PaloAltoCortexXDR
Palo Alto Cortex XDR: Extended Detection and Response
Cortex XDR is the industry’s first extended detection and response platform that integrates network, endpoint, cloud, and third-party data to stop sophisticated attacks. Cortex XDR has been designed from the ground up to help organizations secure their digital assets and users while simplifying operations. Using behavioral analytics, it identifies unknown and highly evasive threats targeting your network. Machine learning and AI models uncover threats from any source, including managed and unmanaged devices.
This responder interacts with the Cortex XDR API to support the following actions:
Endpoint actions — operate on an fqdn or ip case artifact. The FQDN value must match the endpoint name exactly as it appears in the Cortex XDR console.
* Isolate: isolate an endpoint from the network to prevent a suspected compromised system from causing further harm.
* Unisolate: reverse the isolation of a previously isolated endpoint.
* Scan: initiate a full scan of an endpoint. Accepts multiple inputs at once if your observable is a multi-line value with one entry per line.
* Cancel Scan: abort a running scan on an endpoint (only possible if the scan is in Pending or In Progress status).
* Initiate Forensics Triage: trigger forensics collection on an endpoint. Requires the Forensics add-on license. An optional triage configuration preset UUID can be specified, otherwise the XDR default is used.
Hash actions — operate on a hash case artifact (SHA256).
* Block List: add a file hash to the Cortex XDR block list. Accepts multiple inputs at once if your observable is a multi-line value with one hash per line.
* Allow List: add a file hash to the Cortex XDR allow list. Accepts multiple inputs at once if your observable is a multi-line value with one hash per line.
* Restore File: restore a quarantined file on all endpoints where it was quarantined. Operates on a single hash observable.
For Isolate and Unisolate, the responder can be configured to accept multi-line observables (one entry per line) by enabling allow_multiple_isolation_targets in the responder configuration. This option is disabled by default as a safety mechanism: with it off, an observable that resolves to more than one endpoint is refused rather than acted upon.
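To make the safety gate and the polling settings concrete, here is an added Python example that is not part of the responder's own code: it splits a multi-line observable into targets, refuses more than one target unless allow_multiple_isolation_targets is set, and polls an action status using the interval and retry count the configuration tables define. The status-reporting callable and the status strings are assumptions standing in for the Cortex XDR API, not its real endpoints or values.

```python
import time
from typing import Callable, List


class TooManyTargetsError(ValueError):
    """Raised when the safety gate rejects a multi-line observable."""


def parse_targets(observable: str, allow_multiple: bool) -> List[str]:
    """Split a case artifact into one target per line (blank lines and
    case-insensitive duplicates dropped). When allow_multiple is False,
    the responder's default, any observable yielding more than one target
    is refused, so a pasted host list cannot isolate several endpoints
    by accident."""
    seen, targets = set(), []
    for line in observable.splitlines():
        target = line.strip()
        if target and target.lower() not in seen:
            seen.add(target.lower())
            targets.append(target)
    if not targets:
        raise ValueError("observable contains no target")
    if len(targets) > 1 and not allow_multiple:
        raise TooManyTargetsError(
            f"{len(targets)} targets supplied but "
            "allow_multiple_isolation_targets is False")
    return targets


def wait_for_action(get_status: Callable[[], str], interval: float,
                    max_retries: int,
                    pending=("PENDING", "IN_PROGRESS"),
                    sleep=time.sleep) -> str:
    """Poll get_status() up to max_retries times, sleeping `interval`
    seconds between checks, mirroring the *_polling_interval and
    *_max_polling_retries settings. get_status is an assumed callable
    that returns the action's status; the status names are assumed
    placeholders. Returns the final status, or 'TIMEOUT' if the action is
    still pending after the last retry (worst-case wait is
    interval * max_retries seconds)."""
    for _ in range(max_retries):
        status = get_status()
        if status not in pending:
            return status
        sleep(interval)
    return "TIMEOUT"
```

With the isolate defaults (30 s interval, 120 retries) the responder gives up after at most one hour; with the scan defaults (60 s, 240 retries) after four hours.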
PaloAltoCortexXDR_block_list
Author: Joe Lazaro; Fabien Bloume, StrangeBee
License: AGPL-V3
Version: 1.0
Supported data types:
- thehive:case_artifact
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://www.paloaltonetworks.com/cortex/cortex-xdr
Description
Add a file hash to the Cortex XDR block list
Configuration
| Item | Description | Default value | Type | Multiple values | Required |
| --- | --- | --- | --- | --- | --- |
| api_key | API key | N/A | string | False | True |
| api_key_id | API key ID | N/A | string | False | True |
| advanced_security | Set True if the API key was generated with the Advanced security level; False for a Standard security key. | N/A | boolean | False | True |
| api_host | Fully qualified domain name of the API host. Example: api-example.xdr.us.paloaltonetworks.com | N/A | string | False | True |
| comment | Optional comment added to the block list entry for audit purposes. | Blocked via TheHive | string | False | False |
PaloAltoCortexXDR_restore_file
Author: Joe Lazaro; Fabien Bloume, StrangeBee
License: AGPL-V3
Version: 1.0
Supported data types:
- thehive:case_artifact
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://www.paloaltonetworks.com/cortex/cortex-xdr
Description
Restore a quarantined file on all endpoints where it was quarantined, identified by its SHA256 hash
Configuration
| Item | Description | Default value | Type | Multiple values | Required |
| --- | --- | --- | --- | --- | --- |
| api_key | API key | N/A | string | False | True |
| api_key_id | API key ID | N/A | string | False | True |
| advanced_security | Set True if the API key was generated with the Advanced security level; False for a Standard security key. | N/A | boolean | False | True |
| api_host | Fully qualified domain name of the API host. Example: api-example.xdr.us.paloaltonetworks.com | N/A | string | False | True |
| scan_polling_interval | Interval, in seconds, between status requests for restore file actions. | 30 | number | False | False |
| scan_max_polling_retries | Maximum number of times to retry the action status check while a restore file action is still in progress. | 30 | number | False | False |
PaloAltoCortexXDR_unisolate
Description
Unisolate endpoints identified by hostname or IP list
Configuration
| Item | Description | Default value | Type | Multiple values | Required |
| --- | --- | --- | --- | --- | --- |
| api_key | API key | N/A | string | False | True |
| api_key_id | API key ID | N/A | string | False | True |
| advanced_security | Set True if the API key was generated with the Advanced security level; False for a Standard security key. | N/A | boolean | False | True |
| api_host | Fully qualified domain name of the API host. Example: api-example.xdr.us.paloaltonetworks.com | N/A | string | False | True |
| isolate_polling_interval | Interval, in seconds, between status requests for isolate or unisolate actions. | 30 | number | False | False |
| isolate_max_polling_retries | Maximum number of times to retry the action status check while the isolate or unisolate action is still in progress. | 120 | number | False | False |
| allow_multiple_isolation_targets | Allow the responder to send multiple targets for isolation/unisolation from one multi-line observable. Leave False (the safety mechanism) to affect only a single endpoint and refuse requests that would operate on several. | False | boolean | False | True |
PaloAltoCortexXDR_initiate_forensics
Author: Joe Lazaro; Fabien Bloume, StrangeBee
License: AGPL-V3
Version: 1.0
Supported data types:
- thehive:case_artifact
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://www.paloaltonetworks.com/cortex/cortex-xdr
Description
Initiate forensics triage collection on endpoints identified by hostname or IP list
Configuration
| Item | Description | Default value | Type | Multiple values | Required |
| --- | --- | --- | --- | --- | --- |
| api_key | API key | N/A | string | False | True |
| api_key_id | API key ID | N/A | string | False | True |
| advanced_security | Set True if the API key was generated with the Advanced security level; False for a Standard security key. | N/A | boolean | False | True |
| api_host | Fully qualified domain name of the API host. Example: api-example.xdr.us.paloaltonetworks.com | N/A | string | False | True |
| collector_uuid | Optional UUID of the triage configuration preset to use. If not specified, the XDR default configuration is used. | N/A | string | False | False |
PaloAltoCortexXDR_isolate
Description
Isolate endpoints identified by hostname or IP list
Configuration
| Item | Description | Default value | Type | Multiple values | Required |
| --- | --- | --- | --- | --- | --- |
| api_key | API key | N/A | string | False | True |
| api_key_id | API key ID | N/A | string | False | True |
| advanced_security | Set True if the API key was generated with the Advanced security level; False for a Standard security key. | N/A | boolean | False | True |
| api_host | Fully qualified domain name of the API host. Example: api-example.xdr.us.paloaltonetworks.com | N/A | string | False | True |
| isolate_polling_interval | Interval, in seconds, between status requests for isolate or unisolate actions. | 30 | number | False | False |
| isolate_max_polling_retries | Maximum number of times to retry the action status check while the isolate or unisolate action is still in progress. | 120 | number | False | False |
| allow_multiple_isolation_targets | Allow the responder to send multiple targets for isolation/unisolation from one multi-line observable. Leave False (the safety mechanism) to affect only a single endpoint and refuse requests that would operate on several. | False | boolean | False | True |
PaloAltoCortexXDR_allow_list
Author: Joe Lazaro; Fabien Bloume, StrangeBee
License: AGPL-V3
Version: 1.0
Supported data types:
- thehive:case_artifact
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://www.paloaltonetworks.com/cortex/cortex-xdr
Description
Add a file hash to the Cortex XDR allow list
Configuration
| Item | Description | Default value | Type | Multiple values | Required |
| --- | --- | --- | --- | --- | --- |
| api_key | API key | N/A | string | False | True |
| api_key_id | API key ID | N/A | string | False | True |
| advanced_security | Set True if the API key was generated with the Advanced security level; False for a Standard security key. | N/A | boolean | False | True |
| api_host | Fully qualified domain name of the API host. Example: api-example.xdr.us.paloaltonetworks.com | N/A | string | False | True |
| comment | Optional comment added to the allow list entry for audit purposes. | Allowed via TheHive | string | False | False |
PaloAltoCortexXDR_cancel_scan
Author: Joe Lazaro; Fabien Bloume, StrangeBee
License: AGPL-V3
Version: 1.0
Supported data types:
- thehive:case_artifact
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://www.paloaltonetworks.com/cortex/cortex-xdr
Description
Cancel a running scan on endpoints identified by hostname or IP list
Configuration
| Item | Description | Default value | Type | Multiple values | Required |
| --- | --- | --- | --- | --- | --- |
| api_key | API key | N/A | string | False | True |
| api_key_id | API key ID | N/A | string | False | True |
| advanced_security | Set True if the API key was generated with the Advanced security level; False for a Standard security key. | N/A | boolean | False | True |
| api_host | Fully qualified domain name of the API host. Example: api-example.xdr.us.paloaltonetworks.com | N/A | string | False | True |
| scan_polling_interval | Interval, in seconds, between status requests for scan actions. | 30 | number | False | False |
| scan_max_polling_retries | Maximum number of times to retry the action status check while a cancel scan action is still in progress. | 30 | number | False | False |
PaloAltoCortexXDR_scan
Description
Scan endpoints identified by hostname or IP list
Configuration
| Item | Description | Default value | Type | Multiple values | Required |
| --- | --- | --- | --- | --- | --- |
| api_key | API key | N/A | string | False | True |
| api_key_id | API key ID | N/A | string | False | True |
| advanced_security | Set True if the API key was generated with the Advanced security level; False for a Standard security key. | N/A | boolean | False | True |
| api_host | Fully qualified domain name of the API host. Example: api-example.xdr.us.paloaltonetworks.com | N/A | string | False | True |
| scan_polling_interval | Interval, in seconds, between status requests for scan actions. | 60 | number | False | False |
| scan_max_polling_retries | Maximum number of times to retry the action status check while a scan action is still in progress. | 240 | number | False | False |