Palo Alto Cortex XSOAR
App Vendor: Palo Alto Cortex XSOAR
App Category: Case/Ticket Management
Connector Version: 1.0.2
API Version: 1.0.0
About App
Cortex XSOAR is a comprehensive security orchestration, automation, and response (SOAR) platform that unifies case management, automation, real-time collaboration, and threat intelligence management to serve security teams across the incident lifecycle. Cortex XSOAR ingests aggregated alerts and indicators of compromise (IOCs) from detection sources such as security information and event management (SIEM) solutions, network security tools, threat intelligence feeds, and mailboxes before executing automatable, process-driven playbooks to enrich and respond to these incidents.
The Palo Alto Cortex XSOAR app is configured with the Orchestrate application to perform the following actions:
Action Name | Description |
---|---|
Close an Incident | This action closes an incident in the Cortex XSOAR application. |
Create an Incident | This action creates an incident in the Cortex XSOAR application. |
Create an Indicator | This action creates an indicator in the Cortex XSOAR application. |
Get Reports | This action retrieves all reports from the Cortex XSOAR application. |
Search Incident | This action searches for an incident in the Cortex XSOAR application. |
Search Indicators | This action searches for indicators in the Cortex XSOAR application. |
Replace an Incident | This action replaces an incident in the Cortex XSOAR application. |
Update Incident details | This action updates the details of an incident on the Cortex XSOAR application. |
Configuration Parameters
The following configuration parameters are required for the Palo Alto Cortex XSOAR app to communicate with the Palo Alto Cortex XSOAR enterprise application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Base URL | Enter the base URL for Cortex XSOAR. Example: "https://<host>/<port>" | Text | Required | |
API Key | Enter the API key for your Palo Alto application. Example: "1MXXXXv2xxXXXXm5" | Password | Required | |
TLS verification | Choose whether to verify the Cortex XSOAR server's TLS certificate or skip verification. Skipping verification removes server authentication, so the API key can be sent to an impersonating host; keep it enabled outside isolated test setups. | Boolean | Optional | Allowed values: ; Default value: |
Action: Close an Incident
This action closes an incident in the Cortex XSOAR application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Incident ID | Enter the incident ID. Example: "1030458" | Text | Required | |
Close reason | Enter the reason for closing the incident. Example: "resolved" | Text | Required | Allowed values: |
Close notes | Enter the closing notes for the incident. Example: "Incident resolved and closed" | Text | Required | |
Action: Create an Incident
This action creates an incident in the Cortex XSOAR application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Incident name | Enter the incident name. Example: "Phishing Incident" | Text | Required | |
Incident details/description | Enter the incident details or incident description. Example: "Sample Incident Description" | Text | Optional | |
Incident occurrence time | Enter the incident occurrence date and time in ISO 8601 format. Example: "2020-05-28t10:20:06.597597711z" | Text | Optional | |
Incident owner | Enter the incident owner. Example: "Admin" | Text | Optional | |
Incident phase | Enter the phase for the incident. Example: "triage" | Text | Optional | Allowed values: |
Playbook name | Enter the playbook name. Example: "Phishing Email Playbook" | Text | Optional | |
Role | Enter the assigned role. Example: "Analyst" | Text | Optional | |
Severity | Enter the severity level for the incident. | Float | Optional | Allowed values: |
Incident type | Enter the incident type. Example: "Unclassified" | Text | Optional | |
Custom fields | Enter any custom fields as required. Example: "userID": "2354789" | Key Value | Optional | |
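The following is an added example, not the connector's code or the Cortex XSOAR API: it maps the inputs from the table above onto a request body, validating the occurrence time (including the table's lowercase, nanosecond-precision example, which Python's datetime cannot parse directly) and refusing custom fields that would silently overwrite a standard one. The request-body keys and function names are assumptions.

```python
import re
from datetime import datetime, timezone

# Added example, not the connector's or the Cortex XSOAR API's own code: the
# request-body keys and function names are assumptions; the parameter labels
# come from the action's input table.
_ISO_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2})[tT](\d{2}:\d{2}:\d{2})(\.\d+)?([zZ]|[+-]\d{2}:\d{2})$"
)

def normalize_occurred(value: str) -> str:
    """Validate the occurrence time (ISO 8601, e.g. the table's
    "2020-05-28t10:20:06.597597711z") and return it as canonical UTC.
    Fractions beyond microseconds are truncated: datetime has no nanoseconds."""
    m = _ISO_RE.match(value.strip())
    if not m:
        raise ValueError(f"occurrence time is not ISO 8601: {value!r}")
    date, clock, frac, tz = m.groups()
    frac = (frac or ".0")[:7].ljust(7, "0")  # ".597597711" -> ".597597"
    tz = "+00:00" if tz.lower() == "z" else tz
    dt = datetime.fromisoformat(f"{date}T{clock}{frac}{tz}")
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")

_OPTIONAL = {  # action parameter label -> assumed request-body key
    "Incident details/description": "details", "Incident owner": "owner",
    "Incident phase": "phase", "Playbook name": "playbook",
    "Role": "role", "Incident type": "type",
}

def build_create_incident_payload(params: dict) -> dict:
    """Map the 'Create an Incident' inputs onto a request body, sending only
    the optional fields that were supplied."""
    name = (params.get("Incident name") or "").strip()
    if not name:
        raise ValueError("Incident name is required")
    body = {"name": name}
    for label, key in _OPTIONAL.items():
        if params.get(label):
            body[key] = params[label]
    if params.get("Incident occurrence time"):
        body["occurred"] = normalize_occurred(params["Incident occurrence time"])
    if params.get("Severity") not in (None, ""):
        body["severity"] = float(params["Severity"])
    custom = params.get("Custom fields") or {}
    clash = set(custom) & set(body)  # refuse custom keys that shadow standard ones
    if clash:
        raise ValueError(f"custom fields shadow standard fields: {sorted(clash)}")
    body.update(custom)
    return body
```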
Action: Create an Indicator
This action creates an indicator in the Cortex XSOAR application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Indicator value | Enter the indicator value. Example: "1.1.1.1" | Text | Required | |
Indicator type | Enter the indicator type. Example: "url" | Text | Required | Allowed values: |
Indicator score | Enter the indicator score. Example: "1" | Integer | Optional | Allowed values: |
Incident IDs | Enter, as a list, the incident IDs to update with this indicator. Example: {"1", "2", "3"} | Any | Optional | |
Comment | Enter the indicator comment. Example: "Malicious Indicator" | Text | Optional | |
Action: Get Reports
This action retrieves all reports from the Cortex XSOAR application.
Action Input Parameters
This action does not require any input parameter.
Action: Search Incident
This action searches for an incident in the Cortex XSOAR application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Page number | Enter the page number for the paginated response. Example: "10" | Integer | Required | |
Page size | Enter the page size for the paginated response. Example: "6" | Integer | Required | |
Query | Enter the query to search for the incident. Example: {"status": "closed", "category": "job"}. | Text | Required | |
Period by | Enter the unit of the time period over which to search for incidents. | Text | Required | Allowed values: days, months, years |
Period from | Enter the length of the time period, in the unit chosen under Period by, over which to search for incidents. Example: "7" | Integer | Required | |
Action: Search Indicators
This action searches for indicators in the Cortex XSOAR application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Page number | Enter the page number for the paginated response. Example: "10" | Integer | Required | |
Page size | Enter the page size for the paginated response. Example: "10" | Integer | Required | |
Search query | Enter the query to search for the indicator. Example: {"name": "malware infection"} | Text | Required | |
Action: Replace an Incident
This action replaces an incident in the Cortex XSOAR application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Incident ID | Enter the incident ID to replace. | Text | Required | |
Fields to update | Enter the fields to update in the replaced incident in the form of key-value pairs. Example: {"name": "insider threat"}. | Key Value | Optional | |
Custom fields | Enter any custom fields to update. | Key Value | Optional | |
Action: Update Incident details
This action updates the details of an incident on the Cortex XSOAR application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Incident ID | Enter the incident ID to update the details. | Text | Required | |
Incident details | Enter the incident details to update. Example: "Incident Name" | Text | Required | |