

| Argument name | Type | Required | Description |
|---|---|---|---|
| files | object | required | File to create indicators from |
| files.file_name | string | optional | Name of the resource |
| files.file | string | optional | Parameter for Create Indicators |

Input example:

```json
{"files": {"file_name": "example name", "file": "string"}}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
[]
```

### Create or Update Incident

Create or update an incident in Palo Alto Networks Cortex XSOAR V6 using the provided JSON body details.

- Endpoint URL: `/incident`
- Method: POST

Input:

| Argument name | Type | Required | Description |
|---|---|---|---|
| lastopen | string | optional | Parameter for Create or Update Incident |
| dbotcreatedby | string | optional | Parameter for Create or Update Incident |
| parent | string | optional | Parameter for Create or Update Incident |
| reason | string | optional | The reason an incident was closed |
| sourceinstance | string | optional | Parameter for Create or Update Incident |
| sizeinbytes | number | optional | Parameter for Create or Update Incident |
| closenotes | string | optional | Notes for closing the incident |
| dbotmirrortags | array | optional | The entry tags I want to sync to the remote system |
| duedate | string | optional | Date value |
| linkedcount | number | optional | Count value |
| synchash | string | optional | Parameter for Create or Update Incident |
| type | string | optional | Type of the resource |
| closinguserid | string | optional | The user ID that closed this investigation |
| rawphase | string | optional | Parameter for Create or Update Incident |
| modified | string | optional | Parameter for Create or Update Incident |
| xsoarreadonlyroles | array | optional | Parameter for Create or Update Incident |
| details | string | optional | Parameter for Create or Update Incident |
| closereason | string | optional | The reason for closing the incident (select from existing predefined values) |
| dbotmirrordirection | string | optional | dbotmirrordirection of how to mirror the incident (In/Out/Both) |
| rawcategory | string | optional | Parameter for Create or Update Incident |
| phase | string | optional | Parameter for Create or Update Incident |
| allreadwrite | boolean | optional | Parameter for Create or Update Incident |
| numericid | number | optional | Unique identifier |
| sequencenumber | number | optional | Parameter for Create or Update Incident |
| previousallread | boolean | optional | Parameter for Create or Update Incident |

Input example:

```json
{
  "lastopen": "string", "dbotcreatedby": "string", "parent": "string", "sourceinstance": "string",
  "sizeinbytes": 123, "closenotes": "string", "dbotmirrortags": ["string"], "duedate": "string",
  "linkedcount": 123, "synchash": "string", "type": "string", "closinguserid": "string",
  "rawphase": "string", "modified": "string", "xsoarreadonlyroles": ["string"], "details": "string",
  "closereason": "string", "dbotmirrordirection": "string", "rawcategory": "string", "phase": "string",
  "allreadwrite": true, "numericid": 123, "sequencenumber": 123, "previousallread": true,
  "investigationid": "string", "todotaskids": ["string"], "created": "2024-01-01T00:00:00Z",
  "indexname": "example name", "notifytime": "string", "xsoarhasreadonlyrole": true, "sla": 123,
  "autime": 123, "rawjson": "string", "version": 123, "labels": [{"type": "string", "value": "string"}],
  "dbotmirrorlastsync": "string", "rawclosereason": "string", "previousallreadwrite": true,
  "canvases": ["string"], "playbookid": "string", "name": "example name", "hasrole": true,
  "dbotcurrentdirtyfields": ["string"], "status": 123, "dbotdirtyfields": ["string"], "rawtype": "string",
  "primaryterm": 123, "roles": ["string"], "isplayground": true
}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| shardid | number | Unique identifier |
| account | string | Count value |
| activated | string | Output field activated |
| activatinginguserid | string | Unique identifier |
| allread | boolean | Output field allread |
| allreadwrite | boolean | Output field allreadwrite |
| attachment | array | Output field attachment |
| attachment.file_name | string | Name of the resource |
| attachment.file | string | Output field attachment.file |
| autime | number | Time value |
| cacheversn | number | Output field cacheversn |
| canvases | array | Output field canvases |
| category | string | Output field category |
| changestatus | string | Status value |
| closenotes | string | Output field closenotes |
| closereason | string | Response reason phrase |
| closed | string | Output field closed |
| closinguserid | string | Unique identifier |
| created | string | Output field created |
| dbotcreatedby | string | Output field dbotcreatedby |
| dbotcurrentdirtyfields | array | Output field dbotcurrentdirtyfields |
| dbotdirtyfields | array | Output field dbotdirtyfields |
| dbotmirrordirection | string | Output field dbotmirrordirection |

Output example:

```json
{
  "status_code": 200,
  "response_headers": {},
  "reason": "OK",
  "json_body": {
    "shardid": 9007199254740991, "account": "string", "activated": "2019-08-24T14:15:22Z",
    "activatinginguserid": "string", "allread": true, "allreadwrite": true, "attachment": [],
    "autime": 9007199254740991, "cacheversn": 9007199254740991, "canvases": ["string"],
    "category": "string", "changestatus": "string", "closenotes": "string", "closereason": "string",
    "closed": "2019-08-24T14:15:22Z"
  }
}
```

### Edit Indicator

Modify an existing indicator entity in Palo Alto Networks Cortex XSOAR V6, including updates to custom fields, by using lowercase keys and removing spaces.

- Endpoint URL: `/indicator/edit`
- Method: POST

Input:

| Argument name | Type | Required | Description |
|---|---|---|---|
| customfields | object | optional | The keys should be the field's display name, all lowercase and without spaces; for example, `Scan IP` -> `scanip`. To get the actual key name you can also go to the Cortex XSOAR CLI, run `/incident_add` and look for the key that you would like to update |
| customfields.additionalproperties | object | optional | Additional properties object |
| account | string | optional | Account |
| aggregatedreliability | string | optional | Aggregated reliability |
| cacheversn | number | optional | Cache version |
| calculatedtime | string | optional | Calculated time |
| comment | string | optional | Comment |
| comments | array | optional | Comments array |
| comments.cacheversn | number | optional | Parameter for Edit Indicator |
| comments.category | string | optional | Parameter for Edit Indicator |
| comments.content | string | optional | Response content |
| comments.created | string | optional | Parameter for Edit Indicator |
| comments.entryid | string | optional | Unique identifier |
| comments.highlight | object | optional | Highlight object |
| comments.highlight.additionalproperties | array | optional | Additional properties array |
| comments.id | string | optional | Unique identifier |
| comments.indexname | string | optional | Name of the resource |
| comments.modified | string | optional | Parameter for Edit Indicator |
| comments.numericid | number | optional | Unique identifier |
| comments.primaryterm | number | optional | Parameter for Edit Indicator |
| comments.sequencenumber | number | optional | Parameter for Edit Indicator |
| comments.sizeinbytes | number | optional | Parameter for Edit Indicator |
| comments.sortvalues | array | optional | Value for the parameter |
| comments.source | string | optional | Parameter for Edit Indicator |
| comments.synchash | string | optional | Parameter for Edit Indicator |

Input example:

```json
{
  "customfields": {"additionalproperties": {}},
  "account": "string", "aggregatedreliability": "string", "cacheversn": 123, "calculatedtime": "string",
  "comment": "string",
  "comments": [{"cacheversn": 123, "category": "string", "content": "string", "created": "2024-01-01T00:00:00Z",
                "entryid": "string", "highlight": {"additionalproperties": ["string"]},
                "id": "12345678-1234-1234-1234-123456789abc", "indexname": "example name", "modified": "string",
                "numericid": 123, "primaryterm": 123, "sequencenumber": 123, "sizeinbytes": 123,
                "sortvalues": ["string"], "source": "string", "synchash": "string", "type": "string",
                "user": "string", "version": 123}],
  "created": "2024-01-01T00:00:00Z", "deletedfeedfetchtime": "string", "expiration": "string",
  "expirationsource": {"brand": "string", "expirationinterval": 123, "expirationpolicy": "string",
                       "instance": "string", "moduleid": "string", "settime": "string", "source": "string",
                       "user": "string"},
  "expirationstatus": "active", "firstseen": "string", "firstseenentryid": "string",
  "highlight": {"additionalproperties": ["string"]},
  "id": "12345678-1234-1234-1234-123456789abc", "indexname": "example name", "indicator_type": "string",
  "insightcache": {"cacheversn": 123, "created": "2024-01-01T00:00:00Z",
                   "highlight": {"additionalproperties": ["string"]},
                   "id": "12345678-1234-1234-1234-123456789abc", "indexname": "example name",
                   "modified": "string", "numericid": 123, "primaryterm": 123,
                   "scores": {"additionalproperties": {"content": "string", "contentformat": "string",
                              "context": {}, "istypedindicator": true, "reliability": "string", "score": 123,
                              "scorechangetimestamp": "string", "timestamp": "2024-01-01T00:00:00Z",
                              "type": "string"}},
                   "sequencenumber": 123, "sizeinbytes": 123, "sortvalues": ["string"], "synchash": "string",
                   "version": 123},
  "investigationids": ["string"], "isdetectable": true, "ispreventable": true, "isshared": true,
  "lastreputationrun": "string", "lastseen": "string", "lastseenentryid": "string",
  "manualexpirationtime": "string", "manualscore": true, "manualsettime": "string",
  "manuallyeditedfields": ["string"], "modified": "string", "modifiedtime": "string",
  "moduletofeedmap": {"additionalproperties": {
    "expirationsource": {"brand": "string", "expirationinterval": 123, "expirationpolicy": "string",
                         "instance": "string", "moduleid": "string", "settime": "string", "source": "string",
                         "user": "string"},
    "bypassexclusionlist": true, "classifierid": "string", "classifierversion": 123,
    "comments": [{"content": "string", "created": "2024-01-01T00:00:00Z",
                  "id": "12345678-1234-1234-1234-123456789abc", "user": "string"}],
    "expirationinterval": 123, "expirationpolicy": "string", "fetchtime": "string",
    "fields": {"additionalproperties": {}}, "isenrichment": true, "mapperid": "string", "mapperversion": 123,
    "modifiedtime": "string", "moduleid": "string", "rawjson": {"additionalproperties": {}},
    "relationships": [{"brand": "string", "entitya": "string", "entityafamily": "string", "entityatype": "string",
                       "entityb": "string", "entitybfamily": "string", "entitybtype": "string", "fields": {},
                       "id": "12345678-1234-1234-1234-123456789abc", "instance": "string",
                       "name": "example name", "reliability": "string", "reversename": "example name",
                       "starttime": "string", "type": "string"}],
    "reliability": "string", "score": 123, "sourcebrand": "string", "sourceinstance": "string",
    "timestamp": "2024-01-01T00:00:00Z", "type": "string", "value": "string"}},
  "numericid": 123, "primaryterm": 123, "relatedinccount": 123, "score": 123, "sequencenumber": 123,
  "setby": "string", "sizeinbytes": 123, "sortvalues": ["string"], "source": "string",
  "sourcebrands": ["string"], "sourceinstances": ["string"], "synchash": "string",
  "timestamp": "2024-01-01T00:00:00Z", "value": "string", "version": 123
}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| customfields | object | Output field customfields |
| customfields.additionalproperties | object | Output field customfields.additionalproperties |
| account | string | Count value |
| aggregatedreliability | string | Output field aggregatedreliability |
| cacheversn | number | Output field cacheversn |
| calculatedtime | string | Time value |
| comment | string | Output field comment |
| comments | array | Output field comments |
| comments.cacheversn | number | Output field comments.cacheversn |
| comments.category | string | Output field comments.category |
| comments.content | string | Response content |
| comments.created | string | Output field comments.created |
| comments.entryid | string | Unique identifier |
| comments.highlight | object | Output field comments.highlight |
| comments.highlight.additionalproperties | array | Output field comments.highlight.additionalproperties |
| comments.id | string | Unique identifier |
| comments.indexname | string | Name of the resource |
| comments.modified | string | Output field comments.modified |
| comments.numericid | number | Unique identifier |
| comments.primaryterm | number | Output field comments.primaryterm |
| comments.sequencenumber | number | Output field comments.sequencenumber |
| comments.sizeinbytes | number | Output field comments.sizeinbytes |
| comments.sortvalues | array | Value for the parameter |

Output example (cut off in the source after `"creat`):

```json
{"customfields": {"additionalproperties": {}}, "account": "string", "aggregatedreliability": "string",
 "cacheversn": 123, "calculatedtime": "string", "comment": "string",
 "comments": [{"cacheversn": 123, "category": "string", "content": "string", "created": "2024-01-01T00:00:00Z",
               "entryid": "string", "highlight": {}, "id": "12345678-1234-1234-1234-123456789abc",
               "indexname": "example name", "modified": "string", "numericid": 123, "primaryterm": 123,
               "sequencenumber": 123, "sizeinbytes": 123, "sortvalues": [], "source": "string"}],
 "creat
```

### Search Incidents

Performs a comprehensive search for incidents in Palo Alto Networks Cortex XSOAR V6, allowing filtering by various criteria.

- Endpoint URL: `/incidents/search`
- Method: POST

Input:

| Argument name | Type | Required | Description |
|---|---|---|---|
| filter | object | optional | Parameter for Search Incidents |
| filter.parent | array | optional | Parameter for Search Incidents |
| filter.reason | array | optional | Response reason phrase |
| filter.notinvestigation | array | optional | Parameter for Search Incidents |
| filter.totalonly | boolean | optional | Parameter for Search Incidents |
| filter.type | array | optional | Type of the resource |
| filter.fromactivateddate | string | optional | Date value |
| filter.notcategory | array | optional | Parameter for Search Incidents |
| filter.fromdatelicense | string | optional | Parameter for Search Incidents |
| filter.andop | boolean | optional | Parameter for Search Incidents |
| filter.searchafterelastic | array | optional | Efficient next page: pass the max ES sort value from the previous page |
| filter.searchbefore | array | optional | Parameter for Search Incidents |
| filter.details | string | optional | Parameter for Search Incidents |
| filter.id | array | optional | Unique identifier |
| filter.toactivateddate | string | optional | Date value |
| filter.period | object | optional | Parameter for Search Incidents |
| filter.period.fromvalue | string | optional | Value for the parameter |
| filter.period.tovalue | string | optional | Value for the parameter |
| filter.period.byfrom | string | optional | Parameter for Search Incidents |
| filter.period.field | string | optional | Parameter for Search Incidents |
| filter.period.by | string | optional | By is used for legacy, and if it exists it will override byto and byfrom |
| filter.period.byto | string | optional | Parameter for Search Incidents |
| filter.searchaftermaporder | object | optional | Efficient next page: pass the max sort value from the previous page |
| filter.level | array | optional | Parameter for Search Incidents |
| filter.query | string | optional | Parameter for Search Incidents |

Input example:

```json
{
  "json_body": {
    "filter": {
      "parent": ["parent", "parent"], "reason": ["reason", "reason"],
      "notinvestigation": ["notinvestigation", "notinvestigation"], "totalonly": true, "type": ["type", "type"],
      "fromactivateddate": "2000-01-23T04:56:07.000+00:00", "notcategory": ["notcategory", "notcategory"],
      "fromdatelicense": "2000-01-23T04:56:07.000+00:00", "andop": true,
      "searchafterelastic": ["searchafterelastic", "searchafterelastic"],
      "searchbefore": ["searchbefore", "searchbefore"], "details": "details", "id": ["id", "id"],
      "toactivateddate": "2000-01-23T04:56:07.000+00:00",
      "period": {"fromvalue": "fromvalue", "tovalue": "tovalue", "byfrom": "byfrom", "field": "field",
                 "by": "by", "byto": "byto"},
      "searchaftermaporder": {}, "level": [4, 4], "query": "query", "notstatus": [2, 2],
      "sort": [{"asc": true, "field": "field", "fieldtype": "fieldtype"}], "users": ["users", "users"],
      "fromdate": "2000-01-23T04:56:07.000+00:00", "size": 1, "fromreminder": "2000-01-23T04:56:07.000+00:00",
      "name": ["name", "name"], "files": ["files", "files"], "searchafter": ["searchafter", "searchafter"],
      "fromcloseddate": "2000-01-23T04:56:07.000+00:00", "page": 0, "fields": ["fields", "fields"],
      "cache": {}, "status": [2, 2], "ignoreworkers": true, "filterobjectquery": "filterobjectquery",
      "urls": ["urls", "urls"], "systems": ["systems", "systems"], "includetmp": true,
      "tocloseddate": "2000-01-23T04:56:07.000+00:00",
      "searchaftermap": {"key": ["searchaftermap", "searchaftermap"]},
      "toduedate": "2000-01-23T04:56:07.000+00:00", "fromduedate": "2000-01-23T04:56:07.000+00:00",
      "searchbeforeelastic": ["searchbeforeelastic", "searchbeforeelastic"],
      "todate": "2000-01-23T04:56:07.000+00:00", "trim_events": 5,
      "toreminder": "2000-01-23T04:56:07.000+00:00", "timeframe": 5,
      "investigation": ["investigation", "investigation"], "accounts": {}, "category": ["category", "category"]
    },
    "userfilter": true
  }
}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | array | Response data |
| data.account | string | Response data |
| data.activated | string | Response data |
| data.activatinginguserid | string | Response data |
| data.allread | boolean | Response data |
| data.allreadwrite | boolean | Response data |
| data.autime | number | Response data |
| data.cacheversn | number | Response data |
| data.category | string | Response data |
| data.closenotes | string | Response data |
| data.closereason | string | Response data |
| data.closed | string | Response data |
| data.closinguserid | string | Response data |
| data.created | string | Response data |
| data.dbotcreatedby | string | Response data |
| data.dbotmirrordirection | string | Response data |
| data.dbotmirrorid | string | Response data |
| data.dbotmirrorinstance | string | Response data |
| total | number | Output field total |

Output example:

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"data": [{}], "total": 0}}
```

### Search Indicators

Performs a search for indicators within Palo Alto Networks Cortex XSOAR V6 using specified filters.

- Endpoint URL: `indicators/search`
- Method: POST

Input:

| Argument name | Type | Required | Description |
|---|---|---|---|
| cache | object | optional | Cache of join functions |
| cache.additionalproperties | array | optional | Parameter for Search Indicators |
| accounts | object | optional | Accounts to search for |
| accounts.additionalproperties | object | optional | Parameter for Search Indicators |
| earlytimeinpage | string | optional | Early time in page |
| fields | array | optional | Fields to search for |
| filterobjectquery | string | optional | Filter object query |
| firstseen | object | optional | Date range filter; provides common fields for date filtering |
| firstseen.fromdate | string | optional | Start date for the date range filter |
| firstseen.fromdatelicense | string | optional | Start date for the date range filter |
| firstseen.period | object | optional | Period for the date range filter |
| firstseen.period.by | string | optional | By is used for legacy, and if it exists it will override byto and byfrom |
| firstseen.period.byfrom | string | optional | Start date for the date range filter |
| firstseen.period.byto | string | optional | End date for the date range filter |
| firstseen.period.field | string | optional | Field to filter on |
firstseen period fromvalue string optional from value for the date range filter firstseen period tovalue string optional to value for the date range filter firstseen timeframe number optional a duration represents the elapsed time between two instants as an int64 nanosecond count the representation limits the largest representable duration to approximately 290 years firstseen todate string optional end date for the date range filter fromdate string optional start date for the date range filter fromdatelicense string optional start date for the date range filter ignoreworkers boolean optional do not use workers mechanism while searching bleve lastseen object optional date range filter provides common fields for date filtering lastseen fromdate string optional start date for the date range filter lastseen fromdatelicense string optional start date for the date range filter input example {"cache" {"additionalproperties" \["string"]},"accounts" {"additionalproperties" {}},"earlytimeinpage" "string","fields" \["string"],"filterobjectquery" "string","firstseen" {"fromdate" "string","fromdatelicense" "string","period" {"by" "string","byfrom" "string","byto" "string","field" "string","fromvalue" "string","tovalue" "string"},"timeframe" 123,"todate" "string"},"fromdate" "string","fromdatelicense" "string","ignoreworkers"\ true,"lastseen" {"fromdate" "string","fromdatelicense" "string","period" {"by" "string","byfrom" "string","byto" "string","field" "string","fromvalue" "string","tovalue" "string"},"timeframe" 123,"todate" "string"},"latertimeinpage" "string","page" 123,"period" {"by" "string","byfrom" "string","byto" "string","field" "string","fromvalue" "string","tovalue" "string"},"prevpage"\ true,"query" "string","searchafter" \["string"],"searchafterelastic" \["string"],"searchaftermap" {"additionalproperties" \["string"]},"searchaftermaporder" {"additionalproperties" 123},"searchbefore" \["string"],"searchbeforeelastic" \["string"],"size" 123,"sort" \[{"asc"\ 
true,"field" "string","fieldtype" "string"}],"timeframe" 123,"todate" "string","trim events" 123} output parameter type description status code number http status code of the response reason string response reason phrase accounterrors array error message if any iocobjects array output field iocobjects iocobjects customfields object output field iocobjects customfields iocobjects customfields additionalproperties object output field iocobjects customfields additionalproperties iocobjects account string count value iocobjects aggregatedreliability string output field iocobjects aggregatedreliability iocobjects cacheversn number output field iocobjects cacheversn iocobjects calculatedtime string time value iocobjects comment string output field iocobjects comment iocobjects comments array output field iocobjects comments iocobjects comments cacheversn number output field iocobjects comments cacheversn iocobjects comments category string output field iocobjects comments category iocobjects comments content string response content iocobjects comments created string output field iocobjects comments created iocobjects comments entryid string unique identifier iocobjects comments highlight object output field iocobjects comments highlight iocobjects comments highlight additionalproperties array output field iocobjects comments highlight additionalproperties iocobjects comments id string unique identifier iocobjects comments indexname string name of the resource iocobjects comments modified string output field iocobjects comments modified iocobjects comments numericid number unique identifier iocobjects comments primaryterm number output field iocobjects comments primaryterm iocobjects comments sequencenumber number output field iocobjects comments sequencenumber output example {"accounterrors" \["string"],"iocobjects" \[{"customfields" {},"account" "string","aggregatedreliability" "string","cacheversn" 123,"calculatedtime" "string","comment" "string","comments" 
\[],"created" "2024 01 01t00 00 00z","deletedfeedfetchtime" "string","expiration" "string","expirationsource" {},"expirationstatus" "active","firstseen" "string","firstseenentryid" "string","highlight" {}}],"total" 123,"totalaccounts" 123} whitelists or deletes indicator whitelists or deletes an indicator in cortex xsoar v6 to delete without whitelisting, set the donotwhitelist field to true endpoint url /indicator/whitelist method post input argument name type required description investigationid string optional the investigation id donotwhitelist boolean optional do not whitelist the indicator entryid string optional the entry id manualscore boolean optional manual score the indicator reason string optional the reason for the whitelist or delete reputation number optional the reputation of the indicator reputations array optional the reputations of the indicator value string optional the value of the indicator input example {"json body" {"investigationid" "example","donotwhitelist"\ false,"entryid" "example","manualscore"\ false,"reason" "example","reputation" 0,"reputations" \["example"],"value" "example"}} output parameter type description status code number http status code of the response reason string response reason phrase notupdated number output field notupdated updatedids array unique identifier uppdated number output field uppdated output example {"status code" 200,"response headers" {},"reason" "ok","json body" {"notupdated" 0,"updatedids" \["example"],"uppdated" 0}} response headers header description example content type the media type of the resource application/json date the date and time at which the message was originated thu, 01 jan 2024 00 00 00 gmt
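The two actions above (indicator search and whitelist/delete) are thin wrappers over XSOAR's REST endpoints, and the one thing the reference does not spell out is how a caller walks a large result set: `size` and `page` select a window and `total` reports how many indicators match overall. The script below is an added example, not code from Swimlane or Palo Alto Networks. It pages through `indicators/search`, stops on `accountErrors`, and builds a `doNotWhitelist` body for `/indicator/whitelist`. It assumes (not stated on this page) that XSOAR v6 accepts the API key in an `Authorization` header, and the transport is injected so the paging logic runs offline against a constructed fake server; the indicator values it serves are made up.

```python
"""Page through Cortex XSOAR v6 indicators/search and build whitelist bodies.

Added example for this connector reference; not the connector's own code.
"""
import json
import urllib.request
from typing import Any, Callable, Dict, Iterator, List

# Assumption: XSOAR v6 reads the API key from the Authorization header.
def auth_headers(api_key: str) -> Dict[str, str]:
    return {
        "Authorization": api_key,
        "Content-Type": "application/json",
        "Accept": "application/json",
    }

# A poster takes (endpoint path, JSON body) and returns the decoded JSON body.
Poster = Callable[[str, Dict[str, Any]], Dict[str, Any]]

def http_poster(base_url: str, api_key: str) -> Poster:
    """Real transport over urllib; only used when a live instance is available."""
    def post(path: str, body: Dict[str, Any]) -> Dict[str, Any]:
        url = base_url.rstrip("/") + "/" + path.lstrip("/")
        req = urllib.request.Request(
            url, data=json.dumps(body).encode("utf-8"),
            headers=auth_headers(api_key), method="POST")
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.loads(resp.read().decode("utf-8"))
    return post

def search_body(query: str, first_seen_from: str, size: int, page: int) -> Dict[str, Any]:
    """Request body using the documented firstSeen.fromDate / size / page fields."""
    return {
        "query": query,
        "firstSeen": {"fromDate": first_seen_from},
        "size": size,
        "page": page,
    }

def iter_indicators(post: Poster, query: str, first_seen_from: str,
                    size: int = 100) -> Iterator[Dict[str, Any]]:
    """Yield every iocObject matching the query, advancing page until total is reached."""
    page, seen = 0, 0
    while True:
        resp = post("indicators/search", search_body(query, first_seen_from, size, page))
        if resp.get("accountErrors"):
            raise RuntimeError("indicator search failed: %s" % resp["accountErrors"])
        objs: List[Dict[str, Any]] = resp.get("iocObjects") or []
        for obj in objs:
            yield obj
        seen += len(objs)
        total = int(resp.get("total", 0))
        # Stop on an empty page as well, so a server that under-reports total cannot loop forever.
        if not objs or seen >= total:
            return
        page += 1

def whitelist_body(value: str, reason: str, delete_only: bool) -> Dict[str, Any]:
    """Body for /indicator/whitelist; delete_only=True maps to doNotWhitelist=true."""
    return {"value": value, "reason": reason, "doNotWhitelist": delete_only}

def summarize_whitelist(resp: Dict[str, Any]) -> Dict[str, int]:
    """Reduce the documented notUpdated / updatedIds fields to a small audit record."""
    return {
        "updated": len(resp.get("updatedIds") or []),
        "not_updated": int(resp.get("notUpdated", 0)),
    }

# Constructed fake server: three made-up IP indicators served in pages of `size`.
_FAKE_IOCS = [
    {"value": "198.51.100.%d" % i, "indicator_type": "IP", "score": 3} for i in range(3)
]

def fake_post(path: str, body: Dict[str, Any]) -> Dict[str, Any]:
    assert path == "indicators/search"
    start = body["page"] * body["size"]
    return {
        "accountErrors": [],
        "iocObjects": _FAKE_IOCS[start:start + body["size"]],
        "total": len(_FAKE_IOCS),
        "totalAccounts": 1,
    }

def demo() -> List[str]:
    """Walk the fake server two indicators per page and collect the values."""
    return [ioc["value"] for ioc in
            iter_indicators(fake_post, "type:IP", "2024-01-01T00:00:00Z", size=2)]

if __name__ == "__main__":
    print(demo())
    print(whitelist_body("198.51.100.1", "false positive", delete_only=True))
```

Against a live instance, replace `fake_post` with `http_poster("https://xsoar.example/", api_key)`; the paging loop is unchanged. Stopping on an empty page in addition to `seen >= total` keeps the client from spinning if a search's `total` changes while it is being paged.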
