Palo Alto Cortex XDR
App Vendor: Palo Alto
App Category: Endpoint
Connector Version: 1.2.0
API Version: 6.6
About App
Cortex XDR integrates endpoint, network, and cloud data for detection and response to stop sophisticated attacks.
The Palo Alto Cortex XDR connector app is configured with the CSOL application to perform the following actions:
Action Name | Description |
---|---|
List All Incidents | This action retrieves the list of all incidents. |
Get Incidents | This action retrieves incidents filtered by a list of incident IDs, modification time, or creation time. |
List All Alerts | This action retrieves a list of all the alerts. |
Get Alerts | This action retrieves a list of alerts with multiple events. |
List All Endpoints | This action retrieves a list of host endpoints. |
Get Filtered Endpoints | This action retrieves endpoints filtered by the specified fields. |
Isolate Endpoints | This action isolates more than one endpoint. |
Unisolate Endpoint | This action removes an endpoint from isolation. |
Quarantine Files | This action quarantines files on selected endpoints. You can select up to 1000 endpoints. |
Restore Files | This action restores a quarantined file on requested endpoints. |
Upload Indicators in CSV Format | This action uploads a list of indicators in a CSV format. |
Upload Indicators in JSON Format | This action uploads indicators in a JSON format. You can also upload as an array of JSON objects. |
Generic Action | This is a generic action that performs any additional use case that you want on Cortex XDR. |
Start a XQL Query | This action starts a new XQL query. |
Get XQL Query Result Stream | This action retrieves XQL query results with more than 1000 results. |
Get XQL Query Result | This action retrieves the results of an executed XQL query. |
Get Extra Incident Data | This action retrieves extra data fields of a specific incident including alerts and key artifacts. |
Configuration Parameters
The following configuration parameters are required for the Palo Alto Cortex XDR connector app to communicate with the Palo Alto Cortex XDR enterprise application. The parameters can be configured by creating instances in the connector app.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Base URL | Enter the base URL. Example: "https://api-{fqdn}.xdr.in.paloaltonetworks.com" | Text | Required | |
API Key | Enter the API key. | Password | Required | |
API ID Key | Enter the API key ID. The key ID is your unique token to authenticate the API endpoint. | Text | Required | |
Verify | Enter your preference to either verify or skip the TLS certificate verification. Example: Yes/No | Boolean | Optional | Allowed values: Default value: |
Timeout | Enter the timeout value in seconds. | Integer | Optional | Allowed values: 15-120 secs. Default value: 15 secs |
Action: List All Incidents
This action retrieves the list of all incidents.
Action Input Parameters
This action does not require any input parameter.
Action: Get Incidents
This action retrieves incidents filtered by a list of incident IDs, modification time, or creation time.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Incident list | Enter the list of incident IDs. Example: $LIST[Incident ID1, Incident ID2, Incident ID3] | List | Required | |
Search from | Enter the search from integer representing the starting offset within the query result set. Example: 3 | Integer | Optional | Default value: |
Search to | Enter the search to integer representing the end offset within the result set. Example: 90 | Integer | Optional | Default value: |
Sort field | Enter the field to sort by. Example: "modification_time" | Text | Optional | Allowed values: Default value: |
Sort order | Enter the sort order. Example: "desc" | Text | Optional | Allowed values: Default value: |
Example Request
```json
{
  "incident_list": ["incident ID1", "incident ID2"],
  "search_from": 3,
  "search_to": 90,
  "sort_field": "modification_time",
  "sort_order": "desc"
}
```
Action: List All Alerts
This action retrieves a list of all the alerts.
Action Input Parameters
This action does not require any input parameter.
Action: Get Alerts
This action retrieves a list of alerts with multiple events.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Filter field | Enter the field to filter with. Example: "alert_id_list" | Text | Required | Allowed values: |
Value list | Enter the list of values associated with the selected filter field. An example of the "severity" filter field and its associated values is shown below. Example: $LIST["low", "medium", "high"] | List | Required | |
Search from | Enter the search from integer representing the starting offset within the query result set. Example: 4 | Integer | Optional | Default value: |
Search to | Enter the search to integer representing the end offset within the result set. Example: 80 | Integer | Optional | Default value: |
Sort field | Enter the field to sort by. Example: "modification_time" | Text | Optional | Allowed values: Default value: |
Sort order | Enter the sort order. Example: "asc" | Text | Optional | Allowed values: Default value: |
Example Request
```json
{
  "filter_field": "severity",
  "value_list": ["low", "medium", "high"],
  "search_from": 4,
  "search_to": 90,
  "sort_field": "modification_time",
  "sort_order": "asc"
}
```
Action: List All Endpoints
This action retrieves a list of host endpoints.
Action Input Parameters
This action does not require any input parameter.
Action: Get Filtered Endpoints
This action retrieves endpoints filtered by the specified fields.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Filter field | Enter the field to filter with. Example: "endpoint_id_list" | Text | Required | |
Value list | Enter the list of values associated with the filter field. Example: $LIST["endpoint1", "endpoint2"] | List | Required | |
Search from | Enter the search from integer representing the starting offset within the query result set. Example: 4 | Integer | Optional | Default value: |
Search to | Enter the search to integer representing the end offset within the result set. Example: 80 | Integer | Optional | Default value: |
Sort field | Enter the field to sort by. Example: "first_seen" | Text | Optional | Default value: |
Sort order | Enter the sort order. Example: "asc" | Text | Optional | Allowed values: Default value: |
Example Request
```json
{
  "filter_field": "endpoint_id_list",
  "value_list": ["endpoint1", "endpoint2"],
  "search_from": 4,
  "search_to": 80,
  "sort_field": "first_seen",
  "sort_order": "asc"
}
```
Action: Isolate Endpoints
This action isolates more than one endpoint.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Endpoint list | Enter the list of endpoint IDs. Example: $LIST["endpoint_id1", "endpoint_id2"] | Any | Required | |
Example Request
```json
{
  "endpoint_list": ["endpoint_id1", "endpoint_id2"]
}
```
Action: Unisolate Endpoint
This action removes an endpoint from isolation.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Endpoint ID | Enter the endpoint ID. Example: "sample_endpoint_ID" | Text | Required | |
Example Request
```json
{
  "endpoint_id": "sample_endpoint_ID"
}
```
Action: Quarantine Files
This action quarantines files on selected endpoints. You can select up to 1000 endpoints.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Endpoint list | Enter the list of endpoint IDs. Example: "sample_endpoint_ID" | Text | Required | |
File path | Enter the path of the file you want to quarantine. Example: "C:\\<file path>\\test_x64.msi" | Text | Required | |
File hash | Enter the file hash. The hash value must be a valid sha256. Example: "sample_sha256_hash" | Text | Required | |
Example Request:
```json
{
  "endpoint_list": ["endpoint_id1", "endpoint_id2"],
  "file_path": "C:\\<file path>\\test_x64.msi",
  "file_hash": "sample_sha256_hash"
}
```
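Added example, not the connector's or Cortex XDR's own code: a small input-validation layer that enforces the limits documented under Configuration Parameters (Timeout 15-120 secs, TLS verification) and Quarantine Files (up to 1000 endpoints, a valid sha256 hash) before a playbook step sends anything. The header names x-xdr-auth-id and Authorization, the function names and the sample values are assumptions.

```python
import re

# Constraints quoted from the connector documentation (constructed example):
# Timeout 15-120 secs, up to 1000 endpoints per Quarantine Files call,
# file hash must be a valid sha256.
TIMEOUT_MIN, TIMEOUT_MAX = 15, 120
MAX_QUARANTINE_ENDPOINTS = 1000
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def connector_settings(base_url, api_key, api_key_id, verify=True, timeout=15):
    """Validate the instance parameters and build the per-request settings.

    The header names (x-xdr-auth-id / Authorization) are an assumption about
    how the API key ID and API key are presented; the page lists only the values.
    """
    if not base_url.startswith("https://"):
        raise ValueError("Base URL must be an https URL")
    if not TIMEOUT_MIN <= int(timeout) <= TIMEOUT_MAX:
        raise ValueError(f"Timeout must be {TIMEOUT_MIN}-{TIMEOUT_MAX} secs")
    return {
        "url": base_url.rstrip("/"),
        "headers": {
            "x-xdr-auth-id": str(api_key_id),
            "Authorization": api_key,
            "Content-Type": "application/json",
        },
        "verify": bool(verify),   # Verify=No skips TLS checks; keep it enabled
        "timeout": int(timeout),
    }


def quarantine_request(endpoint_list, file_path, file_hash):
    """Build the Quarantine Files body, rejecting input the action cannot accept."""
    endpoints = [e for e in endpoint_list if e]
    if not endpoints:
        raise ValueError("endpoint_list must contain at least one endpoint ID")
    if len(endpoints) > MAX_QUARANTINE_ENDPOINTS:
        raise ValueError(f"at most {MAX_QUARANTINE_ENDPOINTS} endpoints per call")
    if not file_path:
        raise ValueError("file_path is required")
    digest = file_hash.strip().lower()   # normalise case before the format check
    if not SHA256_RE.match(digest):
        raise ValueError("file_hash must be a valid sha256 (64 hex digits)")
    return {"endpoint_list": endpoints, "file_path": file_path, "file_hash": digest}
```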
Action: Restore Files
This action restores a quarantined file on requested endpoints.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Incident ID | Enter the incident ID. Example: "sample_incident_ID" | Text | Required | |
File hash | Enter the file hash. The hash must be a valid sha256. Example: "sample_sha256_hash" | Text | Required | |
Example Request:
```json
{
  "incident_id": "sample_incident_ID",
  "file_hash": "sample_sha256_hash"
}
```
Action: Generic Action
This is a generic action that performs any additional use case that you want on Cortex XDR.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Endpoint | Enter the API endpoint to call for the use case. Example: /public_api/v1/endpoints/ | Text | Required | |
Payload | Enter the JSON payload to pass to the API. Example: {"name": "phishing_attack"} | Key Value | Optional | |
Query params | Enter the query parameters to pass to the API. Example: {"limit": "10"} | Key Value | Optional | |
Headers | Enter the headers to pass to the API. Example: {"content-type": "application/json"} | Key Value | Optional | |
Action: Get XQL Query Result
This action retrieves the results of an executed XQL query.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query id | Enter the query ID of the XQL query. Example: 5f9b1b1a-5f9b-11eb-8c9f-0242ac130002 | Text | Required | |
Format | Enter the format. | Text | Optional | Allowed values: |
Pending flag | Choose whether the API call must operate in synchronous/blocking mode or in asynchronous/non-blocking mode. | Boolean | Optional | Default value: True |
Limit | Enter the maximum number of results to return. Example: 10 | Integer | Optional | |
Action: Get XQL Query Result Stream
This action retrieves XQL query results with more than 1000 results.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Stream id | Enter the stream ID whose response should be returned. | Text | Required | |
Is gzip compressed | Choose whether the response should be gzip compressed. | Boolean | Optional | |
Action: Upload Indicators in CSV Format
This action uploads a list of indicators in a CSV format.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Request data | Enter the CSV file data as a string value. | Text | Required | Allowed values: indicator, type, severity, expiration_date, comment, reputation, reliability, class, vendor.name, vendor.reputation, vendor.reliability |
Validate | Choose to return an array of errors in the case of an unsuccessful update indicator API request. | Boolean | Optional | Default value: true |
Action: Upload Indicators in JSON Format
This action uploads indicators in a JSON format. You can also upload them as an array of JSON objects.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Indicator | Enter the indicator value. Example: 192.0.2.146 | Text | Required | |
Type | Enter the type of the indicator. | Text | Required | Allowed values: |
Severity | Enter the severity of the indicator. | Text | Required | Allowed values: |
Validate | Choose to return an array of errors in the case of an unsuccessful update indicator API request. | Boolean | Optional | Default value: true |
Vendors | Enter the list of vendors. Example: [{"vendor":"test_vendor","reputation":"malicious","reliability":"a"}] | List | Optional | |
Extra params | Add additional parameters to upload with the indicators. Example: {"expiration_date": "2020-12-31T23:59:59.000Z","comment": "test comment"} | Key Value | Optional | |
Action: Get Extra Incident Data
This action retrieves extra data fields of a specific incident including alerts and key artifacts.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Incident ID | Enter the ID of the incident for which you want to retrieve extra data. | Text | Required | |
Alerts Limit | Enter the maximum number of related alerts in the incident that you want to retrieve. | Integer | Optional | Default value: 1000 |
Action: Start a XQL Query
This action starts a new XQL query.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query | Enter the XQL query. Example: dataset=xdr_data | Text | Required | |
Tenants | Enter the list of tenants. Example: 12345678, 87654321 | List | Optional | |
Start Time | Enter the start time, as a UNIX timestamp, from which to run this query. Example: 1610630400 | Text | Optional | |
End Time | Enter the end time, as a UNIX timestamp, up to which the query should run. Example: 2010716800 | Text | Optional | |
Relative Time | Enter the relative time, as a UNIX timestamp, representing the last 24 hours. Example: 2110630400 | Text | Optional | |