
Investigation & Response

This Integration is part of the Core - Investigation and Response Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.2.0 and later.

The Cortex Core IR integration uses the Cortex API for detection and response, by natively integrating network, endpoint, and cloud data to stop sophisticated attacks.

Configure Investigation & Response in Cortex#

| Parameter | Description | Required |
| --- | --- | --- |
| Incident type | | False |
| Server URL (copy URL from Core - click ? to see more info.) | | False |
| API Key ID | | False |
| API Key | | False |
| HTTP Timeout | The timeout of the HTTP requests sent to Cortex API (in seconds). | False |

Commands#

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

core-isolate-endpoint#


Isolates the specified endpoint.

Base Command#

core-isolate-endpoint

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| incident_id | Links the response action to the triggered incident. | Optional |
| interval_in_seconds | Interval in seconds between each poll. | Optional |
| timeout_in_seconds | Polling timeout in seconds. | Optional |
| action_id | For polling use. | Optional |
| endpoint_id | The endpoint ID (string) to isolate. Retrieve the string from the core-get-endpoints command. | Required |
| suppress_disconnected_endpoint_error | Suppress an error when trying to isolate a disconnected endpoint. When set to false, an error is returned. Possible values are: true, false. Default is false. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Core.Isolation.endpoint_id | String | The endpoint ID. |

core-unisolate-endpoint#


Reverses the isolation of an endpoint.

Base Command#

core-unisolate-endpoint

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| incident_id | Links the response action to the triggered incident. | Optional |
| endpoint_id | The endpoint ID (string) to reverse the isolation. Retrieve it from the core-get-endpoints command. | Required |
| suppress_disconnected_endpoint_error | Suppress an error when trying to unisolate a disconnected endpoint. When set to false, an error is returned. Possible values are: true, false. Default is false. | Optional |
| action_id | For polling use. | Optional |
| interval_in_seconds | Interval in seconds between each poll. | Optional |
| timeout_in_seconds | Polling timeout in seconds. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Core.UnIsolation.endpoint_id | String | Isolates the specified endpoint. |

core-get-endpoints#


Gets a list of endpoints, according to the passed filters. If there are no filters, all endpoints are returned. Multiple filters are combined with an AND condition (OR is not supported). Maximum result set size is 100. Offset is the zero-based number of the endpoint from the start of the result set (start by counting from 0).

Base Command#

core-get-endpoints

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| endpoint_id_list | A comma-separated list of endpoint IDs. | Optional |
| dist_name | A comma-separated list of distribution package names or installation package names. Example: dist_name1,dist_name2. | Optional |
| ip_list | A comma-separated list of private IP addresses. Example: 10.1.1.1,192.168.1.1. | Optional |
| public_ip_list | A comma-separated list of public IP addresses that correlate to the last IPv4 address from which the Cortex XDR agent connected (known as Last Origin IP). Example: 8.8.8.8,1.1.1.1. | Optional |
| group_name | The group name to which the agent belongs. Example: group_name1,group_name2. | Optional |
| platform | The endpoint platform. Possible values are: windows, linux, macos, android. | Optional |
| alias_name | A comma-separated list of alias names. Examples: alias_name1,alias_name2. | Optional |
| isolate | Specifies whether the endpoint was isolated or unisolated. Possible values are: isolated, unisolated. | Optional |
| hostname | Hostname. Example: hostname1,hostname2. | Optional |
| first_seen_gte | All the agents that were first seen after {first_seen_gte}. Supported values: 1579039377301 (time in milliseconds), "3 days" (relative date), "2019-10-21T23:45:00" (date). | Optional |
| first_seen_lte | All the agents that were first seen before {first_seen_lte}. Supported values: 1579039377301 (time in milliseconds), "3 days" (relative date), "2019-10-21T23:45:00" (date). | Optional |
| last_seen_gte | All the agents that were last seen before {last_seen_gte}. Supported values: 1579039377301 (time in milliseconds), "3 days" (relative date), "2019-10-21T23:45:00" (date). | Optional |
| last_seen_lte | All the agents that were last seen before {last_seen_lte}. Supported values: 1579039377301 (time in milliseconds), "3 days" (relative date), "2019-10-21T23:45:00" (date). | Optional |
| page | Page number (for pagination). Default is 0 (the first page). | Optional |
| limit | Maximum number of endpoints to return per page. The default and maximum is 30. | Optional |
| sort_by | Specifies whether to sort endpoints by the first time or last time they were seen. Possible values are: first_seen, last_seen. | Optional |
| sort_order | The order by which to sort results. Possible values are: asc (ascending), desc (descending). Default is asc. | Optional |
| status | A comma-separated list of endpoint statuses to filter. Possible values are: connected, disconnected, lost, uninstalled. | Optional |
| username | The usernames to query for. Accepts a single user or a comma-separated list of usernames. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Core.Endpoint.endpoint_id | String | The endpoint ID. |
| Core.Endpoint.endpoint_name | String | The endpoint name. |
| Core.Endpoint.endpoint_type | String | The endpoint type. |
| Core.Endpoint.endpoint_status | String | The status of the endpoint. |
| Core.Endpoint.os_type | String | The endpoint OS type. |
| Core.Endpoint.ip | Unknown | A list of IP addresses. |
| Core.Endpoint.users | Unknown | A list of users. |
| Core.Endpoint.domain | String | The endpoint domain. |
| Core.Endpoint.alias | String | The endpoint's aliases. |
| Core.Endpoint.first_seen | Unknown | First seen date/time in Epoch (milliseconds). |
| Core.Endpoint.last_seen | Date | Last seen date/time in Epoch (milliseconds). |
| Core.Endpoint.content_version | String | Content version. |
| Core.Endpoint.installation_package | String | Installation package. |
| Core.Endpoint.active_directory | String | Active directory. |
| Core.Endpoint.install_date | Date | Install date in Epoch (milliseconds). |
| Core.Endpoint.endpoint_version | String | Endpoint version. |
| Core.Endpoint.is_isolated | String | Whether the endpoint is isolated. |
| Core.Endpoint.group_name | String | The name of the group to which the endpoint belongs. |
| Endpoint.Hostname | String | The hostname that is mapped to this endpoint. |
| Endpoint.ID | String | The unique ID within the tool retrieving the endpoint. |
| Endpoint.IPAddress | String | The IP address of the endpoint. |
| Endpoint.Domain | String | The domain of the endpoint. |
| Endpoint.OS | String | The endpoint's operation system. |
| Account.Username | String | The username in the relevant system. |
| Account.Domain | String | The domain of the account. |
| Endpoint.Status | String | The endpoint's status. |
| Endpoint.IsIsolated | String | The endpoint's isolation status. |
| Endpoint.MACAddress | String | The endpoint's MAC address. |
| Endpoint.Vendor | String | The integration name of the endpoint vendor. |

Command example#

!core-get-endpoints isolate="unisolated" first_seen_gte="3 month" page="0" limit="30" sort_order="asc"

Context Example#

{
"Account": [
{
"Domain": "xdrdummyurl.com",
"Username": "xdrdummyurl.com"
}
],
"Core": {
"Endpoint": [
{
"active_directory": null,
"alias": "",
"content_release_timestamp": 1643023344000,
"content_version": "360-81029",
"domain": "xdrdummyurl.com",
"endpoint_id": "87ae5fc622604ea4809dd28f01c436d0",
"endpoint_name": "dummy_new_name2",
"endpoint_status": "DISCONNECTED",
"endpoint_type": "AGENT_TYPE_SERVER",
"endpoint_version": "1.1.1.1",
"first_seen": 1642943216960,
"group_name": [],
"install_date": 1642943217006,
"installation_package": "",
"ip": [
"1.1.1.1"
],
"is_isolated": "AGENT_UNISOLATED",
"isolated_date": null,
"last_content_update_time": 1643026320796,
"last_seen": 1643026320166,
"operational_status": "PROTECTED",
"operational_status_description": null,
"os_type": "AGENT_OS_WINDOWS",
"os_version": "1.1.1",
"scan_status": "SCAN_STATUS_NONE",
"users": [
"woo@demisto.com"
]
}
]
}
}

Human Readable Output#

Endpoints#

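| active_directory | alias | content_release_timestamp | content_version | domain | endpoint_id | endpoint_name | endpoint_status | endpoint_type | endpoint_version | first_seen | group_name | install_date | installation_package | ip | is_isolated | isolated_date | last_content_update_time | last_seen | operational_status | operational_status_description | os_type | os_version | scan_status | users |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| | | 1643023344000 | 360-81029 | api.xdrurl.com | 87ae5fc622604ea4809dd28f01c436d0 | dummy_new_name2 | DISCONNECTED | AGENT_TYPE_SERVER | 1.1.1.1 | 1642943216960 | | 1642943217006 | HOLODECK_1 | 1.1.1.1 | AGENT_UNISOLATED | | 1643026320796 | 1643026320166 | PROTECTED | | AGENT_OS_WINDOWS | 1.1.1. | SCAN_STATUS_NONE | woo@demisto.com |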
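
The following is an added example, not code from the integration: it turns a core-get-endpoints context into a reviewed list of core-isolate-endpoint commands, adding suppress_disconnected_endpoint_error=true only for endpoints reported as DISCONNECTED. The sample data is constructed; the status value CONNECTED, the isolation value AGENT_ISOLATED, the 32-hex-character ID check, the numeric incident ID and the staleness threshold are assumptions, and plan_isolation is a hypothetical helper name.

```python
import re

UNISOLATED = "AGENT_UNISOLATED"        # value from the Context Example on this page
DISCONNECTED = "DISCONNECTED"          # value from the Context Example on this page
ID_RE = re.compile(r"^[0-9a-f]{32}$")  # assumption: IDs look like the page's examples
DAY_MS = 24 * 60 * 60 * 1000

# Constructed sample shaped like Core.Endpoint; IDs, names and times are made up.
# "CONNECTED" and "AGENT_ISOLATED" are assumed values, not shown on this page.
SAMPLE_CONTEXT = {"Core": {"Endpoint": [
    {"endpoint_id": "a" * 31 + "1", "endpoint_name": "web-01",
     "endpoint_status": "CONNECTED", "is_isolated": UNISOLATED,
     "last_seen": 1643026320166},
    {"endpoint_id": "a" * 31 + "2", "endpoint_name": "db-01",
     "endpoint_status": DISCONNECTED, "is_isolated": UNISOLATED,
     "last_seen": 1642943216960},
    {"endpoint_id": "a" * 31 + "3", "endpoint_name": "hr-07",
     "endpoint_status": "CONNECTED", "is_isolated": "AGENT_ISOLATED",
     "last_seen": 1643026000000},
    {"endpoint_id": "a" * 31 + "4", "endpoint_name": "old-01",
     "endpoint_status": DISCONNECTED, "is_isolated": UNISOLATED,
     "last_seen": 1640000000000},
]}}


def plan_isolation(context, wanted_names, now_ms, incident_id=None, stale_days=7):
    """Sort requested hosts into commands to run, hosts to skip, and hosts to review."""
    if incident_id is not None and not str(incident_id).isdigit():
        raise ValueError("incident_id is expected to be numeric (assumption)")

    endpoints = (context.get("Core") or {}).get("Endpoint") or []
    if isinstance(endpoints, dict):  # tolerate a single object instead of a list
        endpoints = [endpoints]

    # Index by lower-cased name so duplicates can be detected before acting.
    by_name = {}
    for ep in endpoints:
        by_name.setdefault(str(ep.get("endpoint_name", "")).lower(), []).append(ep)

    plan = {"commands": [], "skipped": [], "review": []}
    for name in wanted_names:
        matches = by_name.get(name.lower(), [])
        if len(matches) != 1:
            reason = "not found" if not matches else "name matches several endpoints"
            plan["review"].append((name, reason))
            continue
        ep = matches[0]
        ep_id = str(ep.get("endpoint_id", ""))
        if not ID_RE.match(ep_id):
            # Never build a command from an ID that does not look like an ID.
            plan["review"].append((name, "unexpected endpoint_id format"))
            continue
        if ep.get("is_isolated") != UNISOLATED:
            plan["skipped"].append((name, f"is_isolated={ep.get('is_isolated')}"))
            continue
        if now_ms - (ep.get("last_seen") or 0) > stale_days * DAY_MS:
            plan["review"].append((name, "agent not seen recently"))
            continue
        cmd = f"!core-isolate-endpoint endpoint_id={ep_id}"
        if incident_id is not None:
            cmd += f" incident_id={incident_id}"
        if ep.get("endpoint_status") == DISCONNECTED:
            # Without this flag the command returns an error for a disconnected endpoint.
            cmd += " suppress_disconnected_endpoint_error=true"
        plan["commands"].append(cmd)
    return plan


if __name__ == "__main__":
    result = plan_isolation(SAMPLE_CONTEXT,
                            ["web-01", "db-01", "hr-07", "old-01", "ghost"],
                            now_ms=1643030000000, incident_id=42)
    for section, items in result.items():
        print(section, items)
```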

core-get-distribution-versions#


Gets a list of all the agent versions to use for creating a distribution list.

Base Command#

core-get-distribution-versions

Input#

There are no input arguments for this command.

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Core.DistributionVersions.windows | Unknown | A list of Windows agent versions. |
| Core.DistributionVersions.linux | Unknown | A list of Linux agent versions. |
| Core.DistributionVersions.macos | Unknown | A list of Mac agent versions. |

Command example#

!core-get-distribution-versions

Context Example#

{
"Core": {
"DistributionVersions": {
"container": [
"1.1.1.1"
],
"linux": [
"1.1.1.1"
],
"macos": [
"1.1.1.1"
],
"windows": [
"1.1.1.1"
]
}
}
}

Human Readable Output#

windows#

versions
1.1.1.1

linux#

versions
1.1.1.1

macos#

versions
1.1.1.1

container#

versions
1.1.1.1

core-create-distribution#


Creates an installation package. This is an asynchronous call that returns the distribution ID. This does not mean that the creation succeeded. To confirm that the package has been created, check the status of the distribution by running the Get Distribution Status API.

Base Command#

core-create-distribution

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| name | A string representing the name of the installation package. | Required |
| platform | String. Possible values are: windows, linux, macos, android. | Required |
| package_type | A string representing the type of package to create. standalone: an installation for a new agent. upgrade: an upgrade of an agent from ESM. Possible values are: standalone, upgrade. | Required |
| agent_version | agent_version returned from core-get-distribution-versions. Not required for Android platforms. | Required |
| description | Information about the package. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Core.Distribution.id | String | The installation package ID. |
| Core.Distribution.name | String | The name of the installation package. |
| Core.Distribution.platform | String | The installation OS. |
| Core.Distribution.agent_version | String | Agent version. |
| Core.Distribution.description | String | Information about the package. |

Command example#

!core-create-distribution agent_version=6.1.4.1680 name="dist_1" package_type=standalone platform=linux description="some description"

Context Example#

{
"Core": {
"Distribution": {
"agent_version": "6.1.4.1680",
"description": "some description",
"id": "52c0e7988a024cbab32d4cd888e44dfb",
"name": "dist_1",
"package_type": "standalone",
"platform": "linux"
}
}
}

Human Readable Output#

Distribution 52c0e7988a024cbab32d4cd888e44dfb created successfully

core-get-distribution-url#


Gets the distribution URL for downloading the installation package.

Base Command#

core-get-distribution-url

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| distribution_id | The ID of the installation package. Copy the distribution_id from the "id" field on Endpoints > Agent Installation page. | Required |
| package_type | The installation package type. Possible values are: upgrade, sh (for Linux), rpm (for Linux), deb (for Linux), pkg (for Mac), x86 (for Windows), x64 (for Windows). | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Core.Distribution.id | String | Distribution ID. |
| Core.Distribution.url | String | URL for downloading the installation package. |

core-get-create-distribution-status#


Gets the status of the installation package.

Base Command#

core-get-create-distribution-status

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| distribution_ids | Status of distribution IDs, in a comma-separated list. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Core.Distribution.id | String | Distribution ID. |
| Core.Distribution.status | String | Installation package status. |

core-get-audit-management-logs#


Gets management logs. You can filter by multiple fields, which will be concatenated using the AND condition (OR is not supported). Maximum result set size is 100. Offset is the zero-based number of management logs from the start of the result set (start by counting from 0).

Base Command#

core-get-audit-management-logs

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| email | User’s email address. | Optional |
| type | The audit log type. Possible values are: REMOTE_TERMINAL, RULES, AUTH, RESPONSE, INCIDENT_MANAGEMENT, ENDPOINT_MANAGEMENT, ALERT_WHITELIST, PUBLIC_API, DISTRIBUTIONS, STARRED_INCIDENTS, POLICY_PROFILES, DEVICE_CONTROL_PROFILE, HOST_FIREWALL_PROFILE, POLICY_RULES, PROTECTION_POLICY, DEVICE_CONTROL_TEMP_EXCEPTIONS, DEVICE_CONTROL_GLOBAL_EXCEPTIONS, GLOBAL_EXCEPTIONS, MSSP, REPORTING, DASHBOARD, BROKER_VM. | Optional |
| sub_type | The audit log subtype. | Optional |
| result | Result type. Possible values are: SUCCESS, FAIL, PARTIAL. | Optional |
| timestamp_gte | Return logs when the timestamp is after 'log_time_after'. Supported values: 1579039377301 (time in milliseconds), "3 days" (relative date), "2019-10-21T23:45:00" (date). | Optional |
| timestamp_lte | Return logs when the timestamp is before the 'log_time_after'. Supported values: 1579039377301 (time in milliseconds), "3 days" (relative date), "2019-10-21T23:45:00" (date). | Optional |
| page | Page number (for pagination). Default is 0 (the first page). | Optional |
| limit | Maximum number of audit logs to return per page. The default and maximum is 30. | Optional |
| sort_by | Specifies the field by which to sort the results. By default the sort is defined as creation-time and descending. Possible values are: type, sub_type, result, timestamp. | Optional |
| sort_order | The sort order. Possible values are: asc (ascending), desc (descending). Default is desc. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Core.AuditManagementLogs.AUDIT_ID | Number | Audit log ID. |
| Core.AuditManagementLogs.AUDIT_OWNER_NAME | String | Audit owner name. |
| Core.AuditManagementLogs.AUDIT_OWNER_EMAIL | String | Audit owner email address. |
| Core.AuditManagementLogs.AUDIT_ASSET_JSON | String | Asset JSON. |
| Core.AuditManagementLogs.AUDIT_ASSET_NAMES | String | Audit asset names. |
| Core.AuditManagementLogs.AUDIT_HOSTNAME | String | Host name. |
| Core.AuditManagementLogs.AUDIT_RESULT | String | Audit result. |
| Core.AuditManagementLogs.AUDIT_REASON | String | Audit reason. |
| Core.AuditManagementLogs.AUDIT_DESCRIPTION | String | Description of the audit. |
| Core.AuditManagementLogs.AUDIT_ENTITY | String | Audit entity (e.g., AUTH, DISTRIBUTIONS). |
| Core.AuditManagementLogs.AUDIT_ENTITY_SUBTYPE | String | Entity subtype (e.g., Login, Create). |
| Core.AuditManagementLogs.AUDIT_CASE_ID | Number | Audit case ID. |
| Core.AuditManagementLogs.AUDIT_INSERT_TIME | Date | Log's insert time. |

Command example#

!core-get-audit-management-logs result=SUCCESS type=DISTRIBUTIONS limit=2 timestamp_gte="3 month"

Context Example#

{
"Core": {
"AuditManagementLogs": [
{
"AUDIT_ASSET_JSON": null,
"AUDIT_ASSET_NAMES": "",
"AUDIT_CASE_ID": null,
"AUDIT_DESCRIPTION": "Created a Windows Standalone installer installation package 'HOLODECK_3' with agent version 7.5.1.38280",
"AUDIT_ENTITY": "DISTRIBUTIONS",
"AUDIT_ENTITY_SUBTYPE": "Create",
"AUDIT_HOSTNAME": null,
"AUDIT_ID": 1002,
"AUDIT_INSERT_TIME": 1636017216034,
"AUDIT_OWNER_EMAIL": "moo@demisto.com",
"AUDIT_OWNER_NAME": "",
"AUDIT_REASON": null,
"AUDIT_RESULT": "SUCCESS",
"AUDIT_SESSION_ID": null,
"AUDIT_SEVERITY": "SEV_010_INFO"
}
]
}
}

Human Readable Output#

Audit Management Logs#

| AUDIT_ID | AUDIT_RESULT | AUDIT_DESCRIPTION | AUDIT_OWNER_NAME | AUDIT_OWNER_EMAIL | AUDIT_ASSET_JSON | AUDIT_ASSET_NAMES | AUDIT_HOSTNAME | AUDIT_REASON | AUDIT_ENTITY | AUDIT_ENTITY_SUBTYPE | AUDIT_SESSION_ID | AUDIT_CASE_ID | AUDIT_INSERT_TIME |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 1002 | SUCCESS | Created a Windows Standalone installer installation package 'HOLODECK_3' with agent version 1.1.1.1 | Moo | moo@demisto.com | | | | | DISTRIBUTIONS | Create | | | 1636017216034 |
| 1001 | SUCCESS | Edited installation package 'HOLODECK_1' | Moo | moo@demisto.com | | | | | DISTRIBUTIONS | Edit | | | 1636017119505 |
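
The following is an added example, not code from the integration: it reviews Core.AuditManagementLogs entries for two conditions a defender would want surfaced, namely applied changes to sensitive entities by an owner outside an approved list, and repeated AUTH failures by one owner. The log entries are constructed; the watched entity set, the approved-owner list, the failure threshold and the function names are assumptions chosen for illustration.

```python
from collections import Counter
from datetime import datetime, timezone

# Entity names taken from the "type" values listed above; which ones to watch
# is an assumption of this example.
WATCHED = {"DISTRIBUTIONS", "GLOBAL_EXCEPTIONS", "ALERT_WHITELIST", "POLICY_RULES"}

# Constructed entries shaped like the Context Example above (values are made up).
SAMPLE_LOGS = [
    {"AUDIT_ID": 2002, "AUDIT_ENTITY": "DISTRIBUTIONS", "AUDIT_ENTITY_SUBTYPE": "Create",
     "AUDIT_RESULT": "SUCCESS", "AUDIT_OWNER_EMAIL": "temp.contractor@example.com",
     "AUDIT_DESCRIPTION": "Created installation package 'pkg_b'",
     "AUDIT_INSERT_TIME": 1636017216034},
    {"AUDIT_ID": 2001, "AUDIT_ENTITY": "DISTRIBUTIONS", "AUDIT_ENTITY_SUBTYPE": "Edit",
     "AUDIT_RESULT": "SUCCESS", "AUDIT_OWNER_EMAIL": "Admin@Example.com",
     "AUDIT_DESCRIPTION": "Edited installation package 'pkg_a'",
     "AUDIT_INSERT_TIME": 1636017119505},
    {"AUDIT_ID": 2003, "AUDIT_ENTITY": "AUTH", "AUDIT_ENTITY_SUBTYPE": "Login",
     "AUDIT_RESULT": "FAIL", "AUDIT_OWNER_EMAIL": "svc-backup@example.com",
     "AUDIT_DESCRIPTION": None, "AUDIT_INSERT_TIME": 1636017300000},
    {"AUDIT_ID": 2004, "AUDIT_ENTITY": "AUTH", "AUDIT_ENTITY_SUBTYPE": "Login",
     "AUDIT_RESULT": "FAIL", "AUDIT_OWNER_EMAIL": "svc-backup@example.com",
     "AUDIT_DESCRIPTION": None, "AUDIT_INSERT_TIME": 1636017301000},
    {"AUDIT_ID": 2005, "AUDIT_ENTITY": "AUTH", "AUDIT_ENTITY_SUBTYPE": "Login",
     "AUDIT_RESULT": "FAIL", "AUDIT_OWNER_EMAIL": "svc-backup@example.com",
     "AUDIT_DESCRIPTION": None, "AUDIT_INSERT_TIME": 1636017302000},
    {"AUDIT_ID": 2006, "AUDIT_ENTITY": "GLOBAL_EXCEPTIONS", "AUDIT_ENTITY_SUBTYPE": "Create",
     "AUDIT_RESULT": "FAIL", "AUDIT_OWNER_EMAIL": "temp.contractor@example.com",
     "AUDIT_DESCRIPTION": None, "AUDIT_INSERT_TIME": 1636017400000},
]


def to_utc(epoch_ms):
    """AUDIT_INSERT_TIME is epoch milliseconds; render it as an ISO 8601 UTC string."""
    return datetime.fromtimestamp(epoch_ms // 1000, tz=timezone.utc).strftime(
        "%Y-%m-%dT%H:%M:%SZ")


def review_audit_logs(entries, approved_owners, fail_threshold=3):
    """Return findings in chronological order, regardless of the input sort order."""
    approved = {o.lower() for o in approved_owners}
    auth_fails = Counter()
    findings = []
    for e in sorted(entries, key=lambda e: e.get("AUDIT_INSERT_TIME") or 0):
        owner = (e.get("AUDIT_OWNER_EMAIL") or "").lower()
        entity = e.get("AUDIT_ENTITY")
        result = e.get("AUDIT_RESULT")
        base = {"audit_id": e.get("AUDIT_ID"), "owner": owner,
                "time": to_utc(e.get("AUDIT_INSERT_TIME") or 0)}

        # Rule 1: a change that took effect (SUCCESS or PARTIAL) on a watched
        # entity, made by someone who is not on the approved list.
        if entity in WATCHED and result in ("SUCCESS", "PARTIAL") and owner not in approved:
            findings.append({**base, "rule": "change_by_unapproved_owner",
                             "detail": f"{entity}/{e.get('AUDIT_ENTITY_SUBTYPE')}"})

        # Rule 2: report once, when an owner reaches the AUTH failure threshold.
        if entity == "AUTH" and result == "FAIL":
            auth_fails[owner] += 1
            if auth_fails[owner] == fail_threshold:
                findings.append({**base, "rule": "repeated_auth_failure",
                                 "detail": f"{fail_threshold} failed AUTH events"})
    return findings


if __name__ == "__main__":
    for finding in review_audit_logs(SAMPLE_LOGS, ["admin@example.com"]):
        print(finding)
```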

core-get-audit-agent-reports#


Gets agent event reports. You can filter by multiple fields, which will be concatenated using the AND condition (OR is not supported). Maximum result set size is 100. Offset is the zero-based number of reports from the start of the result set (start by counting from 0).

Base Command#

core-get-audit-agent-reports

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| endpoint_ids | A comma-separated list of endpoint IDs. | Optional |
| endpoint_names | A comma-separated list of endpoint names. | Optional |
| type | The report type. Possible values are: Installation, Policy, Action, Agent Service, Agent Modules, Agent Status. | Optional |
| sub_type | The report subtype. Possible values are: Install, Uninstall, Upgrade, Local Configuration, Content Update, Policy Update, Process Exception, Hash Exception, Scan, File Retrieval, File Scan, Terminate Process, Isolate, Cancel Isolation, Payload Execution, Quarantine, Restore, Stop, Start, Module Initialization, Local Analysis Model, Local Analysis Feature Extraction, Fully Protected, OS Incompatible, Software Incompatible, Kernel Driver Initialization, Kernel Extension Initialization, Proxy Communication, Quota Exceeded, Minimal Content, Reboot Eequired, Missing Disc Access. | Optional |
| result | The result type. If not passed, returns all event reports. Possible values are: Success, Fail. | Optional |
| timestamp_gte | Return logs whose timestamp is greater than 'log_time_after'. Supported values: 1579039377301 (time in milliseconds), "3 days" (relative date), "2019-10-21T23:45:00" (date). | Optional |
| timestamp_lte | Return logs for which the timestamp is before the 'timestamp_lte'. Supported values: 1579039377301 (time in milliseconds), "3 days" (relative date), "2019-10-21T23:45:00" (date). | Optional |
| page | Page number (for pagination). Default is 0 (the first page). | Optional |
| limit | The maximum number of reports to return. Default and maximum is 30. | Optional |
| sort_by | The field by which to sort results. Possible values are: type, category, trapsversion, timestamp, domain. | Optional |
| sort_order | The sort order. Possible values are: asc (ascending), desc (descending). Default is asc. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Core.AuditAgentReports.ENDPOINTID | String | Endpoint ID. |
| Core.AuditAgentReports.ENDPOINTNAME | String | Endpoint name. |
| Core.AuditAgentReports.DOMAIN | String | Agent domain. |
| Core.AuditAgentReports.TRAPSVERSION | String | Traps version. |
| Core.AuditAgentReports.RECEIVEDTIME | Date | Received time in Epoch time. |
| Core.AuditAgentReports.TIMESTAMP | Date | Timestamp in Epoch time. |
| Core.AuditAgentReports.CATEGORY | String | Report category (e.g., Audit). |
| Core.AuditAgentReports.TYPE | String | Report type (e.g., Action, Policy). |
| Core.AuditAgentReports.SUBTYPE | String | Report subtype (e.g., Fully Protected, Policy Update, Cancel Isolation). |
| Core.AuditAgentReports.RESULT | String | Report result. |
| Core.AuditAgentReports.REASON | String | Report reason. |
| Core.AuditAgentReports.DESCRIPTION | String | Agent report description. |
| Endpoint.ID | String | The unique ID within the tool retrieving the endpoint. |
| Endpoint.Hostname | String | The hostname that is mapped to this endpoint. |
| Endpoint.Domain | String | The domain of the endpoint. |

Command example#

!core-get-audit-agent-reports result=Success timestamp_gte="100 days" endpoint_ids=ea303670c76e4ad09600c8b346f7c804 type=Policy limit=2

core-blocklist-files#


Adds the requested files to the block list if they are not already on the block list or on an allow list.

Base Command#

core-blocklist-files

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| incident_id | Links the response action to the triggered incident. | Optional |
| hash_list | String that represents a list of hashed files you want to block list. Must be a valid SHA256 hash. | Required |
| comment | String that represents additional information regarding the action. | Optional |
| detailed_response | Choose either regular response or detailed response. Possible values are: true, false. Default is false (regular response). | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Core.blocklist.added_hashes | Number | Added fileHash to blocklist |
| Core.blocklist.excluded_hashes | Number | Added fileHash to blocklist |

Command example#

!core-blocklist-files hash_list=11d69fb388ff59e5ba6ca217ca04ecde6a38fa8fb306aa5f1b72e22bb7c3a252

Context Example#

{
"Core": {
"blocklist": {
"added_hashes": {
"fileHash": [
"11d69fb388ff59e5ba6ca217ca04ecde6a38fa8fb306aa5f1b72e22bb7c3a252"
]
}
}
}
}

Human Readable Output#

Blocklist Files#

Added _ Hashes
11d69fb388ff59e5ba6ca217ca04ecde6a38fa8fb306aa5f1b72e22bb7c3a252

core-allowlist-files#


Adds the requested files to the allow list if they are not already on the block list or the allow list.

Base Command#

core-allowlist-files

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| incident_id | Links the response action to the triggered incident. | Optional |
| hash_list | String that represents a list of hashed files you want to add to allow lists. Must be a valid SHA256 hash. | Required |
| comment | String that represents additional information regarding the action. | Optional |
| detailed_response | Choose either regular response or detailed response. Possible values are: true, false. Default is false (regular response). | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Core.allowlist.added_hashes | Number | Added fileHash to allowlist |
| Core.allowlist.excluded_hashes | Number | Added fileHash to allowlist |

Command example#

!core-allowlist-files hash_list=11d69fb388ff59e5ba6ca217ca04ecde6a38fa8fb306aa5f1b72e22bb7c3a252

Context Example#

{
"Core": {
"allowlist": {
"added_hashes": {
"fileHash": [
"11d69fb388ff59e5ba6ca217ca04ecde6a38fa8fb306aa5f1b72e22bb7c3a252"
]
}
}
}
}

Human Readable Output#

Allowlist Files#

Added _ Hashes
11d69fb388ff59e5ba6ca217ca04ecde6a38fa8fb306aa5f1b72e22bb7c3a252

core-quarantine-files#


Quarantines a file on selected endpoints. You can select up to 1000 endpoints.

Base Command#

core-quarantine-files

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| incident_id | Links the response action to the triggered incident. | Optional |
| endpoint_id_list | List of endpoint IDs. | Required |
| file_path | String that represents the path of the file you want to quarantine. | Required |
| file_hash | String that represents the file’s hash. Must be a valid SHA256 hash. | Required |
| action_id | For polling use. | Optional |
| interval_in_seconds | Interval in seconds between each poll. | Optional |
| timeout_in_seconds | Polling timeout in seconds. | Optional |

Context Output#

There is no context output for this command.

core-get-quarantine-status#


Retrieves the quarantine status for a selected file.

Base Command#

core-get-quarantine-status

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| endpoint_id | String that represents the endpoint ID. | Required |
| file_hash | String that represents the file hash. Must be a valid SHA256 hash. | Required |
| file_path | String that represents the file path. | Required |

Context Output#

There is no context output for this command.

Command example#

!core-get-quarantine-status endpoint_id=f8a2f58846b542579c12090652e79f3d file_hash=55f8718109829bf506b09d8af615b9f107a266e19f7a311039d1035f180b22d4 file_path=/home/ec2-user/test_file.txt

Context Example#

{
"Core": {
"quarantineFiles": {
"status": {
"endpointId": "f8a2f58846b542579c12090652e79f3d",
"fileHash": "55f8718109829bf506b09d8af615b9f107a266e19f7a311039d1035f180b22d4",
"filePath": "/home/ec2-user/test_file.txt",
"status": false
}
}
}
}

Human Readable Output#

Quarantine files status#

| Status | Endpoint Id | File Path | File Hash |
| --- | --- | --- | --- |
| false | f8a2f58846b542579c12090652e79f3d | /home/ec2-user/test_file.txt | 55f8718109829bf506b09d8af615b9f107a266e19f7a311039d1035f180b22d4 |

core-restore-file#


Restores a quarantined file on requested endpoints.

Base Command#

core-restore-file

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| incident_id | Links the response action to the incident that triggered it. | Optional |
| file_hash | String that represents the file in hash. Must be a valid SHA256 hash. | Required |
| endpoint_id | String that represents the endpoint ID. If you do not enter a specific endpoint ID, the request will run restore on all endpoints which relate to the quarantined file you defined. | Optional |
| action_id | For polling use. | Optional |
| interval_in_seconds | Interval in seconds between each poll. | Optional |
| timeout_in_seconds | Polling timeout in seconds. | Optional |

Context Output#

There is no context output for this command.

core-endpoint-scan#


Runs a scan on a selected endpoint. To scan all endpoints, run this command with argument all=true. Note that scanning all the endpoints may cause performance issues and latency.

Base Command#

core-endpoint-scan

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| incident_id | Links the response action to the triggered incident. | Optional |
| endpoint_id_list | List of endpoint IDs. | Optional |
| dist_name | Name of the distribution list. | Optional |
| gte_first_seen | Epoch timestamp in milliseconds. | Optional |
| gte_last_seen | Epoch timestamp in milliseconds. | Optional |
| lte_first_seen | Epoch timestamp in milliseconds. | Optional |
| lte_last_seen | Epoch timestamp in milliseconds. | Optional |
| ip_list | List of IP addresses. | Optional |
| group_name | Name of the endpoint group. | Optional |
| platform | Type of operating system. Possible values are: windows, linux, macos, android. | Optional |
| alias | Endpoint alias name. | Optional |
| isolate | Choose if an endpoint has been isolated. Possible values are: isolated, unisolated. | Optional |
| hostname | Name of the host. | Optional |
| all | Choose whether to scan all of the endpoints or not. Scanning all of the endpoints may cause performance issues and latency. Possible values are: true, false. Default is false. | Optional |
| action_id | For polling use. | Optional |
| interval_in_seconds | Interval in seconds between each poll. | Optional |
| timeout_in_seconds | Polling timeout in seconds. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Core.endpointScan.actionId | Number | The action ID of the scan request. |
| Core.endpointScan.aborted | Boolean | Was the scan aborted. |

core-endpoint-scan-abort#


Cancels the scan on the selected endpoints. A scan can only be cancelled if the selected endpoints are Pending or In Progress. To scan all endpoints, run the command with the argument all=true. Note that scanning all of the endpoints may cause performance issues and latency.

Base Command#

core-endpoint-scan-abort

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| incident_id | Links the response action to the incident that triggered it. | Optional |
| endpoint_id_list | List of endpoint IDs. | Optional |
| dist_name | Name of the distribution list. | Optional |
| gte_first_seen | Epoch timestamp in milliseconds. | Optional |
| gte_last_seen | Epoch timestamp in milliseconds. | Optional |
| lte_first_seen | Epoch timestamp in milliseconds. | Optional |
| lte_last_seen | Epoch timestamp in milliseconds. | Optional |
| ip_list | List of IP addresses. | Optional |
| group_name | Name of the endpoint group. | Optional |
| platform | Type of operating system. Possible values are: windows, linux, macos, android. | Optional |
| alias | Endpoint alias name. | Optional |
| isolate | Choose whether an endpoint has been isolated. Possible values are: isolated, unisolated. | Optional |
| hostname | Name of the host. | Optional |
| all | Whether to scan all of the endpoints or not. Note that scanning all of the endpoints may cause performance issues and latency. Possible values are: true, false. Default is false. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Core.endpointScan.actionId | Unknown | The action id of the abort scan request. |
| Core.endpointScan.aborted | Boolean | Was the scan cancelled. |

core-get-policy#


Gets the policy name for a specific endpoint.

Base Command#

core-get-policy

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| endpoint_id | The endpoint ID. Retrieve by running the core-get-endpoints command. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Core.Policy | string | The policy allocated with the endpoint. |
| Core.Policy.policy_name | string | Name of the policy allocated with the endpoint. |
| Core.Policy.endpoint_id | string | Endpoint ID. |

core-get-scripts#


Gets a list of scripts available in the scripts library.

Base Command#

core-get-scripts

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| script_name | A comma-separated list of the script names. | Optional |
| description | A comma-separated list of the script descriptions. | Optional |
| created_by | A comma-separated list of the users who created the script. | Optional |
| limit | The maximum number of scripts returned to the War Room. Default is 50. | Optional |
| offset | (Int) Offset in the data set. Default is 0. | Optional |
| windows_supported | Choose to run the script on a Windows operating system. Possible values are: true, false. | Optional |
| linux_supported | Choose to run the script on a Linux operating system. Possible values are: true, false. | Optional |
| macos_supported | Choose to run the script on a Mac operating system. Possible values are: true, false. | Optional |
| is_high_risk | Choose if the script has a high-risk outcome. Possible values are: true, false. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Core.Scripts | Unknown | The scripts command results. |
| Core.Scripts.script_id | Unknown | Script ID. |
| Core.Scripts.name | string | Name of the script. |
| Core.Scripts.description | string | Description of the script. |
| Core.Scripts.modification_date | Unknown | Timestamp of when the script was last modified. |
| Core.Scripts.created_by | string | Name of the user who created the script. |
| Core.Scripts.windows_supported | boolean | Choose to run the script on a Windows operating system. |
| Core.Scripts.linux_supported | boolean | Choose to run the script on a Linux operating system. |
| Core.Scripts.macos_supported | boolean | Choose to run the script on a Mac operating system. |
| Core.Scripts.is_high_risk | boolean | Choose if the script has a high-risk outcome. |
| Core.Scripts.script_uid | string | Globally Unique Identifier of the script, used to identify the script when executing. |

Command example#

!core-get-scripts created_by="Palo Alto Networks" is_high_risk=true

Context Example#

{
"Core": {
"Scripts": [
{
"created_by": "Palo Alto Networks",
"description": "Delete a file by path",
"is_high_risk": true,
"linux_supported": true,
"macos_supported": true,
"modification_date": "2021-05-04T14:33:48",
"modification_date_timestamp": 1620138828748,
"name": "delete_file",
"script_id": 1,
"script_uid": "548023b6e4a01ec51a495ba6e5d2a15d",
"windows_supported": true
},
{
"created_by": "Palo Alto Networks",
"description": "Execute list of shell commands",
"is_high_risk": true,
"linux_supported": true,
"macos_supported": true,
"modification_date": "2022-01-05T10:14:14",
"modification_date_timestamp": 1641377654469,
"name": "execute_commands",
"script_id": 2,
"script_uid": "a6f7683c8e217d85bd3c398f0d3fb6bf",
"windows_supported": true
},
{
"created_by": "Palo Alto Networks",
"description": "Kill all processes with a CPU usage higher than specified",
"is_high_risk": true,
"linux_supported": true,
"macos_supported": true,
"modification_date": "2022-01-05T10:14:14",
"modification_date_timestamp": 1641377654480,
"name": "process_kill_cpu",
"script_id": 6,
"script_uid": "3d928a24f61cd3c1116544900c424098",
"windows_supported": true
},
{
"created_by": "Palo Alto Networks",
"description": "Kill all processes with a RAM usage higher than specified",
"is_high_risk": true,
"linux_supported": true,
"macos_supported": true,
"modification_date": "2021-05-04T14:33:48",
"modification_date_timestamp": 1620138828795,
"name": "process_kill_mem",
"script_id": 7,
"script_uid": "87d4547df6d4882a3c006ec58c3b8bf4",
"windows_supported": true
},
{
"created_by": "Palo Alto Networks",
"description": "Kill processes by name",
"is_high_risk": true,
"linux_supported": true,
"macos_supported": true,
"modification_date": "2021-05-04T14:33:48",
"modification_date_timestamp": 1620138828803,
"name": "process_kill_name",
"script_id": 8,
"script_uid": "fd0a544a99a9421222b4f57a11839481",
"windows_supported": true
},
{
"created_by": "Palo Alto Networks",
"description": "Delete registry value or delete registry key with all its values",
"is_high_risk": true,
"linux_supported": false,
"macos_supported": false,
"modification_date": "2021-05-04T14:33:48",
"modification_date_timestamp": 1620138828812,
"name": "registry_delete",
"script_id": 9,
"script_uid": "ad36488a20cdbdd1604ec4bec9da5c41",
"windows_supported": true
},
{
"created_by": "Palo Alto Networks",
"description": "Set registry value",
"is_high_risk": true,
"linux_supported": false,
"macos_supported": false,
"modification_date": "2021-05-04T14:33:48",
"modification_date_timestamp": 1620138828829,
"name": "registry_set",
"script_id": 11,
"script_uid": "896392a13b2ef0ae75b3f2396125037d",
"windows_supported": true
}
]
}
}

Human Readable Output#

Scripts#

| Name | Description | Script Uid | Modification Date | Created By | Windows Supported | Linux Supported | Macos Supported | Is High Risk |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| delete_file | Delete a file by path | 548023b6e4a01ec51a495ba6e5d2a15d | 2021-05-04T14:33:48 | Palo Alto Networks | true | true | true | true |
| execute_commands | Execute list of shell commands | a6f7683c8e217d85bd3c398f0d3fb6bf | 2022-01-05T10:14:14 | Palo Alto Networks | true | true | true | true |
| process_kill_cpu | Kill all processes with a CPU usage higher than specified | 3d928a24f61cd3c1116544900c424098 | 2022-01-05T10:14:14 | Palo Alto Networks | true | true | true | true |
| process_kill_mem | Kill all processes with a RAM usage higher than specified | 87d4547df6d4882a3c006ec58c3b8bf4 | 2021-05-04T14:33:48 | Palo Alto Networks | true | true | true | true |
| process_kill_name | Kill processes by name | fd0a544a99a9421222b4f57a11839481 | 2021-05-04T14:33:48 | Palo Alto Networks | true | true | true | true |
| registry_delete | Delete registry value or delete registry key with all its values | ad36488a20cdbdd1604ec4bec9da5c41 | 2021-05-04T14:33:48 | Palo Alto Networks | true | false | false | true |
| registry_set | Set registry value | 896392a13b2ef0ae75b3f2396125037d | 2021-05-04T14:33:48 | Palo Alto Networks | true | false | false | true |

core-delete-endpoints#


Deletes selected endpoints in the Cortex app. You can delete up to 1000 endpoints.

Base Command#

core-delete-endpoints

Input#

Argument NameDescriptionRequired
endpoint_idsComma-separated list of endpoint IDs. You can retrieve the endpoint IDs from the core-get-endpoints command.Required

Context Output#

There is no context output for this command.

core-get-endpoint-device-control-violations#


Gets a list of device control violations filtered by selected fields. You can retrieve up to 100 violations.

Base Command#

core-get-endpoint-device-control-violations

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| endpoint_ids | Comma-separated list of endpoint IDs. You can retrieve the endpoint IDs from the core-get-endpoints command. | Optional |
| type | Type of violation. Possible values are: cd-rom, disk drive, floppy disk, portable device. | Optional |
| timestamp_gte | Timestamp of the violation. Violations that are greater than or equal to this timestamp will be returned. Values can be in either ISO date format, relative time, or epoch timestamp. For example: "2019-10-21T23:45:00" (ISO date format), "3 days ago" (relative time), or 1579039377301 (epoch time). | Optional |
| timestamp_lte | Timestamp of the violation. Violations that are less than or equal to this timestamp will be returned. Values can be in either ISO date format, relative time, or epoch timestamp. For example: "2019-10-21T23:45:00" (ISO date format), "3 days ago" (relative time), or 1579039377301 (epoch time). | Optional |
| ip_list | Comma-separated list of IP addresses. | Optional |
| vendor | Name of the vendor. | Optional |
| vendor_id | Vendor ID. | Optional |
| product | Name of the product. | Optional |
| product_id | Product ID. | Optional |
| serial | Serial number. | Optional |
| hostname | Hostname. | Optional |
| violation_id_list | Comma-separated list of violation IDs. | Optional |
| username | Username. | Optional |

Context Output#

PathTypeDescription
Core.EndpointViolationsUnknownEndpoint violations command results.
Core.EndpointViolations.violationsUnknownA list of violations.
Core.EndpointViolations.violations.os_typestringType of the operating system.
Core.EndpointViolations.violations.hostnamestringHostname of the violation.
Core.EndpointViolations.violations.usernamestringUsername of the violation.
Core.EndpointViolations.violations.ipstringIP address of the violation.
Core.EndpointViolations.violations.timestampnumberTimestamp of the violation.
Core.EndpointViolations.violations.violation_idnumberViolation ID.
Core.EndpointViolations.violations.typestringType of violation.
Core.EndpointViolations.violations.vendor_idstringVendor ID of the violation.
Core.EndpointViolations.violations.vendorstringName of the vendor of the violation.
Core.EndpointViolations.violations.product_idstringProduct ID of the violation.
Core.EndpointViolations.violations.productstringName of the product of the violation.
Core.EndpointViolations.violations.serialstringSerial number of the violation.
Core.EndpointViolations.violations.endpoint_idstringEndpoint ID of the violation.

Command example#

!core-get-endpoint-device-control-violations violation_id_list=100,90,80

Context Example#

{
"Core": {
"EndpointViolations": null
}
}

Human Readable Output#

Endpoint Device Control Violation#

No entries.

core-retrieve-files#


Retrieves files from selected endpoints. You can retrieve up to 20 files, from no more than 10 endpoints. At least one endpoint ID and one file path are required to run the command. After running this command, you can use the core-action-status-get command with the returned action_id to check the action status.

Base Command#

core-retrieve-files

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| incident_id | Links the response action to the incident that triggered it. | Optional |
| endpoint_ids | Comma-separated list of endpoint IDs. | Required |
| windows_file_paths | A comma-separated list of file paths on the Windows platform. | Optional |
| linux_file_paths | A comma-separated list of file paths on the Linux platform. | Optional |
| mac_file_paths | A comma-separated list of file paths on the Mac platform. | Optional |
| generic_file_path | A comma-separated list of file paths in any platform. Can be used instead of the mac/windows/linux file paths. The order of the file paths list must be parallel to the order of the endpoints list, so the first file path in the list relates to the first endpoint, and so on. | Optional |
| action_id | For polling use. | Optional |
| interval_in_seconds | Interval in seconds between each poll. | Optional |
| timeout_in_seconds | Polling timeout in seconds. | Optional |

Context Output#

PathTypeDescription
Core.RetrievedFiles.action_idstringID of the action to retrieve files from selected endpoints.

core-retrieve-file-details#


View the file retrieved by the core-retrieve-files command according to the action ID. Before running this command, you can use the core-action-status-get command to check if this action completed successfully.

Base Command#

core-retrieve-file-details

Input#

Argument NameDescriptionRequired
action_idAction ID retrieved from the core-retrieve-files command.Required

Context Output#

PathTypeDescription
FileUnknownThe file details command results.
File.NameStringThe full file name (including the file extension).
File.EntryIDStringThe ID for locating the file in the War Room.
File.SizeNumberThe size of the file in bytes.
File.MD5StringThe MD5 hash of the file.
File.SHA1StringThe SHA1 hash of the file.
File.SHA256StringThe SHA256 hash of the file.
File.SHA512StringThe SHA512 hash of the file.
File.ExtensionStringThe file extension. For example: "xls".
File.TypeStringThe file type, as determined by libmagic (same as displayed in file entries).

Command example#

!core-retrieve-file-details action_id=1763

Human Readable Output#

Action id : 1763#

Retrieved 0 files from 0 endpoints. To get the exact action status run the core-action-status-get command

core-get-script-metadata#


Gets the full definition of a specific script in the scripts library.

Base Command#

core-get-script-metadata

Input#

Argument NameDescriptionRequired
script_uidUnique identifier of the script, returned by the core-get-scripts command.Required

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Core.ScriptMetadata | Unknown | The script metadata command results. |
| Core.ScriptMetadata.script_id | number | Script ID. |
| Core.ScriptMetadata.name | string | Script name. |
| Core.ScriptMetadata.description | string | Script description. |
| Core.ScriptMetadata.modification_date | unknown | Timestamp of when the script was last modified. |
| Core.ScriptMetadata.created_by | string | Name of the user who created the script. |
| Core.ScriptMetadata.is_high_risk | boolean | Whether the script has a high-risk outcome. |
| Core.ScriptMetadata.windows_supported | boolean | Choose to run the script on a Windows operating system. |
| Core.ScriptMetadata.linux_supported | boolean | Choose to run the script on a Linux operating system. |
| Core.ScriptMetadata.macos_supported | boolean | Choose to run the script on a Mac operating system. |
| Core.ScriptMetadata.entry_point | string | Name of the entry point selected for the script. An empty string indicates the script is defined as just run. |
| Core.ScriptMetadata.script_input | string | Name and type for the specified entry point. |
| Core.ScriptMetadata.script_output_type | string | Type of the output. |
| Core.ScriptMetadata.script_output_dictionary_definitions | Unknown | If the script_output_type is a dictionary, an array with friendly name, name, and type for each output. |

Command example#

!core-get-script-metadata script_uid=43973479d389f2ac7e99b6db88eaee40

Context Example#

{
"Core": {
"ScriptMetadata": {
"created_by": "Palo Alto Networks",
"description": "List all directories under path",
"entry_point": "run",
"is_high_risk": false,
"linux_supported": true,
"macos_supported": true,
"modification_date": 1620138828771,
"name": "list_directories",
"script_id": 4,
"script_input": [
{
"name": "path",
"type": "string"
},
{
"name": "number_of_levels",
"type": "number"
}
],
"script_output_dictionary_definitions": null,
"script_output_type": "string_list",
"script_uid": "43973479d389f2ac7e99b6db88eaee40",
"windows_supported": true
}
}
}

Human Readable Output#

Script Metadata#

| Created By | Description | Entry Point | Is High Risk | Linux Supported | Macos Supported | Modification Date | Modification Date Timestamp | Name | Script Id | Script Input | Script Output Type | Script Uid | Windows Supported |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Palo Alto Networks | List all directories under path | run | false | true | true | 2021-05-04T14:33:48 | 1620138828771 | list_directories | 4 | {'name': 'path', 'type': 'string'}, {'name': 'number_of_levels', 'type': 'number'} | string_list | 43973479d389f2ac7e99b6db88eaee40 | true |

core-get-script-code#


Gets the code of a specific script in the script library.

Base Command#

core-get-script-code

Input#

Argument NameDescriptionRequired
script_uidUnique identifier of the script, returned by the core-get-scripts command.Required

Context Output#

PathTypeDescription
Core.ScriptCodeUnknownThe script code command results.
Core.ScriptCode.codestringThe code of a specific script in the script library.
Core.ScriptCode.script_uidstringUnique identifier of the script.

Command example#

!core-get-script-code script_uid=548023b6e4a01ec51a495ba6e5d2a15d

Context Example#

{
"Core": {
"ScriptCode": {
"code": "import os\nimport sys\nimport traceback\n\n\ndef run(file_path):\n path = os.path.expanduser(file_path)\n path = os.path.expandvars(path)\n if os.path.isabs(path):\n try:\n os.remove(path)\n except IOError:\n sys.stderr.write(f\"File not accessible: {path}\")\n return False\n except Exception as e:\n sys.stderr.write(f\"Exception occured: {traceback.format_exc()}\")\n return False\n return True\n",
"script_uid": "548023b6e4a01ec51a495ba6e5d2a15d"
}
}
}

Human Readable Output#

Script code:#

import os
import sys
import traceback


def run(file_path):
    path = os.path.expanduser(file_path)
    path = os.path.expandvars(path)
    if os.path.isabs(path):
        try:
            os.remove(path)
        except IOError:
            sys.stderr.write(f"File not accessible: {path}")
            return False
        except Exception as e:
            sys.stderr.write(f"Exception occured: {traceback.format_exc()}")
            return False
    return True

core-action-status-get#


Retrieves the status of the requested actions according to the action ID.

Base Command#

core-action-status-get

Input#

Argument NameDescriptionRequired
action_idThe action ID of the selected request. After performing an action, you will receive an action ID.Required

Context Output#

PathTypeDescription
Core.GetActionStatusUnknownThe action status command results.
Core.GetActionStatus.endpoint_idstringEndpoint ID.
Core.GetActionStatus.statusstringThe status of the specific endpoint ID.
Core.GetActionStatus.action_idnumberThe specified action ID.

Command example#

!core-action-status-get action_id="1819"

Context Example#

{
"Core": {
"GetActionStatus": null
}
}

Human Readable Output#

Get Action Status#

No entries.

core-run-script (Deprecated)#


Deprecated. Use core-script-run instead.

Base Command#

core-run-script

Input#

Argument NameDescriptionRequired
incident_idLinks the response action to the incident that triggered it.Optional
endpoint_idsComma-separated list of endpoint IDs. Can be retrieved by running the core-get-endpoints command.Required
script_uidUnique identifier of the script. Can be retrieved by running the core-get-scripts command.Required
parametersDictionary contains the parameter name as key and its value for this execution as the value. For example, {"param1":"param1_value","param2":"param2_value"}.Optional
timeoutThe timeout in seconds for this execution. Default is 600.Optional

Context Output#

PathTypeDescription
Core.ScriptRun.action_idNumberID of the action initiated.
Core.ScriptRun.endpoints_countNumberNumber of endpoints the action was initiated on.

core-run-snippet-code-script#


Initiates a new endpoint script execution action using the provided snippet code.

Base Command#

core-run-snippet-code-script

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| incident_id | Links the response action to the incident that triggered it. | Optional |
| endpoint_ids | Comma-separated list of endpoint IDs. Can be retrieved by running the core-get-endpoints command. | Required |
| snippet_code | Section of a script you want to initiate on an endpoint, for example, print("7"). | Required |
| action_id | For polling use. | Optional |
| interval_in_seconds | Interval in seconds between each poll. | Optional |
| timeout_in_seconds | Polling timeout in seconds. | Optional |

Context Output#

PathTypeDescription
Core.ScriptRun.action_idNumberID of the action initiated.
Core.ScriptRun.endpoints_countNumberNumber of endpoints the action was initiated on.

core-get-script-execution-status#


Retrieves the status of a script execution action.

Base Command#

core-get-script-execution-status

Input#

Argument NameDescriptionRequired
action_idAction IDs retrieved from the core-run-script command.Required

Context Output#

PathTypeDescription
Core.ScriptStatus.general_statusStringGeneral status of the action, considering the status of all the endpoints.
Core.ScriptStatus.error_messageStringError message regarding permissions for running APIs or the action doesn’t exist.
Core.ScriptStatus.endpoints_timeoutNumberNumber of endpoints in "timeout" status.
Core.ScriptStatus.action_idNumberID of the action initiated.
Core.ScriptStatus.endpoints_pending_abortNumberNumber of endpoints in "pending abort" status.
Core.ScriptStatus.endpoints_pendingNumberNumber of endpoints in "pending" status.
Core.ScriptStatus.endpoints_in_progressNumberNumber of endpoints in "in progress" status.
Core.ScriptStatus.endpoints_failedNumberNumber of endpoints in "failed" status.
Core.ScriptStatus.endpoints_expiredNumberNumber of endpoints in "expired" status.
Core.ScriptStatus.endpoints_completed_successfullyNumberNumber of endpoints in "completed successfully" status.
Core.ScriptStatus.endpoints_canceledNumberNumber of endpoints in "canceled" status.
Core.ScriptStatus.endpoints_abortedNumberNumber of endpoints in "aborted" status.

core-get-script-execution-results#


Retrieve the results of a script execution action.

Base Command#

core-get-script-execution-results

Input#

Argument NameDescriptionRequired
action_idAction IDs retrieved from the core-run-script command.Required

Context Output#

PathTypeDescription
Core.ScriptResult.action_idNumberID of the action initiated.
Core.ScriptResult.results.retrieved_filesNumberNumber of successfully retrieved files.
Core.ScriptResult.results.endpoint_ip_addressStringEndpoint IP address.
Core.ScriptResult.results.endpoint_nameStringNumber of successfully retrieved files.
Core.ScriptResult.results.failed_filesNumberNumber of files failed to retrieve.
Core.ScriptResult.results.endpoint_statusStringEndpoint status.
Core.ScriptResult.results.domainStringDomain to which the endpoint belongs.
Core.ScriptResult.results.endpoint_idStringEndpoint ID.
Core.ScriptResult.results.execution_statusStringExecution status of this endpoint.
Core.ScriptResult.results.return_valueStringValue returned by the script in case the type is not a dictionary.
Core.ScriptResult.results.standard_outputStringThe STDOUT and the STDERR logged by the script during the execution.
Core.ScriptResult.results.retention_dateDateTimestamp in which the retrieved files will be deleted from the server.
Core.ScriptResult.results.commandStringThe command that was executed by the script.
Core.ScriptResult.results.command_outputArrayThe output of the command executed by the script.

core-get-script-execution-result-files#


Gets the files retrieved from a specific endpoint during a script execution.

Base Command#

core-get-script-execution-result-files

Input#

Argument NameDescriptionRequired
action_idAction ID retrieved from the core-run-script command.Required
endpoint_idEndpoint ID. Can be retrieved by running the core-get-endpoints command.Required

Context Output#

PathTypeDescription
File.SizeStringThe size of the file.
File.SHA1StringThe SHA1 hash of the file.
File.SHA256StringThe SHA256 hash of the file.
File.SHA512StringThe SHA512 hash of the file.
File.NameStringThe name of the file.
File.SSDeepStringThe SSDeep hash of the file.
File.EntryIDStringEntryID of the file
File.InfoStringInformation about the file.
File.TypeStringThe file type.
File.MD5StringThe MD5 hash of the file.
File.ExtensionStringThe extension of the file.

core-run-script-execute-commands#


Initiate a new endpoint script execution of shell commands.

Base Command#

core-run-script-execute-commands

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| incident_id | Links the response action to the triggered incident. | Optional |
| endpoint_ids | Comma-separated list of endpoint IDs. Can be retrieved by running the core-get-endpoints command. | Required |
| commands | Comma-separated list of shell commands to execute. Set the is_raw_command argument to true to prevent splitting by commas (useful when using \|\|, &&, or ; separators to control the flow of multiple commands). | Required |
| timeout | The timeout in seconds for this execution. Default is 600. | Optional |
| action_id | For polling use. | Optional |
| interval_in_seconds | Interval in seconds between each poll. | Optional |
| timeout_in_seconds | Polling timeout in seconds. | Optional |
| is_raw_command | Whether to pass the command as-is. When false, the command is split by commas and sent as a list of commands that are run independently. | Optional |
| command_type | Type of shell command. Possible values: "powershell", "null". | Optional |

Context Output#

PathTypeDescription
Core.ScriptRun.action_idNumberID of the action initiated.
Core.ScriptRun.endpoints_countNumberNumber of endpoints the action was initiated on.
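
The comma splitting described for the commands and is_raw_command arguments can silently change what runs on an endpoint. The following pre-flight check is an added example, not code from the integration: as_sent models the documented split, and the function names and warning labels are hypothetical.

```python
# Shell separators the argument description names as the reason to use is_raw_command.
CONTROL_OPERATORS = ("||", "&&", ";")


def as_sent(commands, is_raw_command=False):
    """Model of the documented behaviour (an assumption about the integration):
    raw input stays one command, otherwise the string is split on every comma."""
    if is_raw_command:
        return [commands]
    return [part.strip() for part in commands.split(",")]


def comma_inside_quotes(commands):
    """True if a comma sits inside a '...' or "..." span (no escape handling)."""
    quote = None
    for ch in commands:
        if quote is None:
            if ch in "'\"":
                quote = ch
        elif ch == quote:
            quote = None
        elif ch == ",":
            return True
    return False


def preflight(commands, is_raw_command=False):
    """Return warnings for a commands value before it is sent to endpoints."""
    if is_raw_command:
        return []  # nothing is split, so the string runs as written
    warnings = []
    parts = as_sent(commands)
    if comma_inside_quotes(commands):
        # A quoted argument would be cut in half and run as two broken commands.
        warnings.append("comma-inside-quotes")
    if len(parts) > 1 and any(op in commands for op in CONTROL_OPERATORS):
        # Parts run independently, so flow control does not span the commas.
        warnings.append("flow-control-split")
    if any(not part for part in parts):
        # A leading, trailing or doubled comma produces an empty command.
        warnings.append("empty-command")
    return warnings


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ('grep -E "error,fail" /var/log/app.log',
                   "cd /var/log && ls, tail -n 5 syslog",
                   "hostname,whoami"):
        print(as_sent(sample), preflight(sample))
```
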

core-run-script-delete-file#


Initiates a new endpoint script execution to delete the specified file.

Base Command#

core-run-script-delete-file

Input#

Argument NameDescriptionRequired
incident_idLinks the response action to the incident that triggered it.Optional
endpoint_idsComma-separated list of endpoint IDs. Can be retrieved by running the core-get-endpoints command.Required
file_pathPaths of the files to delete, in a comma-separated list. Paths of the files to check for existence. All of the given file paths will run on all of the endpoints.Required
timeoutThe timeout in seconds for this execution. Default is 600.Optional
action_idFor polling use.Optional
interval_in_secondsInterval in seconds between each poll.Optional
timeout_in_secondsPolling timeout in seconds.Optional

Context Output#

PathTypeDescription
Core.ScriptRun.action_idNumberID of the action initiated.
Core.ScriptRun.endpoints_countNumberNumber of endpoints the action was initiated on.

core-run-script-file-exists#


Initiates a new endpoint script execution to check if a file exists.

Base Command#

core-run-script-file-exists

Input#

Argument NameDescriptionRequired
incident_idLinks the response action to the incident that triggered it.Optional
endpoint_idsComma-separated list of endpoint IDs. Can be retrieved by running the core-get-endpoints command.Required
file_pathPaths of the files to check for existence, in a comma-separated list. All of the given file paths will run on all of the endpoints.Required
timeoutThe timeout in seconds for this execution. Default is 600.Optional
action_idFor polling use.Optional
interval_in_secondsInterval in seconds between each poll.Optional
timeout_in_secondsPolling timeout in seconds.Optional

Context Output#

PathTypeDescription
Core.ScriptRun.action_idNumberID of the action initiated.
Core.ScriptRun.endpoints_countNumberNumber of endpoints the action was initiated on.

core-run-script-kill-process#


Initiates a new endpoint script execution to kill a process.

Base Command#

core-run-script-kill-process

Input#

Argument NameDescriptionRequired
incident_idLinks the response action to the incident that triggered it.Optional
endpoint_idsComma-separated list of endpoint IDs. Can be retrieved by running the core-get-endpoints command.Required
process_nameNames of processes to kill. Will kill all of the given processes on all of the endpoints.Required
timeoutThe timeout in seconds for this execution. Default is 600.Optional
action_idFor polling use.Optional
interval_in_secondsInterval in seconds between each poll.Optional
timeout_in_secondsPolling timeout in seconds.Optional

Context Output#

PathTypeDescription
Core.ScriptRun.action_idNumberID of the action initiated.
Core.ScriptRun.endpoints_countNumberNumber of endpoints the action was initiated on.

endpoint#


Returns information about an endpoint.

Base Command#

endpoint

Input#

Argument NameDescriptionRequired
idThe endpoint ID.Optional
ipThe endpoint IP address.Optional
hostnameThe endpoint hostname.Optional

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Endpoint.Hostname | String | The endpoint's hostname. |
| Endpoint.OS | String | The endpoint's operating system. |
| Endpoint.IPAddress | String | The endpoint's IP address. |
| Endpoint.ID | String | The endpoint's ID. |
| Endpoint.Status | String | The endpoint's status. |
| Endpoint.IsIsolated | String | The endpoint's isolation status. |
| Endpoint.MACAddress | String | The endpoint's MAC address. |
| Endpoint.Vendor | String | The integration name of the endpoint vendor. |

core-report-incorrect-wildfire#


Reports an incorrect hash verdict to WildFire through Cortex.

Base Command#

core-report-incorrect-wildfire

Input#

Argument NameDescriptionRequired
file_hashString that represents the file’s hash. Must be a valid SHA256 hash.Required
new_verdictThe new verdict of the file. 0 - benign, 1 - malware. Possible values are: 0, 1.Required
reasonString that represents the reason of the report.Required
emailUser’s email address.Optional

Context Output#

PathTypeDescription
Core.WildFire.file_hashNumberString that represents the file’s hash.
Core.WildFire.new_verdictNumberThe new verdict of the file.

core-remove-allowlist-files#


Removes requested files from allow list.

Base Command#

core-remove-allowlist-files

Input#

Argument NameDescriptionRequired
incident_idLinks the response action to the incident that triggered it.Optional
hash_listString that represents a list of hashed files you want to add to allow list. Must be a valid SHA256 hash.Required
commentString that represents additional information regarding the action.Optional

Context Output#

PathTypeDescription
Core.allowlist.removed_hashesNumberRemoved file hash

Command example#

!core-remove-allowlist-files hash_list=11d69fb388ff59e5ba6ca217ca04ecde6a38fa8fb306aa5f1b72e22bb7c3a252

Context Example#

{
"Core": {
"allowlist": [
{
"removed_hashes": "11d69fb388ff59e5ba6ca217ca04ecde6a38fa8fb306aa5f1b72e22bb7c3a252"
}
]
}
}

Human Readable Output#

Allowlist Files Removed#

Removed _ Hashes
11d69fb388ff59e5ba6ca217ca04ecde6a38fa8fb306aa5f1b72e22bb7c3a252

core-remove-blocklist-files#


Removes requested files from block list.

Base Command#

core-remove-blocklist-files

Input#

Argument NameDescriptionRequired
incident_idLinks the response action to the incident that triggered it.Optional
hash_listString that represents a list of hashed files you want to add to allow list. Must be a valid SHA256 hash.Required
commentString that represents additional information regarding the action.Optional

Context Output#

PathTypeDescription
Core.blocklist.removed_hashesNumberRemoved fileHash from blocklist

Command example#

!core-remove-blocklist-files hash_list=11d69fb388ff59e5ba6ca217ca04ecde6a38fa8fb306aa5f1b72e22bb7c3a252

Context Example#

{
"Core": {
"blocklist": [
{
"removed_hashes": "11d69fb388ff59e5ba6ca217ca04ecde6a38fa8fb306aa5f1b72e22bb7c3a252"
}
]
}
}

Human Readable Output#

Blocklist Files Removed#

Removed _ Hashes
11d69fb388ff59e5ba6ca217ca04ecde6a38fa8fb306aa5f1b72e22bb7c3a252

core-add-exclusion#


Adds alert exclusion rule based on filterObject.

Base Command#

core-add-exclusion

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| name | Name of the exclusion. | Required |
| filterObject | Filter object for the exclusion. Example: {"filter":{"AND":[{"SEARCH_FIELD":"alert_category","SEARCH_TYPE":"NEQ","SEARCH_VALUE":"Phishing"}]}}. | Required |
| comment | String that represents additional information regarding the action. | Optional |
| status | Status of the exclusion. Possible values are: ENABLED, DISABLED. Default is ENABLED. | Optional |

Context Output#

PathTypeDescription
Core.exclusion.rule_idNumberAdded exclusion rule id

Command example#

!core-add-exclusion filterObject={\"filter\":{\"AND\":[{\"SEARCH_FIELD\":\"alert_category\",\"SEARCH_TYPE\":\"NEQ\",\"SEARCH_VALUE\":\"Phishing\"}]}} name=test1

Context Example#

{
"Core": {
"exclusion": {
"rule_id": 45
}
}
}

Human Readable Output#

Add Exclusion#

rule_id
45

core-delete-exclusion#


Delete an alert exclusion rule based on rule ID.

Base Command#

core-delete-exclusion

Input#

Argument NameDescriptionRequired
alert_exclusion_idThe desired alert_exclusion_id to be removed.Required

Context Output#

PathTypeDescription
Core.deletedExclusion.rule_idNumberDeleted exclusion rule id

Command example#

!core-delete-exclusion alert_exclusion_id=36

Context Example#

{
"Core": {
"deletedExclusion": {
"rule_id": null
}
}
}

Human Readable Output#

Successfully deleted the following exclusion: 36

core-get-exclusion#


Gets a list of alert exclusions.

Base Command#

core-get-exclusion

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| tenant_ID | Links the response action to the tenant that triggered it. | Optional |
| filterObject | Filter object for the exclusion. Example: {"filter":{"AND":[{"SEARCH_FIELD":"alert_category","SEARCH_TYPE":"NEQ","SEARCH_VALUE":"Phishing"}]}}. | Optional |
| limit | Limit for the response. You will get the first "limit" exclusions. Default is 20. | Optional |

Context Output#

PathTypeDescription
Core.exclusion.ALERT_WHITELIST_IDNumber
Core.exclusion.ALERT_WHITELIST_MODIFY_TIMEDate
Core.exclusion.ALERT_WHITELIST_NAMEString
Core.exclusion.ALERT_WHITELIST_INDICATOR_TEXT.pretty_nameString
Core.exclusion.ALERT_WHITELIST_INDICATOR_TEXT.data_typeUnknown
Core.exclusion.ALERT_WHITELIST_INDICATOR_TEXT.render_typeString
Core.exclusion.ALERT_WHITELIST_INDICATOR_TEXT.entity_mapUnknown
Core.exclusion.ALERT_WHITELIST_INDICATOR_TEXT.dml_typeUnknown
Core.exclusion.ALERT_WHITELIST_INDICATOR.filter.AND.SEARCH_FIELDString
Core.exclusion.ALERT_WHITELIST_INDICATOR.filter.AND.SEARCH_TYPEString
Core.exclusion.ALERT_WHITELIST_INDICATOR.filter.AND.SEARCH_VALUEString
Core.exclusion.ALERT_WHITELIST_HITSNumber
Core.exclusion.ALERT_WHITELIST_COMMENTString
Core.exclusion.ALERT_WHITELIST_USERString
Core.exclusion.ALERT_WHITELIST_PRETTY_USERString
Core.exclusion.ALERT_WHITELIST_STATUSString
Core.exclusion.ALERT_WHITELIST_BACKWARDS_SCAN_STATUSString
Core.exclusion.ALERT_WHITELIST_BACKWARDS_SCAN_TIMESTAMPUnknown
Core.exclusion.ALERT_WHITELIST_MIGRATED_FROM_ANALYTICSNumber

Command example#

!core-get-exclusion filterObject={\"filter\":{\"AND\":[{\"SEARCH_FIELD\":\"ALERT_WHITELIST_COMMENT\",\"SEARCH_TYPE\":\"NEQ\",\"SEARCH_VALUE\":\"Phishing\"}]}}

Context Example#

{
"Core": {
"exclusion": [
{
"ALERT_WHITELIST_BACKWARDS_SCAN_STATUS": "DISABLED",
"ALERT_WHITELIST_BACKWARDS_SCAN_TIMESTAMP": null,
"ALERT_WHITELIST_COMMENT": "",
"ALERT_WHITELIST_HITS": 0,
"ALERT_WHITELIST_ID": 45,
"ALERT_WHITELIST_INDICATOR": {
"filter": {
"AND": [
{
"SEARCH_FIELD": "alert_category",
"SEARCH_TYPE": "NEQ",
"SEARCH_VALUE": "Phishing"
}
]
}
},
"ALERT_WHITELIST_INDICATOR_TEXT": [
{
"data_type": "TEXT",
"dml_type": null,
"entity_map": null,
"pretty_name": "category",
"render_type": "attribute"
},
{
"data_type": null,
"entity_map": null,
"pretty_name": "!=",
"render_type": "operator"
},
{
"data_type": null,
"entity_map": null,
"pretty_name": "Phishing",
"render_type": "value"
}
],
"ALERT_WHITELIST_MIGRATED_FROM_ANALYTICS": 0,
"ALERT_WHITELIST_MODIFY_TIME": 1645102011552,
"ALERT_WHITELIST_NAME": "test1",
"ALERT_WHITELIST_PRETTY_USER": "Public API - 3",
"ALERT_WHITELIST_STATUS": "ENABLED",
"ALERT_WHITELIST_USER": "N/A"
}
]
}
}

Human Readable Output#

Exclusion#

| ALERT_WHITELIST_BACKWARDS_SCAN_STATUS | ALERT_WHITELIST_BACKWARDS_SCAN_TIMESTAMP | ALERT_WHITELIST_COMMENT | ALERT_WHITELIST_HITS | ALERT_WHITELIST_ID | ALERT_WHITELIST_INDICATOR | ALERT_WHITELIST_INDICATOR_TEXT | ALERT_WHITELIST_MIGRATED_FROM_ANALYTICS | ALERT_WHITELIST_MODIFY_TIME | ALERT_WHITELIST_NAME | ALERT_WHITELIST_PRETTY_USER | ALERT_WHITELIST_STATUS | ALERT_WHITELIST_USER |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| DISABLED |  |  | 0 | 45 | filter: {"AND": [{"SEARCH_FIELD": "alert_category", "SEARCH_TYPE": "NEQ", "SEARCH_VALUE": "Phishing"}]} | {'pretty_name': 'category', 'data_type': 'TEXT', 'render_type': 'attribute', 'entity_map': None, 'dml_type': None}, {'pretty_name': '!=', 'data_type': None, 'render_type': 'operator', 'entity_map': None}, {'pretty_name': 'Phishing', 'data_type': None, 'render_type': 'value', 'entity_map': None} | 0 | 1645102011552 | test1 | Public API - 3 | ENABLED | N/A |
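
Alert exclusions deserve periodic review, because a filter built only from NEQ conditions, like the one in the example above, matches every alert except the named value. The following audit over core-get-exclusion context output is an added example, not part of the integration; the finding labels, the "Public API" prefix heuristic, and rules 900 and 901 are assumptions constructed for illustration.

```python
import json

# Context output of core-get-exclusion, trimmed to the fields the audit reads.
# Rule 45 is the example shown above; rules 900 and 901 are constructed.
SAMPLE_CONTEXT = json.loads("""
{"Core": {"exclusion": [
  {"ALERT_WHITELIST_ID": 45, "ALERT_WHITELIST_NAME": "test1",
   "ALERT_WHITELIST_STATUS": "ENABLED", "ALERT_WHITELIST_COMMENT": "",
   "ALERT_WHITELIST_PRETTY_USER": "Public API - 3",
   "ALERT_WHITELIST_INDICATOR": {"filter": {"AND": [
     {"SEARCH_FIELD": "alert_category", "SEARCH_TYPE": "NEQ", "SEARCH_VALUE": "Phishing"}]}}},
  {"ALERT_WHITELIST_ID": 900, "ALERT_WHITELIST_NAME": "constructed-disabled",
   "ALERT_WHITELIST_STATUS": "DISABLED", "ALERT_WHITELIST_COMMENT": "",
   "ALERT_WHITELIST_PRETTY_USER": "Public API - 3",
   "ALERT_WHITELIST_INDICATOR": {"filter": {"AND": [
     {"SEARCH_FIELD": "alert_category", "SEARCH_TYPE": "NEQ", "SEARCH_VALUE": "Phishing"}]}}},
  {"ALERT_WHITELIST_ID": 901, "ALERT_WHITELIST_NAME": "constructed-no-filter",
   "ALERT_WHITELIST_STATUS": "ENABLED", "ALERT_WHITELIST_COMMENT": "approved in change review",
   "ALERT_WHITELIST_PRETTY_USER": "constructed analyst",
   "ALERT_WHITELIST_INDICATOR": null}
]}}
""")


def conditions(rule):
    """Return the AND-ed conditions of a rule, or None if the filter has any
    other shape (only the {"filter": {"AND": [...]}} form appears on this page)."""
    flt = (rule.get("ALERT_WHITELIST_INDICATOR") or {}).get("filter") or {}
    conds = flt.get("AND")
    if not isinstance(conds, list) or not conds or set(flt) != {"AND"}:
        return None
    return conds


def audit_rule(rule):
    """Return review findings for one exclusion rule; disabled rules are skipped."""
    if rule.get("ALERT_WHITELIST_STATUS") != "ENABLED":
        return []
    findings = []
    conds = conditions(rule)
    if conds is None:
        findings.append("unrecognized-filter-shape")  # needs manual review
    elif all(c.get("SEARCH_TYPE") == "NEQ" for c in conds):
        findings.append("negated-only-filter")  # matches all but the listed values
    if not (rule.get("ALERT_WHITELIST_COMMENT") or "").strip():
        findings.append("no-comment")  # no recorded justification
    if (rule.get("ALERT_WHITELIST_PRETTY_USER") or "").startswith("Public API"):
        findings.append("created-via-api")  # heuristic: not tied to a named analyst
    return findings


def audit(context):
    """Map rule ID to findings for every enabled rule that has at least one."""
    rules = (context.get("Core") or {}).get("exclusion") or []
    if isinstance(rules, dict):  # a single rule may arrive as an object
        rules = [rules]
    report = {}
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            report[rule.get("ALERT_WHITELIST_ID")] = findings
    return report


if __name__ == "__main__":
    for rule_id, findings in audit(SAMPLE_CONTEXT).items():
        print(rule_id, ", ".join(findings))
```
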

core-get-cloud-original-alerts#


Returns information about each alert ID.

Base Command#

core-get-cloud-original-alerts

Input#

Argument NameDescriptionRequired
alert_idsA comma-separated list of alert IDs.Required
events_from_decider_formatWhether to return events_from_decider context output as a dictionary (the raw API response) or as a list (improved for playbook automation) - relevant only when filter_alert_fields is set to False.Optional

Context Output#

PathTypeDescription
Core.OriginalAlert.event._timeStringThe timestamp of the occurrence of the event.
Core.OriginalAlert.event.vendorStringVendor name.
Core.OriginalAlert.event.event_timestampNumberEvent timestamp.
Core.OriginalAlert.event.event_typeNumberEvent type (static 500).
Core.OriginalAlert.event.cloud_providerStringThe cloud provider - GCP, AZURE, or AWS.
Core.OriginalAlert.event.projectStringThe project in which the event occurred.
Core.OriginalAlert.event.cloud_provider_event_idStringThe ID given to the event by the cloud provider, if the ID exists.
Core.OriginalAlert.event.cloud_correlation_idStringThe ID the cloud provider is using to aggregate events that are part of the same general event.
Core.OriginalAlert.event.operation_name_origStringThe name of the operation that occurred, as supplied by the cloud provider.
Core.OriginalAlert.event.operation_nameStringThe normalized name of the operation performed by the event.
Core.OriginalAlert.event.identity_origStringContains the original identity related fields as provided by the cloud provider.
Core.OriginalAlert.event.identity_nameStringThe name of the identity that initiated the action.
Core.OriginalAlert.event.identity_uuidStringSame as identity_name but also contains the UUID of the identity if it exists.
Core.OriginalAlert.event.identity_typeStringAn enum representing the type of the identity.
Core.OriginalAlert.event.identity_sub_typeStringAn enum representing the sub-type of the identity, respective to its identity_type.
Core.OriginalAlert.event.identity_invoked_by_nameStringThe name of the identity that invoked the action as it appears in the log.
Core.OriginalAlert.event.identity_invoked_by_uuidStringThe UUID of the identity that invoked the action as it appears in the log.
Core.OriginalAlert.event.identity_invoked_by_typeStringAn enum that represents the type of identity event that invoked the action.
Core.OriginalAlert.event.identity_invoked_by_sub_typeStringAn enum that represents the respective sub_type of the type of identity (identity_type) that has invoked the action.
Core.OriginalAlert.event.operation_statusStringStatus of whether the operation has succeed or failed, if provided.
Core.OriginalAlert.event.operation_status_origStringThe operation status code as it appears in the log, including lookup from code number to code name.
Core.OriginalAlert.event.operation_status_orig_codeStringThe operation status code as it appears in the log.
Core.OriginalAlert.event.operation_status_reason_providedStringDescription of the error, if the log record indicates an error and the cloud provider supplied the reason.
Core.OriginalAlert.event.resource_typeStringThe normalized type of the service that emitted the log row.
Core.OriginalAlert.event.resource_type_origStringThe type of the service that omitted the log as provided by the cloud provider.
Core.OriginalAlert.event.resource_sub_typeStringThe sub-type respective to the resource_type field, normalized across all cloud providers.
Core.OriginalAlert.event.resource_sub_type_origStringThe sub-type of the service that emitted this log row as provided by the cloud provider.
Core.OriginalAlert.event.regionStringThe cloud region of the resource that emitted the log.
Core.OriginalAlert.event.zoneStringThe availability zone of the resource that emitted the log.
Core.OriginalAlert.event.referenced_resourceStringThe cloud resource referenced in the audit log.
Core.OriginalAlert.event.referenced_resource_nameStringSame as referenced_resource but provides only the substring that represents the resource name instead of the full asset ID.
Core.OriginalAlert.event.referenced_resources_countNumberThe number of extracted resources referenced in this audit log.
Core.OriginalAlert.event.user_agentStringThe user agent provided in the call to the API of the cloud provider.
Core.OriginalAlert.event.caller_ipStringThe IP of the caller that performed the action in the log.
Core.OriginalAlert.event.caller_ip_geolocationStringThe geolocation associated with the caller_ip's value.
Core.OriginalAlert.event.caller_ip_asnNumberThe ASN of the caller_ip's value.
Core.OriginalAlert.event.caller_projectStringThe project of the caller entity.
Core.OriginalAlert.event.raw_logUnknownThe raw log that is being normalized.
Core.OriginalAlert.event.log_nameStringThe name of the log that contains the log row.
Core.OriginalAlert.event.caller_ip_asn_orgStringThe organization associated with the ASN of the caller_ip's value.
Core.OriginalAlert.event.event_base_idStringEvent base ID.
Core.OriginalAlert.event.ingestion_timeStringIngestion time.

core-get-dynamic-analysis#


Returns dynamic analysis of each alert ID.

Base Command#

core-get-dynamic-analysis

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| alert_ids | A comma-separated list of alert IDs. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Core.DynamicAnalysis.causalityId | String | |
| Core.DynamicAnalysis.internals.name | String | |
| Core.DynamicAnalysis.internals.factName | String | |
| Core.DynamicAnalysis.internals.timestamp | Date | |
| Core.DynamicAnalysis.internals.eventId | String | |
| Core.DynamicAnalysis.internals.attributes.user_presence | String | |
| Core.DynamicAnalysis.internals.attributes.shellcode_address | String | |
| Core.DynamicAnalysis.internals.attributes.tid | String | |
| Core.DynamicAnalysis.internals.attributes.parent_pid | String | |
| Core.DynamicAnalysis.internals.attributes.is_sign | String | |
| Core.DynamicAnalysis.internals.attributes.sync_action | String | |
| Core.DynamicAnalysis.internals.attributes.is_remote_session | String | |
| Core.DynamicAnalysis.internals.attributes.peb | String | |
| Core.DynamicAnalysis.internals.attributes.process_image_path | String | |
| Core.DynamicAnalysis.internals.attributes.command_line | String | |
| Core.DynamicAnalysis.internals.attributes.scanned_buffer_crc32_stacktrace_allocation_base_buffer | String | |
| Core.DynamicAnalysis.internals.attributes.page_base_shellcode_buffer | String | |
| Core.DynamicAnalysis.internals.attributes.os_sig_status | String | |
| Core.DynamicAnalysis.internals.attributes.file_info_legal_copyright | String | |
| Core.DynamicAnalysis.internals.attributes.user_name | String | |
| Core.DynamicAnalysis.internals.attributes.is_heavens_gate | String | |
| Core.DynamicAnalysis.internals.attributes.is_impersonated | String | |
| Core.DynamicAnalysis.internals.attributes.os_parent_instance_id | String | |
| Core.DynamicAnalysis.internals.attributes.file_info_internal_name | String | |
| Core.DynamicAnalysis.internals.attributes.stack_trace | String | |
| Core.DynamicAnalysis.internals.attributes.is_injected | String | |
| Core.DynamicAnalysis.internals.attributes.pid | String | |
| Core.DynamicAnalysis.internals.attributes.thread_context_eip_image_path | String | |
| Core.DynamicAnalysis.internals.attributes.image_path_sha256 | String | |
| Core.DynamicAnalysis.internals.attributes.montepi_err | String | |
| Core.DynamicAnalysis.internals.attributes.file_info_company_name | String | |
| Core.DynamicAnalysis.internals.attributes.file_info_original_name | String | |
| Core.DynamicAnalysis.internals.attributes.instance_id | String | |
| Core.DynamicAnalysis.internals.attributes.yara_file_scan_result | String | |
| Core.DynamicAnalysis.internals.attributes.file_obj_flags | String | |
| Core.DynamicAnalysis.internals.attributes.should_obfuscate | String | |
| Core.DynamicAnalysis.internals.attributes.file_size | String | |
| Core.DynamicAnalysis.internals.attributes.file_info_is_dot_net | String | |
| Core.DynamicAnalysis.internals.attributes.call_region_shellcode_buffer | String | |
| Core.DynamicAnalysis.internals.attributes.allocation_base_shellcode_buffer | String | |
| Core.DynamicAnalysis.internals.attributes.signer_name | String | |
| Core.DynamicAnalysis.internals.attributes.original_command_line | String | |
| Core.DynamicAnalysis.internals.attributes.yara_rules_results_stacktrace_page_base_buffer | String | |
| Core.DynamicAnalysis.internals.attributes.rpc_interface_uuid | String | |
| Core.DynamicAnalysis.internals.attributes.rpc_interface_minor_version | String | |
| Core.DynamicAnalysis.internals.attributes.telem | String | |
| Core.DynamicAnalysis.internals.attributes.is_trusted_signer | String | |
| Core.DynamicAnalysis.internals.attributes.thread_context_eip | String | |
| Core.DynamicAnalysis.internals.attributes.requested_parent_instance_id | String | |
| Core.DynamicAnalysis.internals.attributes.is_cgo | String | |
| Core.DynamicAnalysis.internals.attributes.parent_cid | String | |
| Core.DynamicAnalysis.internals.attributes.enabled_privileges | Date | |
| Core.DynamicAnalysis.internals.attributes.peb32 | String | |
| Core.DynamicAnalysis.internals.attributes.is_embedded_sign | String | |
| Core.DynamicAnalysis.internals.attributes.rpc_function_opnum | String | |
| Core.DynamicAnalysis.internals.attributes.parent_thread_instance_id | String | |
| Core.DynamicAnalysis.internals.attributes.remote_causality_actor_ip | String | |
| Core.DynamicAnalysis.internals.attributes.canonized_process_image_path | String | |
| Core.DynamicAnalysis.internals.attributes.scanned_buffer_crc32_stacktrace_call_region_buffer | String | |
| Core.DynamicAnalysis.internals.attributes.yara_rules_results_stacktrace_allocation_base_buffer | String | |
| Core.DynamicAnalysis.internals.attributes.entry_point_rva | String | |
| Core.DynamicAnalysis.internals.attributes.is_stack_pivot | String | |
| Core.DynamicAnalysis.internals.attributes.os_parent_pid | String | |
| Core.DynamicAnalysis.internals.attributes.image_path_md5 | String | |
| Core.DynamicAnalysis.internals.attributes.causality_actor_type | String | |
| Core.DynamicAnalysis.internals.attributes.timestamp | String | |
| Core.DynamicAnalysis.internals.attributes.is_in_transaction | String | |
| Core.DynamicAnalysis.internals.attributes.cid | String | |
| Core.DynamicAnalysis.internals.attributes.integrity_level | String | |
| Core.DynamicAnalysis.internals.attributes.actor_type | String | |
| Core.DynamicAnalysis.internals.attributes.file_info_description | String | |
| Core.DynamicAnalysis.internals.attributes.chisq_prob | String | |
| Core.DynamicAnalysis.internals.attributes.parent_tid | String | |
| Core.DynamicAnalysis.internals.attributes.rpc_interface_major_version | String | |
| Core.DynamicAnalysis.internals.attributes.dse_internal | String | |
| Core.DynamicAnalysis.internals.attributes.telem_bit_mask | String | |
| Core.DynamicAnalysis.internals.attributes.process_image_name | String | |
| Core.DynamicAnalysis.internals.attributes.parent_instance_id | String | |
| Core.DynamicAnalysis.internals.attributes.entropy | String | |
| Core.DynamicAnalysis.internals.attributes.call_region_base_address | String | |
| Core.DynamicAnalysis.internals.attributes.yara_rules_results_stacktrace_call_region_buffer | String | |
| Core.DynamicAnalysis.internals.attributes.scanned_buffer_crc32_stacktrace_page_base_buffer | String | |
| Core.DynamicAnalysis.internals.attributes.image_base | String | |
| Core.DynamicAnalysis.internals.attributes.sync_id | String | |
| Core.DynamicAnalysis.internals.attributes.effective_user_sid | String | |
| Core.DynamicAnalysis.internals.attributes.requested_parent_pid | String | |
| Core.DynamicAnalysis.internals.attributes.event_id | String | |
| Core.DynamicAnalysis.internals.attributes.rpc_protocol | String | |
| Core.DynamicAnalysis.internals.processIdx | Number | |
| Core.DynamicAnalysis.internals.instanceId | String | |
| Core.DynamicAnalysis.internals.attributes.scriptblock_text | String | |
| Core.DynamicAnalysis.internals.attributes.script_path | String | |
| Core.DynamicAnalysis.internals.attributes.actor_pid | String | |
| Core.DynamicAnalysis.internals.attributes.actor_instance_id | String | |
| Core.DynamicAnalysis.internals.attributes.actor_thread_instance_id | String | |
| Core.DynamicAnalysis.internals.attributes.etw_event_id | String | |
| Core.DynamicAnalysis.internals.attributes.actor_tid | String | |
| Core.DynamicAnalysis.internals.attributes.suspicious_strings | String | |
| Core.DynamicAnalysis.internals.attributes.suspicious_strings_context | String | |
| Core.DynamicAnalysis.internals.attributes.content_version | String | |
| Core.DynamicAnalysis.internals.attributes.script_hash | String | |
| Core.DynamicAnalysis.internals.attributes.dotnet_callstack | String | |
| Core.DynamicAnalysis.internals.attributes.hook_type | String | |
| Core.DynamicAnalysis.internals.attributes.appdomain_id | String | |
| Core.DynamicAnalysis.internals.attributes.ps_assembly_version | String | |
| Core.DynamicAnalysis.internals.attributes.original_length | String | |
| Core.DynamicAnalysis.internals.attributes.invoke_expression_count | String | |
| Core.DynamicAnalysis.internals.attributes.file_path | String | |
| Core.DynamicAnalysis.internals.attributes.content | String | |
| Core.DynamicAnalysis.internals.attributes.edr_assembly_version | String | |
| Core.DynamicAnalysis.internals.attributes.expression_tree_scan_result | String | |
| Core.DynamicAnalysis.internals.attributes.content_length | String | |
| Core.DynamicAnalysis.internals.attributes.local_analysis_verdict | String | |
| Core.DynamicAnalysis.internals.attributes.clr_version | String | |
| Core.DynamicAnalysis.internals.attributes.powershell_version | String | |
| Core.DynamicAnalysis.internals.attributes.script_source | String | |
| Core.DynamicAnalysis.internals.attributes.prio | String | |
| Core.DynamicAnalysis.internals.attributes.build_timestamp | Date | |
| Core.DynamicAnalysis.potentialPreventionActionOverride | Boolean | |
| Core.DynamicAnalysis.isBiocRule | Boolean | |
| Core.DynamicAnalysis.biocId | Number | |
| Core.DynamicAnalysis.additionalData | String | |
| Core.DynamicAnalysis.biocRuleName | String | |
| Core.DynamicAnalysis.reachedMaxActivationsPerRule | Boolean | |
| Core.DynamicAnalysis.syncActionStatus | Number | |
| Core.DynamicAnalysis.spawnerImagePath | String | |
| Core.DynamicAnalysis.spawnerCmdline | String | |
| Core.DynamicAnalysis.spawnerSigner | String | |
| Core.DynamicAnalysis.osSpawnerImagePath | String | |
| Core.DynamicAnalysis.osSpawnerCmdline | String | |
| Core.DynamicAnalysis.osSpawnerSigner | String | |

core-get-hash-analytics-prevalence#


Get the prevalence of a file, identified by sha256.

Base Command#

core-get-hash-analytics-prevalence

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| sha256 | The sha256 of a file. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Core.AnalyticsPrevalence.Hash.value | Boolean | Whether the hash is prevalent or not. |
| Core.AnalyticsPrevalence.Hash.data.global_prevalence.value | Number | The global prevalence of the hash. |
| Core.AnalyticsPrevalence.Hash.data.local_prevalence.value | Number | The local prevalence of the hash. |
| Core.AnalyticsPrevalence.Hash.data.prevalence.value | Number | The prevalence of the hash. |

core-get-IP-analytics-prevalence#


Get the prevalence of an IP address, identified by ip_address.

Base Command#

core-get-IP-analytics-prevalence

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| ip_address | The IP address. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Core.AnalyticsPrevalence.Ip.value | Boolean | Whether the IP address is prevalent or not. |
| Core.AnalyticsPrevalence.Ip.data.global_prevalence.value | Number | The global prevalence of the IP. |
| Core.AnalyticsPrevalence.Ip.data.local_prevalence.value | Number | The local prevalence of the IP. |
| Core.AnalyticsPrevalence.Ip.data.prevalence.value | Number | The prevalence of the IP. |

core-get-domain-analytics-prevalence#


Get the prevalence of a domain, identified by domain_name.

Base Command#

core-get-domain-analytics-prevalence

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| domain_name | The domain name. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Core.AnalyticsPrevalence.Domain.value | Boolean | Whether the domain is prevalent or not. |
| Core.AnalyticsPrevalence.Domain.data.global_prevalence.value | Number | The global prevalence of the domain. |
| Core.AnalyticsPrevalence.Domain.data.local_prevalence.value | Number | The local prevalence of the domain. |
| Core.AnalyticsPrevalence.Domain.data.prevalence.value | Number | The prevalence of the domain. |

core-get-process-analytics-prevalence#


Get the prevalence of a process, identified by process_name.

Base Command#

core-get-process-analytics-prevalence

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| process_name | The process name. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Core.AnalyticsPrevalence.Process.value | Boolean | Whether the process is prevalent or not. |
| Core.AnalyticsPrevalence.Process.data.global_prevalence.value | Number | The global prevalence of the process. |
| Core.AnalyticsPrevalence.Process.data.local_prevalence.value | Number | The local prevalence of the process. |
| Core.AnalyticsPrevalence.Process.data.prevalence.value | Number | The prevalence of the process. |

core-get-registry-analytics-prevalence#


Get the prevalence of a registry_path, identified by key_name, value_name.

Base Command#

core-get-registry-analytics-prevalence

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| key_name | The key name of a registry path. | Required |
| value_name | The value name of a registry path. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Core.AnalyticsPrevalence.Registry.value | Boolean | Whether the registry is prevalent or not. |
| Core.AnalyticsPrevalence.Registry.data.global_prevalence.value | Number | The global prevalence of the registry. |
| Core.AnalyticsPrevalence.Registry.data.local_prevalence.value | Number | The local prevalence of the registry. |
| Core.AnalyticsPrevalence.Registry.data.prevalence.value | Number | The prevalence of the registry. |

core-get-cmd-analytics-prevalence#


Get the prevalence of a process_command_line, identified by process_command_line.

Base Command#

core-get-cmd-analytics-prevalence

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| process_command_line | The process command line. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Core.AnalyticsPrevalence.Cmd.value | Boolean | Whether the CMD is prevalent or not. |
| Core.AnalyticsPrevalence.Cmd.data.global_prevalence.value | Number | The global prevalence of the CMD. |
| Core.AnalyticsPrevalence.Cmd.data.local_prevalence.value | Number | The local prevalence of the CMD. |
| Core.AnalyticsPrevalence.Cmd.data.prevalence.value | Number | The prevalence of the CMD. |

core-add-endpoint-tag#


Add a tag to one or more endpoints.

Base Command#

core-add-endpoint-tag

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| endpoint_ids | A comma-separated list of tenant IDs of the endpoint(s) for which you want to assign the tag. | Required |
| tag | The tag name to assign to the endpoint(s). | Required |
| endpoint_id_list | A comma-separated list of endpoint IDs to filter by. | Optional |
| dist_name | A comma-separated list of distribution package names or installation package names. Example: dist_name1,dist_name2. | Optional |
| ip_list | A comma-separated list of IP addresses. Example: 8.8.8.8,1.1.1.1. | Optional |
| group_name | A comma-separated list of group names to which the agent belongs. Example: group_name1,group_name2. | Optional |
| platform | The endpoint platform. Possible values are: windows, linux, macos, android. | Optional |
| alias_name | A comma-separated list of alias names. Examples: alias_name1,alias_name2. | Optional |
| isolate | Specifies whether the endpoint was isolated or unisolated. Possible values are: isolated, unisolated. | Optional |
| hostname | A comma-separated list of hostnames. Example: hostname1,hostname2. | Optional |
| first_seen_gte | All the agents that were first seen after {first_seen_gte}. Supported values: 1579039377301 (time in milliseconds), "3 days" (relative date), "2019-10-21T23:45:00" (date). | Optional |
| first_seen_lte | All the agents that were first seen before {first_seen_lte}. Supported values: 1579039377301 (time in milliseconds), "3 days" (relative date), "2019-10-21T23:45:00" (date). | Optional |
| last_seen_gte | All the agents that were last seen after {last_seen_gte}. Supported values: 1579039377301 (time in milliseconds), "3 days" (relative date), "2019-10-21T23:45:00" (date). | Optional |
| last_seen_lte | All the agents that were last seen before {last_seen_lte}. Supported values: 1579039377301 (time in milliseconds), "3 days" (relative date), "2019-10-21T23:45:00" (date). | Optional |
| status | The status of the endpoint to filter. Possible values are: connected, disconnected, lost, uninstalled. | Optional |

Context Output#

There is no context output for this command.

Command example#

!core-add-endpoint-tag endpoint_ids=1234 tag=test

Human Readable Output#

Successfully added tag test to endpoint(s) ['1234']

core-remove-endpoint-tag#


Remove a tag from one or more endpoints.

Base Command#

core-remove-endpoint-tag

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| endpoint_ids | A comma-separated list of tenant IDs of the endpoint(s) for which you want to remove the tag. | Required |
| tag | The tag name to remove from the endpoint(s). | Required |
| endpoint_id_list | A comma-separated list of endpoint IDs to filter by. | Optional |
| dist_name | A comma-separated list of distribution package names or installation package names. Example: dist_name1,dist_name2. | Optional |
| ip_list | A comma-separated list of IP addresses. Example: 8.8.8.8,1.1.1.1. | Optional |
| group_name | A comma-separated list of group names to which the agent belongs. Example: group_name1,group_name2. | Optional |
| platform | The endpoint platform. Possible values are: windows, linux, macos, android. | Optional |
| alias_name | A comma-separated list of alias names. Examples: alias_name1,alias_name2. | Optional |
| isolate | Specifies whether the endpoint was isolated or unisolated. Possible values are: isolated, unisolated. | Optional |
| hostname | A comma-separated list of hostnames. Example: hostname1,hostname2. | Optional |
| first_seen_gte | All the agents that were first seen after {first_seen_gte}. Supported values: 1579039377301 (time in milliseconds), "3 days" (relative date), "2019-10-21T23:45:00" (date). | Optional |
| first_seen_lte | All the agents that were first seen before {first_seen_lte}. Supported values: 1579039377301 (time in milliseconds), "3 days" (relative date), "2019-10-21T23:45:00" (date). | Optional |
| last_seen_gte | All the agents that were last seen after {last_seen_gte}. Supported values: 1579039377301 (time in milliseconds), "3 days" (relative date), "2019-10-21T23:45:00" (date). | Optional |
| last_seen_lte | All the agents that were last seen before {last_seen_lte}. Supported values: 1579039377301 (time in milliseconds), "3 days" (relative date), "2019-10-21T23:45:00" (date). | Optional |
| status | The status of the endpoint to filter. Possible values are: connected, disconnected, lost, uninstalled. | Optional |

Context Output#

There is no context output for this command.

Command example#

!core-remove-endpoint-tag endpoint_ids=1234 tag=test

Human Readable Output#

Successfully removed tag test from endpoint(s) ['1234']

core-endpoint-alias-change#


Gets a list of endpoints according to the passed filters, and changes their alias name. Filtering by multiple fields will be concatenated using the AND condition (OR is not supported).

Base Command#

core-endpoint-alias-change

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| status | The status of the endpoint to use as a filter. Possible values are: connected, disconnected. | Optional |
| endpoint_id_list | A comma-separated list of endpoint IDs to use as a filter. | Optional |
| dist_name | A comma-separated list of distribution package names or installation package names to use as a filter. Example: dist_name1,dist_name2. | Optional |
| ip_list | A comma-separated list of IP addresses to use as a filter. Example: 8.8.8.8,1.1.1.1. | Optional |
| group_name | A comma-separated list of group names to which the agent belongs to use as a filter. Example: group_name1,group_name2. | Optional |
| platform | The endpoint platform to use as a filter. Possible values are: windows, linux, macos, android. | Optional |
| alias_name | A comma-separated list of alias names to use as a filter. Examples: alias_name1,alias_name2. | Optional |
| isolate | Specifies whether the endpoint was isolated or unisolated to use as a filter. Possible values are: isolated, unisolated. Note: This argument returns only the first endpoint that matches. | Optional |
| hostname | A comma-separated list of hostnames to use as a filter. Example: hostname1,hostname2. | Optional |
| first_seen_gte | All the agents that were first seen after {first_seen_gte} to use as a filter. Supported values: 1579039377301 (time in milliseconds), "3 days" (relative date), "2019-10-21T23:45:00" (date). | Optional |
| first_seen_lte | All the agents that were first seen before {first_seen_lte} to use as a filter. Supported values: 1579039377301 (time in milliseconds), "3 days" (relative date), "2019-10-21T23:45:00" (date). | Optional |
| last_seen_gte | All the agents that were last seen after {last_seen_gte} to use as a filter. Supported values: 1579039377301 (time in milliseconds), "3 days" (relative date), "2019-10-21T23:45:00" (date). | Optional |
| last_seen_lte | All the agents that were last seen before {last_seen_lte} to use as a filter. Supported values: 1579039377301 (time in milliseconds), "3 days" (relative date), "2019-10-21T23:45:00" (date). | Optional |
| username | The usernames to query for to use as a filter. Accepts a single user, or comma-separated list of usernames. | Optional |
| new_alias_name | The alias name to change to. Note: If you send an empty field (e.g., new_alias_name=""), the current alias name is deleted. | Required |
| scan_status | The scan status of the endpoint to use as a filter. Possible values are: none, pending, in_progress, canceled, aborted, pending_cancellation, success, error. | Optional |

Context Output#

There is no context output for this command.

Command example#

!core-endpoint-alias-change new_alias_name=test scan_status=success ip_list=1.1.1.1

Human Readable Output#

The endpoint alias was changed successfully. Note: If there is no error in the process, then this is the output even when the specific endpoint does not exist.
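The first_seen_* and last_seen_* filters of core-add-endpoint-tag, core-remove-endpoint-tag and core-endpoint-alias-change accept three value forms, and a mistyped bound silently changes which endpoints a bulk action touches. The following Python is an added example, not code from the integration: it normalizes the three documented forms to epoch milliseconds and rejects windows that cannot match. The UTC interpretation of the date form, the relative units other than days, and the plausibility threshold for millisecond values are assumptions of this example.

```python
import re
from datetime import datetime, timedelta, timezone

DATE_FORMAT = "%Y-%m-%dT%H:%M:%S"   # documented form: "2019-10-21T23:45:00"
# The page shows only "3 days"; the other units are an assumption of this example.
UNIT_SECONDS = {"minute": 60, "hour": 3600, "day": 86400, "week": 604800}
RELATIVE = re.compile(r"(\d+)\s+(minute|hour|day|week)s?", re.IGNORECASE)
# Assumption: anything below 10**12 ms (September 2001) is a value given in
# seconds by mistake, which would otherwise read as a date in 1970.
MIN_PLAUSIBLE_MS = 10**12


def to_epoch_ms(value, now=None):
    """Convert one first_seen_*/last_seen_* value to epoch milliseconds."""
    now = now or datetime.now(timezone.utc)
    text = str(value).strip().strip('"')
    if text.isdigit():                                  # time in milliseconds
        ms = int(text)
        if ms < MIN_PLAUSIBLE_MS:
            raise ValueError(f"{text} looks like seconds, not milliseconds")
        return ms
    match = RELATIVE.fullmatch(text)
    if match:                                           # relative date, e.g. "3 days"
        seconds = int(match.group(1)) * UNIT_SECONDS[match.group(2).lower()]
        return int((now - timedelta(seconds=seconds)).timestamp() * 1000)
    # Date form; interpreted as UTC (assumption, the page names no time zone).
    parsed = datetime.strptime(text, DATE_FORMAT).replace(tzinfo=timezone.utc)
    return int(parsed.timestamp() * 1000)


def normalize_seen_filters(filters, now=None):
    """Return a copy of the command arguments with every seen-time bound in
    epoch milliseconds. Raises ValueError for a bound that cannot be parsed
    or a gte/lte pair that excludes every endpoint."""
    now = now or datetime.now(timezone.utc)
    now_ms = int(now.timestamp() * 1000)
    out = dict(filters)
    for field in ("first_seen", "last_seen"):
        bounds = {}
        for op in ("gte", "lte"):
            key = f"{field}_{op}"
            if filters.get(key) is not None:
                bounds[op] = out[key] = to_epoch_ms(filters[key], now)
        if bounds.get("gte", 0) > now_ms:
            raise ValueError(f"{field}_gte is in the future")
        if "gte" in bounds and "lte" in bounds and bounds["gte"] > bounds["lte"]:
            raise ValueError(f"{field}_gte is later than {field}_lte")
    return out
```

Because filters are combined with AND, running this check before the command turns an inverted or malformed window into an error instead of a call that matches nothing or far more than intended.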

core-list-users#


Retrieve a list of the current users in the environment. Required license: Cortex XDR Pro per Endpoint, Cortex XDR Pro, or Cortex XDR Pro per TB.

Base Command#

core-list-users

Input#

| Argument Name | Description | Required |
| --- | --- | --- |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Core.User.user_email | string | Email address of the user. |
| Core.User.user_first_name | string | First name of the user. |
| Core.User.user_last_name | string | Last name of the user. |
| Core.User.role_name | string | Role name associated with the user. |
| Core.User.last_logged_in | Number | Timestamp of when the user last logged in. |
| Core.User.user_type | string | Type of user. |
| Core.User.groups | array | Name of user groups associated with the user, if applicable. |
| Core.User.scope | array | Name of scope associated with the user, if applicable. |

Command example#

!core-list-users

Context Example#

{
    "dummy": {
        "User": [
            {
                "groups": [],
                "last_logged_in": 1648158415051,
                "role_name": "dummy",
                "scope": [],
                "user_email": "dummy@dummy.com",
                "user_first_name": "dummy",
                "user_last_name": "dummy",
                "user_type": "dummy"
            },
            {
                "groups": [],
                "last_logged_in": null,
                "role_name": "dummy",
                "scope": [],
                "user_email": "dummy@dummy.com",
                "user_first_name": "dummy",
                "user_last_name": "dummy",
                "user_type": "dummy"
            }
        ]
    }
}

Human Readable Output#

Users#

| First Name | Groups | Last Name | Role | Type | User email |
| --- | --- | --- | --- | --- | --- |
| dummy | | dummy | dummy | dummy | dummy |
| dummy | | dummy | dummy | dummy | dummy |

core-list-risky-users#


Retrieve the risk score of a specific user or list of users with the highest risk score in the environment along with the reason affecting each score. Required license: Cortex XDR Pro per Endpoint, Cortex XDR Pro, or Cortex XDR Pro per TB.

Base Command#

core-list-risky-users

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| user_id | Unique ID of a specific user. User ID could be either of the foo/dummy format, or just dummy. | Optional |
| limit | Limit the number of users that will appear in the list. (Use limit when no specific host is requested.) Default is 10. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Core.RiskyUser.type | String | Form of identification element. |
| Core.RiskyUser.id | String | Identification value of the type field. |
| Core.RiskyUser.score | Number | The score assigned to the user. |
| Core.RiskyUser.reasons.date created | String | Date when the incident was created. |
| Core.RiskyUser.reasons.description | String | Description of the incident. |
| Core.RiskyUser.reasons.severity | String | The severity of the incident. |
| Core.RiskyUser.reasons.status | String | The incident status. |
| Core.RiskyUser.reasons.points | Number | The score. |

Command example#

!core-list-risky-users user_id=dummy

Context Example#

{
    "Core": {
        "RiskyUser": {
            "id": "dummy",
            "reasons": [],
            "score": 0,
            "type": "user"
        }
    }
}

Human Readable Output#

Risky Users#

| User ID | Score | Description |
| --- | --- | --- |
| dummy | 0 | |

core-list-risky-hosts#


Retrieve the risk score of a specific host or list of hosts with the highest risk score in the environment along with the reason affecting each score. Required license: Cortex XDR Pro per Endpoint, Cortex XDR Pro, or Cortex XDR Pro per TB.

Base Command#

core-list-risky-hosts

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| host_id | The host name of a specific host. | Optional |
| limit | Limit the number of hosts that will appear in the list. By default, the limit is 10 hosts. (Use limit when no specific host is requested.) Default is 50. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Core.RiskyHost.type | String | Form of identification element. |
| Core.RiskyHost.id | String | Identification value of the type field. |
| Core.RiskyHost.score | Number | The score assigned to the host. |
| Core.RiskyHost.reasons.date created | String | Date when the incident was created. |
| Core.RiskyHost.reasons.description | String | Description of the incident. |
| Core.RiskyHost.reasons.severity | String | The severity of the incident. |
| Core.RiskyHost.reasons.status | String | The incident status. |
| Core.RiskyHost.reasons.points | Number | The score. |

Command example#

!core-list-risky-hosts host_id=dummy

Context Example#

{
    "Core": {
        "RiskyHost": {
            "id": "dummy",
            "reasons": [],
            "score": 0,
            "type": "dummy"
        }
    }
}

Human Readable Output#

Risky Hosts#

| Host ID | Score | Description |
| --- | --- | --- |
| dummy | 0 | |

core-list-user-groups#


Retrieve a list of the current user emails associated with one or more user groups in the environment. Required license: Cortex XDR Pro per Endpoint, Cortex XDR Pro, or Cortex XDR Pro per TB.

Base Command#

core-list-user-groups

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| group_names | A comma-separated list of one or more user group names for which you want the associated users. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Core.UserGroup.group_name | String | Name of the user group. |
| Core.UserGroup.description | String | Description of the user group, if available. |
| Core.UserGroup.pretty_name | String | Name of the user group as it appears in the management console. |
| Core.UserGroup.insert_time | Number | Timestamp of when the user group was created. |
| Core.UserGroup.update_time | Number | Timestamp of when the user group was last updated. |
| Core.UserGroup.user_email | array | List of email addresses belonging to the users associated with the user group. |
| Core.UserGroup.source | String | Type of user group. |

Command example#

!core-list-user-groups group_names=test

Context Example#

{
    "Core": {
        "UserGroup": {
            "description": "test",
            "group_name": "test",
            "insert_time": 1684746187678,
            "pretty_name": null,
            "source": "Custom",
            "update_time": 1684746209062,
            "user_email": [
                null
            ]
        }
    }
}

Human Readable Output#

Groups#

| Group Name | Group Description | User email |
| --- | --- | --- |
| test | test for demo | |

core-get-incidents#


Returns a list of incidents, which you can filter by a list of incident IDs (max. 100), the time the incident was last modified, and the time the incident was created. If you pass multiple filtering arguments, they will be concatenated using the AND condition. The OR condition is not supported.

Required Permissions#

Required Permissions For API call: Alerts And Incidents --> View

Builtin Roles with this permission include: "Investigator", "Responder", "Privileged Investigator", "Privileged Responder", "Viewer", and "Instance Admin".

Base Command#

core-get-incidents

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| lte_creation_time | A date in the format 2019-12-31T23:59:00. Only incidents that were created on or before the specified date/time will be retrieved. | Optional |
| gte_creation_time | A date in the format 2019-12-31T23:59:00. Only incidents that were created on or after the specified date/time will be retrieved. | Optional |
| lte_modification_time | Filters returned incidents that were modified on or before the specified date/time, in the format 2019-12-31T23:59:00. | Optional |
| gte_modification_time | Filters returned incidents that were modified on or after the specified date/time, in the format 2019-12-31T23:59:00. | Optional |
| incident_id_list | An array or CSV string of incident IDs. | Optional |
| since_creation_time | Filters returned incidents that were created on or after the specified date/time range, for example, 1 month, 2 days, 1 hour, and so on. | Optional |
| since_modification_time | Filters returned incidents that were modified on or after the specified date/time range, for example, 1 month, 2 days, 1 hour, and so on. | Optional |
| sort_by_modification_time | Sorts returned incidents by the date/time that the incident was last modified ("asc" - ascending, "desc" - descending). Possible values are: asc, desc. | Optional |
| sort_by_creation_time | Sorts returned incidents by the date/time that the incident was created ("asc" - ascending, "desc" - descending). Possible values are: asc, desc. | Optional |
| page | Page number (for pagination). The default is 0 (the first page). Default is 0. | Optional |
| limit | Maximum number of incidents to return per page. The default and maximum is 100. Default is 100. | Optional |
| status | Filters only incidents in the specified status. The options are: new, under_investigation, resolved_known_issue, resolved_false_positive, resolved_true_positive, resolved_security_testing, resolved_other, resolved_auto. | Optional |
| starred | Whether the incident is starred (Boolean value: true or false). Possible values are: true, false. | Optional |
| starred_incidents_fetch_window | Starred fetch window timestamp (<number> <time unit>, e.g., 12 hours, 7 days). Default is 3 days. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Core.Incident.incident_id | String | Unique ID assigned to each returned incident. |
| Core.Incident.manual_severity | String | Incident severity assigned by the user. This does not affect the calculated severity. Can be "low", "medium", "high" |
| Core.Incident.manual_description | String | Incident description provided by the user. |
| Core.Incident.assigned_user_mail | String | Email address of the assigned user. |
| Core.Incident.high_severity_alert_count | String | Number of alerts with the severity HIGH. |
| Core.Incident.host_count | number | Number of hosts involved in the incident. |
| Core.Incident.xdr_url | String | A link to the incident view on Cortex XDR or XSIAM. |
| Core.Incident.assigned_user_pretty_name | String | Full name of the user assigned to the incident. |
| Core.Incident.alert_count | number | Total number of alerts in the incident. |
| Core.Incident.med_severity_alert_count | number | Number of alerts with the severity MEDIUM. |
| Core.Incident.user_count | number | Number of users involved in the incident. |
| Core.Incident.severity | String | Calculated severity of the incident. Valid values are: "low","medium","high" |
| Core.Incident.low_severity_alert_count | String | Number of alerts with the severity LOW. |
| Core.Incident.status | String | Current status of the incident. Valid values are: "new","under_investigation","resolved_known_issue","resolved_duplicate","resolved_false_positive","resolved_true_positive","resolved_security_testing" or "resolved_other". |
| Core.Incident.description | String | Dynamic calculated description of the incident. |
| Core.Incident.resolve_comment | String | Comments entered by the user when the incident was resolved. |
| Core.Incident.notes | String | Comments entered by the user regarding the incident. |
| Core.Incident.creation_time | date | Date and time the incident was created on Cortex XDR or XSIAM. |
| Core.Incident.detection_time | date | Date and time that the first alert occurred in the incident. |
| Core.Incident.modification_time | date | Date and time that the incident was last modified. |

Command Example#

!core-get-incidents gte_creation_time=2010-10-10T00:00:00 limit=3 sort_by_creation_time=desc

Context Example#
{
"Core.Incident": [
{
"host_count": 1,
"incident_id": "4",
"manual_severity": "medium",
"description": "5 'This alert from content TestXDRPlaybook' alerts detected by Checkpoint - SandBlast ",
"severity": "medium",
"modification_time": 1579290004178,
"assigned_user_pretty_name": null,
"notes": null,
"creation_time": 1577276587937,
"alert_count": 5,
"med_severity_alert_count": 1,
"detection_time": null,
"assigned_user_mail": null,
"resolve_comment": "This issue was solved in Incident number 192304",
"status": "new",
"user_count": 1,
"xdr_url": "https://some.xdr.url.com/incident-view/4",
"starred": false,
"low_severity_alert_count": 0,
"high_severity_alert_count": 4,
"manual_description": null
},
{
"host_count": 1,
"incident_id": "3",
"manual_severity": "medium",
"description": "'test 1' generated by Virus Total - Firewall",
"severity": "medium",
"modification_time": 1579237974014,
"assigned_user_pretty_name": "woo@demisto.com",
"notes": null,
"creation_time": 1576100096594,
"alert_count": 1,
"med_severity_alert_count": 0,
"detection_time": null,
"assigned_user_mail": "woo@demisto.com",
"resolve_comment": null,
"status": "new",
"user_count": 1,
"xdr_url": "https://some.xdr.url.com/incident-view/3",
"starred": false,
"low_severity_alert_count": 0,
"high_severity_alert_count": 1,
"manual_description": null
},
{
"host_count": 1,
"incident_id": "2",
"manual_severity": "high",
"description": "'Alert Name Example 333' along with 1 other alert generated by Virus Total - VPN & Firewall-3 and Checkpoint - SandBlast",
"severity": "high",
"modification_time": 1579288790259,
"assigned_user_pretty_name": null,
"notes": null,
"creation_time": 1576062816474,
"alert_count": 2,
"med_severity_alert_count": 0,
"detection_time": null,
"assigned_user_mail": null,
"resolve_comment": null,
"status": "under_investigation",
"user_count": 1,
"xdr_url": "https://some.xdr.url.com/incident-view/2",
"starred": false,
"low_severity_alert_count": 0,
"high_severity_alert_count": 2,
"manual_description": null
}
]
}
Human Readable Output#

Incidents#

| alert_count | assigned_user_mail | assigned_user_pretty_name | creation_time | description | detection_time | high_severity_alert_count | host_count | incident_id | low_severity_alert_count | manual_description | manual_severity | med_severity_alert_count | modification_time | notes | resolve_comment | severity | starred | status | user_count | xdr_url |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 5 | | | 1577276587937 | 5 'This alert from content TestXDRPlaybook' alerts detected by Checkpoint - SandBlast | | 4 | 1 | 4 | 0 | | medium | 1 | 1579290004178 | | This issue was solved in Incident number 192304 | medium | false | new | 1 | https://some.xdr.url.com/incident-view/4 |
| 1 | woo@demisto.com | woo@demisto.com | 1576100096594 | 'test 1' generated by Virus Total - Firewall | | 1 | 1 | 3 | 0 | | medium | 0 | 1579237974014 | | | medium | false | new | 1 | https://some.xdr.url.com/incident-view/3 |
| 2 | | | 1576062816474 | 'Alert Name Example 333' along with 1 other alert generated by Virus Total - VPN & Firewall-3 and Checkpoint - SandBlast | | 2 | 1 | 2 | 0 | | high | 0 | 1579288790259 | | | high | false | under_investigation | 1 | https://some.xdr.url.com/incident-view/2 |
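
The context example above returns creation_time and modification_time as epoch milliseconds, while the gte_*/lte_* arguments take the 2019-12-31T23:59:00 format. The following added example (not part of the integration's own code) converts between the two and builds a triage queue from Core.Incident entries. The function names, the UTC interpretation of timestamps, and the rule that any status starting with "resolved_" is closed are assumptions.

```python
from datetime import datetime, timezone

# Constructed sample: trimmed copies of the Core.Incident entries in the context example.
SAMPLE_INCIDENTS = [
    {"incident_id": "4", "severity": "medium", "status": "new",
     "high_severity_alert_count": 4, "assigned_user_mail": None,
     "creation_time": 1577276587937, "modification_time": 1579290004178},
    {"incident_id": "3", "severity": "medium", "status": "new",
     "high_severity_alert_count": 1, "assigned_user_mail": "woo@demisto.com",
     "creation_time": 1576100096594, "modification_time": 1579237974014},
    {"incident_id": "2", "severity": "high", "status": "under_investigation",
     "high_severity_alert_count": 2, "assigned_user_mail": None,
     "creation_time": 1576062816474, "modification_time": 1579288790259},
]
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


def ms_to_arg_time(epoch_ms):
    """Epoch milliseconds (context output) -> 2019-12-31T23:59:00 style (argument format).
    Treating the value as UTC is an assumption."""
    if epoch_ms is None:
        return None
    moment = datetime.fromtimestamp(epoch_ms / 1000, tz=timezone.utc)
    return moment.strftime("%Y-%m-%dT%H:%M:%S")


def triage_queue(incidents):
    """Open incidents, highest severity first, then by high-severity alert count."""
    # Assumption: every status beginning with "resolved_" means the incident is closed.
    open_items = [i for i in incidents if not i["status"].startswith("resolved_")]
    open_items.sort(key=lambda i: (SEVERITY_RANK.get(i["severity"], len(SEVERITY_RANK)),
                                   -int(i.get("high_severity_alert_count") or 0)))
    return [{"incident_id": i["incident_id"],
             "severity": i["severity"],
             "unassigned": not i.get("assigned_user_mail"),
             "created": ms_to_arg_time(i.get("creation_time"))} for i in open_items]


def next_gte_modification_time(incidents):
    """Latest modification_time seen, formatted for the next gte_modification_time poll."""
    stamps = [i["modification_time"] for i in incidents if i.get("modification_time")]
    return ms_to_arg_time(max(stamps)) if stamps else None


if __name__ == "__main__":
    for row in triage_queue(SAMPLE_INCIDENTS):
        print(row)
    print("next gte_modification_time:", next_gte_modification_time(SAMPLE_INCIDENTS))
```

Because gte_modification_time matches incidents modified on or after the given time and the converted value is truncated to whole seconds, the most recently modified incident can be returned again on the next poll; deduplicate on incident_id.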

core-script-run#


Initiates a new endpoint script execution action using a script from the script library and returns the results.

Base Command#

core-script-run

Input#

| Argument Name | Description | Required |
|---|---|---|
| incident_id | Allows linking the response action to the incident that triggered it. | Optional |
| endpoint_ids | A comma-separated list of endpoint IDs. Can be retrieved by running the core-get-endpoints command. | Required |
| script_uid | Unique identifier of the script. Can be retrieved by running the core-get-scripts command. | Required |
| parameters | Dictionary containing the parameter name as key and its value for this execution as the value. For example, {"param1":"param1_value","param2":"param2_value"}. | Optional |
| timeout | The timeout in seconds for this execution. Default is 600. | Optional |
| polling_interval_in_seconds | Interval in seconds between each poll. Default is 10. | Optional |
| polling_timeout_in_seconds | Polling timeout in seconds. Default is 600. | Optional |
| action_id | The action ID for polling use. | Optional |
| hide_polling_output | Whether to hide the polling result (automatically filled by polling). | Optional |
| is_core | Whether the command is being called from a core pack. Default is True. | Optional |

Context Output#

| Path | Type | Description |
|---|---|---|
| Core.ScriptResult.action_id | Number | ID of the action initiated. |
| Core.ScriptResult.results.retrieved_files | Number | Number of successfully retrieved files. |
| Core.ScriptResult.results.endpoint_ip_address | String | Endpoint IP address. |
| Core.ScriptResult.results.endpoint_name | String | Name of successfully retrieved files. |
| Core.ScriptResult.results.failed_files | Number | Number of files that failed to be retrieved. |
| Core.ScriptResult.results.endpoint_status | String | Endpoint status. |
| Core.ScriptResult.results.domain | String | Domain to which the endpoint belongs. |
| Core.ScriptResult.results.endpoint_id | String | Endpoint ID. |
| Core.ScriptResult.results.execution_status | String | Execution status of this endpoint. |
| Core.ScriptResult.results.return_value | String | Value returned by the script in case the type is not a dictionary. |
| Core.ScriptResult.results.standard_output | String | The STDOUT and the STDERR logged by the script during the execution. |
| Core.ScriptResult.results.retention_date | Date | Timestamp at which the retrieved files will be deleted from the server. |

Command example#

!core-script-run endpoint_ids=111 script_uid=111 polling_timeout_in_seconds=1200 timeout=1200

Context Example#
{
"Core.ScriptResult": [
{
"action_id": 1,
"results": [
{
"retrieved_files": 0,
"_return_value": [],
"standard_output": "",
"domain": "222",
"endpoint_id": "111",
"endpoint_ip_address": ["1.1.1.1"],
"command": "_return_value",
"retention_date": null,
"command_output": [],
"endpoint_name": "test",
"failed_files": 0,
"execution_status": "COMPLETED_SUCCESSFULLY",
"endpoint_status": "STATUS_010_CONNECTED"
}
]
}
],
"Core.ScriptRun": [
{
"action_id": 1,
"endpoints_count": 1,
"status": 1
}
]
}
Human Readable Output#

Script Execution Results#

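| _return_value | domain | endpoint_id | endpoint_ip_address | endpoint_name | endpoint_status | execution_status | failed_files | retention_date | retrieved_files | standard_output |
|---|---|---|---|---|---|---|---|---|---|---|
| | 222 | 111 | 1.1.1.1 | test | STATUS_010_CONNECTED | COMPLETED_SUCCESSFULLY | 0 | | 0 | |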

core-terminate-process#


Terminate a process by its instance ID.

Base Command#

core-terminate-process

Input#

| Argument Name | Description | Required |
|---|---|---|
| agent_id | The agent ID. | Required |
| instance_id | The instance ID. | Required |
| process_name | The process name. | Optional |
| incident_id | The incident ID. | Optional |
| action_id | The action ID. For polling use. | Optional |
| interval_in_seconds | Interval in seconds between each poll. | Optional |
| timeout_in_seconds | Polling timeout in seconds. | Optional |

Context Output#

| Path | Type | Description |
|---|---|---|
| Core.TerminateProcess.action_id | String | The action ID. |

Command Example#

!core-terminate-process agent_id=1 instance_id=1 process_name=process incident_id=2

Context Example#
{
"Core.TerminateProcess": [
{
"action_id": "1"
}
]
}

core-terminate-causality#


Stops a process by its causality ID.

Base Command#

core-terminate-causality

Input#

| Argument Name | Description | Required |
|---|---|---|
| agent_id | The agent ID. | Required |
| causality_id | The causality ID. | Required |
| process_name | The process name. | Optional |
| incident_id | The incident ID. | Optional |
| action_id | The action ID. For polling use. | Optional |
| interval_in_seconds | Interval in seconds between each poll. | Optional |
| timeout_in_seconds | Polling timeout in seconds. | Optional |

Context Output#

| Path | Type | Description |
|---|---|---|
| Core.TerminateCausality.action_id | String | The action ID. |

Command Example#

!core-terminate-causality agent_id=1 causality_id=1 process_name=process incident_id=2

Context Example#
{
"Core.TerminateCausality": [
{
"action_id": "1"
}
]
}

core-get-asset-details#


Get asset information.

Base Command#

core-get-asset-details

Input#

| Argument Name | Description | Required |
|---|---|---|
| asset_id | Asset unique identifier. | Required |

Context Output#

| Path | Type | Description |
|---|---|---|
| Core.CoreAsset | unknown | Asset additional information. |
| Core.CoreAsset.xdm__asset__provider | unknown | The cloud provider or source responsible for the asset. |
| Core.CoreAsset.xdm__asset__realm | unknown | The realm or logical grouping of the asset. |
| Core.CoreAsset.xdm__asset__last_observed | unknown | The timestamp of when the asset was last observed, in ISO 8601 format. |
| Core.CoreAsset.xdm__asset__type__id | unknown | The unique identifier for the asset type. |
| Core.CoreAsset.xdm__asset__first_observed | unknown | The timestamp of when the asset was first observed, in ISO 8601 format. |
| Core.CoreAsset.asset_hierarchy | unknown | The hierarchy or structure representing the asset. |
| Core.CoreAsset.xdm__asset__type__category | unknown | The category type of the asset. |
| Core.CoreAsset.xdm__cloud__region | unknown | The cloud region where the asset resides. |
| Core.CoreAsset.xdm__asset__module_unstructured_fields | unknown | The unstructured fields or metadata associated with the asset module. |
| Core.CoreAsset.xdm__asset__source | unknown | The originating source of the asset's information. |
| Core.CoreAsset.xdm__asset__id | unknown | A unique identifier for the asset. |
| Core.CoreAsset.xdm__asset__type__class | unknown | The classification or type class of the asset. |
| Core.CoreAsset.xdm__asset__type__name | unknown | The specific name of the asset type. |
| Core.CoreAsset.xdm__asset__strong_id | unknown | The strong or immutable identifier for the asset. |
| Core.CoreAsset.xdm__asset__name | unknown | The name of the asset. |
| Core.CoreAsset.xdm__asset__raw_fields | unknown | The raw fields or unprocessed data related to the asset. |
| Core.CoreAsset.xdm__asset__normalized_fields | unknown | The normalized fields associated with the asset. |
| Core.CoreAsset.all_sources | unknown | A list of all sources providing information about the asset. |

Command Example#

!core-get-asset-details asset_id=123

Context Example#
{
"Core.CoreAsset": [
{
"asset_hierarchy": ["123"],
"xdm__asset__type__category": "Policy",
"xdm__cloud__region": "Global",
"xdm__asset__module_unstructured_fields": {},
"xdm__asset__source": "XSIAM",
"xdm__asset__id": "123",
"xdm__asset__type__class": "Identity",
"xdm__asset__normalized_fields": {},
"xdm__asset__first_observed": 100000000,
"xdm__asset__last_observed": 100000000,
"xdm__asset__name": "Fake Name",
"xdm__asset__type__name": "IAM",
"xdm__asset__strong_id": "FAKE ID"
}
]
}
Human Readable Output#

| asset_hierarchy | xdm__asset__type__category | xdm__cloud__region | xdm__asset__module_unstructured_fields | xdm__asset__source | xdm__asset__id | xdm__asset__type__class | xdm__asset__normalized_fields | xdm__asset__first_observed | xdm__asset__last_observed | xdm__asset__name | xdm__asset__type__name | xdm__asset__strong_id |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 123 | Policy | Global | | XSIAM | 123 | Identity | | 100000000 | 100000000 | Fake Name | IAM | FAKE ID |