
Palo Alto Networks Cortex XDR - Investigation and Response

Overview#


Cortex XDR is Palo Alto Networks' detection and response platform; it natively correlates network, endpoint, and cloud data to detect and stop sophisticated attacks. This integration was developed and tested against version 2.6.5 of Cortex XDR - IR.

Playbooks#


Cortex XDR Incident Handling#

The playbook syncs and updates the new XDR alerts that make up the incident. It enriches indicators using Threat Intelligence integrations and Palo Alto Networks AutoFocus. The incident's severity is then updated based on the indicators' reputation, and an analyst is assigned for manual investigation. If chosen, automated remediation with a Palo Alto Networks Firewall is initiated. After a manual review by the SOC analyst, the XDR incident is closed automatically.

Use Cases#


  • Fetch incidents from XDR
  • Enrich incident with alerts and incident from XDR
  • Update incident in XDR
  • Search for endpoints
  • Isolate/unisolate endpoints
  • Insert parsed alerts into XDR
  • Insert CEF alerts into XDR
  • Query for agent audit reports
  • Query for audit management logs
  • Create distribution
  • Get distribution download URL
  • Get distribution versions

Automation#


To sync incidents between Cortex XSOAR and Cortex XDR without the mirroring feature, use the XDRSyncScript script, which you can find on the Automation page. Do not combine XDRSyncScript with incident mirroring: the two mechanisms conflict (see the mirroring notes below).

Configuration#


You need to collect several pieces of information in order to configure the integration on Cortex XSOAR.

Generate an API Key and API Key ID#

  1. In your Cortex XDR platform, go to Settings.
  2. Click the +New Key button in the top right corner.
  3. Generate a key of type Advanced.
  4. Copy the generated key; you will paste it into the API Key integration parameter. Treat it as a credential: store it only in the integration instance, never in playbook inputs, scripts, or incident fields.
  5. From the ID column, copy the Key ID.

URL#

  1. In your Cortex XDR platform, go to Settings.
  2. Click the Copy URL button in the top right corner.

Configure integration parameters#

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Cortex XDR - IR.
  3. Click Add instance to create and configure a new integration instance.
    • Name: a textual name for the integration instance.
    • Fetch incidents
    • Incident type
    • Server URL (copy URL from XDR - click ? to see more info.)
    • API Key ID
    • API Key
    • Maximum number of incidents per fetch
    • First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days)
    • HTTP Timeout (default is 120 seconds)
    • Fetch incident alerts and artifacts
    • Incident Mirroring Direction
    • Sync Incident Owners
    • Trust any certificate (not secure). Leave this unchecked in production: it disables TLS certificate validation, so anyone who can intercept the connection can read the API key headers.
    • Use system proxy settings
    • Incident Statuses to Fetch
  4. Click Test to validate the URLs, token, and connection.

Fetched Incidents Data#


incident_id:31
creation_time:1564594008755
modification_time:1566339537617
detection_time:null
status:new
severity:low
description:6 'Microsoft Windows RPC Fragment Evasion Attempt' alerts detected by PAN NGFW on 6 hosts
assigned_user_mail:null
assigned_user_pretty_name:null
alert_count:6
low_severity_alert_count:0
med_severity_alert_count:6
high_severity_alert_count:0
user_count:1
host_count:6
notes:null
resolve_comment:null
manual_severity:low
manual_description:null
xdr_url:https://1111.paloaltonetworks.com/incident-view/31
  • Note: If the Fetch incident alerts and artifacts integration parameter is enabled, fetched incidents also include the incident's alerts and artifacts.

XDR Incident Mirroring#

Note: this feature is available from Cortex XSOAR version 6.0.0.

You can enable incident mirroring between Cortex XSOAR incidents and Cortex XDR incidents. To set up mirroring, follow these instructions:

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Cortex XDR - IR and select your integration instance.
  3. Enable Fetch incidents.
  4. In the Incident Mirroring Direction integration parameter, select in which direction the incidents should be mirrored:
  • Incoming - Any changes in XDR incidents will be reflected in XSOAR incidents.
  • Outgoing - Any changes in XSOAR incidents will be reflected in XDR incidents.
  • Both - Changes in XSOAR and XDR incidents will be reflected in both directions.
  • None - Choose this to turn off incident mirroring.
  5. Optional: Check the Sync Incident Owners integration parameter to sync the incident owners in both XDR and XSOAR.
  • Note: This feature will only work if the same users are registered in both Cortex XSOAR and Cortex XDR.
  6. Newly fetched incidents will be mirrored in the chosen direction.
  • Note: This will not affect existing incidents.

XDR Mirroring Notes, limitations and Troubleshooting#

  • Each incident field can be mirrored in or out, but a given field is mirrored in only one direction at a time. For example, with an incident that has two fields (A and B) in both XDR and XSOAR, and Both (incoming and outgoing) mirroring selected:

    • Field A can be mirrored from XDR to XSOAR while field B is mirrored from XSOAR to XDR.
    • Changes to field A cannot be mirrored in both directions.

    Initially all fields are mirrored in from XDR to XSOAR. Once a field is changed in XSOAR, it can only be mirrored out.

  • Do not use the XDRSyncScript automation or any playbook that uses it (e.g., Cortex XDR Incident Sync or Cortex XDR incident handling v2), as it impairs the mirroring functionality.

  • When migrating an existing instance to the mirroring feature, or in case the mirroring does not work as expected, make sure that:

    • The default playbook of the Cortex XDR Incident incident type is not Cortex XDR Incident Sync, change it to a different playbook that does not use XDRSyncScript.
    • The XDR integration instance incoming mapper is set to Cortex XDR - Incoming Mapper and the outgoing mapper is set to Cortex XDR - Outgoing Mapper.
  • The XDR API is rate limited to 10 requests per minute. If the sync loop hits a rate-limit exception, it stops and resumes from the last processed incident on the next run, so a large backlog of incidents is mirrored over several fetch cycles rather than all at once.
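The one-direction-per-field rule above is easy to misread, so here is a small model of it as an added example (not the integration's own code). It tracks the same two fields, A and B, under each Incident Mirroring Direction setting; the assumption that a field edited in XSOAR stops accepting incoming changes is the page's rule for Both, and is applied to the other directions here only for illustration. The diverged() helper is the check to run when mirroring "does not work as expected": it lists the fields whose values differ between the two systems.

```python
"""Per-field model of the XSOAR <-> XDR incident mirroring rule (added illustration)."""

DIRECTIONS = ("Incoming", "Outgoing", "Both", "None")


class MirroredIncident:
    def __init__(self, direction, xdr_fields):
        if direction not in DIRECTIONS:
            raise ValueError(f"direction must be one of {DIRECTIONS}")
        self.direction = direction
        self.xdr = dict(xdr_fields)      # field values as held by Cortex XDR
        self.xsoar = dict(xdr_fields)    # on first fetch every field is copied in
        self.edited_in_xsoar = set()     # once changed in XSOAR a field is out-only (assumption for non-Both)

    @property
    def mirrors_in(self):
        return self.direction in ("Incoming", "Both")

    @property
    def mirrors_out(self):
        return self.direction in ("Outgoing", "Both")

    def change_in_xdr(self, field, value):
        """An analyst edits `field` in XDR. Returns True if the change reached XSOAR."""
        self.xdr[field] = value
        if not self.mirrors_in or field in self.edited_in_xsoar:
            return False
        self.xsoar[field] = value
        return True

    def change_in_xsoar(self, field, value):
        """An analyst edits `field` in XSOAR. Returns True if the change reached XDR."""
        self.xsoar[field] = value
        self.edited_in_xsoar.add(field)
        if not self.mirrors_out:
            return False
        self.xdr[field] = value
        return True

    def diverged(self):
        """Fields whose values differ between XDR and XSOAR; the first thing to look at in troubleshooting."""
        return sorted(f for f in set(self.xdr) | set(self.xsoar) if self.xdr.get(f) != self.xsoar.get(f))


def demo():
    """Replays the A/B scenario from the notes with direction Both."""
    inc = MirroredIncident("Both", {"A": "new", "B": "low"})
    inc.change_in_xdr("A", "under_investigation")   # A: XDR -> XSOAR
    inc.change_in_xsoar("B", "high")                # B: XSOAR -> XDR
    inc.change_in_xdr("B", "medium")                # B is out-only now, so XSOAR keeps "high"
    return inc


if __name__ == "__main__":
    inc = demo()
    print("XDR:", inc.xdr, "XSOAR:", inc.xsoar, "diverged:", inc.diverged())
```

After demo(), XDR holds B=medium while XSOAR holds B=high; that divergence is expected behaviour under the rule, not a mirroring failure.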

Commands#


You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

1. xdr-get-incidents#


Returns a list of incidents, which you can filter by a list of incident IDs (max. 100), the time the incident was last modified, and the time the incident was created. If you pass multiple filtering arguments, they will be concatenated using the AND condition. The OR condition is not supported. This command requires at least one query argument.

Base Command#

xdr-get-incidents

Input#
| Argument Name | Description | Required |
| --- | --- | --- |
| lte_creation_time | Filters returned incidents that were created on or before the specified date/time, in the format 2019-12-31T23:59:00. | Optional |
| gte_creation_time | Filters returned incidents that were created on or after the specified date/time, in the format 2019-12-31T23:59:00. | Optional |
| lte_modification_time | Filters returned incidents that were modified on or before the specified date/time, in the format 2019-12-31T23:59:00. | Optional |
| gte_modification_time | Filters returned incidents that were modified on or after the specified date/time, in the format 2019-12-31T23:59:00. | Optional |
| incident_id_list | An array or CSV string of incident IDs (max. 100). | Optional |
| since_creation_time | Filters returned incidents that were created within the specified relative time range before now, for example, 1 month, 2 days, 1 hour. | Optional |
| since_modification_time | Filters returned incidents that were modified within the specified relative time range before now, for example, 1 month, 2 days, 1 hour. | Optional |
| sort_by_modification_time | Sorts returned incidents by the date/time the incident was last modified ("asc" - ascending, "desc" - descending). | Optional |
| sort_by_creation_time | Sorts returned incidents by the date/time the incident was created ("asc" - ascending, "desc" - descending). | Optional |
| page | Page number (for pagination). The default is 0 (the first page). | Optional |
| limit | Maximum number of incidents to return per page. The default and maximum is 100. | Optional |
| status | Filters only incidents in the specified status. The options are: new, under_investigation, resolved_threat_handled, resolved_known_issue, resolved_false_positive, resolved_other, resolved_auto. | Optional |
Context Output#
| Path | Type | Description |
| --- | --- | --- |
| PaloAltoNetworksXDR.Incident.incident_id | String | Unique ID assigned to each returned incident. |
| PaloAltoNetworksXDR.Incident.manual_severity | String | Incident severity assigned by the user. This does not affect the calculated severity. Can be "low", "medium", or "high". |
| PaloAltoNetworksXDR.Incident.manual_description | String | Incident description provided by the user. |
| PaloAltoNetworksXDR.Incident.assigned_user_mail | String | Email address of the assigned user. |
| PaloAltoNetworksXDR.Incident.high_severity_alert_count | Number | Number of alerts with the severity HIGH. |
| PaloAltoNetworksXDR.Incident.host_count | Number | Number of hosts involved in the incident. |
| PaloAltoNetworksXDR.Incident.xdr_url | String | A link to the incident view on XDR. |
| PaloAltoNetworksXDR.Incident.assigned_user_pretty_name | String | Full name of the user assigned to the incident. |
| PaloAltoNetworksXDR.Incident.alert_count | Number | Total number of alerts in the incident. |
| PaloAltoNetworksXDR.Incident.med_severity_alert_count | Number | Number of alerts with the severity MEDIUM. |
| PaloAltoNetworksXDR.Incident.user_count | Number | Number of users involved in the incident. |
| PaloAltoNetworksXDR.Incident.severity | String | Calculated severity of the incident. Can be "low", "medium", or "high". |
| PaloAltoNetworksXDR.Incident.low_severity_alert_count | Number | Number of alerts with the severity LOW. |
| PaloAltoNetworksXDR.Incident.status | String | Current status of the incident. Can be "new", "under_investigation", "resolved_threat_handled", "resolved_known_issue", "resolved_duplicate", "resolved_false_positive", or "resolved_other". |
| PaloAltoNetworksXDR.Incident.description | String | Dynamic calculated description of the incident. |
| PaloAltoNetworksXDR.Incident.resolve_comment | String | Comments entered by the user when the incident was resolved. |
| PaloAltoNetworksXDR.Incident.notes | String | Comments entered by the user regarding the incident. |
| PaloAltoNetworksXDR.Incident.starred | Boolean | Whether the incident is starred. |
| PaloAltoNetworksXDR.Incident.creation_time | Date | Date and time the incident was created on XDR. |
| PaloAltoNetworksXDR.Incident.detection_time | Date | Date and time that the first alert occurred in the incident. |
| PaloAltoNetworksXDR.Incident.modification_time | Date | Date and time that the incident was last modified. |
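The following is an added example, not integration code, that ties the API key configuration above to this command: it shows what the integration has to send for an xdr-get-incidents call, namely the Advanced-key authentication headers and a request body in which every supplied argument becomes one ANDed filter. Assumptions to verify against the Cortex XDR API reference: Advanced keys authenticate with x-xdr-auth-id, x-xdr-nonce and x-xdr-timestamp headers plus an Authorization value equal to the hex SHA-256 of the key, nonce and millisecond timestamp concatenated; the filter field and operator names (creation_time, modification_time, incident_id_list, status; gte, lte, in, eq) and the search_from/search_to paging fields follow the public API as the author knows it; and date/time arguments without a zone are read as UTC. Credentials in the block are constructed placeholders.

```python
"""Build an authenticated Cortex XDR get_incidents request from xdr-get-incidents style arguments (added example)."""
import hashlib
import secrets
import time
from datetime import datetime, timezone

MAX_LIMIT = 100   # the API returns at most 100 incidents per page
MAX_IDS = 100     # incident_id_list accepts at most 100 IDs
VALID_STATUSES = {
    "new", "under_investigation", "resolved_threat_handled", "resolved_known_issue",
    "resolved_false_positive", "resolved_other", "resolved_auto",
}


def advanced_key_headers(key_id, api_key, nonce=None, timestamp_ms=None):
    """Headers for an Advanced API key (scheme as documented by Palo Alto Networks; assumption, verify).
    nonce and timestamp_ms are injectable so the result is reproducible in tests."""
    nonce = nonce or secrets.token_hex(32)
    timestamp_ms = timestamp_ms or int(time.time() * 1000)
    auth = hashlib.sha256(f"{api_key}{nonce}{timestamp_ms}".encode()).hexdigest()
    return {
        "x-xdr-auth-id": str(key_id),
        "x-xdr-nonce": nonce,
        "x-xdr-timestamp": str(timestamp_ms),
        "Authorization": auth,
        "Content-Type": "application/json",
    }


def to_epoch_ms(value):
    """'2019-12-31T23:59:00' -> milliseconds since the epoch, interpreted as UTC (assumption)."""
    dt = datetime.strptime(value, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp() * 1000)


def build_get_incidents_body(gte_creation_time=None, lte_creation_time=None,
                             gte_modification_time=None, lte_modification_time=None,
                             incident_id_list=None, status=None,
                             sort_by_creation_time=None, sort_by_modification_time=None,
                             page=0, limit=MAX_LIMIT):
    """Translate command arguments into the request body. Filters are ANDed; OR is not available."""
    filters = []
    for field, op, value in (
        ("creation_time", "gte", gte_creation_time),
        ("creation_time", "lte", lte_creation_time),
        ("modification_time", "gte", gte_modification_time),
        ("modification_time", "lte", lte_modification_time),
    ):
        if value:
            filters.append({"field": field, "operator": op, "value": to_epoch_ms(value)})

    if incident_id_list:
        ids = incident_id_list.split(",") if isinstance(incident_id_list, str) else list(incident_id_list)
        ids = [str(i).strip() for i in ids if str(i).strip()]
        if len(ids) > MAX_IDS:
            raise ValueError(f"incident_id_list accepts at most {MAX_IDS} IDs")
        filters.append({"field": "incident_id_list", "operator": "in", "value": ids})

    if status:
        if status not in VALID_STATUSES:
            raise ValueError(f"unknown status {status!r}")
        filters.append({"field": "status", "operator": "eq", "value": status})

    if not filters:
        raise ValueError("at least one query argument is required")

    for keyword in (sort_by_creation_time, sort_by_modification_time):
        if keyword and keyword not in ("asc", "desc"):
            raise ValueError("sort keyword must be 'asc' or 'desc'")
    if sort_by_creation_time and sort_by_modification_time:
        raise ValueError("sort by creation time or by modification time, not both")

    limit = min(int(limit), MAX_LIMIT)   # the API silently caps larger values, so cap here too
    page = int(page)
    request_data = {"filters": filters, "search_from": page * limit, "search_to": page * limit + limit}
    if sort_by_creation_time:
        request_data["sort"] = {"field": "creation_time", "keyword": sort_by_creation_time}
    elif sort_by_modification_time:
        request_data["sort"] = {"field": "modification_time", "keyword": sort_by_modification_time}
    return {"request_data": request_data}


if __name__ == "__main__":
    # Constructed credentials, not real ones.
    print(advanced_key_headers("7", "example-advanced-key-do-not-use"))
    print(build_get_incidents_body(gte_creation_time="2010-10-10T00:00:00", limit=3, sort_by_creation_time="desc"))
```

The body for the page's own command example (gte_creation_time=2010-10-10T00:00:00 limit=3 sort_by_creation_time=desc) is a single creation_time/gte filter with search_from 0, search_to 3 and a descending creation_time sort; the nonce and timestamp headers change on every request, which is why the Authorization value is not a static secret you can reuse from a captured request for long.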
Command Example#

!xdr-get-incidents gte_creation_time=2010-10-10T00:00:00 limit=3 sort_by_creation_time=desc

Context Example#
{
"PaloAltoNetworksXDR.Incident": [
{
"host_count": 1,
"incident_id": "4",
"manual_severity": "medium",
"description": "5 'This alert from content TestXDRPlaybook' alerts detected by Checkpoint - SandBlast ",
"severity": "medium",
"modification_time": 1579290004178,
"assigned_user_pretty_name": null,
"notes": null,
"creation_time": 1577276587937,
"alert_count": 5,
"med_severity_alert_count": 1,
"detection_time": null,
"assigned_user_mail": null,
"resolve_comment": "This issue was solved in Incident number 192304",
"status": "new",
"user_count": 1,
"xdr_url": "https://some.xdr.url.com/incident-view/4",
"starred": false,
"low_severity_alert_count": 0,
"high_severity_alert_count": 4,
"manual_description": null
},
{
"host_count": 1,
"incident_id": "3",
"manual_severity": "medium",
"description": "'test 1' generated by Virus Total - Firewall",
"severity": "medium",
"modification_time": 1579237974014,
"assigned_user_pretty_name": "woo@demisto.com",
"notes": null,
"creation_time": 1576100096594,
"alert_count": 1,
"med_severity_alert_count": 0,
"detection_time": null,
"assigned_user_mail": "woo@demisto.com",
"resolve_comment": null,
"status": "new",
"user_count": 1,
"xdr_url": "https://some.xdr.url.com/incident-view/3",
"starred": false,
"low_severity_alert_count": 0,
"high_severity_alert_count": 1,
"manual_description": null
},
{
"host_count": 1,
"incident_id": "2",
"manual_severity": "high",
"description": "'Alert Name Example 333' along with 1 other alert generated by Virus Total - VPN & Firewall-3 and Checkpoint - SandBlast",
"severity": "high",
"modification_time": 1579288790259,
"assigned_user_pretty_name": null,
"notes": null,
"creation_time": 1576062816474,
"alert_count": 2,
"med_severity_alert_count": 0,
"detection_time": null,
"assigned_user_mail": null,
"resolve_comment": null,
"status": "under_investigation",
"user_count": 1,
"xdr_url": "https://some.xdr.url.com/incident-view/2",
"starred": false,
"low_severity_alert_count": 0,
"high_severity_alert_count": 2,
"manual_description": null
}
]
}
Human Readable Output#

Incidents#

| alert_count | assigned_user_mail | assigned_user_pretty_name | creation_time | description | detection_time | high_severity_alert_count | host_count | incident_id | low_severity_alert_count | manual_description | manual_severity | med_severity_alert_count | modification_time | notes | resolve_comment | severity | starred | status | user_count | xdr_url |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 5 | | | 1577276587937 | 5 'This alert from content TestXDRPlaybook' alerts detected by Checkpoint - SandBlast | | 4 | 1 | 4 | 0 | | medium | 1 | 1579290004178 | | This issue was solved in Incident number 192304 | medium | false | new | 1 | https://some.xdr.url.com/incident-view/4 |
| 1 | woo@demisto.com | woo@demisto.com | 1576100096594 | 'test 1' generated by Virus Total - Firewall | | 1 | 1 | 3 | 0 | | medium | 0 | 1579237974014 | | | medium | false | new | 1 | https://some.xdr.url.com/incident-view/3 |
| 2 | | | 1576062816474 | 'Alert Name Example 333' along with 1 other alert generated by Virus Total - VPN & Firewall-3 and Checkpoint - SandBlast | | 2 | 1 | 2 | 0 | | high | 0 | 1579288790259 | | | high | false | under_investigation | 1 | https://some.xdr.url.com/incident-view/2 |

2. xdr-get-incident-extra-data#


Returns additional data for the specified incident, for example, related alerts, file artifacts, network artifacts, and so on.

Base Command#

xdr-get-incident-extra-data

Input#
| Argument Name | Description | Required |
| --- | --- | --- |
| incident_id | The ID of the incident for which to get additional data. | Required |
| alerts_limit | Maximum number of alerts to return. Default is 1,000. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PaloAltoNetworksXDR.Incident.incident_id | String | Unique ID assigned to each returned incident. |
| PaloAltoNetworksXDR.Incident.creation_time | Date | Date and time the incident was created on XDR. |
| PaloAltoNetworksXDR.Incident.modification_time | Date | Date and time that the incident was last modified. |
| PaloAltoNetworksXDR.Incident.detection_time | Date | Date and time that the first alert occurred in the incident. |
| PaloAltoNetworksXDR.Incident.status | String | Current status of the incident. Valid values are: "new", "under_investigation", "resolved_threat_handled", "resolved_known_issue", "resolved_duplicate", "resolved_false_positive", "resolved_other". |
| PaloAltoNetworksXDR.Incident.severity | String | Calculated severity of the incident. Valid values are: "low", "medium", "high". |
| PaloAltoNetworksXDR.Incident.description | String | Dynamic calculated description of the incident. |
| PaloAltoNetworksXDR.Incident.assigned_user_mail | String | Email address of the assigned user. |
| PaloAltoNetworksXDR.Incident.assigned_user_pretty_name | String | Full name of the user assigned to the incident. |
| PaloAltoNetworksXDR.Incident.alert_count | Number | Total number of alerts in the incident. |
| PaloAltoNetworksXDR.Incident.low_severity_alert_count | Number | Number of alerts with the severity LOW. |
| PaloAltoNetworksXDR.Incident.med_severity_alert_count | Number | Number of alerts with the severity MEDIUM. |
| PaloAltoNetworksXDR.Incident.high_severity_alert_count | Number | Number of alerts with the severity HIGH. |
| PaloAltoNetworksXDR.Incident.user_count | Number | Number of users involved in the incident. |
| PaloAltoNetworksXDR.Incident.host_count | Number | Number of hosts involved in the incident. |
| PaloAltoNetworksXDR.Incident.notes | Unknown | Comments entered by the user regarding the incident. |
| PaloAltoNetworksXDR.Incident.resolve_comment | String | Comments entered by the user when the incident was resolved. |
| PaloAltoNetworksXDR.Incident.manual_severity | String | Incident severity assigned by the user. This does not affect the calculated severity. Valid values are: "low", "medium", "high". |
| PaloAltoNetworksXDR.Incident.manual_description | String | Incident description provided by the user. |
| PaloAltoNetworksXDR.Incident.xdr_url | String | A link to the incident view on XDR. |
| PaloAltoNetworksXDR.Incident.starred | Boolean | Whether the incident is starred. |
| PaloAltoNetworksXDR.Incident.wildfire_hits.mitre_techniques_ids_and_names | String | MITRE ATT&CK technique IDs and names associated with the incident. |
| PaloAltoNetworksXDR.Incident.wildfire_hits.mitre_tactics_ids_and_names | String | MITRE ATT&CK tactic IDs and names associated with the incident. |
| PaloAltoNetworksXDR.Incident.alerts.alert_id | String | Unique ID for each alert. |
| PaloAltoNetworksXDR.Incident.alerts.detection_timestamp | Date | Date and time that the alert occurred. |
| PaloAltoNetworksXDR.Incident.alerts.source | String | Source of the alert: the product/vendor the alert came from. |
| PaloAltoNetworksXDR.Incident.alerts.severity | String | Severity of the alert. Valid values are: "low", "medium", "high". |
| PaloAltoNetworksXDR.Incident.alerts.name | String | Calculated name of the alert. |
| PaloAltoNetworksXDR.Incident.alerts.category | String | Category of the alert, for example, Spyware Detected via Anti-Spyware profile. |
| PaloAltoNetworksXDR.Incident.alerts.description | String | Textual description of the alert. |
| PaloAltoNetworksXDR.Incident.alerts.host_ip_list | Unknown | Host IPs involved in the alert. |
| PaloAltoNetworksXDR.Incident.alerts.host_name | String | Host name involved in the alert. |
| PaloAltoNetworksXDR.Incident.alerts.user_name | String | User name involved with the alert. |
| PaloAltoNetworksXDR.Incident.alerts.event_type | String | Event type. Valid values are: "Process Execution", "Network Event", "File Event", "Registry Event", "Injection Event", "Load Image Event", "Windows Event Log". |
| PaloAltoNetworksXDR.Incident.alerts.action | String | The action that triggered the alert. Valid values are: "REPORTED", "BLOCKED", "POST_DETECTED", "SCANNED", "DOWNLOAD", "PROMPT_ALLOW", "PROMPT_BLOCK", "DETECTED", "BLOCKED_1", "BLOCKED_2", "BLOCKED_3", "BLOCKED_5", "BLOCKED_6", "BLOCKED_7", "BLOCKED_8", "BLOCKED_9", "BLOCKED_10", "BLOCKED_11", "BLOCKED_13", "BLOCKED_14", "BLOCKED_15", "BLOCKED_16", "BLOCKED_17", "BLOCKED_24", "BLOCKED_25", "DETECTED_0", "DETECTED_4", "DETECTED_18", "DETECTED_19", "DETECTED_20", "DETECTED_21", "DETECTED_22", "DETECTED_23". |
| PaloAltoNetworksXDR.Incident.alerts.action_pretty | String | Human-readable form of the action that triggered the alert. Valid values are: "Detected (Reported)", "Prevented (Blocked)", "Detected (Post Detected)", "Detected (Scanned)", "Detected (Download)", "Detected (Prompt Allow)", "Prevented (Prompt Block)", "Detected", "Prevented (Denied The Session)", "Prevented (Dropped The Session)", "Prevented (Dropped The Session And Sent a TCP Reset)", "Prevented (Blocked The URL)", "Prevented (Blocked The IP)", "Prevented (Dropped The Packet)", "Prevented (Dropped All Packets)", "Prevented (Terminated The Session And Sent a TCP Reset To Both Sides Of The Connection)", "Prevented (Terminated The Session And Sent a TCP Reset To The Client)", "Prevented (Terminated The Session And Sent a TCP Reset To The Server)", "Prevented (Continue)", "Prevented (Block-Override)", "Prevented (Override-Lockout)", "Prevented (Override)", "Prevented (Random-Drop)", "Prevented (Silently Dropped The Session With An ICMP Unreachable Message To The Host Or Application)", "Prevented (Block)", "Detected (Allowed The Session)", "Detected (Raised An Alert)", "Detected (Syncookie Sent)", "Detected (Forward)", "Detected (Wildfire Upload Success)", "Detected (Wildfire Upload Failure)", "Detected (Wildfire Upload Skip)", "Detected (Sinkhole)". |
| PaloAltoNetworksXDR.Incident.alerts.actor_process_image_name | String | Image name of the actor process. |
| PaloAltoNetworksXDR.Incident.alerts.actor_process_command_line | String | Command line of the actor process. |
| PaloAltoNetworksXDR.Incident.alerts.actor_process_signature_status | String | Signature status of the actor process. Valid values are: "Signed", "Invalid Signature", "Unsigned", "Revoked", "Signature Fail", "N/A", "Weak Hash". |
| PaloAltoNetworksXDR.Incident.alerts.actor_process_signature_vendor | String | Signature vendor name of the actor process. |
| PaloAltoNetworksXDR.Incident.alerts.causality_actor_process_image_name | String | Image name of the causality actor process. |
| PaloAltoNetworksXDR.Incident.alerts.causality_actor_process_command_line | String | Command line of the causality actor process. |
| PaloAltoNetworksXDR.Incident.alerts.causality_actor_process_signature_status | String | Signature status of the causality actor process. Valid values are: "Signed", "Invalid Signature", "Unsigned", "Revoked", "Signature Fail", "N/A", "Weak Hash". |
| PaloAltoNetworksXDR.Incident.alerts.causality_actor_process_signature_vendor | String | Signature vendor of the causality actor process. |
| PaloAltoNetworksXDR.Incident.alerts.causality_actor_causality_id | Unknown | Causality ID. |
| PaloAltoNetworksXDR.Incident.alerts.action_process_image_name | String | Image name of the action process. |
| PaloAltoNetworksXDR.Incident.alerts.action_process_image_command_line | String | Command line of the action process. |
| PaloAltoNetworksXDR.Incident.alerts.action_process_image_sha256 | String | SHA256 of the action process image. |
| PaloAltoNetworksXDR.Incident.alerts.action_process_signature_status | String | Signature status of the action process. Valid values are: "Signed", "Invalid Signature", "Unsigned", "Revoked", "Signature Fail", "N/A", "Weak Hash". |
| PaloAltoNetworksXDR.Incident.alerts.action_process_signature_vendor | String | Signature vendor name of the action process. |
| PaloAltoNetworksXDR.Incident.alerts.action_file_path | String | File path. |
| PaloAltoNetworksXDR.Incident.alerts.action_file_md5 | String | File MD5. |
| PaloAltoNetworksXDR.Incident.alerts.action_file_sha256 | String | File SHA256. |
| PaloAltoNetworksXDR.Incident.alerts.action_registry_data | String | Registry data. |
| PaloAltoNetworksXDR.Incident.alerts.action_registry_full_key | String | Registry full key. |
| PaloAltoNetworksXDR.Incident.alerts.action_local_ip | String | Local IP. |
| PaloAltoNetworksXDR.Incident.alerts.action_local_port | Number | Local port. |
| PaloAltoNetworksXDR.Incident.alerts.action_remote_ip | String | Remote IP. |
| PaloAltoNetworksXDR.Incident.alerts.action_remote_port | Number | Remote port. |
| PaloAltoNetworksXDR.Incident.alerts.action_external_hostname | String | External hostname. |
| PaloAltoNetworksXDR.Incident.alerts.fw_app_id | Unknown | Firewall App-ID. |
| PaloAltoNetworksXDR.Incident.alerts.is_whitelisted | String | Whether the alert is whitelisted. Valid values are: "Yes", "No". |
| PaloAltoNetworksXDR.Incident.alerts.starred | Boolean | Whether the alert is starred. |
| PaloAltoNetworksXDR.Incident.network_artifacts.type | String | The artifact type. Valid values are: "META", "GID", "CID", "HASH", "IP", "DOMAIN", "REGISTRY", "HOSTNAME". |
| PaloAltoNetworksXDR.Incident.network_artifacts.network_remote_port | Number | The remote port related to the artifact. |
| PaloAltoNetworksXDR.Incident.network_artifacts.alert_count | Number | Number of alerts related to the artifact. |
| PaloAltoNetworksXDR.Incident.network_artifacts.network_remote_ip | String | The remote IP related to the artifact. |
| PaloAltoNetworksXDR.Incident.network_artifacts.is_manual | Boolean | Whether the artifact was created by the user (manually). |
| PaloAltoNetworksXDR.Incident.network_artifacts.network_domain | String | The domain related to the artifact. |
| PaloAltoNetworksXDR.Incident.network_artifacts.network_country | String | The country related to the artifact. |
| PaloAltoNetworksXDR.Incident.file_artifacts.file_signature_status | String | Digital signature status of the file. Valid values are: "SIGNATURE_UNAVAILABLE", "SIGNATURE_SIGNED", "SIGNATURE_INVALID", "SIGNATURE_UNSIGNED", "SIGNATURE_WEAK_HASH". |
| PaloAltoNetworksXDR.Incident.file_artifacts.is_process | Boolean | Whether the file artifact is related to a process execution. |
| PaloAltoNetworksXDR.Incident.file_artifacts.file_name | String | Name of the file. |
| PaloAltoNetworksXDR.Incident.file_artifacts.file_wildfire_verdict | String | The file verdict, calculated by WildFire. Valid values are: "BENIGN", "MALWARE", "GRAYWARE", "PHISING", "UNKNOWN". |
| PaloAltoNetworksXDR.Incident.file_artifacts.alert_count | Number | Number of alerts related to the artifact. |
| PaloAltoNetworksXDR.Incident.file_artifacts.is_malicious | Boolean | Whether the artifact is malicious, as decided by the WildFire verdict. |
| PaloAltoNetworksXDR.Incident.file_artifacts.is_manual | Boolean | Whether the artifact was created by the user (manually). |
| PaloAltoNetworksXDR.Incident.file_artifacts.type | String | The artifact type. Valid values are: "META", "GID", "CID", "HASH", "IP", "DOMAIN", "REGISTRY", "HOSTNAME". |
| PaloAltoNetworksXDR.Incident.file_artifacts.file_sha256 | String | SHA-256 hash of the file. |
| PaloAltoNetworksXDR.Incident.file_artifacts.file_signature_vendor_name | String | File signature vendor name. |
| Account.Username | String | The username in the relevant system. |
| Endpoint.Hostname | String | The hostname that is mapped to this endpoint. |
| File.Path | String | The path where the file is located. |
| File.MD5 | String | The MD5 hash of the file. |
| File.SHA256 | String | The SHA256 hash of the file. |
| File.Name | String | The full file name (including file extension). |
| Process.Name | String | The name of the process. |
| Process.MD5 | String | The MD5 hash of the process. |
| Process.SHA256 | String | The SHA256 hash of the process. |
| Process.PID | String | The PID of the process. |
| Process.Path | String | The file system path to the binary file. |
| Process.StartTime | String | The timestamp of the process start time. |
| Process.CommandLine | String | The full command line (including arguments). |
| IP.Address | String | IP address. |
| IP.Geo.Country | String | The country in which the IP address is located. |
| Domain.Name | String | The domain name, for example: "google.com". |
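The second half of that table (Account, Endpoint, File, Process, IP, Domain) is the standard context the command fills from the XDR-specific fields. The following added example, not the integration's own mapping code, shows one way that mapping is done: it walks the alerts, network_artifacts and file_artifacts of an extra-data payload, drops null and "N/A" values, and merges the same indicator seen in several places (an IP in two alerts and in a network artifact, a file in an alert and in a file artifact) into one entry. The payload is constructed and modelled on the page's Context Example with indicator values filled in; the two hashes are the MD5 and SHA-256 of the empty string, used as placeholders. The File.Malicious sub-object follows XSOAR's standard context convention and is an assumption here.

```python
"""Map xdr-get-incident-extra-data output to XSOAR standard context entries (added example)."""
import ntpath

MD5_EMPTY = "d41d8cd98f00b204e9800998ecf8427e"
SHA256_EMPTY = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

# Constructed payload, modelled on the page's Context Example for incident 4.
SAMPLE_EXTRA_DATA = {
    "incident_id": "4",
    "alerts": [
        {"alert_id": "6", "host_name": "WS-01", "user_name": "alice",
         "host_ip_list": ["10.0.0.5"], "action_local_ip": "10.0.0.5",
         "action_remote_ip": "2.2.2.2", "action_external_hostname": "evil.example",
         "actor_process_image_name": "powershell.exe",
         "actor_process_command_line": "powershell.exe -nop -w hidden -enc SQBFAFgA",
         "actor_process_signature_status": "N/A",
         "action_process_image_name": "inv.exe", "action_process_image_command_line": "inv.exe",
         "action_process_image_sha256": SHA256_EMPTY,
         "action_file_path": "C:\\Users\\alice\\Downloads\\inv.exe",
         "action_file_md5": MD5_EMPTY, "action_file_sha256": SHA256_EMPTY},
        {"alert_id": "7", "host_name": None, "user_name": None, "host_ip_list": [],
         "action_local_ip": None, "action_remote_ip": "2.2.2.2", "action_external_hostname": None,
         "actor_process_image_name": None, "actor_process_command_line": None,
         "action_process_image_name": None, "action_file_path": None,
         "action_file_md5": None, "action_file_sha256": None},
    ],
    "network_artifacts": [
        {"type": "IP", "network_remote_ip": "2.2.2.2", "network_remote_port": 8000,
         "network_country": "NL", "network_domain": None, "is_manual": False, "alert_count": 2},
        {"type": "DOMAIN", "network_remote_ip": None, "network_domain": "evil.example",
         "network_country": None, "is_manual": False, "alert_count": 1},
    ],
    "file_artifacts": [
        {"type": "HASH", "file_name": "inv.exe", "file_sha256": SHA256_EMPTY,
         "file_wildfire_verdict": "MALWARE", "is_malicious": True, "is_process": True,
         "file_signature_status": "SIGNATURE_UNSIGNED", "alert_count": 1, "is_manual": False},
    ],
}

EMPTY = (None, "", [], "N/A")


def _merge(bucket, key, entry):
    """Merge the non-empty parts of `entry` into bucket[key]; the first value seen for a key wins."""
    if key in EMPTY:
        return
    entry = {k: v for k, v in entry.items() if v not in EMPTY}
    if not entry:
        return
    current = bucket.setdefault(key, {})
    for k, v in entry.items():
        current.setdefault(k, v)


def extract_standard_context(extra):
    accounts, endpoints, files, procs, ips, domains = {}, {}, {}, {}, {}, {}
    for a in extra.get("alerts") or []:
        _merge(accounts, a.get("user_name"), {"Username": a.get("user_name")})
        _merge(endpoints, a.get("host_name"), {"Hostname": a.get("host_name")})
        for ip in (a.get("host_ip_list") or []) + [a.get("action_local_ip"), a.get("action_remote_ip")]:
            _merge(ips, ip, {"Address": ip})
        _merge(domains, a.get("action_external_hostname"), {"Name": a.get("action_external_hostname")})
        path, sha = a.get("action_file_path"), a.get("action_file_sha256")
        _merge(files, sha or path, {"Path": path, "Name": ntpath.basename(path) if path else None,
                                    "MD5": a.get("action_file_md5"), "SHA256": sha})
        # XDR names the command-line field differently for the three process roles.
        for prefix in ("actor_process", "causality_actor_process", "action_process"):
            name = a.get(f"{prefix}_image_name")
            cmd = a.get(f"{prefix}_command_line") or a.get(f"{prefix}_image_command_line")
            _merge(procs, name, {"Name": name, "CommandLine": cmd, "SHA256": a.get(f"{prefix}_image_sha256")})
    for art in extra.get("network_artifacts") or []:
        if art.get("type") == "IP":
            geo = {"Country": art["network_country"]} if art.get("network_country") else None
            _merge(ips, art.get("network_remote_ip"), {"Address": art.get("network_remote_ip"), "Geo": geo})
        elif art.get("type") == "DOMAIN":
            _merge(domains, art.get("network_domain"), {"Name": art.get("network_domain")})
    for art in extra.get("file_artifacts") or []:
        sha = art.get("file_sha256")
        malicious = ({"Vendor": "WildFire", "Description": art.get("file_wildfire_verdict")}
                     if art.get("is_malicious") else None)
        _merge(files, sha or art.get("file_name"),
               {"Name": art.get("file_name"), "SHA256": sha, "Malicious": malicious})
    return {"Account": list(accounts.values()), "Endpoint": list(endpoints.values()),
            "File": list(files.values()), "Process": list(procs.values()),
            "IP": list(ips.values()), "Domain": list(domains.values())}


if __name__ == "__main__":
    import json
    print(json.dumps(extract_standard_context(SAMPLE_EXTRA_DATA), indent=2))
```

Keying files on SHA-256 rather than on name or path is what lets the alert's path/MD5 and the artifact's WildFire verdict land in the same File entry; an entry keyed on name alone would merge unrelated binaries that share a filename.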
Command Example#

!xdr-get-incident-extra-data incident_id=4 alerts_limit=10

Context Example#
{
"Account": {
"Username": [
null
]
},
"Endpoint": {
"Hostname": [
null
]
},
"PaloAltoNetworksXDR.Incident": {
"host_count": 1,
"manual_severity": "medium",
"xdr_url": "https://some.xdr.url.com/incident-view/4",
"assigned_user_pretty_name": null,
"alert_count": 5,
"med_severity_alert_count": 1,
"detection_time": null,
"user_count": 1,
"severity": "medium",
"alerts": [
{
"action_process_signature_status": "N/A",
"action_pretty": [
"VALUE_NA",
"N/A"
],
"event_type": "Network Event",
"alert_id": "6",
"action_file_sha256": null,
"action_external_hostname": null,
"causality_actor_process_command_line": null,
"description": "Test - alert generated by Test XDR Playbook",
"category": null,
"severity": "medium",
"source": "Cisco - Sandblast",
"action_remote_port": 8000,
"causality_actor_process_signature_status": "N/A",
"fw_app_id": null,
"is_whitelisted": "No",
"action_local_ip": "196.168.0.1",
"action_registry_data": null,
"action_process_image_sha256": null,
"user_name": null,
"action_remote_ip": "2.2.2.2",
"action_process_signature_vendor": "N/A",
"actor_process_signature_status": "N/A",
"name": "Test - alert generated by Test XDR Playbook",
"causality_actor_causality_id": null,
"host_ip": null,
"host_ip_list": [],
"action_process_image_name": null,
"detection_timestamp": 1577276586921,
"action_file_md5": null,
"causality_actor_process_image_name": null,
"action_file_path": null,
"action_process_image_command_line": null,
"action_local_port": 7000,
"actor_process_image_name": null,
"action_registry_full_key": null,
"actor_process_signature_vendor": "N/A",
"actor_process_command_line": null,
"host_name": null,
"action": [
"VALUE_NA",
"N/A"
],
"starred": false,
"causality_actor_process_signature_vendor": "N/A"
},
{
"action_process_signature_status": "N/A",
"action_pretty": [
"VALUE_NA",
"N/A"
],
"event_type": "Network Event",
"alert_id": "7",
"action_file_sha256": null,
"action_external_hostname": null,
"causality_actor_process_command_line": null,
"description": "This alert from content TestXDRPlaybook description",
"category": null,
"severity": "high",
"source": "Checkpoint - SandBlast",
"action_remote_port": 6000,
"causality_actor_process_signature_status": "N/A",
"fw_app_id": null,
"is_whitelisted": "No",
"action_local_ip": "196.168.0.111",
"action_registry_data": null,
"action_process_image_sha256": null,
"user_name": null,
"action_remote_ip": "2.2.2.2",
"action_process_signature_vendor": "N/A",
"actor_process_signature_status": "N/A",
"name": "This alert from content TestXDRPlaybook",
"causality_actor_causality_id": null,
"host_ip": null,
"host_ip_list": [],
"action_process_image_name": null,
"detection_timestamp": 1577776701589,
"action_file_md5": null,
"causality_actor_process_image_name": null,
"action_file_path": null,
"action_process_image_command_line": null,
"action_local_port": 2000,
"actor_process_image_name": null,
"action_registry_full_key": null,
"actor_process_signature_vendor": "N/A",
"actor_process_command_line": null,
"host_name": null,
"action": [
"VALUE_NA",
"N/A"
],
"starred": false,
"causality_actor_process_signature_vendor": "N/A"
},
{
"action_process_signature_status": "N/A",
"action_pretty": [
"VALUE_NA",
"N/A"
],
"event_type": "Network Event",
"alert_id": "8",
"action_file_sha256": null,
"action_external_hostname": null,
"causality_actor_process_command_line": null,
"description": "This alert from content TestXDRPlaybook description",
"category": null,
"severity": "high",
"source": "Checkpoint - SandBlast",
"action_remote_port": 6000,
"causality_actor_process_signature_status": "N/A",
"fw_app_id": null,
"is_whitelisted": "No",
"action_local_ip": "196.168.0.111",
"action_registry_data": null,
"action_process_image_sha256": null,
"user_name": null,
"action_remote_ip": "2.2.2.2",
"action_process_signature_vendor": "N/A",
"actor_process_signature_status": "N/A",
"name": "This alert from content TestXDRPlaybook",
"causality_actor_causality_id": null,
"host_ip": null,
"host_ip_list": [],
"action_process_image_name": null,
"detection_timestamp": 1577958479843,
"action_file_md5": null,
"causality_actor_process_image_name": null,
"action_file_path": null,
"action_process_image_command_line": null,
"action_local_port": 2000,
"actor_process_image_name": null,
"action_registry_full_key": null,
"actor_process_signature_vendor": "N/A",
"actor_process_command_line": null,
"host_name": null,
"action": [
"VALUE_NA",
"N/A"
],
"starred": false,
"causality_actor_process_signature_vendor": "N/A"
},
{
"action_process_signature_status": "N/A",
"action_pretty": [
"VALUE_NA",
"N/A"
],
"event_type": "Network Event",
"alert_id": "9",
"action_file_sha256": null,
"action_external_hostname": null,
"causality_actor_process_command_line": null,
"description": "This alert from content TestXDRPlaybook description",
"category": null,
"severity": "high",
"source": "Checkpoint - SandBlast",
"action_remote_port": 6000,
"causality_actor_process_signature_status": "N/A",
"fw_app_id": null,
"is_whitelisted": "No",
"action_local_ip": "196.168.0.111",
"action_registry_data": null,
"action_process_image_sha256": null,
"user_name": null,
"action_remote_ip": "2.2.2.2",
"action_process_signature_vendor": "N/A",
"actor_process_signature_status": "N/A",
"name": "This alert from content TestXDRPlaybook",
"causality_actor_causality_id": null,
"host_ip": null,
"host_ip_list": [],
"action_process_image_name": null,
"detection_timestamp": 1578123895414,
"action_file_md5": null,
"causality_actor_process_image_name": null,
"action_file_path": null,
"action_process_image_command_line": null,
"action_local_port": 2000,
"actor_process_image_name": null,
"action_registry_full_key": null,
"actor_process_signature_vendor": "N/A",
"actor_process_command_line": null,
"host_name": null,
"action": [
"VALUE_NA",
"N/A"
],
"starred": false,
"causality_actor_process_signature_vendor": "N/A"
},
{
"action_process_signature_status": "N/A",
"action_pretty": [
"VALUE_NA",
"N/A"
],
"event_type": "Network Event",
"alert_id": "10",
"action_file_sha256": null,
"action_external_hostname": null,
"causality_actor_process_command_line": null,
"description": "This alert from content TestXDRPlaybook description",
"category": null,
"severity": "high",
"source": "Checkpoint - SandBlast",
"action_remote_port": 6000,
"causality_actor_process_signature_status": "N/A",
"fw_app_id": null,
"is_whitelisted": "No",
"action_local_ip": "196.168.0.111",
"action_registry_data": null,
"action_process_image_sha256": null,
"user_name": null,
"action_remote_ip": "2.2.2.2",
"action_process_signature_vendor": "N/A",
"actor_process_signature_status": "N/A",
"name": "This alert from content TestXDRPlaybook",
"causality_actor_causality_id": null,
"host_ip": null,
"host_ip_list": [],
"action_process_image_name": null,
"detection_timestamp": 1578927443615,
"action_file_md5": null,
"causality_actor_process_image_name": null,
"action_file_path": null,
"action_process_image_command_line": null,
"action_local_port": 2000,
"actor_process_image_name": null,
"action_registry_full_key": null,
"actor_process_signature_vendor": "N/A",
"actor_process_command_line": null,
"host_name": null,
"action": [
"VALUE_NA",
"N/A"
],
"starred": false,
"causality_actor_process_signature_vendor": "N/A"
}
],
"low_severity_alert_count": 0,
"status": "new",
"description": "5 'This alert from content TestXDRPlaybook' alerts detected by Checkpoint - SandBlast ",
"resolve_comment": "This issue was solved in Incident number 192304",
"creation_time": 1577276587937,
"modification_time": 1579290004178,
"network_artifacts": [
{
"network_remote_port": 8000,
"alert_count": 5,
"network_remote_ip": "2.2.2.2",
"is_manual": false,
"network_domain": null,
"type": "IP",
"network_country": null
}
],
"file_artifacts": [],
"manual_description": null,
"incident_id": "4",
"notes": null,
"assigned_user_mail": null,
"starred": false,
"high_severity_alert_count": 4
}
}
Human Readable Output#

Incident 4#

| alert_count | assigned_user_mail | assigned_user_pretty_name | creation_time | description | detection_time | high_severity_alert_count | host_count | incident_id | low_severity_alert_count | manual_description | manual_severity | med_severity_alert_count | modification_time | notes | resolve_comment | severity | starred | status | user_count | xdr_url |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 5 |  |  | 1577276587937 | 5 'This alert from content TestXDRPlaybook' alerts detected by Checkpoint - SandBlast |  | 4 | 1 | 4 | 0 |  | medium | 1 | 1579290004178 |  | This issue was solved in Incident number 192304 | medium | false | new | 1 | https://some.xdr.url.com/incident-view/4 |

Alerts#

| action | action_external_hostname | action_file_md5 | action_file_path | action_file_sha256 | action_local_ip | action_local_port | action_pretty | action_process_image_command_line | action_process_image_name | action_process_image_sha256 | action_process_signature_status | action_process_signature_vendor | action_registry_data | action_registry_full_key | action_remote_ip | action_remote_port | actor_process_command_line | actor_process_image_name | actor_process_signature_status | actor_process_signature_vendor | alert_id | category | causality_actor_causality_id | causality_actor_process_command_line | causality_actor_process_image_name | causality_actor_process_signature_status | causality_actor_process_signature_vendor | description | detection_timestamp | event_type | fw_app_id | host_ip_list | host_name | is_whitelisted | name | severity | source | starred | user_name |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| VALUE_NA, N/A |  |  |  |  | 196.168.0.1 | 7000 | VALUE_NA, N/A |  |  |  | N/A | N/A |  |  | 2.2.2.2 | 8000 |  |  | N/A | N/A | 6 |  |  |  |  | N/A | N/A | Test - alert generated by Test XDR Playbook | 1577276586921 | Network Event |  |  |  | No | Test - alert generated by Test XDR Playbook | medium | Cisco - Sandblast | false |  |
| VALUE_NA, N/A |  |  |  |  | 196.168.0.111 | 2000 | VALUE_NA, N/A |  |  |  | N/A | N/A |  |  | 2.2.2.2 | 6000 |  |  | N/A | N/A | 7 |  |  |  |  | N/A | N/A | This alert from content TestXDRPlaybook description | 1577776701589 | Network Event |  |  |  | No | This alert from content TestXDRPlaybook | high | Checkpoint - SandBlast | false |  |
| VALUE_NA, N/A |  |  |  |  | 196.168.0.111 | 2000 | VALUE_NA, N/A |  |  |  | N/A | N/A |  |  | 2.2.2.2 | 6000 |  |  | N/A | N/A | 8 |  |  |  |  | N/A | N/A | This alert from content TestXDRPlaybook description | 1577958479843 | Network Event |  |  |  | No | This alert from content TestXDRPlaybook | high | Checkpoint - SandBlast | false |  |
| VALUE_NA, N/A |  |  |  |  | 196.168.0.111 | 2000 | VALUE_NA, N/A |  |  |  | N/A | N/A |  |  | 2.2.2.2 | 6000 |  |  | N/A | N/A | 9 |  |  |  |  | N/A | N/A | This alert from content TestXDRPlaybook description | 1578123895414 | Network Event |  |  |  | No | This alert from content TestXDRPlaybook | high | Checkpoint - SandBlast | false |  |
| VALUE_NA, N/A |  |  |  |  | 196.168.0.111 | 2000 | VALUE_NA, N/A |  |  |  | N/A | N/A |  |  | 2.2.2.2 | 6000 |  |  | N/A | N/A | 10 |  |  |  |  | N/A | N/A | This alert from content TestXDRPlaybook description | 1578927443615 | Network Event |  |  |  | No | This alert from content TestXDRPlaybook | high | Checkpoint - SandBlast | false |  |

Network Artifacts#

| alert_count | is_manual | network_country | network_domain | network_remote_ip | network_remote_port | type |
|---|---|---|---|---|---|---|
| 5 | false |  |  | 2.2.2.2 | 8000 | IP |

File Artifacts#

No entries.

3. xdr-update-incident#


Updates one or more fields of a specified incident. Missing fields will be ignored. To remove the assignment for an incident, pass a null value in assignee email argument.

Base Command#

xdr-update-incident

Input#
| Argument Name | Description | Required |
|---|---|---|
| incident_id | XDR incident ID. You can get the incident ID from the output of the 'xdr-get-incidents' command or the 'xdr-get-incident-extra-details' command. | Required |
| manual_severity | Severity to assign to the incident (LOW, MEDIUM, or HIGH). | Optional |
| assigned_user_mail | Email address of the user assigned to the incident. | Optional |
| assigned_user_pretty_name | Full name of the user assigned to the incident. | Optional |
| status | Status of the incident (NEW, UNDER_INVESTIGATION, RESOLVED_THREAT_HANDLED, RESOLVED_KNOWN_ISSUE, RESOLVED_DUPLICATE, RESOLVED_FALSE_POSITIVE, RESOLVED_OTHER). | Optional |
| resolve_comment | Comment explaining why the incident was resolved. This should be set when the incident is resolved. | Optional |
| unassign_user | If true, removes all assigned users from the incident. | Optional |
Context Output#

There is no context output for this command.

Command Example#

!xdr-update-incident incident_id="4" status="RESOLVED_KNOWN_ISSUE" resolve_comment="This issue was solved in Incident number 192304"

Human Readable Output#

Incident 4 has been updated

4. xdr-insert-parsed-alert#


Uploads alerts from external alert sources in Cortex XDR format. Cortex XDR displays alerts that are parsed successfully in related incidents and views. You can send 600 alerts per minute. Each request can contain a maximum of 60 alerts.

Base Command#

xdr-insert-parsed-alert

Input#
| Argument Name | Description | Required |
|---|---|---|
| product | String value that defines the product. | Required |
| vendor | String value that defines the vendor. | Required |
| local_ip | String value for the source IP address. | Optional |
| local_port | Integer value for the source port. | Required |
| remote_ip | String value of the destination IP address. | Required |
| remote_port | Integer value for the destination port. | Required |
| event_timestamp | Integer value representing the epoch of the time the alert occurred in milliseconds, or String value of date format 2019-10-23T10:00:00. If not set, the event time will be defined as now. | Optional |
| severity | String value of alert severity: Informational, Low, Medium or High. | Optional |
| alert_name | String defining the alert name. | Required |
| alert_description | String defining the alert description. | Optional |
Context Output#

There is no context output for this command.

Command Example#

!xdr-insert-parsed-alert product="SandBlast" vendor="Checkpoint" local_ip="196.168.0.1" local_port="600" remote_ip="5.5.5.5" remote_port="500" event_timestamp="2020-01-01T00:00:00" severity="High" alert_name="some alert" alert_description="this is test alert"

Human Readable Output#

Alert inserted successfully

5. xdr-insert-cef-alerts#


Upload alerts in CEF format from external alert sources. After you map CEF alert fields to Cortex XDR fields, Cortex XDR displays the alerts in related incidents and views. You can send 600 requests per minute. Each request can contain a maximum of 60 alerts.

Base Command#

xdr-insert-cef-alerts

Input#
| Argument Name | Description | Required |
|---|---|---|
| cef_alerts | List of alerts in CEF format. | Required |
Context Output#

There is no context output for this command.

Command Example#

!xdr-insert-cef-alerts cef_alerts="CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|microsoft-ds|Unknown|act=Accept deviceDirection=0 rt=1569477512000 spt=56957 dpt=445 cs2Label=Rule Name cs2=ADPrimery layer_name=FW_Device_blackened Security layer_uuid=07693fc7-1a5c-4f31-8afe-77ae96c71b8c match_id=1806 parent_rule=0 rule_action=Accept rule_uid=8e45f36b-d106-4d81-a1f0-9d1ed9a6be5c ifname=bond2 logid=0 loguid={0x5d8c5388,0x61,0x29321fac,0xc0000022} origin=1.1.1.1 originsicname=CN=DWdeviceBlackend,O=Blackend sequencenum=363 version=5 dst=1.1.1.1 inzone=External outzone=Internal product=VPN-1 & FireWall-1 proto=6 service_id=microsoft-ds src=1.1.1.1"

Human Readable Output#

Alerts inserted successfully
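As an added example (not code from the integration), the following Python parses a CEF record such as the one in the command example into its header and extension fields, so malformed records can be rejected before they are sent, and groups records into batches of at most 60 per request, the limit stated above. The sample record is constructed from the command example with the spaces between extension fields restored.

```python
"""Validate CEF records and split them into request-sized batches
before handing them to xdr-insert-cef-alerts (added example)."""
import re
from typing import Dict, List

# Constructed sample: the CEF record from the command example, with the
# spaces between extension fields restored.
SAMPLE_CEF = (
    "CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|microsoft-ds|Unknown|"
    "act=Accept deviceDirection=0 rt=1569477512000 spt=56957 dpt=445 "
    "cs2Label=Rule Name cs2=ADPrimery layer_name=FW_Device_blackened Security "
    "layer_uuid=07693fc7-1a5c-4f31-8afe-77ae96c71b8c match_id=1806 parent_rule=0 "
    "rule_action=Accept rule_uid=8e45f36b-d106-4d81-a1f0-9d1ed9a6be5c ifname=bond2 "
    "logid=0 loguid={0x5d8c5388,0x61,0x29321fac,0xc0000022} origin=1.1.1.1 "
    "originsicname=CN=DWdeviceBlackend,O=Blackend sequencenum=363 version=5 "
    "dst=1.1.1.1 inzone=External outzone=Internal product=VPN-1 & FireWall-1 "
    "proto=6 service_id=microsoft-ds src=1.1.1.1"
)

HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")
MAX_ALERTS_PER_REQUEST = 60  # limit stated on the page

# A pipe preceded by a backslash is part of a header value, not a separator.
_UNESCAPED_PIPE = re.compile(r"(?<!\\)\|")
# Extension values may contain spaces ("Rule Name"), so split only where
# whitespace is followed by the next key= token.
_EXTENSION_BOUNDARY = re.compile(r"\s+(?=[A-Za-z0-9_.]+=)")


def parse_cef(record: str) -> Dict[str, Dict[str, str]]:
    """Split one CEF record into its seven header fields and its extension."""
    parts = _UNESCAPED_PIPE.split(record, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("malformed CEF record: expected 'CEF:<version>' and 7 header pipes")
    header = {name: val.replace("\\|", "|").replace("\\\\", "\\")
              for name, val in zip(HEADER_FIELDS, parts[:7])}
    header["version"] = header["version"][len("CEF:"):]
    extension: Dict[str, str] = {}
    for token in _EXTENSION_BOUNDARY.split(parts[7].strip()):
        if not token:
            continue
        key, sep, value = token.partition("=")
        if not sep:
            raise ValueError(f"extension token without '=': {token!r}")
        extension[key] = value.replace("\\=", "=").replace("\\\\", "\\")
    return {"header": header, "extension": extension}


def batch_for_insert(records: List[str]) -> List[List[str]]:
    """Reject malformed records up front, then group the rest into batches
    that respect the 60-alerts-per-request limit from the page."""
    for record in records:
        parse_cef(record)  # raises ValueError on a malformed record
    return [records[i:i + MAX_ALERTS_PER_REQUEST]
            for i in range(0, len(records), MAX_ALERTS_PER_REQUEST)]


if __name__ == "__main__":
    parsed = parse_cef(SAMPLE_CEF)
    print(parsed["header"]["device_product"], parsed["extension"]["dpt"])
    print([len(b) for b in batch_for_insert([SAMPLE_CEF] * 130)])
```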

6. xdr-isolate-endpoint#


Isolates the specified endpoint.

Base Command#

xdr-isolate-endpoint

Input#
| Argument Name | Description | Required |
|---|---|---|
| endpoint_id | The endpoint ID (string) to isolate. You can retrieve the string from the xdr-get-endpoints command. | Required |

Context Output#

| Path | Type | Description |
|---|---|---|
| PaloAltoNetworksXDR.Isolation.endpoint_id | String | The endpoint ID. |

Command Example#

!xdr-isolate-endpoint endpoint_id="f8a2f58846b542579c12090652e79f3d"

Human Readable Output#

Endpoint f8a2f58846b542579c12090652e79f3d has isolated successfully

7. xdr-unisolate-endpoint#


Reverses the isolation of an endpoint.

Base Command#

xdr-unisolate-endpoint

Input#
| Argument Name | Description | Required |
|---|---|---|
| endpoint_id | The endpoint ID (string) for which to reverse the isolation. You can retrieve it from the xdr-get-endpoints command. | Required |

Context Output#

| Path | Type | Description |
|---|---|---|
| PaloAltoNetworksXDR.UnIsolation.endpoint_id | String | The endpoint ID. |

Command Example#

!xdr-unisolate-endpoint endpoint_id="f8a2f58846b542579c12090652e79f3d"

Human Readable Output#

Endpoint f8a2f58846b542579c12090652e79f3d already unisolated

8. xdr-get-endpoints#


Gets a list of endpoints matching the passed filters. Multiple filters are combined with an AND condition (OR is not supported). The maximum result set size is 100. The offset is the zero-based position of the first endpoint to return within the result set (counting starts at 0).

Base Command#

xdr-get-endpoints

Input#
| Argument Name | Description | Required |
|---|---|---|
| endpoint_id_list | A comma-separated list of endpoint IDs. | Optional |
| dist_name | A comma-separated list of distribution package names or installation package names. Example: dist_name1,dist_name2 | Optional |
| ip_list | A comma-separated list of IP addresses. Example: 8.8.8.8,1.1.1.1 | Optional |
| group_name | The group name to which the agent belongs. Example: group_name1,group_name2 | Optional |
| platform | The endpoint platform. Can be "windows", "linux", "macos", or "android". | Optional |
| alias_name | A comma-separated list of alias names. Example: alias_name1,alias_name2 | Optional |
| isolate | Specifies whether the endpoint was isolated or unisolated. Can be "isolated" or "unisolated". | Optional |
| hostname | A comma-separated list of hostnames. Example: hostname1,hostname2 | Optional |
| first_seen_gte | All the agents that were first seen after {first_seen_gte}. Supported values: 1579039377301 (time in milliseconds), "3 days" (relative date), "2019-10-21T23:45:00" (date). | Optional |
| first_seen_lte | All the agents that were first seen before {first_seen_lte}. Supported values: 1579039377301 (time in milliseconds), "3 days" (relative date), "2019-10-21T23:45:00" (date). | Optional |
| last_seen_gte | All the agents that were last seen after {last_seen_gte}. Supported values: 1579039377301 (time in milliseconds), "3 days" (relative date), "2019-10-21T23:45:00" (date). | Optional |
| last_seen_lte | All the agents that were last seen before {last_seen_lte}. Supported values: 1579039377301 (time in milliseconds), "3 days" (relative date), "2019-10-21T23:45:00" (date). | Optional |
| page | Page number (for pagination). The default is 0 (the first page). | Optional |
| limit | Maximum number of endpoints to return per page. The default and maximum is 30. | Optional |
| sort_by | Specifies whether to sort endpoints by the first time or last time they were seen. Can be "first_seen" or "last_seen". | Optional |
| sort_order | The order by which to sort results. Can be "asc" (ascending) or "desc" (descending). Default is "asc". | Optional |
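An added example, not the integration's own code: it maps the three supported time-filter forms (epoch milliseconds, a relative value such as "3 days", an ISO date) to epoch milliseconds and applies the AND, sort and page/limit semantics described above to a constructed endpoint list shaped like the context example. It assumes a 30-day month for relative values and AGENT_ISOLATED as the isolated counterpart of AGENT_UNISOLATED; the same time-value forms are accepted by the timestamp_gte/timestamp_lte arguments of the audit commands further down.

```python
"""Normalise xdr-get-endpoints time filters and apply its filter semantics
locally (added example, not part of the integration)."""
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Union

# Constructed sample in the shape of PaloAltoNetworksXDR.Endpoint from the
# page's context example (only the fields this example needs).
SAMPLE_ENDPOINTS: List[Dict[str, object]] = [
    {"endpoint_id": "ea303670c76e4ad09600c8b346f7c804", "endpoint_name": "aaaaa.compute.internal",
     "is_isolated": "AGENT_UNISOLATED", "first_seen": 1575795969644, "last_seen": 1579290023629},
    {"endpoint_id": "f8a2f58846b542579c12090652e79f3d", "endpoint_name": "EC2AMAZ-P7PPOI4",
     "is_isolated": "AGENT_UNISOLATED", "first_seen": 1575796381739, "last_seen": 1579289957412},
]
# Fixed "now" so the relative-date results are reproducible (constructed).
EXAMPLE_NOW = datetime(2020, 1, 18, tzinfo=timezone.utc)

# Assumption: relative values count back from now and a month is 30 days.
_UNIT_SECONDS = {"minute": 60, "hour": 3600, "day": 86400,
                 "week": 7 * 86400, "month": 30 * 86400}
_RELATIVE = re.compile(r"^(\d+)\s*(minute|hour|day|week|month)s?(?:\s+ago)?$", re.I)
# Assumption: the isolated counterpart of AGENT_UNISOLATED is AGENT_ISOLATED.
_ISOLATE_VALUES = {"isolated": "AGENT_ISOLATED", "unisolated": "AGENT_UNISOLATED"}
MAX_LIMIT = 30  # the page: "The default and maximum is 30"


def to_epoch_ms(value: Union[int, str], now: datetime) -> int:
    """Accept the three forms listed on the page: epoch milliseconds, a
    relative value such as "3 days", or an ISO date such as
    "2019-10-21T23:45:00" (naive ISO values are taken as UTC)."""
    if isinstance(value, int):
        return value
    text = value.strip()
    if text.isdigit():
        return int(text)
    match = _RELATIVE.match(text)
    if match:
        seconds = int(match.group(1)) * _UNIT_SECONDS[match.group(2).lower()]
        return int((now - timedelta(seconds=seconds)).timestamp() * 1000)
    parsed = datetime.fromisoformat(text)
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return int(parsed.timestamp() * 1000)


def filter_endpoints(endpoints: List[Dict[str, object]], now: datetime,
                     isolate: Optional[str] = None,
                     first_seen_gte=None, first_seen_lte=None,
                     last_seen_gte=None, last_seen_lte=None,
                     page: int = 0, limit: int = MAX_LIMIT,
                     sort_by: str = "first_seen", sort_order: str = "asc"):
    """Every supplied filter must match (AND, as the page states; no OR),
    then the matches are sorted and the requested page is returned."""
    if not 1 <= limit <= MAX_LIMIT:
        raise ValueError(f"limit must be between 1 and {MAX_LIMIT}")
    if sort_by not in ("first_seen", "last_seen") or sort_order not in ("asc", "desc"):
        raise ValueError("unsupported sort_by/sort_order")
    if isolate is not None and isolate not in _ISOLATE_VALUES:
        raise ValueError('isolate must be "isolated" or "unisolated"')
    # (field, lower bound, upper bound); a bound of None means "not given"
    bounds = [("first_seen", first_seen_gte, first_seen_lte),
              ("last_seen", last_seen_gte, last_seen_lte)]
    wanted_isolation = _ISOLATE_VALUES[isolate] if isolate else None

    def matches(ep: Dict[str, object]) -> bool:
        if wanted_isolation and ep["is_isolated"] != wanted_isolation:
            return False
        for field, low, high in bounds:
            if low is not None and ep[field] < to_epoch_ms(low, now):
                return False
            if high is not None and ep[field] > to_epoch_ms(high, now):
                return False
        return True

    selected = sorted((ep for ep in endpoints if matches(ep)),
                      key=lambda ep: ep[sort_by], reverse=(sort_order == "desc"))
    start = page * limit
    return selected[start:start + limit]


if __name__ == "__main__":
    # Mirrors the command example: unisolated agents first seen in the last 3 months.
    for ep in filter_endpoints(SAMPLE_ENDPOINTS, EXAMPLE_NOW,
                               isolate="unisolated", first_seen_gte="3 month"):
        print(ep["endpoint_id"], ep["endpoint_name"])
```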

Context Output#

| Path | Type | Description |
|---|---|---|
| PaloAltoNetworksXDR.Endpoint.endpoint_id | String | The endpoint ID. |
| PaloAltoNetworksXDR.Endpoint.endpoint_name | String | The endpoint name. |
| PaloAltoNetworksXDR.Endpoint.endpoint_type | String | The endpoint type. |
| PaloAltoNetworksXDR.Endpoint.endpoint_status | String | The status of the endpoint. |
| PaloAltoNetworksXDR.Endpoint.os_type | String | The endpoint OS type. |
| PaloAltoNetworksXDR.Endpoint.ip | Unknown | A list of IP addresses. |
| PaloAltoNetworksXDR.Endpoint.users | Unknown | A list of users. |
| PaloAltoNetworksXDR.Endpoint.domain | String | The endpoint domain. |
| PaloAltoNetworksXDR.Endpoint.alias | String | The endpoint's aliases. |
| PaloAltoNetworksXDR.Endpoint.first_seen | Unknown | First seen date/time in Epoch (milliseconds). |
| PaloAltoNetworksXDR.Endpoint.last_seen | Date | Last seen date/time in Epoch (milliseconds). |
| PaloAltoNetworksXDR.Endpoint.content_version | String | Content version. |
| PaloAltoNetworksXDR.Endpoint.installation_package | String | Installation package. |
| PaloAltoNetworksXDR.Endpoint.active_directory | String | Active directory. |
| PaloAltoNetworksXDR.Endpoint.install_date | Date | Install date in Epoch (milliseconds). |
| PaloAltoNetworksXDR.Endpoint.endpoint_version | String | Endpoint version. |
| PaloAltoNetworksXDR.Endpoint.is_isolated | String | Whether the endpoint is isolated. |
| PaloAltoNetworksXDR.Endpoint.group_name | String | The name of the group to which the endpoint belongs. |
| Endpoint.Hostname | String | The hostname that is mapped to this endpoint. |
| Endpoint.ID | String | The unique ID within the tool retrieving the endpoint. |
| Endpoint.IPAddress | String | The IP address of the endpoint. |
| Endpoint.Domain | String | The domain of the endpoint. |
| Endpoint.OS | String | The endpoint's operating system. |
| Account.Username | String | The username in the relevant system. |
| Account.Domain | String | The domain of the account. |
| Endpoint.Status | String | The endpoint's status. |
| Endpoint.IsIsolated | String | The endpoint's isolation status. |
| Endpoint.MACAddress | String | The endpoint's MAC address. |
| Endpoint.Vendor | String | The integration name of the endpoint vendor. |

Command Example#

!xdr-get-endpoints isolate="unisolated" first_seen_gte="3 month" page="0" limit="30" sort_order="asc"

Context Example#
{
"Endpoint": [
{
"Domain": "WORKGROUP",
"Hostname": "aaaaa.compute.internal",
"ID": "ea303670c76e4ad09600c8b346f7c804",
"IPAddress": [
"172.31.11.11"
],
"OS": "Windows",
"Status" : "Online",
"IsIsolated" : "No",
"Vendor": "Cortex XDR - IR"
},
{
"Domain": "WORKGROUP",
"Hostname": "EC2AMAZ-P7PPOI4",
"ID": "f8a2f58846b542579c12090652e79f3d",
"IPAddress": [
"2.2.2.2"
],
"OS": "Windows",
"Status" : "Online",
"IsIsolated" : "No",
"Vendor": "Cortex XDR - IR"
}
],
"PaloAltoNetworksXDR.Endpoint": [
{
"domain": "",
"users": [
"ec2-user"
],
"endpoint_name": "aaaaa.compute.internal",
"ip": [
"172.31.11.11"
],
"install_date": 1575795969644,
"endpoint_version": "7.0.0.1915",
"group_name": null,
"installation_package": "linux",
"alias": "",
"active_directory": null,
"endpoint_status": "CONNECTED",
"os_type": "AGENT_OS_LINUX",
"endpoint_id": "ea303670c76e4ad09600c8b346f7c804",
"content_version": "111-17757",
"first_seen": 1575795969644,
"endpoint_type": "AGENT_TYPE_SERVER",
"is_isolated": "AGENT_UNISOLATED",
"last_seen": 1579290023629
},
{
"domain": "WORKGROUP",
"users": [
"Administrator"
],
"endpoint_name": "EC2AMAZ-P7PPOI4",
"ip": [
"2.2.2.2"
],
"install_date": 1575796381739,
"endpoint_version": "7.0.0.27797",
"group_name": null,
"installation_package": "Windows Server 2016",
"alias": "",
"active_directory": null,
"endpoint_status": "CONNECTED",
"os_type": "AGENT_OS_WINDOWS",
"endpoint_id": "f8a2f58846b542579c12090652e79f3d",
"content_version": "111-17757",
"first_seen": 1575796381739,
"endpoint_type": "AGENT_TYPE_SERVER",
"is_isolated": "AGENT_UNISOLATED",
"last_seen": 1579289957412
}
]
}
Human Readable Output#

Endpoints#

| active_directory | alias | content_version | domain | endpoint_id | endpoint_name | endpoint_status | endpoint_type | endpoint_version | first_seen | group_name | install_date | installation_package | ip | is_isolated | last_seen | os_type | users |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|  |  | 111-17757 |  | ea303670c76e4ad09600c8b346f7c804 | aaaaa.compute.internal | CONNECTED | AGENT_TYPE_SERVER | 7.0.0.1915 | 1575795969644 |  | 1575795969644 | linux | 172.31.11.11 | AGENT_UNISOLATED | 1579290023629 | AGENT_OS_LINUX | ec2-user |
|  |  | 111-17757 | WORKGROUP | f8a2f58846b542579c12090652e79f3d | EC2AMAZ-P7PPOI4 | CONNECTED | AGENT_TYPE_SERVER | 7.0.0.27797 | 1575796381739 |  | 1575796381739 | Windows Server 2016 | 2.2.2.2 | AGENT_UNISOLATED | 1579289957412 | AGENT_OS_WINDOWS | Administrator |

9. xdr-get-distribution-versions#


Gets a list of all the agent versions to use for creating a distribution list.

Base Command#

xdr-get-distribution-versions

Input#

There are no input arguments for this command.

Context Output#

| Path | Type | Description |
|---|---|---|
| PaloAltoNetworksXDR.DistributionVersions.windows | Unknown | A list of Windows agent versions. |
| PaloAltoNetworksXDR.DistributionVersions.linux | Unknown | A list of Linux agent versions. |
| PaloAltoNetworksXDR.DistributionVersions.macos | Unknown | A list of Mac agent versions. |

Command Example#

!xdr-get-distribution-versions

Context Example#
{
"PaloAltoNetworksXDR.DistributionVersions": {
"windows": [
"5.0.8.29673",
"5.0.9.30963",
"6.1.4.28751",
"7.0.0.28644"
],
"macos": [
"6.1.4.1681",
"7.0.0.1914"
],
"linux": [
"6.1.4.1680",
"7.0.0.1916"
]
}
}
Human Readable Output#

windows#

| versions |
|---|
| 5.0.8.29673 |
| 5.0.9.30963 |
| 6.1.4.28751 |
| 7.0.0.28644 |

linux#

| versions |
|---|
| 6.1.4.1680 |
| 7.0.0.1916 |

macos#

| versions |
|---|
| 6.1.4.1681 |
| 7.0.0.1914 |

10. xdr-create-distribution#


Creates an installation package. This is an asynchronous call that returns the distribution ID. This does not mean that the creation succeeded. To confirm that the package has been created, check the status of the distribution by running the Get Distribution Status API.

Base Command#

xdr-create-distribution

Input#
| Argument Name | Description | Required |
|---|---|---|
| name | A string representing the name of the installation package. | Required |
| platform | String. Valid values are: windows, linux, macos, android. | Required |
| package_type | A string representing the type of package to create. standalone - An installation for a new agent. upgrade - An upgrade of an agent from ESM. | Required |
| agent_version | The agent version returned from xdr-get-distribution-versions. Not required for the Android platform. | Required |
| description | Information about the package. | Optional |

Context Output#

| Path | Type | Description |
|---|---|---|
| PaloAltoNetworksXDR.Distribution.id | String | The installation package ID. |
| PaloAltoNetworksXDR.Distribution.name | String | The name of the installation package. |
| PaloAltoNetworksXDR.Distribution.platform | String | The installation OS. |
| PaloAltoNetworksXDR.Distribution.agent_version | String | Agent version. |
| PaloAltoNetworksXDR.Distribution.description | String | Information about the package. |

Command Example#

!xdr-create-distribution agent_version=6.1.4.1680 name="dist_1" package_type=standalone platform=linux description="some description"

Context Example#
{
"PaloAltoNetworksXDR.Distribution": {
"description": "some description",
"package_type": "standalone",
"platform": "linux",
"agent_version": "6.1.4.1680",
"id": "43aede7f846846fa92b50149663fbb25",
"name": "dist_1"
}
}
Human Readable Output#

Distribution 43aede7f846846fa92b50149663fbb25 created successfully

11. xdr-get-distribution-url#


Gets the distribution URL for downloading the installation package.

Base Command#

xdr-get-distribution-url

Input#
| Argument Name | Description | Required |
|---|---|---|
| distribution_id | The ID of the installation package. Copy the distribution_id from the "id" field on the Endpoints > Agent Installation page. | Required |
| package_type | The installation package type. Valid values are: upgrade, sh (Linux), rpm (Linux), deb (Linux), pkg (Mac), x86 (Windows), x64 (Windows). | Required |

Context Output#

| Path | Type | Description |
|---|---|---|
| PaloAltoNetworksXDR.Distribution.id | String | Distribution ID. |
| PaloAltoNetworksXDR.Distribution.url | String | URL for downloading the installation package. |

Command Example#

!xdr-get-distribution-url distribution_id=2c74c11b63074653aa01d575a82bf52a package_type=sh

Human Readable Output#

12. xdr-get-create-distribution-status#


Gets the status of the installation package.

Base Command#

xdr-get-create-distribution-status

Input#
| Argument Name | Description | Required |
|---|---|---|
| distribution_ids | A comma-separated list of distribution IDs to get the status of. | Required |

Context Output#

| Path | Type | Description |
|---|---|---|
| PaloAltoNetworksXDR.Distribution.id | String | Distribution ID. |
| PaloAltoNetworksXDR.Distribution.status | String | The status of the installation package. |

Command Example#

!xdr-get-create-distribution-status distribution_ids=2c74c11b63074653aa01d575a82bf52a

Context Example#
{
"PaloAltoNetworksXDR.Distribution": [
{
"status": "Completed",
"id": "2c74c11b63074653aa01d575a82bf52a"
}
]
}
Human Readable Output#

Distribution Status#

| id | status |
|---|---|
| 2c74c11b63074653aa01d575a82bf52a | Completed |

13. xdr-get-audit-management-logs#


Gets management logs. You can filter by multiple fields, which are combined with an AND condition (OR is not supported). The maximum result set size is 100. The offset is the zero-based position of the first log to return within the result set (counting starts at 0).

Base Command#

xdr-get-audit-management-logs

Input#
| Argument Name | Description | Required |
|---|---|---|
| email | User's email address. | Optional |
| type | The audit log type. | Optional |
| sub_type | The audit log subtype. | Optional |
| result | Result type. | Optional |
| timestamp_gte | Return logs for which the timestamp is after 'timestamp_gte'. Supported values: 1579039377301 (time in milliseconds), "3 days" (relative date), "2019-10-21T23:45:00" (date). | Optional |
| timestamp_lte | Return logs for which the timestamp is before 'timestamp_lte'. Supported values: 1579039377301 (time in milliseconds), "3 days" (relative date), "2019-10-21T23:45:00" (date). | Optional |
| page | Page number (for pagination). The default is 0 (the first page). | Optional |
| limit | Maximum number of audit logs to return per page. The default and maximum is 30. | Optional |
| sort_by | Specifies the field by which to sort the results. By default the sort is defined as creation-time and DESC. Can be "type", "sub_type", "result", or "timestamp". | Optional |
| sort_order | The sort order. Can be "asc" (ascending) or "desc" (descending). Default is "desc". | Optional |

Context Output#

| Path | Type | Description |
|---|---|---|
| PaloAltoNetworksXDR.AuditManagementLogs.AUDIT_ID | Number | Audit log ID. |
| PaloAltoNetworksXDR.AuditManagementLogs.AUDIT_OWNER_NAME | String | Audit owner name. |
| PaloAltoNetworksXDR.AuditManagementLogs.AUDIT_OWNER_EMAIL | String | Audit owner email address. |
| PaloAltoNetworksXDR.AuditManagementLogs.AUDIT_ASSET_JSON | String | Asset JSON. |
| PaloAltoNetworksXDR.AuditManagementLogs.AUDIT_ASSET_NAMES | String | Audit asset names. |
| PaloAltoNetworksXDR.AuditManagementLogs.AUDIT_HOSTNAME | String | Host name. |
| PaloAltoNetworksXDR.AuditManagementLogs.AUDIT_RESULT | String | Audit result. |
| PaloAltoNetworksXDR.AuditManagementLogs.AUDIT_REASON | String | Audit reason. |
| PaloAltoNetworksXDR.AuditManagementLogs.AUDIT_DESCRIPTION | String | Description of the audit. |
| PaloAltoNetworksXDR.AuditManagementLogs.AUDIT_ENTITY | String | Audit entity (e.g., AUTH, DISTRIBUTIONS). |
| PaloAltoNetworksXDR.AuditManagementLogs.AUDIT_ENTITY_SUBTYPE | String | Entity subtype (e.g., Login, Create). |
| PaloAltoNetworksXDR.AuditManagementLogs.AUDIT_CASE_ID | Number | Audit case ID. |
| PaloAltoNetworksXDR.AuditManagementLogs.AUDIT_INSERT_TIME | Date | Log's insert time. |

Command Example#

!xdr-get-audit-management-logs result=SUCCESS type=DISTRIBUTIONS limit=2 timestamp_gte="3 month"

Context Example#
{
"PaloAltoNetworksXDR.AuditManagementLogs": [
{
"AUDIT_OWNER_EMAIL": "",
"AUDIT_SESSION_ID": null,
"AUDIT_ID": 217,
"AUDIT_REASON": null,
"AUDIT_CASE_ID": null,
"AUDIT_DESCRIPTION": "Created a Linux Standalone installer installation package 'dist_1' with agent version 6.1.4.1680",
"AUDIT_INSERT_TIME": 1579287926547,
"AUDIT_ENTITY": "DISTRIBUTIONS",
"AUDIT_OWNER_NAME": "Public API - 1",
"AUDIT_ASSET_JSON": "{}",
"AUDIT_RESULT": "SUCCESS",
"AUDIT_ASSET_NAMES": "",
"AUDIT_HOSTNAME": null,
"AUDIT_ENTITY_SUBTYPE": "Create"
},
{
"AUDIT_OWNER_EMAIL": "",
"AUDIT_SESSION_ID": null,
"AUDIT_ID": 214,
"AUDIT_REASON": null,
"AUDIT_CASE_ID": null,
"AUDIT_DESCRIPTION": "Created a Linux Standalone installer installation package 'ddd' with agent version 6.1.4.1680",
"AUDIT_INSERT_TIME": 1579121478199,
"AUDIT_ENTITY": "DISTRIBUTIONS",
"AUDIT_OWNER_NAME": "Public API - 1",
"AUDIT_ASSET_JSON": "{}",
"AUDIT_RESULT": "SUCCESS",
"AUDIT_ASSET_NAMES": "",
"AUDIT_HOSTNAME": null,
"AUDIT_ENTITY_SUBTYPE": "Create"
}
]
}
Human Readable Output#

Audit Management Logs#

| AUDIT_ID | AUDIT_RESULT | AUDIT_DESCRIPTION | AUDIT_OWNER_NAME | AUDIT_OWNER_EMAIL | AUDIT_ASSET_JSON | AUDIT_ASSET_NAMES | AUDIT_HOSTNAME | AUDIT_REASON | AUDIT_ENTITY | AUDIT_ENTITY_SUBTYPE | AUDIT_SESSION_ID | AUDIT_CASE_ID | AUDIT_INSERT_TIME |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 217 | SUCCESS | Created a Linux Standalone installer installation package 'dist_1' with agent version 6.1.4.1680 | Public API - 1 |  | {} |  |  |  | DISTRIBUTIONS | Create |  |  | 1579287926547 |
| 214 | SUCCESS | Created a Linux Standalone installer installation package 'ddd' with agent version 6.1.4.1680 | Public API - 1 |  | {} |  |  |  | DISTRIBUTIONS | Create |  |  | 1579121478199 |

14. xdr-get-audit-agent-reports#


Gets agent event reports. You can filter by multiple fields, which are combined with an AND condition (OR is not supported). The maximum result set size is 100. The offset is the zero-based position of the first report to return within the result set (counting starts at 0).

Base Command#

xdr-get-audit-agent-reports

Input#
| Argument Name | Description | Required |
|---|---|---|
| endpoint_ids | A comma-separated list of endpoint IDs. | Optional |
| endpoint_names | A comma-separated list of endpoint names. | Optional |
| type | The report type. Can be "Installation", "Policy", "Action", "Agent Service", "Agent Modules", or "Agent Status". | Optional |
| sub_type | The report subtype. | Optional |
| result | The result type. Can be "Success" or "Fail". If not passed, returns all event reports. | Optional |
| timestamp_gte | Return logs whose timestamp is after 'timestamp_gte'. Supported values: 1579039377301 (time in milliseconds), "3 days" (relative date), "2019-10-21T23:45:00" (date). | Optional |
| timestamp_lte | Return logs whose timestamp is before 'timestamp_lte'. Supported values: 1579039377301 (time in milliseconds), "3 days" (relative date), "2019-10-21T23:45:00" (date). | Optional |
| page | Page number (for pagination). The default is 0 (the first page). | Optional |
| limit | The maximum number of reports to return. Default and maximum is 30. | Optional |
| sort_by | The field by which to sort results. Can be "type", "category", "trapsversion", "timestamp", or "domain". | Optional |
| sort_order | The sort order. Can be "asc" (ascending) or "desc" (descending). Default is "asc". | Optional |

Context Output#

| Path | Type | Description |
|---|---|---|
| PaloAltoNetworksXDR.AuditAgentReports.ENDPOINTID | String | Endpoint ID. |
| PaloAltoNetworksXDR.AuditAgentReports.ENDPOINTNAME | String | Endpoint name. |
| PaloAltoNetworksXDR.AuditAgentReports.DOMAIN | String | Agent domain. |
| PaloAltoNetworksXDR.AuditAgentReports.TRAPSVERSION | String | Traps version. |
| PaloAltoNetworksXDR.AuditAgentReports.RECEIVEDTIME | Date | Received time in Epoch time. |
| PaloAltoNetworksXDR.AuditAgentReports.TIMESTAMP | Date | Timestamp in Epoch time. |
| PaloAltoNetworksXDR.AuditAgentReports.CATEGORY | String | Report category (e.g., Audit). |
| PaloAltoNetworksXDR.AuditAgentReports.TYPE | String | Report type (e.g., Action, Policy). |
| PaloAltoNetworksXDR.AuditAgentReports.SUBTYPE | String | Report subtype (e.g., Fully Protected, Policy Update, Cancel Isolation). |
| PaloAltoNetworksXDR.AuditAgentReports.RESULT | String | Report result. |
| PaloAltoNetworksXDR.AuditAgentReports.REASON | String | Report reason. |
| PaloAltoNetworksXDR.AuditAgentReports.DESCRIPTION | String | Agent report description. |
| Endpoint.ID | String | The unique ID within the tool retrieving the endpoint. |
| Endpoint.Hostname | String | The hostname that is mapped to this endpoint. |
| Endpoint.Domain | String | The domain of the endpoint. |

Command Example#

!xdr-get-audit-agent-reports result=Success timestamp_gte="100 days" endpoint_ids=ea303670c76e4ad09600c8b346f7c804 type=Policy limit=2

Context Example#
{
"PaloAltoNetworksXDR.AuditAgentReports": [
{
"CATEGORY": "Audit",
"DOMAIN": "",
"DESCRIPTION": "XDR Agent policy updated on aaaaa.compute.internal",
"TIMESTAMP": 1579284369143.7048,
"RECEIVEDTIME": 1579286565904.3281,
"REASON": null,
"SUBTYPE": "Policy Update",
"ENDPOINTNAME": "aaaaa.compute.internal",
"RESULT": "Success",
"ENDPOINTID": "ea303670c76e4ad09600c8b346f7c804",
"TRAPSVERSION": "7.0.0.1915",
"TYPE": "Policy"
},
{
"CATEGORY": "Audit",
"DOMAIN": "",
"DESCRIPTION": "XDR Agent policy updated on aaaaa.compute.internal",
"TIMESTAMP": 1579280769141.43,
"RECEIVEDTIME": 1579282965742.36,
"REASON": null,
"SUBTYPE": "Policy Update",
"ENDPOINTNAME": "aaaaa.compute.internal",
"RESULT": "Success",
"ENDPOINTID": "ea303670c76e4ad09600c8b346f7c804",
"TRAPSVERSION": "7.0.0.1915",
"TYPE": "Policy"
}
]
}
Human Readable Output#

Audit Agent Reports#

| CATEGORY | DESCRIPTION | DOMAIN | ENDPOINTID | ENDPOINTNAME | REASON | RECEIVEDTIME | RESULT | SUBTYPE | TIMESTAMP | TRAPSVERSION | TYPE |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Audit | XDR Agent policy updated on aaaaa.compute.internal |  | ea303670c76e4ad09600c8b346f7c804 | aaaaa.compute.internal |  | 1579286565904.3281 | Success | Policy Update | 1579284369143.7048 | 7.0.0.1915 | Policy |
| Audit | XDR Agent policy updated on aaaaa.compute.internal |  | ea303670c76e4ad09600c8b346f7c804 | aaaaa.compute.internal |  | 1579282965742.36 | Success | Policy Update | 1579280769141.43 | 7.0.0.1915 | Policy |

Troubleshooting#

  • In case you encounter ReadTimeoutError, we recommend increasing the HTTP request timeout by setting it in the HTTP Timeout integration parameter.

15. xdr-get-policy#


Gets the policy name for a specific endpoint.

Base Command#

xdr-get-policy

Input#

| Argument Name | Description | Required |
|---|---|---|
| endpoint_id | The endpoint ID. Can be retrieved by running the xdr-get-endpoints command. | Required |

Context Output#

| Path | Type | Description |
|---|---|---|
| PaloAltoNetworksXDR.Policy | string | The policy allocated to the endpoint. |
| PaloAltoNetworksXDR.Policy.policy_name | string | Name of the policy allocated to the endpoint. |
| PaloAltoNetworksXDR.Policy.endpoint_id | string | Endpoint ID. |

Command Example#

!xdr-get-policy endpoint_id="f8a2f58846b542579c12090652e79f3d"

Context Example#

{
"PaloAltoNetworksXDR": {
"policyName": {
"endpoint_id": "f8a2f58846b542579c12090652e79f3d",
"policy_name": "Windows Default"
}
}
}

Human Readable Output#

The policy name of endpoint f8a2f58846b542579c12090652e79f3d is Windows default.

16. xdr-get-endpoint-device-control-violations#


Gets a list of device control violations filtered by selected fields. You can retrieve up to 100 violations.

Base Command#

xdr-get-endpoint-device-control-violations

Input#

| Argument Name | Description | Required |
|---|---|---|
| endpoint_ids | Comma-separated list of endpoint IDs. | Optional |
| type | Type of violation. Possible values are: "cd-rom", "disk drive", "floppy disk", "portable device". | Optional |
| timestamp_gte | Timestamp of the violation. Violations that are greater than or equal to this timestamp will be returned. Values can be in ISO date format, relative time, or epoch timestamp. For example: "2019-10-21T23:45:00" (ISO date format), "3 days ago" (relative time), 1579039377301 (epoch time). | Optional |
| timestamp_lte | Timestamp of the violation. Violations that are less than or equal to this timestamp will be returned. Values can be in ISO date format, relative time, or epoch timestamp. For example: "2019-10-21T23:45:00" (ISO date format), "3 days ago" (relative time), 1579039377301 (epoch time). | Optional |
| ip_list | Comma-separated list of IP addresses. | Optional |
| vendor | Name of the vendor. | Optional |
| vendor_id | Vendor ID. | Optional |
| product | Name of the product. | Optional |
| product_id | Product ID. | Optional |
| serial | Serial number. | Optional |
| hostname | Hostname. | Optional |
| violation_id_list | Comma-separated list of violation IDs. | Optional |
| username | Username. | Optional |

Context Output#

| Path | Type | Description |
|---|---|---|
| PaloAltoNetworksXDR.EndpointViolations | unknown | Endpoint violations command results. |
| PaloAltoNetworksXDR.EndpointViolations.violations | unknown | A list of violations. |
| PaloAltoNetworksXDR.EndpointViolations.violations.os_type | string | Type of the operating system. |
| PaloAltoNetworksXDR.EndpointViolations.violations.hostname | string | Hostname of the violation. |
| PaloAltoNetworksXDR.EndpointViolations.violations.username | string | Username of the violation. |
| PaloAltoNetworksXDR.EndpointViolations.violations.ip | string | IP address of the violation. |
| PaloAltoNetworksXDR.EndpointViolations.violations.timestamp | number | Timestamp of the violation. |
| PaloAltoNetworksXDR.EndpointViolations.violations.violation_id | number | Violation ID. |
| PaloAltoNetworksXDR.EndpointViolations.violations.type | string | Type of violation. |
| PaloAltoNetworksXDR.EndpointViolations.violations.vendor_id | string | Vendor ID of the violation. |
| PaloAltoNetworksXDR.EndpointViolations.violations.vendor | string | Name of the vendor of the violation. |
| PaloAltoNetworksXDR.EndpointViolations.violations.product_id | string | Product ID of the violation. |
| PaloAltoNetworksXDR.EndpointViolations.violations.product | string | Name of the product of the violation. |
| PaloAltoNetworksXDR.EndpointViolations.violations.serial | string | Serial number of the violation. |
| PaloAltoNetworksXDR.EndpointViolations.violations.endpoint_id | string | Endpoint ID of the violation. |

Command Example#

!xdr-get-endpoint-device-control-violations violation_id_list=100,90,80

Context Example#

{
"PaloAltoNetworksXDR": {
"EndpointViolations": [
{
"date": "2020-04-13T21:39:24",
"endpoint_id": "eca20ea25d4e4cfdad3a317997322693",
"hostname": "win-2020-04-14---12-39",
"ip": "1.1.1.1",
"os_type": "AGENT_OS_WINDOWS",
"product": "Cruzer Blade",
"product_id": "0x5567",
"serial": "4C530010060624106156",
"timestamp": 1586813964000,
"type": "Disk Drive",
"username": "st3.local\\assaflevi",
"vendor": "SanDisk Corp.",
"vendor_id": "0x0781",
"violation_id": 100
},
{
"date": "2020-04-13T21:39:13",
"endpoint_id": "e4b83018ae2c411899d847930e68d398",
"hostname": "win-2020-04-14---12-39",
"ip": "1.1.1.1",
"os_type": "AGENT_OS_WINDOWS",
"product": "Cruzer Blade",
"product_id": "0x5567",
"serial": "4C530010060624106156",
"timestamp": 1586813953000,
"type": "Disk Drive",
"username": "st3.local\\assaflevi",
"vendor": "SanDisk Corp.",
"vendor_id": "0x0781",
"violation_id": 90
},
{
"date": "2020-04-13T21:39:02",
"endpoint_id": "bef78d0ddbcc4ae488190bab0dcb31cd",
"hostname": "win-2020-04-14---12-39",
"ip": "1.1.1.1",
"os_type": "AGENT_OS_WINDOWS",
"product": "Cruzer Blade",
"product_id": "0x5567",
"serial": "4C530010060624106156",
"timestamp": 1586813942000,
"type": "Disk Drive",
"username": "st3.local\\assaflevi",
"vendor": "SanDisk Corp.",
"vendor_id": "0x0781",
"violation_id": 80
}
]
}
}

Human Readable Output#

Endpoint Device Control Violation#

| Date | Hostname | Username | Ip | Type | Violation Id | Vendor | Product | Serial |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 2020-04-13T21:39:24 | win-2020-04-14---12-39 | st3.local\assaflevi | 1.1.1.1 | Disk Drive | 100 | SanDisk Corp. | Cruzer Blade | 4C530010060624106156 |
| 2020-04-13T21:39:13 | win-2020-04-14---12-39 | st3.local\assaflevi | 1.1.1.1 | Disk Drive | 90 | SanDisk Corp. | Cruzer Blade | 4C530010060624106156 |
| 2020-04-13T21:39:02 | win-2020-04-14---12-39 | st3.local\assaflevi | 1.1.1.1 | Disk Drive | 80 | SanDisk Corp. | Cruzer Blade | 4C530010060624106156 |
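The violations above are one removable drive generating three events on one host. As an added example (not part of the integration), the following groups the violations context by physical device, records the hosts, users and time span for each, and flags devices that move between hosts or are not on an approved list; the sample data is constructed to mirror the page's context example, with one extra event added for the multi-host case.

```python
"""Group the violations returned under PaloAltoNetworksXDR.EndpointViolations.violations by
physical device (vendor_id, product_id, serial) and summarize where and when each device was
seen. A serial that shows up on more than one hostname, or that is missing from an approved
list, is flagged for review.

Added example for this page, not part of the integration code. SAMPLE_VIOLATIONS is constructed
to mirror the page's context example, with one extra event added to show the multi-host case.
"""
from datetime import datetime, timezone


def _event(hostname, username, timestamp, violation_id):
    """Constructed Disk Drive violation for the SanDisk device shown on the page."""
    return {
        "hostname": hostname, "username": username, "timestamp": timestamp,
        "violation_id": violation_id, "type": "Disk Drive", "os_type": "AGENT_OS_WINDOWS",
        "vendor": "SanDisk Corp.", "vendor_id": "0x0781",
        "product": "Cruzer Blade", "product_id": "0x5567", "serial": "4C530010060624106156",
    }


SAMPLE_VIOLATIONS = [
    _event("win-2020-04-14---12-39", "st3.local\\assaflevi", 1586813964000, 100),
    _event("win-2020-04-14---12-39", "st3.local\\assaflevi", 1586813953000, 90),
    _event("win-2020-04-14---12-39", "st3.local\\assaflevi", 1586813942000, 80),
    # constructed extra event: the same drive later plugged into a second host
    _event("srv-files-01", "st3.local\\svc_backup", 1586900000000, 101),
]


def iso_utc(epoch_ms):
    """Render an epoch-millisecond timestamp the way the page's 'date' field does (UTC, seconds)."""
    return datetime.fromtimestamp(epoch_ms / 1000, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")


def summarize_devices(violations, approved_serials=()):
    """Return {(vendor_id, product_id, serial): summary} with hosts, users, span and review flags."""
    devices = {}
    for v in violations:
        key = (v.get("vendor_id"), v.get("product_id"), v.get("serial"))
        d = devices.setdefault(key, {
            "vendor": v.get("vendor"), "product": v.get("product"), "serial": v.get("serial"),
            "type": v.get("type"), "hosts": set(), "users": set(), "violation_ids": [],
            "first_seen": v["timestamp"], "last_seen": v["timestamp"],
        })
        d["hosts"].add(v.get("hostname"))
        d["users"].add(v.get("username"))
        d["violation_ids"].append(v["violation_id"])
        d["first_seen"] = min(d["first_seen"], v["timestamp"])
        d["last_seen"] = max(d["last_seen"], v["timestamp"])
    approved = set(approved_serials)
    for d in devices.values():
        d["violation_ids"].sort()
        d["multi_host"] = len(d["hosts"]) > 1
        d["approved"] = d["serial"] in approved
        d["first_seen_iso"] = iso_utc(d["first_seen"])
        d["last_seen_iso"] = iso_utc(d["last_seen"])
    return devices


def needs_review(devices):
    """Devices that moved between hosts or are not on the approved list, most recent first."""
    flagged = [d for d in devices.values() if d["multi_host"] or not d["approved"]]
    return sorted(flagged, key=lambda d: d["last_seen"], reverse=True)


if __name__ == "__main__":
    for d in needs_review(summarize_devices(SAMPLE_VIOLATIONS)):
        print(f"{d['vendor']} {d['product']} serial={d['serial']} hosts={sorted(d['hosts'])} "
              f"users={sorted(d['users'])} span={d['first_seen_iso']}..{d['last_seen_iso']} "
              f"events={d['violation_ids']} multi_host={d['multi_host']} approved={d['approved']}")
```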

17. xdr-retrieve-files#


Retrieve files from selected endpoints. You can retrieve up to 20 files from no more than 10 endpoints. At least one endpoint ID and one file path are required to run the command. After running this command, you can use the xdr-action-status-get command with the returned action_id to check the action status.

Base Command#

xdr-retrieve-files

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| endpoint_ids | Comma-separated list of endpoint IDs. | Required |
| windows_file_paths | A comma-separated list of file paths on the Windows platform. | Optional |
| linux_file_paths | A comma-separated list of file paths on the Linux platform. | Optional |
| mac_file_paths | A comma-separated list of file paths on the Mac platform. | Optional |
| generic_file_path | A comma-separated list of file paths on any platform. Can be used instead of the mac/windows/linux file path arguments. The order of the file path list must match the order of the endpoint list: the first file path applies to the first endpoint, and so on. For example: "C:\Users\demisto\Desktop\CortexXSOAR.txt". | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PaloAltoNetworksXDR.RetrievedFiles.action_id | string | ID of the action to retrieve files from selected endpoints. |

Command Examples#

!xdr-retrieve-files endpoint_ids=aeec6a2cc92e46fab3b6f621722e9916 windows_file_paths="C:\Users\demisto\Desktop\demisto.txt"

!xdr-retrieve-files endpoint_ids=aeec6a2cc92e46fab3b6f621722e9916 generic_file_path="C:\Users\demisto\Desktop\demisto.txt"

Context Example#

{
"PaloAltoNetworksXDR": {
"retrievedFiles": {
"actionId": 2056
}
}
}

Human Readable Output#

Retrieve files#

| Action Id |
| --- |
| 2056 |

18. xdr-retrieve-file-details#


View the file retrieved by the xdr-retrieve-files command according to the action ID. Before running this command, you can use the xdr-action-status-get command to check if this action completed successfully.

Base Command#

xdr-retrieve-file-details

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| action_id | Action ID retrieved from the xdr-retrieve-files command. | Required |
| attach_files | Whether to attach the retrieved files in the War Room. Default is "true". | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| File | unknown | The file details command results. |
| File.Name | String | The full file name (including the file extension). |
| File.EntryID | String | The ID for locating the file in the War Room. |
| File.Size | Number | The size of the file in bytes. |
| File.MD5 | String | The MD5 hash of the file. |
| File.SHA1 | String | The SHA1 hash of the file. |
| File.SHA256 | String | The SHA256 hash of the file. |
| File.SHA512 | String | The SHA512 hash of the file. |
| File.Extension | String | The file extension. For example: 'xls'. |
| File.Type | String | The file type, as determined by libmagic (same as displayed in file entries). |

Command Example#

!xdr-retrieve-file-details action_id=1763

Context Example#

{
"File": {
"EntryID": "3212@e99f97d1-7225-4c75-896c-3c960febbe8c",
"Extension": "zip",
"Info": "application/zip",
"MD5": "fcbcda832825a1bd75dfb6fcd4edf39e",
"Name": "aeec6a2cc92e46fab3b6f621722e9916_1.zip",
"SHA1": "cdf0d37daa1bc951703b9c4ea7a592455074318d",
"SHA256": "25005641c0609d8416815f22653acb20125bd6a692fd9c987004667465a9f93a",
"SHA512": "1089185b2e5e573e1563f3f9b2c8cdb2a78461555cbd90d12a65bb6aa180733c3ae768c22d4a6cbf70eb9992fd43fb565a2eb14f892e3c1b1fe345cd7e2ea7ef",
"SSDeep": "384:rnhvs3/gOdk9MCPCTMpCirGyXEnLdyXdWeesfnvg:u3o3NC0Mvd5eesfn4",
"Size": 16004,
"Type": "HTML document text, UTF-8 Unicode text, with very long lines, with CRLF line terminators"
}
}

Human Readable Output#

Action id : 1763 Retrieved 1 files from 1 endpoints.

19. xdr-get-scripts#


Gets a list of scripts available in the scripts library.

Base Command#

xdr-get-scripts

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| script_name | A comma-separated list of the script names. | Optional |
| description | A comma-separated list of the script descriptions. | Optional |
| created_by | A comma-separated list of the users who created the script. | Optional |
| limit | Maximum number of scripts returned to the War Room. Default limit is 50. | Optional |
| offset | (Int) Offset in the data set. Default offset is 0. | Optional |
| windows_supported | Whether the script can be executed on a Windows operating system. | Optional |
| linux_supported | Whether the script can be executed on a Linux operating system. | Optional |
| macos_supported | Whether the script can be executed on a Mac operating system. | Optional |
| is_high_risk | Whether the script has a high-risk outcome. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PaloAltoNetworksXDR.Scripts | unknown | Get scripts command results. |
| PaloAltoNetworksXDR.Scripts.script_id | unknown | Script ID. |
| PaloAltoNetworksXDR.Scripts.name | string | Name of the script. |
| PaloAltoNetworksXDR.Scripts.description | string | Description of the script. |
| PaloAltoNetworksXDR.Scripts.modification_date | unknown | Timestamp of when the script was last modified. |
| PaloAltoNetworksXDR.Scripts.created_by | string | Name of the user who created the script. |
| PaloAltoNetworksXDR.Scripts.windows_supported | boolean | Whether the script can be executed on a Windows operating system. |
| PaloAltoNetworksXDR.Scripts.linux_supported | boolean | Whether the script can be executed on a Linux operating system. |
| PaloAltoNetworksXDR.Scripts.macos_supported | boolean | Whether the script can be executed on a Mac operating system. |
| PaloAltoNetworksXDR.Scripts.is_high_risk | boolean | Whether the script has a high-risk outcome. |
| PaloAltoNetworksXDR.Scripts.script_uid | string | GUID (global ID) of the script, used to identify the script when executing it. |

Command Example#

!xdr-get-scripts created_by="Palo Alto Networks" is_high_risk=true

Context Example#

{
"PaloAltoNetworksXDR": {
"Scripts": [
{
"created_by": "Palo Alto Networks",
"description": "Delete a file by path",
"is_high_risk": true,
"linux_supported": true,
"macos_supported": true,
"modification_date": "2020-04-21T11:01:31",
"modification_date_timestamp": 1587466891981,
"name": "delete_file",
"script_id": 1,
"script_uid": "548023b6e4a01ec51a495ba6e5d2a15d",
"windows_supported": true
},
{
"created_by": "Palo Alto Networks",
"description": "Execute list of shell commands",
"is_high_risk": true,
"linux_supported": true,
"macos_supported": true,
"modification_date": "2020-04-21T11:01:32",
"modification_date_timestamp": 1587466892157,
"name": "execute_commands",
"script_id": 2,
"script_uid": "a6f7683c8e217d85bd3c398f0d3fb6bf",
"windows_supported": true
},
{
"created_by": "Palo Alto Networks",
"description": "Kill all processes with a CPU usage higher than specified",
"is_high_risk": true,
"linux_supported": true,
"macos_supported": true,
"modification_date": "2020-04-21T11:01:32",
"modification_date_timestamp": 1587466892247,
"name": "process_kill_cpu",
"script_id": 6,
"script_uid": "3d928a24f61cd3c1116544900c424098",
"windows_supported": true
},
{
"created_by": "Palo Alto Networks",
"description": "Kill all processes with a RAM usage higher than specified",
"is_high_risk": true,
"linux_supported": true,
"macos_supported": true,
"modification_date": "2020-04-21T11:01:32",
"modification_date_timestamp": 1587466892260,
"name": "process_kill_mem",
"script_id": 7,
"script_uid": "87d4547df6d4882a3c006ec58c3b8bf4",
"windows_supported": true
},
{
"created_by": "Palo Alto Networks",
"description": "Kill processes by name",
"is_high_risk": true,
"linux_supported": true,
"macos_supported": true,
"modification_date": "2020-04-21T11:01:32",
"modification_date_timestamp": 1587466892269,
"name": "process_kill_name",
"script_id": 8,
"script_uid": "fd0a544a99a9421222b4f57a11839481",
"windows_supported": true
},
{
"created_by": "Palo Alto Networks",
"description": "Delete registry value or delete registry key with all its values",
"is_high_risk": true,
"linux_supported": false,
"macos_supported": false,
"modification_date": "2020-04-21T11:01:32",
"modification_date_timestamp": 1587466892277,
"name": "registry_delete",
"script_id": 9,
"script_uid": "ad36488a20cdbdd1604ec4bec9da5c41",
"windows_supported": true
},
{
"created_by": "Palo Alto Networks",
"description": "Get registry value data and its type",
"is_high_risk": true,
"linux_supported": false,
"macos_supported": false,
"modification_date": "2020-04-21T11:01:32",
"modification_date_timestamp": 1587466892337,
"name": "registry_get",
"script_id": 10,
"script_uid": "699fa2e98ab1eb5677489dce54125769",
"windows_supported": true
},
{
"created_by": "Palo Alto Networks",
"description": "Set registry value",
"is_high_risk": true,
"linux_supported": false,
"macos_supported": false,
"modification_date": "2020-09-06T09:41:47",
"modification_date_timestamp": 1599385307669,
"name": "registry_set",
"script_id": 11,
"script_uid": "896392a13b2ef0ae75b3f2396125037d",
"windows_supported": true
}
]
}
}

Human Readable Output#

Scripts#

| Name | Description | Script Uid | Modification Date | Created By | Windows Supported | Linux Supported | Macos Supported | Is High Risk |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| delete_file | Delete a file by path | 548023b6e4a01ec51a495ba6e5d2a15d | 2020-04-21T11:01:31 | Palo Alto Networks | true | true | true | true |
| execute_commands | Execute list of shell commands | a6f7683c8e217d85bd3c398f0d3fb6bf | 2020-04-21T11:01:32 | Palo Alto Networks | true | true | true | true |
| process_kill_cpu | Kill all processes with a CPU usage higher than specified | 3d928a24f61cd3c1116544900c424098 | 2020-04-21T11:01:32 | Palo Alto Networks | true | true | true | true |
| process_kill_mem | Kill all processes with a RAM usage higher than specified | 87d4547df6d4882a3c006ec58c3b8bf4 | 2020-04-21T11:01:32 | Palo Alto Networks | true | true | true | true |
| process_kill_name | Kill processes by name | fd0a544a99a9421222b4f57a11839481 | 2020-04-21T11:01:32 | Palo Alto Networks | true | true | true | true |
| registry_delete | Delete registry value or delete registry key with all its values | ad36488a20cdbdd1604ec4bec9da5c41 | 2020-04-21T11:01:32 | Palo Alto Networks | true | false | false | true |
| registry_get | Get registry value data and its type | 699fa2e98ab1eb5677489dce54125769 | 2020-04-21T11:01:32 | Palo Alto Networks | true | false | false | true |
| registry_set | Set registry value | 896392a13b2ef0ae75b3f2396125037d | 2020-09-06T09:41:47 | Palo Alto Networks | true | false | false | true |

20. xdr-get-script-metadata#


Gets the full definition of a specific script in the scripts library.

Base Command#

xdr-get-script-metadata

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| script_uid | Unique identifier of the script, returned by the xdr-get-scripts command. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PaloAltoNetworksXDR.ScriptMetadata | Unknown | The script metadata command results. |
| PaloAltoNetworksXDR.ScriptMetadata.script_id | number | Script ID. |
| PaloAltoNetworksXDR.ScriptMetadata.name | string | Script name. |
| PaloAltoNetworksXDR.ScriptMetadata.description | string | Script description. |
| PaloAltoNetworksXDR.ScriptMetadata.modification_date | unknown | Timestamp of when the script was last modified. |
| PaloAltoNetworksXDR.ScriptMetadata.created_by | string | Name of the user who created the script. |
| PaloAltoNetworksXDR.ScriptMetadata.is_high_risk | boolean | Whether the script has a high-risk outcome. |
| PaloAltoNetworksXDR.ScriptMetadata.windows_supported | boolean | Whether the script can be executed on a Windows operating system. |
| PaloAltoNetworksXDR.ScriptMetadata.linux_supported | boolean | Whether the script can be executed on a Linux operating system. |
| PaloAltoNetworksXDR.ScriptMetadata.macos_supported | boolean | Whether the script can be executed on a Mac operating system. |
| PaloAltoNetworksXDR.ScriptMetadata.entry_point | string | Name of the entry point selected for the script. An empty string indicates the script is defined as just run. |
| PaloAltoNetworksXDR.ScriptMetadata.script_input | string | Name and type for the specified entry point. |
| PaloAltoNetworksXDR.ScriptMetadata.script_output_type | string | Type of the output. |
| PaloAltoNetworksXDR.ScriptMetadata.script_output_dictionary_definitions | Unknown | If the script_output_type is a dictionary, an array with friendly name, name, and type for each output. |

Command Example#

!xdr-get-script-metadata script_uid=43973479d389f2ac7e99b6db88eaee40

Context Example#

{
"PaloAltoNetworksXDR": {
"scriptMetadata": {
"created_by": "Palo Alto Networks",
"description": "List all directories under path",
"entry_point": "run",
"is_high_risk": false,
"linux_supported": true,
"macos_supported": true,
"modification_date": 1587466892181,
"name": "list_directories",
"script_id": 4,
"script_input": [
{
"name": "path",
"type": "string"
},
{
"name": "number_of_levels",
"type": "number"
}
],
"script_output_dictionary_definitions": null,
"script_output_type": "string_list",
"script_uid": "43973479d389f2ac7e99b6db88eaee40",
"windows_supported": true
}
}
}

Human Readable Output#

Script Metadata#

| script_id | name | description | modification_date | created_by | is_high_risk | windows_supported | linux_supported | macos_supported | script_uid | entry_point | script_input | script_output_type |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 4 | list_directories | List all directories under path | 1587466892181 | Palo Alto Networks | false | true | true | true | 43973479d389f2ac7e99b6db88eaee40 | run | {'name': 'path', 'type': 'string'}, {'name': 'number_of_levels', 'type': 'number'} | string_list |

21. xdr-get-script-code#


Get the code of a specific script in the script library.

Base Command#

xdr-get-script-code

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| script_uid | Unique identifier of the script, returned by the xdr-get-scripts command. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PaloAltoNetworksXDR.ScriptCode | Unknown | The script code command results. |
| PaloAltoNetworksXDR.ScriptCode.code | string | The code of a specific script in the script library. |
| PaloAltoNetworksXDR.ScriptCode.script_uid | string | Unique identifier of the script. |

Command Example#

!xdr-get-script-code script_uid=548023b6e4a01ec51a495ba6e5d2a15d

Context Example#

{
"PaloAltoNetworksXDR": {
"scriptCode": {
"code": "import os
import sys
import traceback
def run(file_path):
path = os.path.expanduser(file_path)
path = os.path.expandvars(path)
if os.path.isabs(path):
try:
os.remove(path)
except IOError:
sys.stderr.write(f\"File not accessible: {path}\")
return False
except Exception as e:
sys.stderr.write(f\"Exception occured: {traceback.format_exc()}\")
return False
return True
",
"script_uid": "548023b6e4a01ec51a495ba6e5d2a15d"
}
}
}

Human Readable Output#

Script code is :

```python
import os
import sys
import traceback


def run(file_path):
    path = os.path.expanduser(file_path)
    path = os.path.expandvars(path)
    if os.path.isabs(path):
        try:
            os.remove(path)
        except IOError:
            sys.stderr.write(f"File not accessible: {path}")
            return False
        except Exception as e:
            sys.stderr.write(f"Exception occured: {traceback.format_exc()}")
            return False
    return True
```

22. xdr-action-status-get#


Retrieves the status of the requested actions according to the action ID.

Base Command#

xdr-action-status-get

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| action_id | The action ID of the selected request. After performing an action, you will receive an action ID. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PaloAltoNetworksXDR.GetActionStatus | Unknown | The action status command results. |
| PaloAltoNetworksXDR.GetActionStatus.endpoint_id | string | Endpoint ID. |
| PaloAltoNetworksXDR.GetActionStatus.status | string | The status of the specific endpoint ID. |
| PaloAltoNetworksXDR.GetActionStatus.action_id | number | The specified action ID. |

Command Example#

!xdr-action-status-get action_id="1819"

Context Example#

{
"PaloAltoNetworksXDR": {
"getActionStatus": {
"action_id": 1819,
"endpoint_id": "aeec6a2cc92e46fab3b6f621722e9916",
"status": "COMPLETED_SUCCESSFULLY"
}
}
}

Human Readable Output#

Get Action Status#

| endpoint_id | status |
| --- | --- |
| aeec6a2cc92e46fab3b6f621722e9916 | COMPLETED_SUCCESSFULLY |

23. xdr-delete-endpoints#


Delete selected endpoints in the Cortex XDR app. You can delete up to 1000 endpoints.

Base Command#

xdr-delete-endpoints

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| endpoint_ids | Comma-separated list of endpoint IDs. | Required |

Context Output#

There is no context output for this command.

Command Example#

!xdr-delete-endpoints endpoint_ids=aeec6a2cc92e46fab3b6f621722e9916

Human Readable Output#

Endpoints aeec6a2cc92e46fab3b6f621722e9916 successfully deleted

24. xdr-run-script#


Initiates a new endpoint script execution action using a script from the script library.

Base Command#

xdr-run-script

Required Permissions#

- Run Standard Script
- Run High-Risk Script

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| endpoint_ids | Comma-separated list of endpoint IDs. Can be retrieved by running the xdr-get-endpoints command. | Required |
| script_uid | Unique identifier of the script. Can be retrieved by running the xdr-get-scripts command. | Required |
| parameters | Dictionary whose keys are the parameter names and whose values are the values to use for this execution, for example {"path":"test.txt"}. The parameter names can be retrieved by running the xdr-get-script-metadata command. | Optional |
| timeout | The timeout in seconds for this execution. Default is 600. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PaloAltoNetworksXDR.ScriptRun.action_id | Number | ID of the action initiated. |
| PaloAltoNetworksXDR.ScriptRun.endpoints_count | Number | Number of endpoints the action was initiated on. |

Command Example#

!xdr-run-script script_uid=414763381b5bfb7b05796c9fe690df46 endpoint_ids=23a86310665d413a958926fce5b794b3 parameters={"path":"test.txt"}

Context Example#

{
"PaloAltoNetworksXDR": {
"ScriptRun": {
"action_id": 3653,
"endpoints_count": 1
}
}
}

Human Readable Output#

Run Script#

| action_id | endpoints_count |
| --- | --- |
| 3653 | 1 |

25. xdr-run-snippet-code-script#


Initiates a new endpoint script execution action using provided snippet code.

Base Command#

xdr-run-snippet-code-script

Required Permissions#

- Script Configurations
- Run High-Risk Script

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| endpoint_ids | Comma-separated list of endpoint IDs. Can be retrieved by running the xdr-get-endpoints command. | Required |
| snippet_code | Section of a script you want to initiate on an endpoint (e.g., print("7")). | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PaloAltoNetworksXDR.ScriptRun.action_id | Number | ID of the action initiated. |
| PaloAltoNetworksXDR.ScriptRun.endpoints_count | Number | Number of endpoints the action was initiated on. |

Command Example#

!xdr-run-snippet-code-script endpoint_ids=23a86310665d413a958926fce5b794b3 snippet_code="print('hello world')"

Context Example#

{
"PaloAltoNetworksXDR": {
"ScriptRun": {
"action_id": 3654,
"endpoints_count": 1
}
}
}

Human Readable Output#

Run Snippet Code Script#

| action_id | endpoints_count |
| --- | --- |
| 3654 | 1 |

26. xdr-get-script-execution-status#


Retrieves the status of a script execution action.

Base Command#

xdr-get-script-execution-status

Required Permissions#

Script Configurations

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| action_id | Action ID retrieved from the xdr-run-script command. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PaloAltoNetworksXDR.ScriptStatus.general_status | String | General status of the action, considering the status of all the endpoints. |
| PaloAltoNetworksXDR.ScriptStatus.error_message | String | Error message returned when the caller lacks permission to run the API or the action does not exist. |
| PaloAltoNetworksXDR.ScriptStatus.endpoints_timeout | Number | Number of endpoints in "timeout" status. |
| PaloAltoNetworksXDR.ScriptStatus.action_id | Number | ID of the action initiated. |
| PaloAltoNetworksXDR.ScriptStatus.endpoints_pending_abort | Number | Number of endpoints in "pending abort" status. |
| PaloAltoNetworksXDR.ScriptStatus.endpoints_pending | Number | Number of endpoints in "pending" status. |
| PaloAltoNetworksXDR.ScriptStatus.endpoints_in_progress | Number | Number of endpoints in "in progress" status. |
| PaloAltoNetworksXDR.ScriptStatus.endpoints_failed | Number | Number of endpoints in "failed" status. |
| PaloAltoNetworksXDR.ScriptStatus.endpoints_expired | Number | Number of endpoints in "expired" status. |
| PaloAltoNetworksXDR.ScriptStatus.endpoints_completed_successfully | Number | Number of endpoints in "completed successfully" status. |
| PaloAltoNetworksXDR.ScriptStatus.endpoints_canceled | Number | Number of endpoints in "canceled" status. |
| PaloAltoNetworksXDR.ScriptStatus.endpoints_aborted | Number | Number of endpoints in "aborted" status. |

Command Example#

!xdr-get-script-execution-status action_id=3641

Context Example#

{
"PaloAltoNetworksXDR": {
"ScriptStatus": {
"action_id": "3641",
"endpoints_aborted": 0,
"endpoints_canceled": 0,
"endpoints_completed_successfully": 1,
"endpoints_expired": 0,
"endpoints_failed": 0,
"endpoints_in_progress": 0,
"endpoints_pending": 0,
"endpoints_pending_abort": 0,
"endpoints_timeout": 0,
"general_status": "COMPLETED_SUCCESSFULLY"
}
}
}

Human Readable Output#

Script Execution Status - 3641#

| action_id | endpoints_aborted | endpoints_canceled | endpoints_completed_successfully | endpoints_expired | endpoints_failed | endpoints_in_progress | endpoints_pending | endpoints_pending_abort | endpoints_timeout | general_status |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 3641 | 0 | 0 | 1 | 0 | 0 | 0 | 0 | 0 | 0 | COMPLETED_SUCCESSFULLY |

27. xdr-get-script-execution-results#


Retrieves the results of a script execution action.

Base Command#

xdr-get-script-execution-results

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| action_id | Action ID retrieved from the xdr-run-script command. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PaloAltoNetworksXDR.ScriptResult.action_id | Number | ID of the action initiated. |
| PaloAltoNetworksXDR.ScriptResult.results.retrieved_files | Number | Number of successfully retrieved files. |
| PaloAltoNetworksXDR.ScriptResult.results.endpoint_ip_address | String | Endpoint IP address. |
| PaloAltoNetworksXDR.ScriptResult.results.endpoint_name | String | Endpoint name. |
| PaloAltoNetworksXDR.ScriptResult.results.failed_files | Number | Number of files that failed to be retrieved. |
| PaloAltoNetworksXDR.ScriptResult.results.endpoint_status | String | Endpoint status. |
| PaloAltoNetworksXDR.ScriptResult.results.domain | String | Domain to which the endpoint belongs. |
| PaloAltoNetworksXDR.ScriptResult.results.endpoint_id | String | Endpoint ID. |
| PaloAltoNetworksXDR.ScriptResult.results.execution_status | String | Execution status of this endpoint. |
| PaloAltoNetworksXDR.ScriptResult.results.return_value | String | Value returned by the script, in case the type is not a dictionary. |
| PaloAltoNetworksXDR.ScriptResult.results.standard_output | String | The STDOUT and the STDERR logged by the script during the execution. |
| PaloAltoNetworksXDR.ScriptResult.results.retention_date | Date | Timestamp at which the retrieved files will be deleted from the server. |

Command Example#

!xdr-get-script-execution-results action_id=3641

Context Example#

{
"PaloAltoNetworksXDR": {
"ScriptResult": {
"action_id": "3641",
"results": [
{
"_return_value": false,
"domain": "WORKGROUP",
"endpoint_id": "23a86310665d413a958926fce5b794b3",
"endpoint_ip_address": [
"196.168.0.1"
],
"endpoint_name": "DESKTOP-S2455R8",
"endpoint_status": "STATUS_010_CONNECTED",
"execution_status": "COMPLETED_SUCCESSFULLY",
"failed_files": 0,
"retention_date": null,
"retrieved_files": 0,
"standard_output": "Input path <test.txt> not valid, must be an absolute path"
}
]
}
}
}

Human Readable Output#

Script Execution Results - 3641#

| _return_value | domain | endpoint_id | endpoint_ip_address | endpoint_name | endpoint_status | execution_status | failed_files | retrieved_files | standard_output |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| false | WORKGROUP | 23a86310665d413a958926fce5b794b3 | 196.168.0.1 | DESKTOP-S2455R8 | STATUS_010_CONNECTED | COMPLETED_SUCCESSFULLY | 0 | 0 | Input path \<test.txt> not valid, must be an absolute path |
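Commands 24, 26 and 27 form one procedure: start the script, poll the status until it is terminal, then read the results once. As an added example (not part of the integration), the following drives that procedure through an injectable executor so the polling and the per-endpoint verdict can be exercised offline; the split of status values into terminal and pending sets, and the executor signature, are assumptions, and the replayed responses are constructed to mirror the page's context examples.

```python
"""Orchestrate the three commands documented above: xdr-run-script starts the action,
xdr-get-script-execution-status is polled until general_status is terminal, and
xdr-get-script-execution-results is read once. The per-endpoint verdict is kept separate from
the action status, because COMPLETED_SUCCESSFULLY only says the script ran; the page's own
example shows a run that completed while the script rejected its input.

Added example for this page, not part of the integration. `execute(command, args)` stands in
for whatever runs an XSOAR command (demisto.executeCommand in an automation); the fake executor
below replays constructed responses shaped like the page's context examples. The split of status
values into terminal and pending sets is an assumption of this example.
"""
import json

TERMINAL_STATUSES = {"COMPLETED_SUCCESSFULLY", "FAILED", "TIMEOUT", "EXPIRED", "CANCELED", "ABORTED"}
PENDING_STATUSES = {"PENDING", "IN_PROGRESS", "PENDING_ABORT"}


class ScriptRunError(RuntimeError):
    """Raised when the action reports an error or never reaches a terminal state."""


def run_script_and_collect(execute, endpoint_ids, script_uid, parameters,
                           max_polls=12, interval=5, sleep=lambda seconds: None):
    """Start a script, wait for it, and return (action_id, general_status, per-endpoint outcomes)."""
    run = execute("xdr-run-script", {
        "endpoint_ids": ",".join(endpoint_ids),
        "script_uid": script_uid,
        "parameters": json.dumps(parameters),   # the argument is a JSON object, as on the page
    })
    action_id = run["PaloAltoNetworksXDR"]["ScriptRun"]["action_id"]

    general = None
    for _ in range(max_polls):
        status = execute("xdr-get-script-execution-status",
                         {"action_id": action_id})["PaloAltoNetworksXDR"]["ScriptStatus"]
        if status.get("error_message"):
            raise ScriptRunError(f"action {action_id}: {status['error_message']}")
        general = status["general_status"]
        if general in TERMINAL_STATUSES:
            break
        if general not in PENDING_STATUSES:
            raise ScriptRunError(f"action {action_id}: unexpected general_status {general!r}")
        sleep(interval)
    else:
        raise ScriptRunError(f"action {action_id} still {general} after {max_polls} polls")

    result = execute("xdr-get-script-execution-results",
                     {"action_id": action_id})["PaloAltoNetworksXDR"]["ScriptResult"]
    per_endpoint = {}
    for entry in result.get("results", []):
        per_endpoint[entry["endpoint_id"]] = {
            "execution_status": entry.get("execution_status"),
            "return_value": entry.get("_return_value"),
            "standard_output": entry.get("standard_output", ""),
        }
    return action_id, general, per_endpoint


def make_fake_executor(polls_until_done=2):
    """Constructed replay of the page's responses; the status stays IN_PROGRESS for N polls."""
    state = {"polls": 0, "calls": []}

    def execute(command, args):
        state["calls"].append(command)
        if command == "xdr-run-script":
            return {"PaloAltoNetworksXDR": {"ScriptRun": {"action_id": 3641, "endpoints_count": 1}}}
        if command == "xdr-get-script-execution-status":
            state["polls"] += 1
            done = state["polls"] > polls_until_done
            return {"PaloAltoNetworksXDR": {"ScriptStatus": {
                "action_id": "3641",
                "general_status": "COMPLETED_SUCCESSFULLY" if done else "IN_PROGRESS",
                "endpoints_completed_successfully": 1 if done else 0,
                "endpoints_in_progress": 0 if done else 1,
            }}}
        if command == "xdr-get-script-execution-results":
            return {"PaloAltoNetworksXDR": {"ScriptResult": {"action_id": "3641", "results": [{
                "_return_value": False,
                "endpoint_id": "23a86310665d413a958926fce5b794b3",
                "execution_status": "COMPLETED_SUCCESSFULLY",
                "standard_output": "Input path <test.txt> not valid, must be an absolute path",
            }]}}}
        raise KeyError(command)

    return execute, state


if __name__ == "__main__":
    execute, state = make_fake_executor()
    print(run_script_and_collect(execute, ["23a86310665d413a958926fce5b794b3"],
                                 "414763381b5bfb7b05796c9fe690df46", {"path": "test.txt"}))
    print(state)
```

In a real automation, pass time.sleep as `sleep` and a wrapper around demisto.executeCommand as `execute`.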

28. xdr-get-script-execution-result-files#


Gets the files retrieved from a specific endpoint during a script execution.

Base Command#

xdr-get-script-execution-result-files

Required Permissions#

Script Configurations

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| action_id | Action ID retrieved from the xdr-run-script command. | Required |
| endpoint_id | Endpoint ID. Can be retrieved by running the xdr-get-endpoints command. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| File.Size | String | The size of the file. |
| File.SHA1 | String | The SHA1 hash of the file. |
| File.SHA256 | String | The SHA256 hash of the file. |
| File.SHA512 | String | The SHA512 hash of the file. |
| File.Name | String | The name of the file. |
| File.SSDeep | String | The SSDeep hash of the file. |
| File.EntryID | String | EntryID of the file. |
| File.Info | String | Information about the file. |
| File.Type | String | The file type. |
| File.MD5 | String | The MD5 hash of the file. |
| File.Extension | String | The extension of the file. |

Command Example#

!xdr-get-script-execution-result-files action_id=3641 endpoint_id=23a86310665d413a958926fce5b794b3

29. xdr-run-script-execute-commands#


Initiates a new endpoint script execution of shell commands.

Base Command#

xdr-run-script-execute-commands

Required Permissions#

Run High-Risk Script

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| endpoint_ids | Comma-separated list of endpoint IDs. Can be retrieved by running the xdr-get-endpoints command. | Required |
| commands | Comma-separated list of shell commands to execute. | Required |
| timeout | The timeout in seconds for this execution. Default is 600. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PaloAltoNetworksXDR.ScriptRun.action_id | Number | ID of the action initiated. |
| PaloAltoNetworksXDR.ScriptRun.endpoints_count | Number | Number of endpoints the action was initiated on. |

Command Example#

!xdr-run-script-execute-commands endpoint_ids=23a86310665d413a958926fce5b794b3 commands_list=tasklist

Context Example#

{
"PaloAltoNetworksXDR": {
"ScriptRun": {
"action_id": 3655,
"endpoints_count": 1
}
}
}

Human Readable Output#

Run Script Execute Commands#

| action_id | endpoints_count |
| --- | --- |
| 3655 | 1 |

30. xdr-run-script-delete-file#


Initiates a new endpoint script execution to delete the specified file.

Base Command#

xdr-run-script-delete-file

Required Permissions#

Run High-Risk Script

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| endpoint_ids | Comma-separated list of endpoint IDs. Can be retrieved by running the xdr-get-endpoints command. | Required |
| file_path | Comma-separated list of paths of the files to delete. All of the given file paths will run on all of the endpoints. | Required |
| timeout | The timeout in seconds for this execution. Default is 600. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PaloAltoNetworksXDR.ScriptRun.action_id | Number | ID of the action initiated. |
| PaloAltoNetworksXDR.ScriptRun.endpoints_count | Number | Number of endpoints the action was initiated on. |

Command Example#

!xdr-run-script-delete-file endpoint_ids=23a86310665d413a958926fce5b794b3 file_path=test.txt

Context Example#

{
"PaloAltoNetworksXDR": {
"ScriptRun": {
"action_id": 3656,
"endpoints_count": 1
}
}
}

Human Readable Output#

Run Script Execute Commands#

| action_id | endpoints_count |
| --- | --- |
| 3656 | 1 |

31. xdr-run-script-file-exists#


Initiates a new endpoint script execution to check if the file exists.

Base Command#

xdr-run-script-file-exists

Required Permissions#

Run Standard Script

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| endpoint_ids | Comma-separated list of endpoint IDs. Can be retrieved by running the xdr-get-endpoints command. | Required |
| file_path | Comma-separated list of paths of the files to check for existence. All of the given file paths will run on all of the endpoints. | Required |
| timeout | The timeout in seconds for this execution. Default is 600. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PaloAltoNetworksXDR.ScriptRun.action_id | Number | ID of the action initiated. |
| PaloAltoNetworksXDR.ScriptRun.endpoints_count | Number | Number of endpoints the action was initiated on. |

Command Example#

!xdr-run-script-file-exists endpoint_ids=23a86310665d413a958926fce5b794b3 file_path=test.txt

Context Example#

{
"PaloAltoNetworksXDR": {
"ScriptRun": {
"action_id": 3657,
"endpoints_count": 1
}
}
}

Human Readable Output#

Run Script Execute Commands#

| action_id | endpoints_count |
| --- | --- |
| 3657 | 1 |

32. xdr-run-script-kill-process#


Initiates a new endpoint script execution to kill the specified processes.

Base Command#

xdr-run-script-kill-process

Required Permissions#

Run High-Risk Script

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| endpoint_ids | Comma-separated list of endpoint IDs. Can be retrieved by running the xdr-get-endpoints command. | Required |
| process_name | Names of the processes to kill. All of the given process names will run on all of the endpoints. | Required |
| timeout | The timeout in seconds for this execution. Default is 600. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PaloAltoNetworksXDR.ScriptRun.action_id | Number | ID of the action initiated. |
| PaloAltoNetworksXDR.ScriptRun.endpoints_count | Number | Number of endpoints the action was initiated on. |

Command Example#

!xdr-run-script-kill-process endpoint_ids=23a86310665d413a958926fce5b794b3 process_name=calculator.exe

Context Example#

{
"PaloAltoNetworksXDR": {
"ScriptRun": {
"action_id": 3658,
"endpoints_count": 1
}
}
}

Human Readable Output#

Run Script Execute Commands#

| action_id | endpoints_count |
| --- | --- |
| 3658 | 1 |

33. xdr-endpoint-scan#


Runs a scan on a selected endpoint. To scan all endpoints, run this command with the argument all=true. Note that scanning all of the endpoints may cause performance issues and latency.

Base Command#

xdr-endpoint-scan

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| endpoint_id_list | List of endpoint IDs. | Optional |
| dist_name | Name of the distribution list. | Optional |
| gte_first_seen | Epoch timestamp in milliseconds. | Optional |
| gte_last_seen | Epoch timestamp in milliseconds. | Optional |
| lte_first_seen | Epoch timestamp in milliseconds. | Optional |
| lte_last_seen | Epoch timestamp in milliseconds. | Optional |
| ip_list | List of IP addresses. | Optional |
| group_name | Name of the endpoint group. | Optional |
| platform | Type of operating system. Possible values are: windows, linux, macos, android. | Optional |
| alias | Endpoint alias name. | Optional |
| isolate | Whether an endpoint has been isolated. Possible values are: isolated, unisolated. | Optional |
| hostname | Name of the host. | Optional |
| all | Whether to scan all of the endpoints. Note that scanning all of the endpoints may cause performance issues and latency. Possible values are: true, false. Default is false. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PaloAltoNetworksXDR.endpointScan.actionId | Number | The action ID of the scan request. |
| PaloAltoNetworksXDR.endpointScan.aborted | Boolean | Whether the scan was aborted. |

Command Example#

!xdr-endpoint-scan endpoint_id_list=12386310665d413a958926fce5b794b3

Context Example#

{
"PaloAltoNetworksXDR": {
"endpointScan": {
"aborted": true,
"actionId": 4205
}
}
}

Human Readable Output#

Endpoint scan#

| Action Id |
| --- |
| 4205 |

34. xdr-endpoint-scan-abort#


Cancels the scan of selected endpoints. A scan can only be aborted if the selected endpoints are Pending or In Progress. To abort the scan on all endpoints, run the command with the argument all=true. Note that acting on all of the endpoints may cause performance issues and latency.

Base Command#

xdr-endpoint-scan-abort

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| endpoint_id_list | List of endpoint IDs. | Optional |
| dist_name | Name of the distribution list. | Optional |
| gte_first_seen | Epoch timestamp in milliseconds. | Optional |
| gte_last_seen | Epoch timestamp in milliseconds. | Optional |
| lte_first_seen | Epoch timestamp in milliseconds. | Optional |
| lte_last_seen | Epoch timestamp in milliseconds. | Optional |
| ip_list | List of IP addresses. | Optional |
| group_name | Name of the endpoint group. | Optional |
| platform | Type of operating system. Possible values are: windows, linux, macos, android. | Optional |
| alias | Endpoint alias name. | Optional |
| isolate | Whether an endpoint has been isolated. Possible values are: isolated, unisolated. | Optional |
| hostname | Name of the host. | Optional |
| all | Whether to abort the scan on all of the endpoints. Note that acting on all of the endpoints may cause performance issues and latency. Possible values are: true, false. Default is false. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PaloAltoNetworksXDR.endpointScan.actionId | Unknown | The action ID of the abort scan request. |
| PaloAltoNetworksXDR.endpointScan.aborted | Boolean | Whether the scan was aborted. |

Command Example#

!xdr-endpoint-scan-abort endpoint_id_list=12386310665d413a958926fce5b794b3

Context Example#

{
    "PaloAltoNetworksXDR": {
        "endpointScan": {
            "aborted": true,
            "actionId": 4227
        }
    }
}

Human Readable Output#

Endpoint abort scan#

| Action Id |
| --- |
| 4227 |
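The two scan commands above share one argument set, and the note about all=true applies to both. As an added example (not code from the integration or its documentation), the Python below shows the caller-side checks an automation or playbook task should run before issuing xdr-endpoint-scan or xdr-endpoint-scan-abort: each argument is validated against the allowed values in the Input tables, the all=true form needs an explicit opt-in because of the performance note, and actionId/aborted are read back from the documented context path. Two things here are assumptions of the example rather than documented behaviour: endpoint IDs are treated as 32 hex characters (the shape used in this page's examples), and all=true is refused when per-endpoint selectors are also given.

```python
"""Argument checks for xdr-endpoint-scan and xdr-endpoint-scan-abort.

Added example; not part of the Cortex XDR - IR integration. It builds the
XSOAR command line from a dict of arguments using only the argument names
and allowed values from the Input tables, and refuses the all-endpoints
form unless the caller opts in explicitly.
"""
import ipaddress
import re
from typing import Any, Dict, List, Tuple

COMMANDS = ("xdr-endpoint-scan", "xdr-endpoint-scan-abort")
PLATFORMS = {"windows", "linux", "macos", "android"}
ISOLATE_VALUES = {"isolated", "unisolated"}
TIMESTAMP_ARGS = ("gte_first_seen", "gte_last_seen", "lte_first_seen", "lte_last_seen")
# Fixed emission order (the Input table's order) so the produced line is deterministic.
ARG_ORDER = ("endpoint_id_list", "dist_name") + TIMESTAMP_ARGS + (
    "ip_list", "group_name", "platform", "alias", "isolate", "hostname")
# Endpoint IDs in this page's examples are 32 hex characters; treating that as
# the required shape is an assumption, not a documented format.
ENDPOINT_ID_RE = re.compile(r"^[0-9a-f]{32}$")

# Context example from the page, reused as sample input for parse_scan_result.
SAMPLE_CONTEXT = {"PaloAltoNetworksXDR": {"endpointScan": {"aborted": True, "actionId": 4205}}}


def _as_list(value: Any) -> List[str]:
    """Accept a comma-separated string or an iterable; return trimmed items."""
    if isinstance(value, str):
        return [v.strip() for v in value.split(",") if v.strip()]
    return [str(v).strip() for v in value]


def _render(name: str, value: Any) -> str:
    """Validate one argument against the Input table and return its CLI text."""
    if name in TIMESTAMP_ARGS:
        if isinstance(value, bool) or not isinstance(value, int) or value < 0:
            raise ValueError(f"{name} must be a non-negative epoch timestamp in milliseconds")
        return str(value)
    if name == "platform" and value not in PLATFORMS:
        raise ValueError(f"platform must be one of {sorted(PLATFORMS)}")
    if name == "isolate" and value not in ISOLATE_VALUES:
        raise ValueError(f"isolate must be one of {sorted(ISOLATE_VALUES)}")
    if name == "endpoint_id_list":
        ids = _as_list(value)
        bad = [i for i in ids if not ENDPOINT_ID_RE.match(i)]
        if bad:
            raise ValueError(f"malformed endpoint id(s): {bad}")
        return ",".join(ids)
    if name == "ip_list":
        ips = _as_list(value)
        for ip in ips:
            ipaddress.ip_address(ip)  # raises ValueError for anything that is not an IP
        return ",".join(ips)
    text = str(value)
    # Quote free-text values (alias, hostname, ...) that contain whitespace.
    return f'"{text}"' if re.search(r"\s", text) else text


def build_scan_command(command: str, args: Dict[str, Any], *, confirm_all: bool = False) -> str:
    """Return the XSOAR command line, or raise ValueError for invalid or unconfirmed input."""
    if command not in COMMANDS:
        raise ValueError(f"unsupported command: {command}")
    unknown = set(args) - set(ARG_ORDER) - {"all"}
    if unknown:
        raise ValueError(f"unknown argument(s): {sorted(unknown)}")
    selectors = {k: v for k, v in args.items() if k != "all" and v not in (None, "", [])}
    scan_all = str(args.get("all", "false")).lower() == "true"
    if scan_all:
        # Caller-side policy (assumption, not enforced by the integration): the
        # tenant-wide form must be explicit and is never mixed with selectors.
        if selectors:
            raise ValueError("all=true cannot be combined with endpoint selectors")
        if not confirm_all:
            raise ValueError("all=true reaches every endpoint; pass confirm_all=True to allow it")
        return f"!{command} all=true"
    if not selectors:
        raise ValueError("at least one endpoint selector is required when all is false")
    parts = [f"!{command}"] + [f"{n}={_render(n, selectors[n])}" for n in ARG_ORDER if n in selectors]
    return " ".join(parts)


def scan_command_rejected(command: str, args: Dict[str, Any], **kwargs: Any) -> bool:
    """True when build_scan_command refuses the input (usable as a playbook guard)."""
    try:
        build_scan_command(command, args, **kwargs)
    except ValueError:
        return True
    return False


def parse_scan_result(context: Dict[str, Any]) -> Tuple[int, bool]:
    """Read (actionId, aborted) from the PaloAltoNetworksXDR.endpointScan context path."""
    scan = context["PaloAltoNetworksXDR"]["endpointScan"]
    return int(scan["actionId"]), bool(scan["aborted"])
```

With the page's own example input, `build_scan_command("xdr-endpoint-scan", {"endpoint_id_list": ["12386310665d413a958926fce5b794b3"]})` reproduces the command line shown under Command Example, and `parse_scan_result(SAMPLE_CONTEXT)` returns `(4205, True)`. The `confirm_all` keyword is the only way to emit the all=true form, which keeps an accidental tenant-wide scan from being one typo away in a playbook input.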

35. endpoint#


Returns information about an endpoint.

Base Command#

endpoint

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| id | Endpoint ID. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Endpoint.Hostname | String | The endpoint's hostname. |
| Endpoint.OS | String | The endpoint's operating system. |
| Endpoint.IPAddress | String | The endpoint's IP address. |
| Endpoint.ID | String | The endpoint's ID. |
| Endpoint.Status | String | The endpoint's status. |
| Endpoint.IsIsolated | String | The endpoint's isolation status. |
| Endpoint.MACAddress | String | The endpoint's MAC address. |
| Endpoint.Vendor | String | The integration name of the endpoint vendor. |

Command Example#

!endpoint id=15dbb9d5fe9f61eb46e829d986

Context Example#

{
    "Endpoint": {
        "Hostname": "Hostname",
        "ID": "15dbb9d5fe9f61eb46e829d986",
        "IPAddress": "1.1.1.1",
        "OS": "Windows",
        "Status": "Online",
        "Domain": "WORK",
        "IsIsolated": "No",
        "Vendor": "Cortex XDR - IR"
    }
}

Human Readable Output#

Endpoints#

| ID | IP | OS | Hostname | Status | Domain | IsIsolated | Vendor |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 15dbb9d8f06b45fe9f61eb46e829d986 | 1.1.1.1 | Windows | Hostname | Online | WORK | No | Cortex XDR - IR |

36. xdr-get-script-metadata#


Gets the full definition of a specific script in the scripts library.

Base Command#

xdr-get-script-metadata

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| script_uid | Unique identifier of the script, returned by the xdr-get-scripts command. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PaloAltoNetworksXDR.ScriptMetadata | Unknown | The script metadata command results. |
| PaloAltoNetworksXDR.ScriptMetadata.script_id | number | Script ID. |
| PaloAltoNetworksXDR.ScriptMetadata.name | string | Script name. |
| PaloAltoNetworksXDR.ScriptMetadata.description | string | Script description. |
| PaloAltoNetworksXDR.ScriptMetadata.modification_date | unknown | Timestamp of when the script was last modified. |
| PaloAltoNetworksXDR.ScriptMetadata.created_by | string | Name of the user who created the script. |
| PaloAltoNetworksXDR.ScriptMetadata.is_high_risk | boolean | Whether the script has a high-risk outcome. |
| PaloAltoNetworksXDR.ScriptMetadata.windows_supported | boolean | Whether the script can be executed on a Windows operating system. |
| PaloAltoNetworksXDR.ScriptMetadata.linux_supported | boolean | Whether the script can be executed on a Linux operating system. |
| PaloAltoNetworksXDR.ScriptMetadata.macos_supported | boolean | Whether the script can be executed on a Mac operating system. |
| PaloAltoNetworksXDR.ScriptMetadata.entry_point | string | Name of the entry point selected for the script. An empty string indicates that the script is defined as just run. |
| PaloAltoNetworksXDR.ScriptMetadata.script_input | string | Name and type for the specified entry point. |
| PaloAltoNetworksXDR.ScriptMetadata.script_output_type | string | Type of the output. |
| PaloAltoNetworksXDR.ScriptMetadata.script_output_dictionary_definitions | Unknown | If the script_output_type is a dictionary, an array with friendly name, name, and type for each output. |

Command Example#

Human Readable Output#

Script Metadata#

| Created By | Description | Entry Point | Is High Risk | Linux Supported | Macos Supported | Modification Date | Modification Date Timestamp | Name | Script Id | Script Input | Script Output Type | Script Uid | Windows Supported |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Palo Alto Networks | Kill all processes with a CPU usage higher than specified | run | true | true | true | 2020-04-21T11:01:32 | 1587466892247 | process_kill_cpu | 6 | {'name': 'CPU_treshold', 'type': 'number'} | number | 3d928a24f61cd3c1116544900c424098 | true |

36. xdr-blacklist-files#


Blacklists requested files which have not already been blacklisted or whitelisted.

Base Command#

xdr-blacklist-files

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| hash_list | List of file hashes to blacklist. Each must be a valid SHA256 hash. | Required |
| comment | Additional information regarding the action. | Optional |

Context Output#

There is no context output for this command.

Command Example#

!xdr-blacklist-files hash_list=3d928a24f61cd3c1116544900c424098

37. xdr-whitelist-files#


Whitelists requested files which have not already been blacklisted or whitelisted.

Base Command#

xdr-whitelist-files

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| hash_list | List of file hashes to whitelist. Each must be a valid SHA256 hash. | Required |
| comment | Additional information regarding the action. | Optional |

Context Output#

There is no context output for this command.

Command Example#

!xdr-whitelist-files hash_list=3d928a24f61cd3c1116544900c424098

38. xdr-quarantine-files#


Quarantines a file on selected endpoints. You can select up to 1000 endpoints.

Base Command#

xdr-quarantine-files

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| endpoint_id_list | List of endpoint IDs. | Required |
| file_path | Path of the file you want to quarantine. | Required |
| file_hash | Hash of the file. Must be a valid SHA256 hash. | Required |

Context Output#

There is no context output for this command.

Command Example#

!xdr-quarantine-files endpoint_id_list=f8a2f58846b542579c12090652e79f3d file_hash=55f8718109829bf506b09d8af615b9f107a266e19f7a311039d1035f180b22d4 file_path=/home/ec2-user/test_file.t

Human Readable Output#

Quarantine files#

| Endpoint Id List | File Path | File Hash | Action Id |
| --- | --- | --- | --- |
| f8a2f58846b542579c12090652e79f3d | /home/ec2-user/test_file.txt | 55f8718109829bf506b09d8af615b9f107a266e19f7a311039d1035f180b22d4 | 4788 |
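xdr-blacklist-files, xdr-whitelist-files and xdr-quarantine-files all take a hash that must be a valid SHA256, and the quarantine command is additionally limited to 1000 endpoints per request. As an added example (not code from the integration or its documentation), the Python below normalises and validates the hash input before the command is built, so an MD5- or SHA1-length value is caught on the XSOAR side instead of being sent to the tenant, and enforces the endpoint cap for quarantine. The 32-hex-character endpoint ID shape is an assumption taken from this page's examples, not a documented format; the sample values are the ones from the command examples above.

```python
"""Input checks for xdr-blacklist-files, xdr-whitelist-files and xdr-quarantine-files.

Added example; not part of the Cortex XDR - IR integration. It normalises the
SHA256 list that all three commands require, enforces the 1000-endpoint limit
stated for xdr-quarantine-files, and renders the XSOAR command line.
"""
import re
from typing import Any, Iterable, List, Optional, Union

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
# Endpoint IDs in the page's examples are 32 hex characters (assumption).
ENDPOINT_ID_RE = re.compile(r"^[0-9a-f]{32}$")
MAX_QUARANTINE_ENDPOINTS = 1000  # limit stated in the xdr-quarantine-files description
LIST_COMMANDS = {"blacklist": "xdr-blacklist-files", "whitelist": "xdr-whitelist-files"}

# Values from the page's command examples, reused here as sample input.
SAMPLE_ENDPOINT = "f8a2f58846b542579c12090652e79f3d"
SAMPLE_SHA256 = "55f8718109829bf506b09d8af615b9f107a266e19f7a311039d1035f180b22d4"
SAMPLE_PATH = "/home/ec2-user/test_file.txt"


def _as_list(value: Union[str, Iterable[str]]) -> List[str]:
    """Accept a comma-separated string or an iterable; return trimmed items."""
    if isinstance(value, str):
        return [v.strip() for v in value.split(",") if v.strip()]
    return [str(v).strip() for v in value]


def is_valid_sha256(value: str) -> bool:
    """True for exactly 64 hex characters (case-insensitive); false for MD5/SHA1 lengths."""
    return bool(SHA256_RE.match(value.strip().lower()))


def normalize_sha256_list(hash_list: Union[str, Iterable[str]]) -> List[str]:
    """Lower-case, de-duplicate (order kept) and validate every entry in hash_list."""
    seen: List[str] = []
    for raw in _as_list(hash_list):
        digest = raw.lower()
        if not SHA256_RE.match(digest):
            raise ValueError(f"not a SHA256 hash: {raw!r}")
        if digest not in seen:
            seen.append(digest)
    if not seen:
        raise ValueError("hash_list is empty")
    return seen


def _quote(text: str) -> str:
    """Quote a free-text argument that contains whitespace; reject multi-line values."""
    if "\n" in text or "\r" in text:
        raise ValueError("argument values must be single-line")
    return f'"{text}"' if re.search(r"\s", text) else text


def build_file_list_command(action: str, hash_list: Union[str, Iterable[str]],
                            comment: Optional[str] = None) -> str:
    """Render !xdr-blacklist-files or !xdr-whitelist-files with a validated hash_list."""
    if action not in LIST_COMMANDS:
        raise ValueError(f"action must be one of {sorted(LIST_COMMANDS)}")
    line = f"!{LIST_COMMANDS[action]} hash_list={','.join(normalize_sha256_list(hash_list))}"
    if comment:
        line += f" comment={_quote(comment)}"
    return line


def build_quarantine_command(endpoint_id_list: Union[str, Iterable[str]],
                             file_path: str, file_hash: str) -> str:
    """Render !xdr-quarantine-files, enforcing the endpoint cap and hash/path shape."""
    ids = _as_list(endpoint_id_list)
    if not ids:
        raise ValueError("endpoint_id_list is empty")
    if len(ids) > MAX_QUARANTINE_ENDPOINTS:
        raise ValueError(f"at most {MAX_QUARANTINE_ENDPOINTS} endpoints per request, got {len(ids)}")
    bad = [i for i in ids if not ENDPOINT_ID_RE.match(i)]
    if bad:
        raise ValueError(f"malformed endpoint id(s): {bad[:3]}")
    hashes = normalize_sha256_list(file_hash)
    if len(hashes) != 1:
        raise ValueError("file_hash must be exactly one SHA256 hash")
    if not file_path.strip():
        raise ValueError("file_path is required")
    return (f"!xdr-quarantine-files endpoint_id_list={','.join(ids)} "
            f"file_path={_quote(file_path)} file_hash={hashes[0]}")


def rejected(fn: Any, *args: Any, **kwargs: Any) -> bool:
    """True when the given builder raises ValueError for the input."""
    try:
        fn(*args, **kwargs)
    except ValueError:
        return True
    return False
```

`normalize_sha256_list` is deliberately strict: a 32-character value (the length of an MD5 digest) is rejected rather than passed through, because the XDR side requires SHA256 for these three commands and a silently accepted wrong-length hash would produce a block or quarantine entry that never matches anything.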

39. xdr-get-quarantine-status#


Retrieves the quarantine status for a selected file.

Base Command#

xdr-get-quarantine-status

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| endpoint_id | The endpoint ID. | Required |
| file_hash | The file hash. Must be a valid SHA256 hash. | Required |
| file_path | The file path. | Required |

Context Output#

There is no context output for this command.

Command Example#

!xdr-get-quarantine-status endpoint_id=f8a2f58846b542579c12090652e79f3d file_hash=55f8718109829bf506b09d8af615b9f107a266e19f7a311039d1035f180b22d4 file_path=/home/ec2-user/test_file.txt

Human Readable Output#

Quarantine files#

| Status | Endpoint Id | File Path | File Hash |
| --- | --- | --- | --- |
| false | f8a2f58846b542579c12090652e79f3d | /home/ec2-user/test_file.txt | 55f8718109829bf506b09d8af615b9f107a266e19f7a311039d1035f180b22d4 |

40. xdr-restore-file#


Restores a quarantined file on requested endpoints.

Base Command#

xdr-restore-file

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| file_hash | The file hash. Must be a valid SHA256 hash. | Required |
| endpoint_id | The endpoint ID. If you do not enter a specific endpoint ID, the request restores the file on all endpoints that relate to the quarantined file you defined. | Optional |

Context Output#

There is no context output for this command.

Command Example#

!xdr-restore-file file_hash=55f8718109829bf506b09d8af615b9f107a266e19f7a311039d1035f180b22d4