
# Cortex Platform - Core

This Integration is part of the Core Pack.

Supported versions

Supported Cortex XSOAR versions: 6.2.0 and later.

This integration uses the Cortex API to access all the core services and capabilities of the Cortex platform.

## Configure Cortex Platform Core in Cortex

| Parameter | Description | Required |
| --- | --- | --- |
| HTTP Timeout | The timeout of the HTTP requests sent to the Cortex API (in seconds). | False |

## Commands

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

### core-get-asset-details

Get asset information.

#### Base Command

`core-get-asset-details`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| asset_id | Asset unique identifier. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Core.CoreAsset | Unknown | Asset additional information. |
| Core.CoreAsset.xdm__asset__provider | Unknown | The cloud provider or source responsible for the asset. |
| Core.CoreAsset.xdm__asset__realm | Unknown | The realm or logical grouping of the asset. |
| Core.CoreAsset.xdm__asset__last_observed | Unknown | The timestamp when the asset was last observed, in ISO 8601 format. |
| Core.CoreAsset.xdm__asset__type__id | Unknown | The unique identifier for the asset type. |
| Core.CoreAsset.xdm__asset__first_observed | Unknown | The timestamp when the asset was first observed, in ISO 8601 format. |
| Core.CoreAsset.asset_hierarchy | Unknown | The hierarchy or structure representing the asset. |
| Core.CoreAsset.xdm__asset__type__category | Unknown | The asset category type. |
| Core.CoreAsset.xdm__cloud__region | Unknown | The cloud region where the asset resides. |
| Core.CoreAsset.xdm__asset__module_unstructured_fields | Unknown | The unstructured fields or metadata associated with the asset module. |
| Core.CoreAsset.xdm__asset__source | Unknown | The originating source of the asset's information. |
| Core.CoreAsset.xdm__asset__id | Unknown | The source unique identifier for the asset. |
| Core.CoreAsset.xdm__asset__type__class | Unknown | The classification or type class of the asset. |
| Core.CoreAsset.xdm__asset__type__name | Unknown | The specific name of the asset type. |
| Core.CoreAsset.xdm__asset__strong_id | Unknown | The strong or immutable identifier for the asset. |
| Core.CoreAsset.xdm__asset__name | Unknown | The name of the asset. |
| Core.CoreAsset.xdm__asset__raw_fields | Unknown | The raw fields or unprocessed data related to the asset. |
| Core.CoreAsset.xdm__asset__normalized_fields | Unknown | The normalized fields associated with the asset. |
| Core.CoreAsset.all_sources | Unknown | A list of all sources providing information about the asset. |

#### Command Example

`!core-get-asset-details asset_id=123`

#### Context Example

```json
{
    "Core.CoreAsset": [
        {
            "asset_hierarchy": ["123"],
            "xdm__asset__type__category": "Policy",
            "xdm__cloud__region": "Global",
            "xdm__asset__module_unstructured_fields": {},
            "xdm__asset__source": "XSIAM",
            "xdm__asset__id": "123",
            "xdm__asset__type__class": "Identity",
            "xdm__asset__normalized_fields": {},
            "xdm__asset__first_observed": 100000000,
            "xdm__asset__last_observed": 100000000,
            "xdm__asset__name": "Fake Name",
            "xdm__asset__type__name": "IAM",
            "xdm__asset__strong_id": "FAKE ID"
        }
    ]
}
```

Note that this sample carries `xdm__asset__first_observed` and `xdm__asset__last_observed` as epoch integers, while the table above describes them as ISO 8601 strings; check the value type your tenant actually returns before parsing it in a playbook.

#### Human Readable Output

| asset_hierarchy | xdm__asset__type__category | xdm__cloud__region | xdm__asset__module_unstructured_fields | xdm__asset__source | xdm__asset__id | xdm__asset__type__class | xdm__asset__normalized_fields | xdm__asset__first_observed | xdm__asset__last_observed | xdm__asset__name | xdm__asset__type__name | xdm__asset__strong_id |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 123 | Policy | Global |  | XSIAM | 123 | Identity |  | 100000000 | 100000000 | Fake Name | IAM | FAKE ID |

### core-get-issues

Returns a list of issues and their metadata. Filter with the built-in arguments, or pass a JSON filter object in custom_filter. Multiple filter arguments are combined with AND; for arguments that accept a comma-separated list, the values are combined with OR.

#### Base Command

`core-get-issues`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| issue_id | The unique ID of the issue. Accepts a comma-separated list. | Optional |
| severity | The severity of the issue. Accepts a comma-separated list. Possible values are: low, medium, high, critical. | Optional |
| custom_filter | A custom filter. When using this argument, the other filter arguments are ignored. Example: `{"OR": [{"SEARCH_FIELD": "actor_process_command_line", "SEARCH_TYPE": "EQ", "SEARCH_VALUE": "path_to_file"}]}` | Optional |
| Identity_type | Account type. Accepts a comma-separated list. Possible values are: ANONYMOUS, APPLICATION, COMPUTE, FEDERATED_IDENTITY, SERVICE, SERVICE_ACCOUNT, TEMPORARY_CREDENTIALS, TOKEN, UNKNOWN, USER. | Optional |
| agent_id | A unique identifier per agent. Accepts a comma-separated list. | Optional |
| action_external_hostname | The hostname to connect to. In case of a proxy connection, this value will differ from action_remote_ip. Accepts a comma-separated list. | Optional |
| rule_id | A string identifying the user rule. Accepts a comma-separated list. | Optional |
| rule_name | The name of the user rule. Accepts a comma-separated list. | Optional |
| issue_name | The issue name. Accepts a comma-separated list. | Optional |
| issue_source | The issue source. Accepts a comma-separated list. Possible values are: XDR Agent, XDR Analytics, XDR Analytics BIOC, PAN NGFW, XDR BIOC, XDR IOC, Threat Intelligence, XDR Managed Threat Hunting, Correlation, Prisma Cloud, Prisma Cloud Compute, ASM, IoT Security, Custom Alert, Health, SaaS Attachments, Attack Path, Cloud Network Analyzer, IaC Scanner, CAS Secret Scanner, CI/CD Risks, CLI Scanner, CIEM Scanner, API Traffic Monitor, API Posture Scanner, Agentless Disk Scanner, Kubernetes Scanner, Compute Policy, CSPM Scanner, CAS CVE Scanner, CAS License Scanner, Secrets Scanner, SAST Scanner, Data Policy, Attack Surface Test, Package Operational Risk, Vulnerability Policy, AI Security Posture. | Optional |
| time_frame | Supports relative or custom time options. If you choose custom, use the start_time and end_time arguments. Possible values are: 60 minutes, 3 hours, 12 hours, 24 hours, 2 days, 7 days, 14 days, 30 days, custom. | Optional |
| user_name | The name assigned to the user_id during agent runtime. Accepts a comma-separated list. | Optional |
| actor_process_image_name | The file name of the binary file. Accepts a comma-separated list. | Optional |
| causality_actor_process_image_command_line | The command line of the causality actor process. Accepts a comma-separated list. | Optional |
| actor_process_image_command_line | Command line used by the process image initiated by the causality actor. Accepts a comma-separated list. | Optional |
| action_process_image_command_line | The command line of the process created. Accepts a comma-separated list. | Optional |
| actor_process_image_sha256 | SHA256 hash of the binary file. Accepts a comma-separated list. | Optional |
| causality_actor_process_image_sha256 | SHA256 hash of the causality actor's binary file. Accepts a comma-separated list. | Optional |
| action_process_image_sha256 | SHA256 hash of the created process's binary file. Accepts a comma-separated list. | Optional |
| action_file_image_sha256 | SHA256 hash of the file related to the event. Accepts a comma-separated list. | Optional |
| action_registry_name | The registry name. Accepts a comma-separated list. | Optional |
| action_registry_key_data | The registry key data. Accepts a comma-separated list. | Optional |
| host_ip | The host IP address. Accepts a comma-separated list. | Optional |
| action_local_ip | The local IP address for the connection. Accepts a comma-separated list. | Optional |
| action_remote_ip | The remote IP address for the connection. Accepts a comma-separated list. | Optional |
| issue_action_status | Issue action status. Possible values are: detected, detected (allowed the session), detected (download), detected (forward), detected (post detected), detected (prompt allow), detected (raised an alert), detected (reported), detected (on write), detected (scanned), detected (sinkhole), detected (syncookie sent), detected (wildfire upload failure), detected (wildfire upload success), detected (wildfire upload skip), detected (xdr managed threat hunting), prevented (block), prevented (blocked), prevented (block-override), prevented (blocked the url), prevented (blocked the ip), prevented (continue), prevented (denied the session), prevented (dropped all packets), prevented (dropped the session), prevented (dropped the session and sent a tcp reset), prevented (dropped the packet), prevented (override), prevented (override-lockout), prevented (post detected), prevented (prompt block), prevented (random-drop), prevented (silently dropped the session with an icmp unreachable message to the host or application), prevented (terminated the session and sent a tcp reset to both sides of the connection), prevented (terminated the session and sent a tcp reset to the client), prevented (terminated the session and sent a tcp reset to the server), prevented (on write). | Optional |
| action_local_port | The local port for the connection. Accepts a comma-separated list. | Optional |
| action_remote_port | The remote port for the connection. Accepts a comma-separated list. | Optional |
| dst_action_external_hostname | The destination hostname to connect to. In case of a proxy connection, this value will differ from action_remote_ip. Accepts a comma-separated list. | Optional |
| sort_field | The field by which to sort the results. Default is source_insert_ts. | Optional |
| sort_order | The order in which to sort the results. Possible values are: DESC, ASC. | Optional |
| offset | The zero-based index of the first issue to return. Default is 0. | Optional |
| limit | The maximum number of issues to return. Default is 50. | Optional |
| start_time | Relevant when the time_frame argument is set to custom. Supports epoch timestamp and simplified extended ISO format (YYYY-MM-DDThh:mm:ss). | Optional |
| end_time | Relevant when the time_frame argument is set to custom. Supports epoch timestamp and simplified extended ISO format (YYYY-MM-DDThh:mm:ss). | Optional |
| starred | Whether the issue is starred. Possible values are: true, false. | Optional |
| mitre_technique_id_and_name | The MITRE ATT&CK technique ID and name. Accepts a comma-separated list. | Optional |
| issue_category | The category of the issue. Accepts a comma-separated list. | Optional |
| issue_domain | The domain of the issue. Accepts a comma-separated list. Possible values are: Health, Hunting, IT, Posture, Security. | Optional |
| issue_description | The description of the issue. Accepts a comma-separated list. | Optional |
| os_actor_process_image_sha256 | The SHA256 hash of the OS actor process image. Accepts a comma-separated list. | Optional |
| action_file_macro_sha256 | The SHA256 hash of the action file macro. Accepts a comma-separated list. | Optional |
| status | The status progress. Accepts a comma-separated list. Possible values are: New, In Progress, Resolved. | Optional |
| not_status | Exclude issues with this status progress. Accepts a comma-separated list. Possible values are: New, In Progress, Resolved. | Optional |
| asset_ids | The asset IDs related to the issue. Accepts a comma-separated list. | Optional |
| assignee | The assignee of the issue. Accepts a comma-separated list. | Optional |
| output_keys | A comma-separated list of outputs to include in the context. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Core.Issue.internal_id | String | The unique ID of the issue. |
| Core.Issue.source_insert_ts | Number | The detection timestamp. |
| Core.Issue.issue_name | String | The name of the issue. |
| Core.Issue.severity | String | The severity of the issue. |
| Core.Issue.issue_category | String | The category of the issue. |
| Core.Issue.issue_action_status | String | The issue action status. |
| Core.Issue.issue_action_status_readable | String | The issue action status in readable format. |
| Core.Issue.issue_description | String | The issue description. |
| Core.Issue.agent_ip_addresses | String | The host IP address. |
| Core.Issue.agent_hostname | String | The hostname. |
| Core.Issue.mitre_tactic_id_and_name | String | The MITRE ATT&CK tactic ID and name. |
| Core.Issue.mitre_technique_id_and_name | String | The MITRE ATT&CK technique ID and name. |
| Core.Issue.starred | Boolean | Whether the issue is starred. |
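The AND/OR composition rules and the custom_filter shape described above are easy to get wrong when an automation assembles the arguments itself. The following is an added example, not the integration's own code: it builds a filter object with the documented semantics (comma-separated values OR-ed, distinct arguments AND-ed, custom_filter overriding everything else) and validates an analyst-supplied custom_filter before it is forwarded. The mapping in `ARG_TO_FIELD` is an assumption made for the example; the page only documents the `actor_process_command_line` search field and the `{"AND"/"OR": [{"SEARCH_FIELD", "SEARCH_TYPE", "SEARCH_VALUE"}]}` shape.

```python
import json
from typing import Any, Optional

SEVERITIES = {"low", "medium", "high", "critical"}
TERM_KEYS = {"SEARCH_FIELD", "SEARCH_TYPE", "SEARCH_VALUE"}

# Command argument -> API search field. Assumed for this example; the page does
# not document the real per-argument field names.
ARG_TO_FIELD = {
    "issue_id": "internal_id",
    "severity": "severity",
    "actor_process_image_sha256": "actor_process_image_sha256",
    "action_remote_ip": "action_remote_ip",
}


def split_csv(value: str) -> list[str]:
    """Split a comma-separated argument value, dropping blanks and padding."""
    return [v.strip() for v in value.split(",") if v.strip()]


def term(field: str, value: str) -> dict[str, str]:
    """One leaf of the filter tree, in the shape shown for custom_filter."""
    return {"SEARCH_FIELD": field, "SEARCH_TYPE": "EQ", "SEARCH_VALUE": value}


def validate_node(node: Any) -> None:
    """Accept only a leaf term or an AND/OR node over a non-empty list of nodes."""
    if not isinstance(node, dict):
        raise ValueError(f"filter node must be a JSON object, got {type(node).__name__}")
    if set(node) == TERM_KEYS:
        if not all(isinstance(node[k], str) for k in ("SEARCH_FIELD", "SEARCH_TYPE")):
            raise ValueError(f"SEARCH_FIELD and SEARCH_TYPE must be strings: {node!r}")
        return
    if len(node) == 1 and next(iter(node)) in ("AND", "OR"):
        children = next(iter(node.values()))
        if not isinstance(children, list) or not children:
            raise ValueError("AND/OR must hold a non-empty list of filter nodes")
        for child in children:
            validate_node(child)
        return
    raise ValueError(f"malformed filter node: {node!r}")


def parse_custom_filter(raw: str) -> dict[str, Any]:
    """Parse custom_filter and reject anything that is not a well-formed filter tree.

    The argument is analyst-supplied text that is forwarded in an API request,
    so its structure is checked rather than passed through blindly.
    """
    try:
        obj = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"custom_filter is not valid JSON: {exc}") from None
    validate_node(obj)
    return obj


def build_filter(args: dict[str, str]) -> Optional[dict[str, Any]]:
    """Return the filter object for a core-get-issues call, or None when unfiltered.

    Values of one comma-separated argument are OR-ed, distinct arguments are
    AND-ed, and a non-empty custom_filter replaces every other filter argument.
    """
    if args.get("custom_filter"):
        return parse_custom_filter(args["custom_filter"])

    and_terms: list[dict[str, Any]] = []
    for arg, field in ARG_TO_FIELD.items():
        values = split_csv(args.get(arg, ""))
        if not values:
            continue
        if arg == "severity":
            # Enforce the documented value set before the request leaves XSOAR.
            values = [v.lower() for v in values]
            bad = sorted(set(values) - SEVERITIES)
            if bad:
                raise ValueError(f"unsupported severity value(s): {bad}")
        or_terms = [term(field, v) for v in values]
        and_terms.append({"OR": or_terms} if len(or_terms) > 1 else or_terms[0])

    if not and_terms:
        return None
    return {"AND": and_terms}


if __name__ == "__main__":
    print(json.dumps(build_filter({"severity": "high, critical",
                                   "action_remote_ip": "203.0.113.7"}), indent=2))
```

The top level is always wrapped in an `AND` node so a single-argument call produces the same shape the API example uses; a single-value argument contributes a bare term inside it rather than a one-element `OR`.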

core-get-case-extra-data#


Get extra data fields of a specific case including issues and key artifacts.

Base Command#

core-get-case-extra-data

Input#

Argument NameDescriptionRequired
case_idA comma seperated list of case IDs.Required
issues_limitMaximum number of issues to return per case. The default and maximum is 1000. Default is 1000.Optional

Context Output#

PathTypeDescription
Core.CaseExtraData.case.case_idStringThe unique identifier for the case.
Core.CaseExtraData.case.case_nameStringThe name assigned to the case.
Core.CaseExtraData.case.creation_timeNumberThe timestamp (in epoch format) when the case was created.
Core.CaseExtraData.case.modification_timeNumberThe timestamp (in epoch format) when the case was last modified.
Core.CaseExtraData.case.detection_timeStringThe timestamp when the activity related to the case was first detected.
Core.CaseExtraData.case.statusStringThe current status of the case (e.g., 'new', 'under_investigation', 'closed').
Core.CaseExtraData.case.severityStringThe severity level of the case (e.g., 'low', 'medium', 'high', 'critical').
Core.CaseExtraData.case.descriptionStringA detailed textual description of the case.
Core.CaseExtraData.case.assigned_user_mailStringThe email address of the user assigned to the case.
Core.CaseExtraData.case.assigned_user_pretty_nameStringThe display name of the user assigned to the case.
Core.CaseExtraData.case.issue_countNumberThe total number of issues associated with the case.
Core.CaseExtraData.case.low_severity_issue_countNumberThe total number of low-severity issues within the case.
Core.CaseExtraData.case.med_severity_issue_countNumberThe total number of medium-severity issues within the case.
Core.CaseExtraData.case.high_severity_issue_countNumberThe total number of high-severity issues within the case.
Core.CaseExtraData.case.critical_severity_issue_countNumberThe total number of critical-severity issues within the case.
Core.CaseExtraData.case.user_countNumberThe number of unique users involved in the case.
Core.CaseExtraData.case.host_countNumberThe number of unique hosts involved in the case.
Core.CaseExtraData.case.notesArrayA collection of notes or comments added to the case by analysts.
Core.CaseExtraData.case.resolve_commentStringThe comment entered by a user when resolving the case.
Core.CaseExtraData.case.manual_severityStringThe severity level manually set by a user, which may override the calculated severity for the case.
Core.CaseExtraData.case.manual_descriptionStringA description of the case that was manually entered by a user.
Core.CaseExtraData.case.xdr_urlStringThe direct URL to view the case in the XDR platform.
Core.CaseExtraData.case.starredBooleanA flag indicating whether the case has been starred or marked as a favorite.
Core.CaseExtraData.case.hostsArrayA comma-separated list of hostnames involved in the case.
Core.CaseExtraData.case.case_sourcesStringThe products or sources that contributed issues to this case (e.g., 'XDR Agent', 'Firewall').
Core.CaseExtraData.case.rule_based_scoreNumberThe case's risk score as calculated by automated detection rules.
Core.CaseExtraData.case.manual_scoreNumberA risk score manually assigned to the case by a user.
Core.CaseExtraData.case.wildfire_hitsNumberThe number of times a file associated with this case was identified as malicious by WildFire.
Core.CaseExtraData.case.issues_grouping_statusStringThe current status of the issue grouping or clustering process for this case.
Core.CaseExtraData.case.mitre_techniques_ids_and_namesStringA list of MITRE ATT&CK technique IDs and names observed in the case.
Core.CaseExtraData.case.mitre_tactics_ids_and_namesStringA list of MITRE ATT&CK tactic IDs and names observed in the case.
Core.CaseExtraData.case.issue_categoriesStringA comma-separated list of categories for the issues included in the case.
Core.CaseExtraData.issues.total_countNumberThe total number of individual issues that are part of the case.
Core.CaseExtraData.issues.data.external_idStringThe unique external identifier for an individual issue.
Core.CaseExtraData.issues.data.severityStringThe severity of the individual issue.
Core.CaseExtraData.issues.data.matching_statusStringThe correlation status for the issue.
Core.CaseExtraData.issues.data.end_match_attempt_tsDateThe timestamp of the last attempt to match the issue with others.
Core.CaseExtraData.issues.data.local_insert_tsDateThe timestamp when the issue was first recorded in the system.
Core.CaseExtraData.issues.data.bioc_indicatorStringThe specific Behavioral Indicator of Compromise (BIOC) that triggered the issue.
Core.CaseExtraData.issues.data.matching_service_rule_idStringThe ID of the matching service rule that identified the issue.
Core.CaseExtraData.issues.data.attempt_counterNumberThe number of times a matching attempt has been made for this issue.
Core.CaseExtraData.issues.data.bioc_category_enum_keyStringThe key representing the category of the Behavioral Indicator of Compromise (BIOC).
Core.CaseExtraData.issues.data.case_idNumberThe ID of the case to which this issue belongs.
Core.CaseExtraData.issues.data.is_whitelistedBooleanA flag indicating whether this issue has been whitelisted or suppressed.
Core.CaseExtraData.issues.data.starredBooleanA flag indicating whether this individual issue has been starred.
Core.CaseExtraData.issues.data.deduplicate_tokensStringTokens used to identify and deduplicate similar issues.
Core.CaseExtraData.issues.data.filter_rule_idStringThe ID of any filter rule that was applied to this issue.
Core.CaseExtraData.issues.data.mitre_technique_id_and_nameStringThe specific MITRE ATT&CK technique ID and name associated with the issue.
Core.CaseExtraData.issues.data.mitre_tactic_id_and_nameStringThe specific MITRE ATT&CK tactic ID and name associated with the issue.
Core.CaseExtraData.issues.data.agent_versionStringThe version of the agent installed on the endpoint related to the issue.
Core.CaseExtraData.issues.data.agent_device_domainStringThe domain of the endpoint device.
Core.CaseExtraData.issues.data.agent_fqdnStringThe fully qualified domain name (FQDN) of the agent's host.
Core.CaseExtraData.issues.data.agent_os_typeStringThe operating system type of the endpoint (e.g., 'Windows', 'Linux').
Core.CaseExtraData.issues.data.agent_os_sub_typeStringThe specific version or distribution of the agent's operating system.
Core.CaseExtraData.issues.data.agent_data_collection_statusStringThe status of the agent's data collection process.
Core.CaseExtraData.issues.data.macStringThe primary MAC address of the endpoint.
Core.CaseExtraData.issues.data.mac_addressesArrayA list of all MAC addresses associated with the endpoint.
Core.CaseExtraData.issues.data.agent_is_vdiBooleanA flag indicating whether the agent is installed on a Virtual Desktop Infrastructure (VDI) instance.
Core.CaseExtraData.issues.data.agent_install_typeStringThe installation type of the agent.
Core.CaseExtraData.issues.data.agent_host_boot_timeDateThe last boot time of the host where the agent is installed.
Core.CaseExtraData.issues.data.event_sub_typeStringA more specific classification of the event type.
Core.CaseExtraData.issues.data.module_idStringThe identifier of the agent module that generated the event.
Core.CaseExtraData.issues.data.association_strengthNumberA score indicating the strength of the event's association to the case.
Core.CaseExtraData.issues.data.dst_association_strengthNumberThe association strength related to the destination entity in the event.
Core.CaseExtraData.issues.data.story_idStringAn identifier that groups a sequence of related events into a "story".
Core.CaseExtraData.issues.data.event_idStringThe unique identifier for the event.
Core.CaseExtraData.issues.data.event_typeStringThe primary type of the event (e.g., 'Process Execution', 'Network Connection').
Core.CaseExtraData.issues.data.events_lengthNumberThe number of raw events that were aggregated to create this issue.
Core.CaseExtraData.issues.data.event_timestampDateThe timestamp when the original event occurred.
Core.CaseExtraData.issues.data.actor_process_instance_idStringThe unique instance ID of the primary actor process.
Core.CaseExtraData.issues.data.actor_process_image_pathStringThe full file path of the actor process's executable.
Core.CaseExtraData.issues.data.actor_process_image_nameStringThe filename of the actor process's executable.
Core.CaseExtraData.issues.data.actor_process_command_lineStringThe command line used to launch the actor process.
Core.CaseExtraData.issues.data.actor_process_signature_statusStringThe digital signature status of the actor process executable (e.g., 'Signed', 'Unsigned').
Core.CaseExtraData.issues.data.actor_process_signature_vendorStringThe vendor name from the digital signature of the actor process.
Core.CaseExtraData.issues.data.actor_process_image_sha256StringThe SHA256 hash of the actor process executable.
Core.CaseExtraData.issues.data.actor_process_image_md5StringThe MD5 hash of the actor process executable.
Core.CaseExtraData.issues.data.actor_process_causality_idStringThe causality ID of the actor process, which links it to its parent process.
Core.CaseExtraData.issues.data.actor_causality_idStringThe causality ID of the primary actor in the event.
Core.CaseExtraData.issues.data.actor_process_os_pidStringThe operating system's Process ID (PID) of the actor process.
Core.CaseExtraData.issues.data.actor_thread_thread_idStringThe ID of the specific thread within the actor process that initiated the action.
Core.CaseExtraData.issues.data.causality_actor_process_image_nameStringThe image name of the process that initiated the actor process (the grandparent).
Core.CaseExtraData.issues.data.causality_actor_process_command_lineStringThe command line of the causality actor process.
Core.CaseExtraData.issues.data.causality_actor_process_image_pathStringThe file path of the causality actor process's executable.
Core.CaseExtraData.issues.data.causality_actor_process_signature_vendorStringThe signature vendor of the causality actor process.
Core.CaseExtraData.issues.data.causality_actor_process_signature_statusStringThe signature status of the causality actor process.
Core.CaseExtraData.issues.data.causality_actor_causality_idStringThe causality ID of the causality actor process.
Core.CaseExtraData.issues.data.causality_actor_process_execution_timeDateThe execution timestamp of the causality actor process.
Core.CaseExtraData.issues.data.causality_actor_process_image_md5StringThe MD5 hash of the causality actor process's executable.
Core.CaseExtraData.issues.data.causality_actor_process_image_sha256StringThe SHA256 hash of the causality actor process's executable.
Core.CaseExtraData.issues.data.action_file_pathStringThe file path of the file that was the target of an action.
Core.CaseExtraData.issues.data.action_file_nameStringThe name of the file that was the target of an action.
Core.CaseExtraData.issues.data.action_file_md5StringThe MD5 hash of the file that was the target of an action.
Core.CaseExtraData.issues.data.action_file_sha256StringThe SHA256 hash of the file that was the target of an action.
Core.CaseExtraData.issues.data.action_file_macro_sha256StringThe SHA256 hash of a macro embedded within the target file.
Core.CaseExtraData.issues.data.action_registry_dataStringThe data written to or read from a registry value during the action.
Core.CaseExtraData.issues.data.action_registry_key_nameStringThe name of the registry key involved in the action.
Core.CaseExtraData.issues.data.action_registry_value_nameStringThe name of the registry value involved in the action.
Core.CaseExtraData.issues.data.action_registry_full_keyStringThe full path of the registry key involved in the action.
Core.CaseExtraData.issues.data.action_local_ipStringThe local IP address involved in a network action.
Core.CaseExtraData.issues.data.action_local_portStringThe local port number involved in a network action.
Core.CaseExtraData.issues.data.action_remote_ipStringThe remote IP address involved in a network action.
Core.CaseExtraData.issues.data.action_remote_portStringThe remote port number involved in a network action.
Core.CaseExtraData.issues.data.action_external_hostnameStringThe external hostname or domain associated with the network action.
Core.CaseExtraData.issues.data.action_countryStringThe country associated with the remote IP address in the network action.
Core.CaseExtraData.issues.data.action_process_instance_idStringThe instance ID of the process that was the target of an action.
Core.CaseExtraData.issues.data.action_process_causality_idStringThe causality ID of the target process.
Core.CaseExtraData.issues.data.action_process_image_nameStringThe executable name of the target process.
Core.CaseExtraData.issues.data.action_process_image_sha256StringThe SHA256 hash of the target process's executable.
Core.CaseExtraData.issues.data.action_process_image_command_lineStringThe command line of the target process.
Core.CaseExtraData.issues.data.action_process_signature_statusStringThe signature status of the target process.
Core.CaseExtraData.issues.data.action_process_signature_vendorStringThe signature vendor of the target process.
Core.CaseExtraData.issues.data.os_actor_effective_usernameStringThe effective username of the OS-level actor responsible for the event.
Core.CaseExtraData.issues.data.os_actor_process_instance_idStringThe instance ID of the OS actor process.
Core.CaseExtraData.issues.data.os_actor_process_image_pathStringThe file path of the OS actor process's executable.
Core.CaseExtraData.issues.data.os_actor_process_image_nameStringThe image name of the OS actor process.
Core.CaseExtraData.issues.data.os_actor_process_command_lineStringThe command line of the OS actor process.
Core.CaseExtraData.issues.data.os_actor_process_signature_statusStringThe signature status of the OS actor process.
Core.CaseExtraData.issues.data.os_actor_process_signature_vendorStringThe signature vendor of the OS actor process.
Core.CaseExtraData.issues.data.os_actor_process_image_sha256StringThe SHA256 hash of the OS actor process's executable.
Core.CaseExtraData.issues.data.os_actor_process_causality_idStringThe causality ID of the OS actor process.
Core.CaseExtraData.issues.data.os_actor_causality_idStringThe causality ID of the OS actor.
Core.CaseExtraData.issues.data.os_actor_process_os_pidStringThe operating system PID of the OS actor process.
Core.CaseExtraData.issues.data.os_actor_thread_thread_idStringThe thread ID of the OS actor.
Core.CaseExtraData.issues.data.fw_app_idStringThe firewall application ID for the traffic.
Core.CaseExtraData.issues.data.fw_interface_fromStringThe firewall interface from which the traffic originated.
Core.CaseExtraData.issues.data.fw_interface_toStringThe firewall interface to which the traffic was destined.
Core.CaseExtraData.issues.data.fw_ruleStringThe name of the firewall rule that matched the traffic.
Core.CaseExtraData.issues.data.fw_rule_idStringThe unique ID of the firewall rule that matched the traffic.
Core.CaseExtraData.issues.data.fw_device_nameStringThe name of the firewall device that logged the event.
Core.CaseExtraData.issues.data.fw_serial_numberStringThe serial number of the firewall device.
Core.CaseExtraData.issues.data.fw_url_domainStringThe domain visited, as logged by the firewall.
Core.CaseExtraData.issues.data.fw_email_subjectStringThe subject line of an email, as logged by the firewall.
Core.CaseExtraData.issues.data.fw_email_senderStringThe sender of an email, as logged by the firewall.
Core.CaseExtraData.issues.data.fw_email_recipientStringThe recipient of an email, as logged by the firewall.
Core.CaseExtraData.issues.data.fw_app_subcategoryStringThe application subcategory as identified by the firewall.
Core.CaseExtraData.issues.data.fw_app_categoryStringThe application category as identified by the firewall.
Core.CaseExtraData.issues.data.fw_app_technologyStringThe application technology as identified by the firewall.
Core.CaseExtraData.issues.data.fw_vsysStringThe virtual system on the firewall that processed the traffic.
Core.CaseExtraData.issues.data.fw_xffStringThe X-Forwarded-For (XFF) header value from the traffic.
Core.CaseExtraData.issues.data.fw_miscStringMiscellaneous firewall log data.
Core.CaseExtraData.issues.data.fw_is_phishingBooleanA flag indicating if the firewall identified the event as phishing.
Core.CaseExtraData.issues.data.dst_agent_idStringThe agent ID of the destination endpoint in a lateral movement event.
Core.CaseExtraData.issues.data.dst_causality_actor_process_execution_timeDateThe execution time of the causality actor process on the destination endpoint.
Core.CaseExtraData.issues.data.dns_query_nameStringThe domain name in a DNS query event.
Core.CaseExtraData.issues.data.dst_action_external_hostnameStringThe external hostname of the destination.
Core.CaseExtraData.issues.data.dst_action_countryStringThe country of the destination.
Core.CaseExtraData.issues.data.dst_action_external_portStringThe external port of the destination.
Core.CaseExtraData.issues.data.issue_idStringThe unique identifier for the issue.
Core.CaseExtraData.issues.data.detection_timestampNumberThe timestamp when the issue was first detected.
Core.CaseExtraData.issues.data.nameStringThe name or title of the issue.
Core.CaseExtraData.issues.data.categoryStringThe category of the issue.
Core.CaseExtraData.issues.data.endpoint_idStringThe unique ID of the endpoint where the issue occurred.
Core.CaseExtraData.issues.data.descriptionStringA detailed description of the issue.
Core.CaseExtraData.issues.data.host_ipStringThe IP address of the host related to the issue.
Core.CaseExtraData.issues.data.host_nameStringThe hostname of the endpoint related to the issue.
Core.CaseExtraData.issues.data.sourceStringThe source of the issue (e.g., 'XDR').
Core.CaseExtraData.issues.data.actionStringThe action taken in response to the event (e.g., 'detected', 'prevented').
Core.CaseExtraData.issues.data.action_prettyStringA user-friendly representation of the action taken.
Core.CaseExtraData.issues.data.user_nameStringThe name of the user associated with the issue.
Core.CaseExtraData.issues.data.contains_featured_hostBooleanA flag indicating if the issue involves a host marked as featured or critical.
Core.CaseExtraData.issues.data.contains_featured_userBooleanA flag indicating if the issue involves a user marked as featured or critical.
Core.CaseExtraData.issues.data.contains_featured_ip_addressBooleanA flag indicating if the issue involves an IP address marked as featured or critical.
Core.CaseExtraData.issues.data.tagsStringAny tags that have been applied to the issue.
Core.CaseExtraData.issues.data.original_tagsStringThe original set of tags applied to the issue before any modifications.
Core.CaseExtraData.network_artifacts.total_countNumberThe total number of network artifacts associated with the case.
Core.CaseExtraData.network_artifacts.data.typeStringThe type of network artifact (e.g., 'IP Address', 'Domain').
Core.CaseExtraData.network_artifacts.data.issue_countNumberThe number of issues in the case that involve this network artifact.
Core.CaseExtraData.network_artifacts.data.is_manualBooleanA flag indicating if the network artifact was added manually by a user.
Core.CaseExtraData.network_artifacts.data.network_domainStringThe domain name of the network artifact.
Core.CaseExtraData.network_artifacts.data.network_remote_ipStringThe remote IP address of the network artifact.
Core.CaseExtraData.network_artifacts.data.network_remote_portStringThe remote port number of the network artifact.
Core.CaseExtraData.network_artifacts.data.network_countryStringThe country associated with the network artifact's IP address.
Core.CaseExtraData.file_artifacts.total_countNumberThe total number of file artifacts associated with the case.
Core.CaseExtraData.file_artifacts.data.issue_countNumberThe number of issues in the case that involve this file artifact.
Core.CaseExtraData.file_artifacts.data.file_nameStringThe name of the file artifact.
Core.CaseExtraData.file_artifacts.data.File_sha256StringThe SHA256 hash of the file artifact.
Core.CaseExtraData.file_artifacts.data.file_signature_statusStringThe digital signature status of the file artifact.
Core.CaseExtraData.file_artifacts.data.file_wildfire_verdictStringThe verdict from WildFire for this file (e.g., 'malicious', 'benign').
Core.CaseExtraData.file_artifacts.data.is_malicousBooleanA flag indicating whether the file artifact is considered malicious.
Core.CaseExtraData.file_artifacts.data.is_manualBooleanA flag indicating if the file artifact was added manually by a user.
Core.CaseExtraData.file_artifacts.data.is_processBooleanA flag indicating if the file artifact is a process executable.
Core.CaseExtraData.file_artifacts.data.low_confidenceBooleanA flag indicating if the verdict on the file artifact has low confidence.
Core.CaseExtraData.file_artifacts.data.typeStringThe type of the file artifact.
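The network_artifacts and file_artifacts lists above are what an automation usually mines for indicators. The following Python is an added example, not code from the Cortex Platform Core integration: it takes a dictionary shaped like the Core.CaseExtraData context entry, keeps file hashes only where is_malicous is set (dropping low_confidence verdicts unless the caller opts in), ranks every indicator by issue_count, and flags the result as partial when total_count is larger than the rows actually present. The sample case, hashes and IP address are constructed for the example, and the lowercase file_sha256 fallback key is an assumption.

```python
"""
Extract indicators from the Core.CaseExtraData artifact lists.

Added example; not part of the Cortex Platform Core integration. It reads only
the network_artifacts and file_artifacts context paths documented above. The
sample case below is constructed (hashes, domain and IP are dummies).
"""
import re
from typing import Any, Dict, List, Tuple

SHA256_RE = re.compile(r"[0-9a-fA-F]{64}")

# Constructed sample shaped like the Core.CaseExtraData context entry.
SAMPLE_EXTRA_DATA: Dict[str, Any] = {
    "network_artifacts": {
        "total_count": 2,
        "data": [
            {"type": "IP Address", "issue_count": 3, "is_manual": False,
             "network_domain": None, "network_remote_ip": "203.0.113.10",
             "network_remote_port": "443", "network_country": "US"},
            {"type": "Domain", "issue_count": 1, "is_manual": True,
             "network_domain": "example.net", "network_remote_ip": None,
             "network_remote_port": None, "network_country": None},
        ],
    },
    "file_artifacts": {
        "total_count": 3,
        "data": [
            {"issue_count": 2, "file_name": "dropper.exe", "File_sha256": "a" * 64,
             "file_signature_status": "SIGNATURE_UNAVAILABLE",
             "file_wildfire_verdict": "malicious", "is_malicous": True,
             "is_manual": False, "is_process": True, "low_confidence": False, "type": "FILE"},
            {"issue_count": 1, "file_name": "helper.dll", "File_sha256": "b" * 64,
             "file_signature_status": "SIGNATURE_UNAVAILABLE",
             "file_wildfire_verdict": "unknown", "is_malicous": True,
             "is_manual": False, "is_process": False, "low_confidence": True, "type": "FILE"},
            {"issue_count": 1, "file_name": "cmd.exe", "File_sha256": "c" * 64,
             "file_signature_status": "SIGNATURE_SIGNED",
             "file_wildfire_verdict": "benign", "is_malicous": False,
             "is_manual": False, "is_process": True, "low_confidence": False, "type": "FILE"},
        ],
    },
}


def _artifacts(extra_data: Dict[str, Any], key: str) -> Tuple[List[Dict[str, Any]], bool]:
    """Return the artifact rows under `key` and whether total_count says rows are missing."""
    section = extra_data.get(key) or {}
    rows = section.get("data") or []
    total = section.get("total_count")
    truncated = isinstance(total, int) and total > len(rows)
    return rows, truncated


def extract_iocs(extra_data: Dict[str, Any], include_low_confidence: bool = False) -> Dict[str, Any]:
    """Collect SHA256, IP and domain indicators from a Core.CaseExtraData entry.

    Files are kept only when is_malicous is set; a low_confidence verdict is dropped
    unless the caller opts in. Each indicator keeps its issue_count so the lists are
    ranked by how many issues in the case touch it. `truncated` is True when a
    total_count exceeds the rows present, so the caller knows the list is partial.
    """
    result: Dict[str, Any] = {"sha256": [], "ip": [], "domain": [], "truncated": False}
    files, files_truncated = _artifacts(extra_data, "file_artifacts")
    for art in files:
        if not art.get("is_malicous"):
            continue
        if art.get("low_confidence") and not include_low_confidence:
            continue
        # Documented key is File_sha256; the lowercase fallback is a defensive assumption.
        sha = art.get("File_sha256") or art.get("file_sha256") or ""
        if not SHA256_RE.fullmatch(sha):
            continue  # skip rows with a missing or malformed hash instead of emitting junk
        result["sha256"].append({
            "value": sha.lower(), "file_name": art.get("file_name"),
            "wildfire_verdict": art.get("file_wildfire_verdict"),
            "signature_status": art.get("file_signature_status"),
            "is_process": bool(art.get("is_process")),
            "issue_count": int(art.get("issue_count") or 0)})
    nets, nets_truncated = _artifacts(extra_data, "network_artifacts")
    for art in nets:
        entry = {"type": art.get("type"), "is_manual": bool(art.get("is_manual")),
                 "issue_count": int(art.get("issue_count") or 0)}
        if art.get("network_remote_ip"):
            result["ip"].append({**entry, "value": art["network_remote_ip"],
                                 "port": art.get("network_remote_port"),
                                 "country": art.get("network_country")})
        if art.get("network_domain"):
            result["domain"].append({**entry, "value": art["network_domain"].lower()})
    for kind in ("sha256", "ip", "domain"):
        result[kind].sort(key=lambda e: e["issue_count"], reverse=True)
    result["truncated"] = files_truncated or nets_truncated
    return result
```

A manually added artifact (is_manual) is kept but labelled, so a playbook can decide whether analyst-supplied indicators should be pushed to blocklists with the same confidence as engine-derived ones.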

core-get-cases#


Get cases information based on the specified filters.

Base Command#

core-get-cases

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| lte_creation_time | A date in the format 2019-12-31T23:59:00. Only cases that were created on or before the specified date/time will be retrieved. | Optional |
| gte_creation_time | A date in the format 2019-12-31T23:59:00. Only cases that were created on or after the specified date/time will be retrieved. | Optional |
| lte_modification_time | A date in the format 2019-12-31T23:59:00. Only cases that were modified on or before the specified date/time will be retrieved. | Optional |
| gte_modification_time | A date in the format 2019-12-31T23:59:00. Only cases that were modified on or after the specified date/time will be retrieved. | Optional |
| case_id_list | A comma-separated list of case IDs. | Optional |
| since_creation_time | Filters returned cases that were created within the specified period before now, for example, 1 month, 2 days, 1 hour, and so on. | Optional |
| since_modification_time | Filters returned cases that were modified within the specified period before now, for example, 1 month, 2 days, 1 hour, and so on. | Optional |
| sort_by_modification_time | Sorts returned cases by the date/time that the case was last modified. Possible values are: asc (ascending), desc (descending). | Optional |
| sort_by_creation_time | Sorts returned cases by the date/time that the case was created. Possible values are: asc (ascending), desc (descending). | Optional |
| page | Page number (for pagination). Default is 0 (the first page). | Optional |
| limit | Maximum number of cases to return per page. Default and maximum is 100. | Optional |
| status | Filters only cases in the specified status. Possible values are: new, under_investigation, resolved_known_issue, resolved_false_positive, resolved_true_positive, resolved_security_testing, resolved_other, resolved_auto. | Optional |
| starred | Filters by whether the case is starred. Possible values are: true, false. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Core.Case.case_id | String | Unique ID assigned to each returned case. |
| Core.Case.case_name | String | Name of the case. |
| Core.Case.creation_time | Number | Timestamp when the case was created. |
| Core.Case.modification_time | Number | Timestamp when the case was last modified. |
| Core.Case.detection_time | Date | Timestamp when the first issue was detected in the case. May be null. |
| Core.Case.status | String | Current status of the case. |
| Core.Case.severity | String | Severity level of the case. |
| Core.Case.description | String | Description of the case. |
| Core.Case.assigned_user_mail | String | Email address of the assigned user. May be null. |
| Core.Case.assigned_user_pretty_name | String | Full name of the assigned user. May be null. |
| Core.Case.issue_count | Number | Total number of issues in the case. |
| Core.Case.low_severity_issue_count | Number | Number of issues with low severity. |
| Core.Case.med_severity_issue_count | Number | Number of issues with medium severity. |
| Core.Case.high_severity_issue_count | Number | Number of issues with high severity. |
| Core.Case.critical_severity_issue_count | Number | Number of issues with critical severity. |
| Core.Case.user_count | Number | Number of users involved in the case. |
| Core.Case.host_count | Number | Number of hosts involved in the case. |
| Core.Case.notes | String | Notes related to the case. May be null. |
| Core.Case.resolve_comment | String | Comments added when resolving the case. May be null. |
| Core.Case.resolved_timestamp | Number | Timestamp when the case was resolved. |
| Core.Case.manual_severity | Number | Severity manually assigned by the user. May be null. |
| Core.Case.manual_description | String | Description manually provided by the user. |
| Core.Case.xdr_url | String | URL to view the case in Cortex XDR. |
| Core.Case.starred | Boolean | Indicates whether the case is starred. |
| Core.Case.starred_manually | Boolean | True if the case was starred manually; false if starred by rules. |
| Core.Case.hosts | Array | List of hosts involved in the case. |
| Core.Case.users | Array | List of users involved in the case. |
| Core.Case.case_sources | Array | Sources of the case. |
| Core.Case.rule_based_score | Number | Score based on rules. |
| Core.Case.manual_score | Number | Manually assigned score. May be null. |
| Core.Case.wildfire_hits | Number | Number of WildFire hits. |
| Core.Case.issues_grouping_status | String | Status of issue grouping. |
| Core.Case.mitre_tactics_ids_and_names | Array | List of MITRE ATT&CK tactic IDs and names associated with the case. |
| Core.Case.mitre_techniques_ids_and_names | Array | List of MITRE ATT&CK technique IDs and names associated with the case. |
| Core.Case.issue_categories | Array | Categories of issues associated with the case. |
| Core.Case.original_tags | Array | Original tags assigned to the case. |
| Core.Case.tags | Array | Current tags assigned to the case. |
| Core.Case.case_domain | String | Domain associated with the case. |
| Core.Case.custom_fields | Unknown | Custom fields for the case with standardized lowercase, whitespace-free names. |
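As an added example that is not part of the integration, the following Python shows how an automation might drive core-get-cases: it validates arguments against the input table (timestamp format, the status list, asc/desc, the 100-row page cap), pages through results with page and limit until a short page ends the set, and picks out open, unassigned cases ordered by severity and issue counts from the Core.Case fields. In XSOAR the run_command callable would wrap demisto.executeCommand("core-get-cases", args) and return the Core.Case entries; here a constructed FakeCaseServer stands in so the code runs offline. The unit grammar accepted for since_creation_time and since_modification_time is an assumption based on the documented examples, and the sample cases are made up.

```python
"""
Argument validation, pagination and triage for core-get-cases.
Added example, not the integration's own code. In an XSOAR automation the
`run_command` callable would wrap demisto.executeCommand("core-get-cases", args)
and return the Core.Case list; FakeCaseServer stands in so this runs offline.
"""
import re
from datetime import datetime
from typing import Any, Callable, Dict, Iterator, List

CASE_STATUSES = {"new", "under_investigation", "resolved_known_issue", "resolved_false_positive",
                 "resolved_true_positive", "resolved_security_testing", "resolved_other", "resolved_auto"}
OPEN_STATUSES = {"new", "under_investigation"}
MAX_LIMIT = 100                   # documented maximum page size
TIME_FMT = "%Y-%m-%dT%H:%M:%S"    # 2019-12-31T23:59:00
ABSOLUTE_KEYS = ("lte_creation_time", "gte_creation_time", "lte_modification_time", "gte_modification_time")
RELATIVE_KEYS = ("since_creation_time", "since_modification_time")
# Assumed grammar for "1 month", "2 days", "1 hour": the docs give examples, not a full list of units.
RELATIVE_RE = re.compile(r"\d+ (minute|hour|day|week|month|year)s?")
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "informational": 0}


def build_case_args(**filters: Any) -> Dict[str, str]:
    """Validate filters against the documented arguments and reject anything undocumented."""
    args: Dict[str, str] = {}
    for key, value in filters.items():
        if value is None:
            continue
        if key in ABSOLUTE_KEYS:
            datetime.strptime(value, TIME_FMT)       # ValueError on a malformed timestamp
            args[key] = value
        elif key in RELATIVE_KEYS:
            if not RELATIVE_RE.fullmatch(str(value).strip()):
                raise ValueError(f"{key}: expected e.g. '1 month' or '2 days', got {value!r}")
            args[key] = str(value).strip()
        elif key == "case_id_list":
            ids = value if isinstance(value, (list, tuple)) else str(value).split(",")
            args[key] = ",".join(str(i).strip() for i in ids if str(i).strip())
        elif key in ("sort_by_modification_time", "sort_by_creation_time", "status"):
            allowed = CASE_STATUSES if key == "status" else {"asc", "desc"}
            if value not in allowed:
                raise ValueError(f"{key}: {value!r} is not one of {sorted(allowed)}")
            args[key] = value
        elif key == "starred":
            args[key] = "true" if value in (True, "true", "True") else "false"
        elif key == "page":
            if int(value) < 0:
                raise ValueError("page: must be >= 0")
            args[key] = str(int(value))
        elif key == "limit":
            if not 1 <= int(value) <= MAX_LIMIT:
                raise ValueError(f"limit: must be between 1 and {MAX_LIMIT}")
            args[key] = str(int(value))
        else:
            raise ValueError(f"unknown core-get-cases argument: {key}")
    return args


def iter_cases(run_command: Callable[[Dict[str, str]], List[Dict[str, Any]]],
               **filters: Any) -> Iterator[Dict[str, Any]]:
    """Yield every matching case, walking page/limit until a short page ends the set.
    Pass a sort_by_* argument for a stable order: without one, a case modified while
    you are paging can shift between pages and be returned twice or missed."""
    args = build_case_args(**filters)
    page, limit = int(args.get("page", "0")), int(args.get("limit", str(MAX_LIMIT)))
    while True:
        batch = run_command({**args, "page": str(page), "limit": str(limit)})
        yield from batch
        if len(batch) < limit:
            return
        page += 1


def triage(cases: List[Dict[str, Any]]) -> List[str]:
    """IDs of open, unassigned cases, highest severity and issue counts first."""
    todo = [c for c in cases if c.get("status") in OPEN_STATUSES and not c.get("assigned_user_mail")]
    todo.sort(key=lambda c: (SEVERITY_RANK.get(str(c.get("severity", "")).lower(), -1),
                             int(c.get("critical_severity_issue_count") or 0),
                             int(c.get("high_severity_issue_count") or 0)), reverse=True)
    return [str(c["case_id"]) for c in todo]


class FakeCaseServer:
    """Constructed stand-in for the command: serves sample Core.Case rows in page-sized slices."""
    SAMPLE_CASES = [
        {"case_id": cid, "status": st, "severity": sev, "assigned_user_mail": who,
         "critical_severity_issue_count": crit, "high_severity_issue_count": high}
        for cid, st, sev, who, crit, high in [
            ("1", "new", "high", None, 0, 2), ("2", "under_investigation", "critical", "analyst@example.com", 1, 0),
            ("3", "resolved_true_positive", "critical", None, 1, 1), ("4", "new", "critical", None, 1, 3),
            ("5", "new", "medium", "", 0, 0)]]

    def __init__(self) -> None:
        self.calls = 0

    def __call__(self, args: Dict[str, str]) -> List[Dict[str, Any]]:
        self.calls += 1
        rows = [c for c in self.SAMPLE_CASES if c["status"] == args.get("status", c["status"])]
        start = int(args["page"]) * int(args["limit"])
        return rows[start:start + int(args["limit"])]
```

Rejecting undocumented argument names up front is deliberate: a misspelled filter such as `gte_creation_tme` would otherwise be silently ignored and the automation would pull every case in the tenant instead of the intended window.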