Skip to content

PaloAltoCortexXDR#

README

Palo Alto Cortex XDR: Extended Detection and Response

Cortex XDR is the industry’s first extended detection and response platform that integrates network, endpoint, cloud, and third-party data to stop sophisticated attacks. Cortex XDR has been designed from the ground up to help organizations secure their digital assets and users while simplifying operations. Using behavioral analytics, it identifies unknown and highly evasive threats targeting your network. Machine learning and AI models uncover threats from any source, including managed and unmanaged devices.

This responder interacts with the Cortex XDR API to support three actions: * Isolate an endpoint from the network. Prevents a suspected compromised system from causing any further harm to the network. * Unisolate an endpoint that was previously isolated. * Scan: initial a full scan of an endpoint.

The responder operates on a 'fqdn' or 'ip' case artifact (observable) from TheHive. The value of the FQDN should be the endpoint name as it appears in the Cortex XDR console.

The responder accepts multiple inputs at once if your observable is multi-line value with one entry per line.

PaloAltoCortexXDR_unisolate#

Author: Joe Lazaro
License: AGPL-V3
Version: 1.0
Supported data types:
- thehive:case_artifact
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://www.paloaltonetworks.com/cortex/cortex-xdr

Description#

Unisolate endpoints identified by hostname or IP list

Configuration#

api_key API key
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
api_key_id API key ID
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
advanced_security Set True if the API key was generated with Advanced security level. False for a Standard security key.
Default value if not configured N/A
Type of the configuration item boolean
The configuration item can contain multiple values False
Is required True
api_host Fully qualified domain name for the API host. Example: api-example.xdr.us.paloaltonetworks.com
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
isolate_polling_interval Interval, in seconds between requests for isolate or unisolate actions.
Default value if not configured 30
Type of the configuration item number
The configuration item can contain multiple values False
Is required False
isolate_max_polling_retries Maximum number of time to retry action status when the isolate or unisolate action is still in progress.
Default value if not configured 120
Type of the configuration item number
The configuration item can contain multiple values False
Is required False
allow_multiple_isolation_targets Allow the responder to send multiple targets for isolation/unisolation in one multi-line observable. Set to false as a safety mechanism to allow only a single endpoint to be affected while refusing requests to operate on multiple endpoints.
Default value if not configured False
Type of the configuration item boolean
The configuration item can contain multiple values False
Is required True

PaloAltoCortexXDR_scan#

Author: Joe Lazaro
License: AGPL-V3
Version: 1.0
Supported data types:
- thehive:case_artifact
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://www.paloaltonetworks.com/cortex/cortex-xdr

Description#

Scan endpoints identified by hostname or IP list

Configuration#

api_key API key
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
api_key_id API key ID
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
advanced_security Set True if the API key was generated with Advanced security level. False for a Standard security key.
Default value if not configured N/A
Type of the configuration item boolean
The configuration item can contain multiple values False
Is required True
api_host Fully qualified domain name for the API host. Example: api-example.xdr.us.paloaltonetworks.com
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
scan_polling_interval Interval, in seconds between requests for scan actions.
Default value if not configured 60
Type of the configuration item number
The configuration item can contain multiple values False
Is required False
scan_max_polling_retries Maximum number of time to retry action status when a scan action is still in progress.
Default value if not configured 240
Type of the configuration item number
The configuration item can contain multiple values False
Is required False

PaloAltoCortexXDR_isolate#

Author: Joe Lazaro
License: AGPL-V3
Version: 1.0
Supported data types:
- thehive:case_artifact
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://www.paloaltonetworks.com/cortex/cortex-xdr

Description#

Isolate endpoints identified by hostname or IP list

Configuration#

api_key API key
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
api_key_id API key ID
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
advanced_security Set True if the API key was generated with Advanced security level. False for a Standard security key.
Default value if not configured N/A
Type of the configuration item boolean
The configuration item can contain multiple values False
Is required True
api_host Fully qualified domain name for the API host. Example: api-example.xdr.us.paloaltonetworks.com
Default value if not configured N/A
Type of the configuration item string
The configuration item can contain multiple values False
Is required True
isolate_polling_interval Interval, in seconds between requests for isolate or unisolate actions.
Default value if not configured 30
Type of the configuration item number
The configuration item can contain multiple values False
Is required False
isolate_max_polling_retries Maximum number of time to retry action status when the isolate or unisolate action is still in progress.
Default value if not configured 120
Type of the configuration item number
The configuration item can contain multiple values False
Is required False
allow_multiple_isolation_targets Allow the responder to send multiple targets for isolation/unisolation in one multi-line observable. Set to false as a safety mechanism to allow only a single endpoint to be affected while refusing requests to operate on multiple endpoints.
Default value if not configured False
Type of the configuration item boolean
The configuration item can contain multiple values False
Is required True