Palo Alto Cortex XSOAR 2.0.0
App Vendor: Palo Alto
App Category: Case/Ticket Management
Connector Version: 2.0.0
API Version: 1.0.0
Note
After upgrading to a major version, reconfigure the app instance to ensure existing playbooks continue to work.
About App
The Palo Alto Cortex XSOAR app helps security teams manage security incidents by centralizing incident information and response workflows, enabling more efficient investigation and coordination across security operations.
The Palo Alto Cortex XSOAR app is configured with Cyware Orchestrate to perform the following actions:
| Action Name | Description |
|---|---|
| Close Incident | This action closes a specified incident. |
| Create Incident | This action creates an incident in Cortex XSOAR. |
| Create Indicator | This action creates an indicator in Cortex XSOAR. |
| Generic Action | This is a generic action used to make requests to any Palo Alto Cortex XSOAR endpoint. |
| Get All Reports | This action retrieves all reports available in Cortex XSOAR. |
| Search Incidents | This action retrieves incidents from Cortex XSOAR based on the specified search filters. |
| Search Indicators | This action retrieves a list of indicators based on the specified filter criteria. |
| Update Incident | This action updates the details of an existing incident in Cortex XSOAR. |
Configuration Parameters
The following configuration parameters are required for the Palo Alto Cortex XSOAR app to communicate with the Palo Alto Cortex XSOAR enterprise application. The parameters can be configured by creating instances in the app.
| Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
| Base URL | Enter the base URL to access Palo Alto Cortex XSOAR. Example: https://api-yourfqdn | Text | Required | |
| API Key | Enter the API key used to authenticate API requests with the Palo Alto Cortex XSOAR instance. | Password | Required | |
| API Key ID | Enter the API key ID associated with the API key. | Password | Required | |
| Timeout | Enter the timeout value in seconds. This is the number of seconds that requests will wait to establish a connection with the Palo Alto Cortex XSOAR instance. | Integer | Optional | Allowed range: 15-120 seconds. Default timeout: 15 seconds. |
| Verify | Choose whether to verify the SSL/TLS certificate when making requests. It is recommended to set this option to true. Setting it to false may result in connection errors. | Boolean | Optional | Allowed values: true and false. By default, verification is enabled. |
Action: Close Incident
This action closes a specified incident.
Action Input Parameters
| Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
| Incident ID | Enter the incident ID to identify the specific incident to close. Example: 157447 | Text | Required | |
| Close Notes | Enter the close notes to provide a summary or reason for closing the incident. Example: incident closed after resolution | Text | Required | |
| Custom Fields | Enter the custom fields as key-value pairs to update additional incident data while closing the incident. Keys must be the field's display name in lowercase without spaces. Example: {"scanip": "1.1.1.1"} | Key Value | Optional | |
Example Request
```json
[
  {
    "close_notes": "Closed Using playbooks",
    "incident_id": "20",
    "custom_fields": {}
  }
]
```

Action: Create Incident
This action creates an incident in Cortex XSOAR.
Action Input Parameters
| Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
| Incident Name | Enter the name to set the unique title for the incident. Example: suspicious login activity detected | Text | Required | |
| Details | Enter the details to provide additional context for investigation and analysis. Example: multiple failed login attempts were detected from an unknown ip address. | Text | Optional | |
| Playbook ID | Enter the playbook ID to associate a specific automation workflow with this incident. Example: playbook0 | Text | Optional | |
| Severity | Enter the severity level to define the impact of the incident. Example: 3 | Float | Optional | Allowed values: range from 0 to 4, where 0 is informational, 1 is low, 2 is medium, 3 is high, and 4 is critical. |
| Incident Type | Enter the incident type to categorize the incident. Example: unclassified | Text | Optional | |
| Create Investigation | Choose true to start the investigation process automatically upon creating the new incident. This will also run the appropriate playbook based on the incident type. | Boolean | Optional | |
| Custom Fields | Enter the custom fields to include additional incident data during creation. Keys must be the field's display name in lowercase without spaces. Example: {"scanip": "1.1.1.1"} | Key Value | Optional | |
| Extra Fields | Enter the extra fields to include additional data associated with the incident. Example: {"closed": "2024-01-01t00:00:00z"} | Key Value | Optional | Allowed keys: label, rawjson, closeNotes, modified, reason, and closeReason. |
Example Request
```json
[
  {
    "extra_fields": {},
    "custom_fields": {},
    "incident_name": "Incident using playbooks",
    "create_investigation": false
  }
]
```

Action: Create Indicator
This action creates an indicator in Cortex XSOAR.
Action Input Parameters
| Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
| Indicator Value | Enter the indicator that you want to create in Cortex XSOAR. | Text | Required | |
| Indicator Type | Enter the indicator type to categorize the value. | Text | Required | Allowed types: url, ip, domain, email, md5, sha-1, sha256, and more. For more information, see Indicator Fields. |
| Indicator Score | Enter the indicator score between 0 and 3, where 0 means none, 1 is good, 2 is suspicious, and 3 is bad. | Integer | Optional | |
| Incident IDs | Enter the IDs of the incidents to associate with the indicator, as a list. | List | Optional | |
| Comment | Enter any comment associated with the indicator. | Text | Optional | |
Example Request
```json
[
  {
    "score": "1",
    "comment": "Test Using Playbooks",
    "indicator": "1.1.1.1",
    "incident_ids": [
      "19"
    ],
    "indicator_type": "IP"
  }
]
```

Action: Get All Reports
This action retrieves all reports available in Cortex XSOAR.
Action Input Parameters
No input parameters are required for this action.
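As an added example (not Cyware's or Palo Alto's own code), the following Python builds and validates request bodies for the Close Incident, Create Incident and Create Indicator actions described above, applying the rules from their parameter tables: custom-field keys as the display name in lowercase without spaces, only the listed extra_fields keys, and an indicator score of 0 to 3. Key names and value types follow the Example Request blocks; the function names are assumptions.

```python
"""Request-body builders for the Close Incident, Create Incident and Create
Indicator actions documented above. Added example, not Cyware's or Palo Alto's
code; key names, value types and limits come from this page's tables and
Example Request blocks."""
import re

# Allowed extra_fields keys for Create Incident, from its Comments column.
CREATE_INCIDENT_EXTRA_KEYS = {"label", "rawjson", "closeNotes", "modified", "reason", "closeReason"}
INDICATOR_SCORES = {0: "none", 1: "good", 2: "suspicious", 3: "bad"}  # Create Indicator scale

def custom_field_key(display_name):
    """Custom-field keys are the field's display name in lowercase without spaces."""
    return re.sub(r"\s+", "", display_name).lower()

def _custom_fields(fields):
    return {custom_field_key(k): v for k, v in (fields or {}).items()}

def build_close_incident(incident_id, close_notes, custom_fields=None):
    """Close Incident: both incident_id and close_notes are required."""
    if not incident_id or not close_notes:
        raise ValueError("incident_id and close_notes are required")
    return [{"close_notes": close_notes, "incident_id": str(incident_id),
             "custom_fields": _custom_fields(custom_fields)}]

def build_create_incident(incident_name, create_investigation=False,
                          custom_fields=None, extra_fields=None):
    """Create Incident: reject extra_fields keys the page does not list."""
    if not incident_name:
        raise ValueError("incident_name is required")
    extra = dict(extra_fields or {})
    bad = set(extra) - CREATE_INCIDENT_EXTRA_KEYS
    if bad:
        raise ValueError(f"extra_fields keys not allowed: {sorted(bad)}")
    return [{"extra_fields": extra, "custom_fields": _custom_fields(custom_fields),
             "incident_name": incident_name, "create_investigation": bool(create_investigation)}]

def build_create_indicator(indicator, indicator_type, score=None, comment=None, incident_ids=()):
    """Create Indicator: score must be 0-3; the example sends it as a string."""
    if not indicator or not indicator_type:
        raise ValueError("indicator and indicator_type are required")
    body = {"indicator": indicator, "indicator_type": indicator_type,
            "incident_ids": [str(i) for i in incident_ids]}
    if score is not None:
        if score not in INDICATOR_SCORES:
            raise ValueError("score must be 0-3")
        body["score"] = str(score)
    if comment:
        body["comment"] = comment
    return [body]
```

Each builder returns the single-element list shown in the page's Example Request blocks, so its output can be passed to the corresponding action unchanged.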
Action: Search Incidents
This action retrieves incidents from Cortex XSOAR based on the specified search filters.
Action Input Parameters
| Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
| Page Number | Enter the page number for a paginated response. Example: 10 | Integer | Optional | |
| Page Size | Enter the page size for a paginated response. Example: 1000 | Integer | Optional | Allowed values: 1 to 10000. Default value: 25. |
| Query | Enter the query to search for incidents. Example: id: 2 | Text | Optional | Note that if a query is provided, other filter fields will be ignored unless included within this string. |
| Period By | Enter the unit of the time period over which you want to search for incidents. | Text | Optional | Allowed values: days, months, years |
| Period From | Enter how far back, in the unit selected for Period By, to search for incidents. Example: 7 | Integer | Optional | |
| Extra Fields | Enter the extra fields to filter results. | Key Value | Optional | Allowed keys: category, details, files, fromDate, id, investigation, level, name, notInvestigation, reason, status, sort, timeFrame, toDate, type, and urls. |
Example Request
```json
[
  {
    "extra_fields": {
      "type": [
        "Unclassified"
      ]
    }
  }
]
```

Action: Search Indicators
This action retrieves a list of indicators based on the specified filter criteria.
Action Input Parameters
| Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
| Page Size | Enter the number of indicators to return on each page. Example: 1000 | Integer | Optional | Allowed values: 1 to 10000. Default value: 100. |
| Query | Enter the query to filter and search indicators based on attributes. Example: severity:high | Text | Required | |
| Extra Fields | Enter the extra fields to filter results. | Key Value | Optional | Allowed keys: filterobjectquery, firstSeen, fromDate, lastSeen, period, sort, timeFrame, and toDate. |
Example Request
```json
[
  {
    "size": "10",
    "search_query": "*"
  }
]
```

Action: Update Incident
This action updates the details of an existing incident in Cortex XSOAR.
Action Input Parameters
| Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
| Incident ID | Enter the incident ID to identify the specific record to be updated. Example: 178791 | Text | Required | |
| Incident Details | Enter the incident details that you want to update. Example: name | Text | Required | |
| Custom Fields | Enter the custom fields as key-value pairs to update additional incident data. Keys must be the field's display name in lowercase without spaces. Example: {"scanip": "1.1.1.1"} | Key Value | Optional | |
| Extra Fields | Enter additional incident fields that you want to update in key-value format. | Key Value | Optional | Allowed keys: labels, reason, severity, closeNotes, closeReason, closed, createInvestigation, modified, name, playbookId, and rawJSON. |
Example Request
```json
[
  {
    "inc_id": "20",
    "inc_details": "Updated using playbooks",
    "extra_fields": {},
    "custom_fields": {}
  }
]
```

Action: Generic Action
This is a generic action used to make requests to any Palo Alto Cortex XSOAR endpoint.
Action Input Parameters
| Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
| Method | Enter the HTTP method to make the request. | Text | Required | Allowed values: GET, PUT, POST, and DELETE |
| Endpoint | Enter the endpoint to make the request to. Example: xsoar/public/v1/contentpacks/metadata/installed | Text | Required | |
| Query Params | Enter the query parameters to pass to the API. | Key Value | Optional | |
| Payload | Enter the payload to pass to the API. | Any | Optional | |
| Extra Fields | Enter the extra fields to pass to the API. | Key Value | Optional | Allowed keys: payload_json, headers, download, files, filename, retry_wait, retry_count, custom_output, and response_type |
Example Request
```json
[
  {
    "method": "GET",
    "endpoint": "xsoar/public/v1/contentpacks/metadata/installed",
    "extra_fields": {},
    "query_params": {}
  }
]
```

Changelogs
The following table shows the changelog for each app version:
| Version | Changes |
|---|---|
| v2.0.0 | |