Palo Alto Cortex XDR (EDR)
Cortex XDR is the detection and response app that natively integrates network, endpoint and cloud data to stop sophisticated attacks.
Configuration
| Name | Type | Description |
|---|---|---|
api_key |
string |
The API Key is your unique identifier used as the authorization header |
api_key_id |
string |
The API Key ID is your unique token used to authenticate the API Key |
fqdn |
string |
The FQDN is a unique host and domain name associated with each tenant |
Actions
[BETA] Abort Scan endpoints
Arguments
| Name | Type | Description |
|---|---|---|
incident_id |
string |
Incident ID. When included in the request, the Cancel Scan Endpoints action will appear in the Cortex XDR Incident View Timeline tab |
filter_endpoint_id_list |
array |
List of endpoint IDs |
filter_dist_name |
array |
List of the distribution list |
filter_group_name |
array |
List of endpoint groups |
filter_ip_list |
array |
List of IP addresses |
filter_alias |
array |
List of endpoint aliases to select |
filter_hostname |
array |
List of hostnames to select |
filter_username |
array |
List of usernames to select |
filter_platform |
array |
List of platforms to select (Possible values: windows, linux, macos, android) |
filter_isolate |
array |
List of isolation states to select (Possible values: isolated, unisolated) |
filter_scan_status |
array |
List of scan statuses to select (Possible values: none, pending, in_progress, canceled, aborted, pending_cancellation, success, error) |
Block malicious files
Arguments
| Name | Type | Description |
|---|---|---|
stix_objects_path |
string |
Filepath of the STIX objects fetched from the collection |
comment |
string |
Comment to add to entity. |
incident_id |
integer |
Incident ID. |
Comment alerts
Arguments
| Name | Type | Description |
|---|---|---|
alert_id_list |
array |
List of alert IDs to update. |
comment |
string |
Comment to add to the alert. |
Isolate endpoint
Arguments
| Name | Type | Description |
|---|---|---|
endpoint_id |
string |
Endpoint ID. |
incident_id |
string |
Incident ID. |
[BETA] List endpoints
Quarantine the file
Arguments
| Name | Type | Description |
|---|---|---|
file_path |
string |
Path to the file to be quarantined. |
file_hash |
string |
Hash of the file to be quarantined. |
endpoint_ids |
array |
List of endpoint IDs to filter by. |
[BETA] Scan endpoints
Arguments
| Name | Type | Description |
|---|---|---|
incident_id |
string |
Incident ID. When included in the request, the Cancel Scan Endpoints action will appear in the Cortex XDR Incident View Timeline tab |
filter_endpoint_id_list |
array |
List of endpoint IDs |
filter_dist_name |
array |
List of the distribution list |
filter_group_name |
array |
List of endpoint groups |
filter_ip_list |
array |
List of IP addresses |
filter_alias |
array |
List of endpoint aliases to select |
filter_hostname |
array |
List of hostnames to select |
filter_username |
array |
List of usernames to select |
filter_platform |
array |
List of platforms to select (Possible values: windows, linux, macos, android) |
filter_isolate |
array |
List of isolation states to select (Possible values: isolated, unisolated) |
filter_scan_status |
array |
List of scan statuses to select (Possible values: none, pending, in_progress, canceled, aborted, pending_cancellation, success, error) |
Unisolate endpoint
Arguments
| Name | Type | Description |
|---|---|---|
endpoint_id |
string |
Endpoint ID. |
incident_id |
string |
Incident ID. |
Update alert status and severity
Arguments
| Name | Type | Description |
|---|---|---|
alert_id_list |
array |
List of alert IDs to update. |
status |
string |
New status for the alert. |
severity |
string |
New severity for the alert. |
XQL query
Arguments
| Name | Type | Description |
|---|---|---|
query |
string |
XQL query to run. |
tenants |
array |
List of tenant IDs. |
timeframe_from |
integer |
Start time as UNIX timestamp. |
timeframe_to |
integer |
End time as UNIX timestamp. |
max_wait_time |
integer |
Maximum wait time in seconds to finish the query. If limit is reached, the action will fail. |
Extra
Module Palo Alto Cortex XDR (EDR) v1.3.11