PaloAltoCortexXDR#

README

Palo Alto Cortex XDR: Extended Detection and Response

Cortex XDR is the industry’s first extended detection and response platform that integrates network, endpoint, cloud, and third-party data to stop sophisticated attacks. Cortex XDR has been designed from the ground up to help organizations secure their digital assets and users while simplifying operations. Using behavioral analytics, it identifies unknown and highly evasive threats targeting your network. Machine learning and AI models uncover threats from any source, including managed and unmanaged devices.

This responder interacts with the Cortex XDR API to support three actions: * Isolate an endpoint from the network. Prevents a suspected compromised system from causing any further harm to the network. * Unisolate an endpoint that was previously isolated. * Scan: initial a full scan of an endpoint.

The responder operates on a 'fqdn' or 'ip' case artifact (observable) from TheHive. The value of the FQDN should be the endpoint name as it appears in the Cortex XDR console.

The responder accepts multiple inputs at once if your observable is multi-line value with one entry per line.

PaloAltoCortexXDR_scan#

Author: Joe Lazaro
License: AGPL-V3
Version: 1.0
Supported data types:
- thehive:case_artifact
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://www.paloaltonetworks.com/cortex/cortex-xdr

Description#

Scan endpoints identified by hostname or IP list

Configuration#

api_key	API key
Default value if not configured	N/A
Type of the configuration item	string
The configuration item can contain multiple values	False
Is required	True

api_key_id	API key ID
Default value if not configured	N/A
Type of the configuration item	string
The configuration item can contain multiple values	False
Is required	True

advanced_security	Set True if the API key was generated with Advanced security level. False for a Standard security key.
Default value if not configured	N/A
Type of the configuration item	boolean
The configuration item can contain multiple values	False
Is required	True

api_host	Fully qualified domain name for the API host. Example: api-example.xdr.us.paloaltonetworks.com
Default value if not configured	N/A
Type of the configuration item	string
The configuration item can contain multiple values	False
Is required	True

scan_polling_interval	Interval, in seconds between requests for scan actions.
Default value if not configured	60
Type of the configuration item	number
The configuration item can contain multiple values	False
Is required	False

scan_max_polling_retries	Maximum number of time to retry action status when a scan action is still in progress.
Default value if not configured	240
Type of the configuration item	number
The configuration item can contain multiple values	False
Is required	False

PaloAltoCortexXDR_isolate#

Author: Joe Lazaro
License: AGPL-V3
Version: 1.0
Supported data types:
- thehive:case_artifact
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://www.paloaltonetworks.com/cortex/cortex-xdr

Description#

Isolate endpoints identified by hostname or IP list

Configuration#

api_key	API key
Default value if not configured	N/A
Type of the configuration item	string
The configuration item can contain multiple values	False
Is required	True

api_key_id	API key ID
Default value if not configured	N/A
Type of the configuration item	string
The configuration item can contain multiple values	False
Is required	True

advanced_security	Set True if the API key was generated with Advanced security level. False for a Standard security key.
Default value if not configured	N/A
Type of the configuration item	boolean
The configuration item can contain multiple values	False
Is required	True

api_host	Fully qualified domain name for the API host. Example: api-example.xdr.us.paloaltonetworks.com
Default value if not configured	N/A
Type of the configuration item	string
The configuration item can contain multiple values	False
Is required	True

isolate_polling_interval	Interval, in seconds between requests for isolate or unisolate actions.
Default value if not configured	30
Type of the configuration item	number
The configuration item can contain multiple values	False
Is required	False

isolate_max_polling_retries	Maximum number of time to retry action status when the isolate or unisolate action is still in progress.
Default value if not configured	120
Type of the configuration item	number
The configuration item can contain multiple values	False
Is required	False

allow_multiple_isolation_targets	Allow the responder to send multiple targets for isolation/unisolation in one multi-line observable. Set to false as a safety mechanism to allow only a single endpoint to be affected while refusing requests to operate on multiple endpoints.
Default value if not configured	False
Type of the configuration item	boolean
The configuration item can contain multiple values	False
Is required	True

PaloAltoCortexXDR_unisolate#

Author: Joe Lazaro
License: AGPL-V3
Version: 1.0
Supported data types:
- thehive:case_artifact
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://www.paloaltonetworks.com/cortex/cortex-xdr

Description#

Unisolate endpoints identified by hostname or IP list

Configuration#

api_key	API key
Default value if not configured	N/A
Type of the configuration item	string
The configuration item can contain multiple values	False
Is required	True

api_key_id	API key ID
Default value if not configured	N/A
Type of the configuration item	string
The configuration item can contain multiple values	False
Is required	True

advanced_security	Set True if the API key was generated with Advanced security level. False for a Standard security key.
Default value if not configured	N/A
Type of the configuration item	boolean
The configuration item can contain multiple values	False
Is required	True

api_host	Fully qualified domain name for the API host. Example: api-example.xdr.us.paloaltonetworks.com
Default value if not configured	N/A
Type of the configuration item	string
The configuration item can contain multiple values	False
Is required	True

isolate_polling_interval	Interval, in seconds between requests for isolate or unisolate actions.
Default value if not configured	30
Type of the configuration item	number
The configuration item can contain multiple values	False
Is required	False

isolate_max_polling_retries	Maximum number of time to retry action status when the isolate or unisolate action is still in progress.
Default value if not configured	120
Type of the configuration item	number
The configuration item can contain multiple values	False
Is required	False

allow_multiple_isolation_targets	Allow the responder to send multiple targets for isolation/unisolation in one multi-line observable. Set to false as a safety mechanism to allow only a single endpoint to be affected while refusing requests to operate on multiple endpoints.
Default value if not configured	False
Type of the configuration item	boolean
The configuration item can contain multiple values	False
Is required	True