Cortex XDR - IOC

This integration is part of the Cortex XDR by Palo Alto Networks Pack.

Supported versions

Supported Cortex XSOAR versions: 5.5.0 and later.

Cortex XDR is the world's first detection and response app that natively integrates network, endpoint and cloud data to stop sophisticated attacks.

Use the Cortex XDR - IOCs feed integration to sync indicators between Cortex XSOAR and Cortex XDR. The integration syncs indicators according to the defined fetch interval. At each interval, it pushes new and modified indicators matched by the Sync Query from Cortex XSOAR to Cortex XDR. It also checks for manual modifications of indicators on Cortex XDR and syncs them back to Cortex XSOAR. Once per day, the integration performs a complete sync, which also removes from Cortex XDR any indicators that have been deleted or expired in Cortex XSOAR.
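The following is an added, constructed model of the sync cycle just described (an incremental push at every fetch interval, plus a complete sync once per day that also removes deleted or expired indicators). It is not the integration's own code: the Indicator and SyncState shapes, the in-memory "XDR" store and the function names are assumptions made for this illustration, and the XDR-to-XSOAR sync-back direction is left out.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed model of the sync cycle described above (incremental push every
# fetch interval, full sync once per day). It is an illustration, not the
# integration's own code: the Indicator/SyncState shapes, the in-memory "XDR"
# store and the function names are assumptions made for this example.


@dataclass
class Indicator:
    value: str
    modified: datetime      # last modification time in XSOAR
    expired: bool = False   # True once XSOAR's expiration policy has expired it


@dataclass
class SyncState:
    last_push: datetime       # hypothetical: when the last incremental push ran
    last_full_sync: datetime  # hypothetical: when the last complete sync ran


def incremental_push(xsoar: dict[str, Indicator], xdr: dict[str, Indicator],
                     state: SyncState, now: datetime) -> list[str]:
    """Push indicators created or modified since the last push; never deletes."""
    pushed = []
    for value, ioc in xsoar.items():
        if ioc.modified > state.last_push and not ioc.expired:
            xdr[value] = ioc
            pushed.append(value)
    state.last_push = now
    return sorted(pushed)


def full_sync(xsoar: dict[str, Indicator], xdr: dict[str, Indicator],
              state: SyncState, now: datetime) -> list[str]:
    """Make XDR match the live (non-expired) XSOAR set; returns what was removed."""
    live = {value for value, ioc in xsoar.items() if not ioc.expired}
    removed = sorted(value for value in xdr if value not in live)
    for value in removed:
        del xdr[value]
    for value in live:
        xdr[value] = xsoar[value]
    state.last_full_sync = now
    state.last_push = now
    return removed


def run_cycle(xsoar, xdr, state, now, full_sync_every: timedelta = timedelta(days=1)):
    """One fetch-interval tick: incremental push, plus a full sync once per day."""
    pushed = incremental_push(xsoar, xdr, state, now)
    removed: list[str] = []
    if now - state.last_full_sync >= full_sync_every:
        removed = full_sync(xsoar, xdr, state, now)
    return pushed, removed


def demo():
    """Two ticks over constructed data: the second one crosses the daily boundary."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    state = SyncState(last_push=t0, last_full_sync=t0)
    xsoar = {
        "a": Indicator("a", t0 - timedelta(hours=1)),                 # synced earlier
        "b": Indicator("b", t0 + timedelta(minutes=5)),               # new since last push
        "d": Indicator("d", t0 - timedelta(hours=1), expired=True),   # expired in XSOAR
    }
    xdr = {
        "a": xsoar["a"],
        "c": Indicator("c", t0 - timedelta(hours=2)),                 # deleted from XSOAR
        "d": xsoar["d"],
    }
    first = run_cycle(xsoar, xdr, state, t0 + timedelta(minutes=10))
    second = run_cycle(xsoar, xdr, state, t0 + timedelta(days=1, minutes=10))
    return first, second, sorted(xdr)


if __name__ == "__main__":
    print(demo())
```

The first tick only pushes the newly created indicator; nothing is removed, because removals happen only in the daily complete sync. The second tick crosses the day boundary, so the complete sync drops both the indicator deleted from XSOAR and the one that expired there. This is why the sync timestamp matters: moving it manually (see xdr-iocs-set-sync-time below) changes which indicators count as "modified since last push".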

This integration was integrated and tested with Branch: stable-50 of XDR.

Prerequisites

An API key of type Advanced with an Administrator role.

Configure Cortex XDR - IOC on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Cortex XDR - IOC.
  3. Click Add instance to create and configure a new integration instance.
| Parameter | Description | Required |
| --- | --- | --- |
| url | Server URL (e.g. https://example.net) | True |
| apikey_id | API Key ID | True |
| apikey | API Key | True |
| feed | Fetch indicators | False |
| severity | The severity in Cortex XDR | True |
| query | Sync Query | True |
| insecure | Trust any certificate (not secure) | False |
| xsoar_severity_field | The Cortex XSOAR indicator field used as severity. | True |
| xsoar_comments_field | The Cortex XSOAR field where comments are stored. Default is comments. Expects the XSOAR IOC comment format (nested dictionary). See Comments As Tags for more. | True |
| comments_as_tags | Whether to treat the value at xsoar_comments_field as CSV. Requires an xsoar_comments_field value different from the default comments. | True |
| proxy | Use system proxy settings | False |
| feedReputation | Indicator Reputation | False |
| feedReliability | Source Reliability | True |
| tlp_color | The Traffic Light Protocol (TLP) designation to apply to indicators fetched from the feed. More information about the protocol can be found at https://us-cert.cisa.gov/tlp | False |
| feedExpirationPolicy |  | False |
| feedExpirationInterval |  | False |
| feedFetchInterval | Feed Fetch Interval | False |
| feedBypassExclusionList | Bypass exclusion list | False |
  4. Click Test to validate the URLs, token, and connection.
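The xsoar_comments_field and comments_as_tags parameters interact in a way that is easy to misconfigure, so here is an added, constructed illustration of the two modes and of the constraint that comments_as_tags needs a field other than the default comments. This is not the integration's code: the shape of an XSOAR comment object (a dict carrying its text under "content"), the custom field name xdrtags and the function names are assumptions made for this example.

```python
from __future__ import annotations

from typing import Any, Union

# Constructed illustration of how xsoar_comments_field and comments_as_tags
# interact. This is not the integration's code: the shape of an XSOAR comment
# object (a dict carrying the text under "content"), the custom field name
# "xdrtags" and the function names are assumptions made for this example.

DEFAULT_COMMENTS_FIELD = "comments"


def params_valid(comments_field: str, comments_as_tags: bool) -> bool:
    """comments_as_tags may only be used with a field other than the default 'comments'."""
    return not (comments_as_tags and comments_field == DEFAULT_COMMENTS_FIELD)


def comments_to_text(indicator: dict[str, Any], comments_field: str) -> str:
    """Default mode: the field holds XSOAR comment objects (nested dicts); join their text."""
    raw = indicator.get(comments_field) or []
    if isinstance(raw, str):
        return raw.strip()
    parts = []
    for item in raw:
        # the "content" key is an assumption about the XSOAR comment object
        text = item.get("content", "") if isinstance(item, dict) else item
        text = str(text).strip()
        if text:
            parts.append(text)
    return ", ".join(parts)


def comments_to_tags(indicator: dict[str, Any], comments_field: str) -> list[str]:
    """comments_as_tags mode: treat the field value as CSV and return clean tags."""
    raw = indicator.get(comments_field) or ""
    if not isinstance(raw, str):
        raise TypeError(f"{comments_field!r} must hold a CSV string when comments_as_tags is set")
    return [tag.strip() for tag in raw.split(",") if tag.strip()]


def resolve_comments(indicator: dict[str, Any], comments_field: str,
                     comments_as_tags: bool) -> Union[str, list[str]]:
    """Apply the configured mode, refusing the invalid combination up front."""
    if not params_valid(comments_field, comments_as_tags):
        raise ValueError("comments_as_tags requires xsoar_comments_field to differ from 'comments'")
    if comments_as_tags:
        return comments_to_tags(indicator, comments_field)
    return comments_to_text(indicator, comments_field)


# Constructed sample indicator (documentation-range IP, made-up comments and tags).
SAMPLE_IOC = {
    "value": "198.51.100.7",
    "comments": [{"content": "added from ticket 42"}, {"content": "  reviewed  "}, {"content": ""}],
    "xdrtags": "malicious, c2 , ",
}


if __name__ == "__main__":
    print(resolve_comments(SAMPLE_IOC, "comments", False))
    print(resolve_comments(SAMPLE_IOC, "xdrtags", True))
```

The default mode flattens the nested comment objects into one string; the tags mode splits a plain CSV string and discards empty entries. Pointing comments_as_tags at the default comments field would hand a list of dicts to a CSV splitter, which is exactly the combination the parameter description rules out.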

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook.
After you successfully execute a command, a DBot message appears in the War Room with the command details.

xdr-iocs-sync

Run once when configuring the integration (do NOT run this twice!). Removes all the indicators that were previously synced with XDR and then resyncs them.

Base Command

xdr-iocs-sync

Input

There are no input arguments for this command.

Context Output

There is no context output for this command.

Command Example

!xdr-iocs-sync

Human Readable Output

sync with XDR completed.

xdr-iocs-push

Push new IOCs to XDR. Run this every minute (without the indicator argument) or when triggered by an IOC (using the indicator argument).

Base Command

xdr-iocs-push

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| indicator | The indicator(s) to push. | Optional |

Context Output

There is no context output for this command.

Command Example

!xdr-iocs-push

Human Readable Output

push success.

xdr-iocs-enable

Enable IOCs on the XDR server.

Base Command

xdr-iocs-enable

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| indicator | The indicator to enable. | Required |

Context Output

There is no context output for this command.

Command Example

!xdr-iocs-enable indicator=11.11.11.11

Human Readable Output

indicators 11.11.11.11 enabled.

xdr-iocs-disable

Disable IOCs on the XDR server.

Base Command

xdr-iocs-disable

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| indicator | The indicator to disable. | Required |

Context Output

There is no context output for this command.

Command Example

!xdr-iocs-disable indicator=22.22.22.22

Human Readable Output

indicators 22.22.22.22 disabled.

xdr-iocs-set-sync-time

Set the sync time manually (do not use this command unless you understand the consequences).

Base Command

xdr-iocs-set-sync-time

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| time | The time of the file creation (use the UTC time zone). | Required |

Context Output

There is no context output for this command.

xdr-iocs-create-sync-file

Creates the sync file for the manual process. Run this command when instructed by the XDR support team.

Base Command

xdr-iocs-create-sync-file

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| zip | Whether to zip the output file. | Required |
| set_time | Whether to modify the sync time locally. | Required |

Context Output

There is no context output for this command.

xdr-iocs-to-keep-file

Base Command

xdr-iocs-to-keep-file

Input

There are no input arguments for this command.

Context Output

There is no context output for this command.