Palo Alto Networks Cortex XDR - Investigation and Response
Overview#
Cortex XDR is the world's first detection and response app that natively integrates network, endpoint, and cloud data to stop sophisticated attacks. This integration was integrated and tested with version 2.6.5 of Cortex XDR - IR.
Playbooks#
Cortex XDR Incident Handling#
The playbook syncs and updates new XDR alerts that construct the incident. It enriches indicators using Threat Intelligence integrations and Palo Alto Networks AutoFocus. The incident's severity is then updated based on the indicators reputation and an analyst is assigned for manual investigation. If chosen, automated remediation with Palo Alto Networks FireWall is initiated. After a manual review by the SOC analyst, the XDR incident is closed automatically.
Use Cases#
- Fetch incidents from XDR
- Enrich incident with alerts and incident from XDR
- Update incident in XDR
- Search for endpoints
- Isolate/unisolate endpoints
- Insert parsed alerts into XDR
- Insert CEF alerts into XDR
- Query for agent audit reports
- Query for audit management logs
- Create distribution
- Get distribution download URL
- Get distribution versions
Automation#
To sync incidents between Cortex XSOAR and Cortex XDR, you should use the XDRSyncScript script, which you can find in the automation page.
Configuration#
You need to collect several pieces of information in order to configure the integration on Cortex XSOAR.
Generate an API Key and API Key ID#
- In your Cortex XDR platform, go to Settings.
- Click the +New Key button in the top right corner.
- Generate a key of type Advanced.
- Copy and paste the key.
- From the ID column, copy the Key ID.
URL#
- In your Cortex XDR platform, go to Settings.
- Click the Copy URL button in the top right corner.
Configure integration parameters#
- Navigate to Settings > Integrations > Servers & Services.
- Search for Cortex XDR - IR.
- Click Add instance to create and configure a new integration instance.
- Name: a textual name for the integration instance.
- Fetch incidents
- Incident type
- Server URL (copy URL from XDR - click ? to see more info.)
- API Key ID
- API Key
- Maximum number of incidents per fetch
- First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days)
- HTTP Timeout (default is 120 seconds)
- Fetch incident alerts and artifacts
- First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days)
- Incidend Mirroring Direction
- Sync Incident Owners
- Trust any certificate (not secure)
- Use system proxy settings
- Incident Statuses to Fetch
- Click Test to validate the URLs, token, and connection.
Fetched Incidents Data#
- Note: By checking the Fetch incident alerts and artifacts integration configuration parameter, fetched incidents will include additional data.
XDR Incident Mirroring#
Note this feature is available from Cortex XSOAR version 6.0.0
You can enable incident mirroring between Cortex XSOAR incidents and Cortex XDR incidents. To setup the mirroring follow these instructions:
- Navigate to Settings > Integrations > Servers & Services.
- Search for Cortex XDR - IR and select your integration instance.
- Enable Fetches incidents.
- In the Incident Mirroring Direction integration parameter, select in which direction the incidents should be mirrored:
- Incoming - Any changes in XDR incidents will be reflected in XSOAR incidents.
- Outgoing - Any changes in XSOAR incidents will be reflected in XDR incidents.
- Both - Changes in XSOAR and XDR incidents will be reflected in both directions.
- None - Choose this to turn off incident mirroring.
- Optional: Check the Sync Incident Owners integration parameter to sync the incident owners in both XDR and XSOAR.
- Note: This feature will only work if the same users are registered in both Cortex XSOAR and Cortex XDR.
- Newly fetched incidents will be mirrored in the chosen direction.
- Note: This will not effect existing incidents.
XDR Mirroring Notes, limitations and Troubleshooting#
While you can mirror changes in incident fields both in and out in each incident, you can only mirror in a single direction at a time. For example: If we have an incident with two fields (A and B) in XDR and XSOAR while Incoming And Outgoing mirroring is selected:
- I can mirror field A from XDR to XSOAR and field B from XSOAR to XDR.
- I cannot mirror changes from field A in both directions.
Initially all fields are mirrored in from XDR to XSOAR. Once they are changed in XSOAR, they can only be mirrored out.
Do not use the
XDRSyncScriptautomation nor any playbook that uses this automation (e.gCortex XDR Incident SyncorCortex XDR incident handling v2), as it impairs the mirroring functionality.When migrating an existing instance to the mirroring feature, or in case the mirroring does not work as expected, make sure that:
- The default playbook of the Cortex XDR Incident incident type is not Cortex XDR Incident Sync, change it to a
different playbook that does not use
XDRSyncScript. - The XDR integration instance incoming mapper is set to
Cortex XDR - Incoming Mapperand the outgoing mapper is set toCortex XDR - Outgoing Mapper.
- The default playbook of the Cortex XDR Incident incident type is not Cortex XDR Incident Sync, change it to a
different playbook that does not use
The API includes a limit rate of 10 API requests per minute. Therefore, in a case of a limit rate exception, the sync loop will stop and will resume from the last incident.
Commands#
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
1. xdr-get-incidents#
Returns a list of incidents, which you can filter by a list of incident IDs (max. 100), the time the incident was last modified, and the time the incident was created. If you pass multiple filtering arguments, they will be concatenated using the AND condition. The OR condition is not supported. This command requires at least one query argument.
Base Command#
xdr-get-incidents
Input#
| Argument Name | Description | Required |
|---|---|---|
| lte_creation_time | Time format 2019-12-31T23:59:00. | Optional |
| gte_creation_time | Returned incidents that were created on or after the specified date/time, in the format 2019-12-31T23:59:00. | Optional |
| lte_modification_time | Filters returned incidents that were created on or before the specified date/time, in the format 2019-12-31T23:59:00. | Optional |
| gte_modification_time | Filters returned incidents that were modified on or after the specified date/time, in the format 2019-12-31T23:59:00. | Optional |
| incident_id_list | An array or CSV string of incident IDs. | Optional |
| since_creation_time | Filters returned incidents that were created on or after the specified date/time range, for example, 1 month, 2 days, 1 hour, and so on. | Optional |
| since_modification_time | Filters returned incidents that were modified on or after the specified date/time range, for example, 1 month, 2 days, 1 hour, and so on. | Optional |
| sort_by_modification_time | Sorts returned incidents by the date/time that the incident was last modified ("asc" - ascending, "desc" - descending). | Optional |
| sort_by_creation_time | Sorts returned incidents by the date/time that the incident was created ("asc" - ascending, "desc" - descending). | Optional |
| page | Page number (for pagination). The default is 0 (the first page). | Optional |
| limit | Maximum number of incidents to return per page. The default and maximum is 100. | Optional |
| status | Filters only incidents in the specified status. The options are: new, under_investigation, resolved_threat_handled, resolved_known_issue, resolved_false_positive, resolved_other, resolved_auto | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| PaloAltoNetworksXDR.Incident.incident_id | String | Unique ID assigned to each returned incident. |
| PaloAltoNetworksXDR.Incident.manual_severity | String | Incident severity assigned by the user. This does not affect the calculated severity. Can be "low","medium","high" |
| PaloAltoNetworksXDR.Incident.manual_description | String | Incident description provided by the user. |
| PaloAltoNetworksXDR.Incident.assigned_user_mail | String | Email address of the assigned user. |
| PaloAltoNetworksXDR.Incident.high_severity_alert_count | String | Number of alerts with the severity HIGH. |
| PaloAltoNetworksXDR.Incident.host_count | number | Number of hosts involved in the incident. |
| PaloAltoNetworksXDR.Incident.xdr_url | String | A link to the incident view on XDR. |
| PaloAltoNetworksXDR.Incident.assigned_user_pretty_name | String | Full name of the user assigned to the incident. |
| PaloAltoNetworksXDR.Incident.alert_count | number | Total number of alerts in the incident. |
| PaloAltoNetworksXDR.Incident.med_severity_alert_count | number | Number of alerts with the severity MEDIUM. |
| PaloAltoNetworksXDR.Incident.user_count | number | Number of users involved in the incident. |
| PaloAltoNetworksXDR.Incident.severity | String | Calculated severity of the incident. Can be "low", "medium", or "high". |
| PaloAltoNetworksXDR.Incident.low_severity_alert_count | String | Number of alerts with the severity LOW. |
| PaloAltoNetworksXDR.Incident.status | String | Current status of the incident. Can be "new", "under_investigation", "resolved_threat_handled", "resolved_known_issue", "resolved_duplicate", "resolved_false_positive", or "resolved_other". |
| PaloAltoNetworksXDR.Incident.description | String | Dynamic calculated description of the incident. |
| PaloAltoNetworksXDR.Incident.resolve_comment | String | Comments entered by the user when the incident was resolved. |
| PaloAltoNetworksXDR.Incident.notes | String | Comments entered by the user regarding the incident. |
| PaloAltoNetworksXDR.Incident.creation_time | date | Date and time the incident was created on XDR. |
| PaloAltoNetworksXDR.Incident.detection_time | date | Date and time that the first alert occurred in the incident. |
| PaloAltoNetworksXDR.Incident.modification_time | date | Date and time that the incident was last modified. |
Command Example#
!xdr-get-incidents gte_creation_time=2010-10-10T00:00:00 limit=3 sort_by_creation_time=desc
Context Example#
Human Readable Output#
Incidents#
alert_count assigned_user_mail assigned_user_pretty_name creation_time description detection_time high_severity_alert_count host_count incident_id low_severity_alert_count manual_description manual_severity med_severity_alert_count modification_time notes resolve_comment severity starred status user_count xdr_url 5 1577276587937 5 'This alert from content TestXDRPlaybook' alerts detected by Checkpoint - SandBlast 4 1 4 0 medium 1 1579290004178 This issue was solved in Incident number 192304 medium false new 1 https://some.xdr.url.com/incident-view/41 woo@demisto.com woo@demisto.com 1576100096594 'test 1' generated by Virus Total - Firewall 1 1 3 0 medium 0 1579237974014 medium false new 1 https://some.xdr.url.com/incident-view/32 1576062816474 'Alert Name Example 333' along with 1 other alert generated by Virus Total - VPN & Firewall-3 and Checkpoint - SandBlast 2 1 2 0 high 0 1579288790259 high false under_investigation 1 https://some.xdr.url.com/incident-view/2
2. xdr-get-incident-extra-data#
Returns additional data for the specified incident, for example, related alerts, file artifacts, network artifacts, and so on.
Base Command#
xdr-get-incident-extra-data
Input#
| Argument Name | Description | Required |
|---|---|---|
| incident_id | The ID of the incident for which to get additional data. | Required |
| alerts_limit | Maximum number of alerts to return. Default is 1,000. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| PaloAltoNetworksXDR.Incident.incident_id | String | Unique ID assigned to each returned incident. |
| PaloAltoNetworksXDR.Incident.creation_time | Date | Date and time the incident was created on XDR. |
| PaloAltoNetworksXDR.Incident.modification_time | Date | Date and time that the incident was last modified. |
| PaloAltoNetworksXDR.Incident.detection_time | Date | Date and time that the first alert occurred in the incident. |
| PaloAltoNetworksXDR.Incident.status | String | Current status of the incident. Valid values are: |
| "new","under_investigation","resolved_threat_handled","resolved_known_issue","resolved_duplicate","resolved_false_positive","resolved_other" | ||
| PaloAltoNetworksXDR.Incident.severity | String | Calculated severity of the incident. Valid values are: "low","medium","high" |
| PaloAltoNetworksXDR.Incident.description | String | Dynamic calculated description of the incident. |
| PaloAltoNetworksXDR.Incident.assigned_user_mail | String | Email address of the assigned user. |
| PaloAltoNetworksXDR.Incident.assigned_user_pretty_name | String | Full name of the user assigned to the incident. |
| PaloAltoNetworksXDR.Incident.alert_count | Number | Total number of alerts in the incident. |
| PaloAltoNetworksXDR.Incident.low_severity_alert_count | Number | Number of alerts with the severity LOW. |
| PaloAltoNetworksXDR.Incident.med_severity_alert_count | Number | Number of alerts with the severity MEDIUM. |
| PaloAltoNetworksXDR.Incident.high_severity_alert_count | Number | Number of alerts with the severity HIGH. |
| PaloAltoNetworksXDR.Incident.user_count | Number | Number of users involved in the incident. |
| PaloAltoNetworksXDR.Incident.host_count | Number | Number of hosts involved in the incident |
| PaloAltoNetworksXDR.Incident.notes | Unknown | Comments entered by the user regarding the incident. |
| PaloAltoNetworksXDR.Incident.resolve_comment | String | Comments entered by the user when the incident was resolved. |
| PaloAltoNetworksXDR.Incident.manual_severity | String | Incident severity assigned by the user. This does not affect the calculated severity of low, medium, or high. |
| PaloAltoNetworksXDR.Incident.manual_description | String | Incident description provided by the user. |
| PaloAltoNetworksXDR.Incident.xdr_url | String | A link to the incident view on XDR. |
| PaloAltoNetworksXDR.Incident.starred | Boolean | Incident starred. |
| PaloAltoNetworksXDR.Incident.wildfire_hits.mitre_techniques_ids_and_names | String | Incident Mitre techniques ids and names. |
| PaloAltoNetworksXDR.Incident.wildfire_hits.mitre_tactics_ids_and_names | String | Incident Mitre tactics ids and names. |
| PaloAltoNetworksXDR.Incident.alerts.alert_id | String | Unique ID for each alert. |
| PaloAltoNetworksXDR.Incident.alerts.detection_timestamp | Date | Date and time that the alert occurred. |
| PaloAltoNetworksXDR.Incident.alerts.source | String | Source of the alert. The product/vendor this alert came from. |
| PaloAltoNetworksXDR.Incident.alerts.severity | String | Severity of the alert.Valid values are: "low","medium","high""" |
| PaloAltoNetworksXDR.Incident.alerts.name | String | Calculated name of the alert. |
| PaloAltoNetworksXDR.Incident.alerts.category | String | Category of the alert, for example, Spyware Detected via Anti-Spyware profile. |
| PaloAltoNetworksXDR.Incident.alerts.description | String | Textual description of the alert. |
| PaloAltoNetworksXDR.Incident.alerts.host_ip_list | Unknown | Host IP involved in the alert. |
| PaloAltoNetworksXDR.Incident.alerts.host_name | String | Host name involved in the alert. |
| PaloAltoNetworksXDR.Incident.alerts.user_name | String | User name involved with the alert. |
| PaloAltoNetworksXDR.Incident.alerts.event_type | String | Event type. Valid values are: "Process Execution","Network Event","File Event","Registry Event","Injection Event","Load Image Event","Windows Event Log" |
| PaloAltoNetworksXDR.Incident.alerts.action | String | The action that triggered the alert. Valid values are: "REPORTED", "BLOCKED", "POST_DETECTED", "SCANNED", "DOWNLOAD", "PROMPT_ALLOW", "PROMPT_BLOCK", "DETECTED", "BLOCKED_1", "BLOCKED_2", "BLOCKED_3", "BLOCKED_5", "BLOCKED_6", "BLOCKED_7", "BLOCKED_8", "BLOCKED_9", "BLOCKED_10", "BLOCKED_11", "BLOCKED_13", "BLOCKED_14", "BLOCKED_15", "BLOCKED_16", "BLOCKED_17", "BLOCKED_24", "BLOCKED_25", "DETECTED_0", "DETECTED_4", "DETECTED_18", "DETECTED_19", "DETECTED_20", "DETECTED_21", "DETECTED_22", "DETECTED_23" |
| PaloAltoNetworksXDR.Incident.alerts.action_pretty | String | The action that triggered the alert. Valid values are: "Detected (Reported)" "Prevented (Blocked)" "Detected (Post Detected)" "Detected (Scanned)" "Detected (Download)" "Detected (Prompt Allow)" "Prevented (Prompt Block)" "Detected" "Prevented (Denied The Session)" "Prevented (Dropped The Session)" "Prevented (Dropped The Session And Sent a TCP Reset)" "Prevented (Blocked The URL)" "Prevented (Blocked The IP)" "Prevented (Dropped The Packet)" "Prevented (Dropped All Packets)" "Prevented (Terminated The Session And Sent a TCP Reset To Both Sides Of The Connection)" "Prevented (Terminated The Session And Sent a TCP Reset To The Client)" "Prevented (Terminated The Session And Sent a TCP Reset To The Server)" "Prevented (Continue)" "Prevented (Block-Override)" "Prevented (Override-Lockout)" "Prevented (Override)" "Prevented (Random-Drop)" "Prevented (Silently Dropped The Session With An ICMP Unreachable Message To The Host Or Application)" "Prevented (Block)" "Detected (Allowed The Session)" "Detected (Raised An Alert)" "Detected (Syncookie Sent)" "Detected (Forward)" "Detected (Wildfire Upload Success)" "Detected (Wildfire Upload Failure)" "Detected (Wildfire Upload Skip)" "Detected (Sinkhole)" |
| PaloAltoNetworksXDR.Incident.alerts.actor_process_image_name | String | Image name. |
| PaloAltoNetworksXDR.Incident.alerts.actor_process_command_line | String | Command line. |
| PaloAltoNetworksXDR.Incident.alerts.actor_process_signature_status | String | Signature status. Valid values are: "Signed" "Invalid Signature" "Unsigned" "Revoked" "Signature Fail" "N/A" "Weak Hash". |
| PaloAltoNetworksXDR.Incident.alerts.actor_process_signature_vendor | String | Singature vendor name. |
| PaloAltoNetworksXDR.Incident.alerts.causality_actor_process_image_name | String | Image name. |
| PaloAltoNetworksXDR.Incident.alerts.causality_actor_process_command_line | String | Command line. |
| PaloAltoNetworksXDR.Incident.alerts.causality_actor_process_signature_status | String | Signature status. Valid values are: "Signed" "Invalid Signature" "Unsigned" "Revoked" "Signature Fail" "N/A" "Weak Hash" |
| PaloAltoNetworksXDR.Incident.alerts.causality_actor_process_signature_vendor | String | Signature vendor. |
| PaloAltoNetworksXDR.Incident.alerts.causality_actor_causality_id | Unknown | Causality id. |
| PaloAltoNetworksXDR.Incident.alerts.action_process_image_name | String | Image name. |
| PaloAltoNetworksXDR.Incident.alerts.action_process_image_command_line | String | Command line. |
| PaloAltoNetworksXDR.Incident.alerts.action_process_image_sha256 | String | Image SHA256. |
| PaloAltoNetworksXDR.Incident.alerts.action_process_signature_status | String | Signature status. Valid values are: "Signed" "Invalid Signature" "Unsigned" "Revoked" "Signature Fail" "N/A" "Weak Hash" |
| PaloAltoNetworksXDR.Incident.alerts.action_process_signature_vendor | String | Signature vendor name. |
| PaloAltoNetworksXDR.Incident.alerts.action_file_path | String | File path. |
| PaloAltoNetworksXDR.Incident.alerts.action_file_md5 | String | File MD5. |
| PaloAltoNetworksXDR.Incident.alerts.action_file_sha256 | String | File SHA256. |
| PaloAltoNetworksXDR.Incident.alerts.action_registry_data | String | Registry data. |
| PaloAltoNetworksXDR.Incident.alerts.action_registry_full_key | String | Registry full key. |
| PaloAltoNetworksXDR.Incident.alerts.action_local_ip | String | Local IP. |
| PaloAltoNetworksXDR.Incident.alerts.action_local_port | Number | Local port. |
| PaloAltoNetworksXDR.Incident.alerts.action_remote_ip | String | Remote IP. |
| PaloAltoNetworksXDR.Incident.alerts.action_remote_port | Number | Remote port. |
| PaloAltoNetworksXDR.Incident.alerts.action_external_hostname | String | External hostname. |
| PaloAltoNetworksXDR.Incident.alerts.fw_app_id | Unknown | Firewall app id. |
| PaloAltoNetworksXDR.Incident.alerts.is_whitelisted | String | Is the alert whitelisted. Valid values are: "Yes" "No" |
| PaloAltoNetworksXDR.Incident.alerts.starred | Boolean | Alert starred. |
| PaloAltoNetworksXDR.Incident.network_artifacts.type | String | Network artifact type. |
| PaloAltoNetworksXDR.Incident.network_artifacts.network_remote_port | number | The remote port related to the artifact. |
| PaloAltoNetworksXDR.Incident.network_artifacts.alert_count | number | Number of alerts related to the artifact. |
| PaloAltoNetworksXDR.Incident.network_artifacts.network_remote_ip | String | The remote IP related to the artifact. |
| PaloAltoNetworksXDR.Incident.network_artifacts.is_manual | boolean | Whether the artifact was created by the user (manually). |
| PaloAltoNetworksXDR.Incident.network_artifacts.network_domain | String | The domain related to the artifact. |
| PaloAltoNetworksXDR.Incident.network_artifacts.type | String | The artifact type. Valid values are: "META", "GID", "CID", "HASH", "IP", "DOMAIN", "REGISTRY", "HOSTNAME" |
| PaloAltoNetworksXDR.Incident.network_artifacts.network_country | String | The country related to the artifact. |
| PaloAltoNetworksXDR.Incident.file_artifacts.file_signature_status | String | Digital signature status of the file. Valid values are: "SIGNATURE_UNAVAILABLE" "SIGNATURE_SIGNED" "SIGNATURE_INVALID" "SIGNATURE_UNSIGNED" "SIGNATURE_WEAK_HASH" |
| PaloAltoNetworksXDR.Incident.file_artifacts.is_process | boolean | Whether the file artifact is related to a process execution. |
| PaloAltoNetworksXDR.Incident.file_artifacts.file_name | String | Name of the file. |
| PaloAltoNetworksXDR.Incident.file_artifacts.file_wildfire_verdict | String | The file verdict, calculated by Wildfire. Valid values are: "BENIGN" "MALWARE" "GRAYWARE" "PHISING" "UNKNOWN". |
| PaloAltoNetworksXDR.Incident.file_artifacts.alert_count | number | Number of alerts related to the artifact. |
| PaloAltoNetworksXDR.Incident.file_artifacts.is_malicious | boolean | Whether the artifact is malicious, as decided by the Wildfire verdict. |
| PaloAltoNetworksXDR.Incident.file_artifacts.is_manual | boolean | Whether the artifact was created by the user (manually). |
| PaloAltoNetworksXDR.Incident.file_artifacts.type | String | The artifact type. Valid values are: "META" "GID" "CID" "HASH" "IP" "DOMAIN" "REGISTRY" "HOSTNAME" |
| PaloAltoNetworksXDR.Incident.file_artifacts.file_sha256 | String | SHA-256 hash of the file. |
| PaloAltoNetworksXDR.Incident.file_artifacts.file_signature_vendor_name | String | File signature vendor name. |
| Account.Username | String | The username in the relevant system. |
| Endpoint.Hostname | String | The hostname that is mapped to this endpoint. |
| File.Path | String | The path where the file is located. |
| File.MD5 | String | The MD5 hash of the file. |
| File.SHA256 | String | The SHA256 hash of the file. |
| File.Name | String | The full file name (including file extension). |
| Process.Name | String | The name of the process. |
| Process.MD5 | String | The MD5 hash of the process. |
| Process.SHA256 | String | The SHA256 hash of the process. |
| Process.PID | String | The PID of the process. |
| Process.Path | String | The file system path to the binary file. |
| Process.Start Time | String | The timestamp of the process start time. |
| Process.CommandLine | String | The full command line (including arguments). |
| IP.Address | String | IP address. |
| IP.Geo.Country | String | The country in which the IP address is located. |
| Domain.Name | String | The domain name, for example: "google.com". |
Command Example#
!xdr-get-incident-extra-data incident_id=4 alerts_limit=10
Context Example#
Human Readable Output#
Incident 4#
alert_count assigned_user_mail assigned_user_pretty_name creation_time description detection_time high_severity_alert_count host_count incident_id low_severity_alert_count manual_description manual_severity med_severity_alert_count modification_time notes resolve_comment severity starred status user_count xdr_url 5 1577276587937 5 'This alert from content TestXDRPlaybook' alerts detected by Checkpoint - SandBlast 4 1 4 0 medium 1 1579290004178 This issue was solved in Incident number 192304 medium false new 1 https://some.xdr.url.com/incident-view/4Alerts#
action action_external_hostname action_file_md5 action_file_path action_file_sha256 action_local_ip action_local_port action_pretty action_process_image_command_line action_process_image_name action_process_image_sha256 action_process_signature_status action_process_signature_vendor action_registry_data action_registry_full_key action_remote_ip action_remote_port actor_process_command_line actor_process_image_name actor_process_signature_status actor_process_signature_vendor alert_id category causality_actor_causality_id causality_actor_process_command_line causality_actor_process_image_name causality_actor_process_signature_status causality_actor_process_signature_vendor description detection_timestamp event_type fw_app_id host_ip_list host_name is_whitelisted name severity source starred user_name VALUE_NA,
N/A196.168.0.1 7000 VALUE_NA,
N/AN/A N/A 2.2.2.2 8000 N/A N/A 6 N/A N/A Test - alert generated by Test XDR Playbook 1577276586921 Network Event No Test - alert generated by Test XDR Playbook medium Cisco - Sandblast false VALUE_NA,
N/A196.168.0.111 2000 VALUE_NA,
N/AN/A N/A 2.2.2.2 6000 N/A N/A 7 N/A N/A This alert from content TestXDRPlaybook description 1577776701589 Network Event No This alert from content TestXDRPlaybook high Checkpoint - SandBlast false VALUE_NA,
N/A196.168.0.111 2000 VALUE_NA,
N/AN/A N/A 2.2.2.2 6000 N/A N/A 8 N/A N/A This alert from content TestXDRPlaybook description 1577958479843 Network Event No This alert from content TestXDRPlaybook high Checkpoint - SandBlast false VALUE_NA,
N/A196.168.0.111 2000 VALUE_NA,
N/AN/A N/A 2.2.2.2 6000 N/A N/A 9 N/A N/A This alert from content TestXDRPlaybook description 1578123895414 Network Event No This alert from content TestXDRPlaybook high Checkpoint - SandBlast false VALUE_NA,
N/A196.168.0.111 2000 VALUE_NA,
N/AN/A N/A 2.2.2.2 6000 N/A N/A 10 N/A N/A This alert from content TestXDRPlaybook description 1578927443615 Network Event No This alert from content TestXDRPlaybook high Checkpoint - SandBlast false Network Artifacts#
alert_count is_manual network_country network_domain network_remote_ip network_remote_port type 5 false 2.2.2.2 8000 IP File Artifacts#
No entries.
3. xdr-update-incident#
Updates one or more fields of a specified incident. Missing fields will be ignored. To remove the assignment for an incident, pass a null value in assignee email argument.
Base Command#
xdr-update-incident
Input#
| Argument Name | Description | Required |
|---|---|---|
| incident_id | XDR incident ID. You can get the incident ID from the output of the 'xdr-get-incidents' command or the 'xdr-get-incident-extra-details' command. | Required |
| manual_severity | Severity to assign to the incident (LOW, MEDIUM, or HIGH). | Optional |
| assigned_user_mail | Email address of the user to assigned to the incident. | Optional |
| assigned_user_pretty_name | Full name of the user assigned to the incident. | Optional |
| status | Status of the incident (NEW, UNDER_INVESTIGATION, RESOLVED_THREAT_HANDLED, RESOLVED_KNOWN_ISSUE, RESOLVED_DUPLICATE, RESOLVED_FALSE_POSITIVE, RESOLVED_OTHER). | Optional |
| resolve_comment | Comment explaining why the incident was resolved. This should be set when the incident is resolved. | Optional |
| unassign_user | If true, will remove all assigned users from the incident. | Optional |
Context Output#
There is no context output for this command.
Command Example#
!xdr-update-incident incident_id="4" status="RESOLVED_KNOWN_ISSUE" resolve_comment="This issue was solved in Incident number 192304"
Human Readable Output#
Incident 4 has been updated
4. xdr-insert-parsed-alert#
Upload alert from external alert sources in Cortex XDR format. Cortex XDR displays alerts that are parsed successfully in related incidents and views. You can send 600 alerts per minute. Each request can contain a maximum of 60 alerts.
Base Command#
xdr-insert-parsed-alert
Input#
| Argument Name | Description | Required |
|---|---|---|
| product | String value that defines the product. | Required |
| vendor | String value that defines the product. | Required |
| local_ip | String value for the source IP address | Optional |
| local_port | Integer value for the source port. | Required |
| remote_ip | String value of the destination IP address. | Required |
| remote_port | Integer value for the destination port. | Required |
| event_timestamp | Integer value representing the epoch of the time the alert occurred in milliseconds or String value of date format 2019-10-23T10:00:00. If not set then the event time will be defined as now. | Optional |
| severity | String value of alert severity: Informational, Low, Medium or High | Optional |
| alert_name | String defining the alert name | Required |
| alert_description | String defining the alert description | Optional |
Context Output#
There is no context output for this command.
Command Example#
!xdr-insert-parsed-alert product="SandBlast" vendor="Checkpoint" local_ip="196.168.0.1" local_port="600" remote_ip="5.5.5.5" remote_port="500" event_timestamp="2020-01-01T00:00:00" severity="High" alert_name="some alert" alert_description="this is test alert"
Human Readable Output#
Alert inserted successfully
5. xdr-insert-cef-alerts#
Upload alerts in CEF format from external alert sources. After you map CEF alert fields to Cortex XDR fields, Cortex XDR displays the alerts in related incidents and views. You can send 600 requests per minute. Each request can contain a maximum of 60 alerts.
Base Command#
xdr-insert-cef-alerts
Input#
| Argument Name | Description | Required |
|---|---|---|
| cef_alerts | List of alerts in CEF format. | Required |
Context Output#
There is no context output for this command.
Command Example#
!xdr-insert-cef-alerts cef_alerts="CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|microsoft-ds|Unknown|act=AcceptdeviceDirection=0 rt=1569477512000 spt=56957 dpt=445 cs2Label=Rule Name cs2=ADPrimery layer_name=FW_Device_blackened Securitylayer_uuid=07693fc7-1a5c-4f31-8afe-77ae96c71b8c match_id=1806 parent_rule=0rule_action=Accept rule_uid=8e45f36b-d106-4d81-a1f0-9d1ed9a6be5c ifname=bond2logid=0 loguid={0x5d8c5388,0x61,0x29321fac,0xc0000022} origin=1.1.1.1originsicname=CN=DWdeviceBlackend,O=Blackend sequencenum=363 version=5dst=1.1.1.1 inzone=External outzone=Internal product=VPN-1 & FireWall-1 proto=6service_id=microsoft-ds src=1.1.1.1"
Human Readable Output#
Alerts inserted successfully
6. xdr-isolate-endpoint#
Isolates the specified endpoint.
Base Command#
xdr-isolate-endpoint
Input#
| Argument Name | Description | Required |
|---|---|---|
| endpoint_id | The endpoint ID (string) to isolate. You can retrieve the string from the xdr-get-endpoints | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| PaloAltoNetworksXDR.Isolation.endpoint_id | String | The endpoint ID. |
Command Example#
!xdr-isolate-endpoint endpoint_id="f8a2f58846b542579c12090652e79f3d"
Human Readable Output#
Endpoint f8a2f58846b542579c12090652e79f3d has isolated successfully
7. xdr-unisolate-endpoint#
Reverses the isolation of an endpoint.
Base Command#
xdr-unisolate-endpoint
Input#
| Argument Name | Description | Required |
|---|---|---|
| endpoint_id | The endpoint ID (string) for which to reverse the isolation. You can retrieve it from the xdr-get-endpoints | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| PaloAltoNetworksXDR.UnIsolation.endpoint_id | String | Isolates the specified endpoint. |
Command Example#
!xdr-unisolate-endpoint endpoint_id="f8a2f58846b542579c12090652e79f3d"
Human Readable Output#
Endpoint f8a2f58846b542579c12090652e79f3d already unisolated
8. xdr-get-endpoints#
Gets a list of endpoints, according to the passed filters. Filtering by multiple fields will be concatenated using AND condition (OR is not supported). Maximum result set size is 100. Offset is the zero-based number of endpoint from the start of the result set (start by counting from 0).
Base Command#
xdr-get-endpoints
Input#
| Argument Name | Description | Required |
|---|---|---|
| endpoint_id_list | A comma-separated list of endpoint IDs. | Optional |
| dist_name | A comma-separated list of distribution package names or installation package names. Example: dist_name1,dist_name2 | Optional |
| ip_list | A comma-separated list of IP addresses. Example: 8.8.8.8,1.1.1.1 | Optional |
| group_name | The group name to which the agent belongs. Example: group_name1,group_name2 | Optional |
| platform | The endpoint platform. Can be "windows", "linux", "macos", or "android". | Optional |
| alias_name | A comma-separated list of alias names. Examples: alias_name1,alias_name2 | Optional |
| isolate | "Specifies whether the endpoint was isolated or unisolated. Can be "isolated" or "unisolated". | Optional |
| hostname | Hostname Example: hostname1,hostname2 | Optional |
| first_seen_gte | All the agents that were first seen after {first_seen_gte}. Supported values: 1579039377301 (time in milliseconds) "3 days" (relative date) "2019-10-21T23:45:00" (date) | Optional |
| first_seen_lte | All the agents that were first seen before {first_seen_lte}. Supported values: 1579039377301 (time in milliseconds) "3 days" (relative date) "2019-10-21T23:45:00" (date) | Optional |
| last_seen_gte | All the agents that were last seen before {last_seen_gte}. Supported values: 1579039377301 (time in milliseconds) "3 days" (relative date) "2019-10-21T23:45:00" (date) | Optional |
| last_seen_lte | All the agents that were last seen before {last_seen_lte}. Supported values: 1579039377301 (time in milliseconds) "3 days" (relative date) "2019-10-21T23:45:00" (date) | Optional |
| page | Page number (for pagination). The default is 0 (the first page). | Optional |
| limit | Maximum number of endpoints to return per page. The default and maximum is 30. | Optional |
| sort_by | Specifies whether to sort endpoints by the first time or last time they were seen. Can be "first_seen" or "last_seen". | Optional |
| sort_order | The order by which to sort results. Can be "asc" (ascending) or "desc" ( descending). Default set to asc. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| PaloAltoNetworksXDR.Endpoint.endpoint_id | String | The endpoint ID. |
| PaloAltoNetworksXDR.Endpoint.endpoint_name | String | The endpoint name. |
| PaloAltoNetworksXDR.Endpoint.endpoint_type | String | The endpoint type. |
| PaloAltoNetworksXDR.Endpoint.endpoint_status | String | The status of the endpoint. |
| PaloAltoNetworksXDR.Endpoint.os_type | String | The endpoint OS type. |
| PaloAltoNetworksXDR.Endpoint.ip | Unknown | A list of IP addresses. |
| PaloAltoNetworksXDR.Endpoint.users | Unknown | A list of users. |
| PaloAltoNetworksXDR.Endpoint.domain | String | The endpoint domain. |
| PaloAltoNetworksXDR.Endpoint.alias | String | The endpoint's aliases. |
| PaloAltoNetworksXDR.Endpoint.first_seen | Unknown | First seen date/time in Epoch (milliseconds). |
| PaloAltoNetworksXDR.Endpoint.last_seen | Date | Last seen date/time in Epoch (milliseconds). |
| PaloAltoNetworksXDR.Endpoint.content_version | String | Content version. |
| PaloAltoNetworksXDR.Endpoint.installation_package | String | Installation package. |
| PaloAltoNetworksXDR.Endpoint.active_directory | String | Active directory. |
| PaloAltoNetworksXDR.Endpoint.install_date | Date | Install date in Epoch (milliseconds). |
| PaloAltoNetworksXDR.Endpoint.endpoint_version | String | Endpoint version. |
| PaloAltoNetworksXDR.Endpoint.is_isolated | String | Whether the endpoint is isolated. |
| PaloAltoNetworksXDR.Endpoint.group_name | String | The name of the group to which the endpoint belongs. |
| Endpoint.Hostname | String | The hostname that is mapped to this endpoint. |
| Endpoint.ID | String | The unique ID within the tool retrieving the endpoint. |
| Endpoint.IPAddress | String | The IP address of the endpoint. |
| Endpoint.Domain | String | The domain of the endpoint. |
| Endpoint.OS | String | The endpoint's operation system. |
| Account.Username | String | The username in the relevant system. |
| Account.Domain | String | The domain of the account. |
| Endpoint.Status | String | The endpoint's status. |
| Endpoint.IsIsolated | String | The endpoint's isolation status. |
| Endpoint.MACAddress | String | The endpoint's MAC address. |
| Endpoint.Vendor | String | The integration name of the endpoint vendor. |
Command Example#
!xdr-get-endpoints isolate="unisolated" first_seen_gte="3 month" page="0" limit="30" sort_order="asc"
Context Example#
Human Readable Output#
Endpoints#
active_directory alias content_version domain endpoint_id endpoint_name endpoint_status endpoint_type endpoint_version first_seen group_name install_date installation_package ip is_isolated last_seen os_type users 111-17757 ea303670c76e4ad09600c8b346f7c804 aaaaa.compute.internal CONNECTED AGENT_TYPE_SERVER 7.0.0.1915 1575795969644 1575795969644 linux 172.31.11.11 AGENT_UNISOLATED 1579290023629 AGENT_OS_LINUX ec2-user 111-17757 WORKGROUP f8a2f58846b542579c12090652e79f3d EC2AMAZ-P7PPOI4 CONNECTED AGENT_TYPE_SERVER 7.0.0.27797 1575796381739 1575796381739 Windows Server 2016 2.2.2.2 AGENT_UNISOLATED 1579289957412 AGENT_OS_WINDOWS Administrator
9. xdr-get-distribution-versions#
Gets a list of all the agent versions to use for creating a distribution list.
Base Command#
xdr-get-distribution-versions
Input#
There are no input arguments for this command.
Context Output#
| Path | Type | Description |
|---|---|---|
| PaloAltoNetworksXDR.DistributionVersions.windows | Unknown | A list of Windows agent versions. |
| PaloAltoNetworksXDR.DistributionVersions.linux | Unknown | A list of Linux agent versions. |
| PaloAltoNetworksXDR.DistributionVersions.macos | Unknown | A list of Mac agent versions. |
Command Example#
!xdr-get-distribution-versions
Context Example#
Human Readable Output#
windows#
versions 5.0.8.29673 5.0.9.30963 6.1.4.28751 7.0.0.28644 linux#
versions 6.1.4.1680 7.0.0.1916 macos#
versions 6.1.4.1681 7.0.0.1914
10. xdr-create-distribution#
Creates an installation package. This is an asynchronous call that returns the distribution ID. This does not mean that the creation succeeded. To confirm that the package has been created, check the status of the distribution by running the Get Distribution Status API.
Base Command#
xdr-create-distribution
Input#
| Argument Name | Description | Required |
|---|---|---|
| name | A string representing the name of the installation package. | Required |
| platform | String, valid values are: • windows • linux • macos • android | Required |
| package_type | A string representing the type of package to create. standalone - An installation for a new agent upgrade - An upgrade of an agent from ESM | Required |
| agent_version | agent_version returned from xdr-get-distribution-versions. Not required for Android platfom | Required |
| description | Information about the package. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| PaloAltoNetworksXDR.Distribution.id | String | The installation package ID. |
| PaloAltoNetworksXDR.Distribution.name | String | The name of the installation package. |
| PaloAltoNetworksXDR.Distribution.platform | String | The installation OS. |
| PaloAltoNetworksXDR.Distribution.agent_version | String | Agent version. |
| PaloAltoNetworksXDR.Distribution.description | String | Information about the package. |
Command Example#
!xdr-create-distribution agent_version=6.1.4.1680 name="dist_1" package_type=standalone platform=linux description="some description"
Context Example#
Human Readable Output#
Distribution 43aede7f846846fa92b50149663fbb25 created successfully
11. xdr-get-distribution-url#
Gets the distribution URL for downloading the installation package.
Base Command#
xdr-get-distribution-url
Input#
| Argument Name | Description | Required |
|---|---|---|
| distribution_id | The ID of the installation package. Copy the distribution_id from the "id" field on Endpoints > Agent Installation page. | Required |
| package_type | The installation package type. Valid values are: • upgrade • sh - For Linux • rpm - For Linux • deb - For Linux • pkg - For Mac • x86 - For Windows • x64 - For Windows | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| PaloAltoNetworksXDR.Distribution.id | String | Distribution ID. |
| PaloAltoNetworksXDR.Distribution.url | String | URL for downloading the installation package. |
Command Example#
!xdr-get-distribution-url distribution_id=2c74c11b63074653aa01d575a82bf52a package_type=sh
Human Readable Output#
12. xdr-get-create-distribution-status#
Gets the status of the installation package.
Base Command#
xdr-get-create-distribution-status
Input#
| Argument Name | Description | Required |
|---|---|---|
| distribution_ids | A comma-separated list of distribution IDs to get the status of. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| PaloAltoNetworksXDR.Distribution.id | String | Distribution ID. |
| PaloAltoNetworksXDR.Distribution.status | String | The status of installation package. |
Command Example#
!xdr-get-create-distribution-status distribution_ids=2c74c11b63074653aa01d575a82bf52a
Context Example#
Human Readable Output#
Distribution Status#
id status 2c74c11b63074653aa01d575a82bf52a Completed
13. xdr-get-audit-management-logs#
Gets management logs. You can filter by multiple fields, which will be concatenated using AND condition (OR is not supported). Maximum result set size is 100. Offset is the zero-based number of management logs from the start of the result set (start by counting from 0).
Base Command#
xdr-get-audit-management-logs
Input#
| Argument Name | Description | Required |
|---|---|---|
| User’s email address. | Optional | |
| type | The audit log type. | Optional |
| sub_type | The audit log subtype. | Optional |
| result | Result type | Optional |
| timestamp_gte | Return logs for which the timestamp is after 'log_time_after'. Supported values: 1579039377301 (time in milliseconds) "3 days" (relative date) "2019-10-21T23:45:00" (date) | Optional |
| timestamp_lte | Return logs for which the timestamp is before the 'log_time_after'. Supported values: 1579039377301 (time in milliseconds) "3 days" (relative date) "2019-10-21T23:45:00" (date) | Optional |
| page | Page number (for pagination). The default is 0 (the first page). | Optional |
| limit | Maximum number of audit logs to return per page. The default and maximum is 30. | Optional |
| sort_by | Specifies the field by which to sort the results. By default the sort is defined as creation-time and DESC. Can be "type", "sub_type", "result", or "timestamp". | Optional |
| sort_order | The sort order. Can be "asc" (ascending) or "desc" (descending). Default set to "desc". | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| PaloAltoNetworksXDR.AuditManagementLogs.AUDIT_ID | Number | Audit log ID. |
| PaloAltoNetworksXDR.AuditManagementLogs.AUDIT_OWNER_NAME | String | Audit owner name. |
| PaloAltoNetworksXDR.AuditManagementLogs.AUDIT_OWNER_EMAIL | String | Audit owner email address. |
| PaloAltoNetworksXDR.AuditManagementLogs.AUDIT_ASSET_JSON | String | Asset JSON. |
| PaloAltoNetworksXDR.AuditManagementLogs.AUDIT_ASSET_NAMES | String | Audit asset names. |
| PaloAltoNetworksXDR.AuditManagementLogs.AUDIT_HOSTNAME | String | Host name. |
| PaloAltoNetworksXDR.AuditManagementLogs.AUDIT_RESULT | String | Audit result. |
| PaloAltoNetworksXDR.AuditManagementLogs.AUDIT_REASON | String | Audit reason. |
| PaloAltoNetworksXDR.AuditManagementLogs.AUDIT_DESCRIPTION | String | Description of the audit. |
| PaloAltoNetworksXDR.AuditManagementLogs.AUDIT_ENTITY | String | Audit entity (e.g., AUTH, DISTRIBUTIONS). |
| PaloAltoNetworksXDR.AuditManagementLogs.AUDIT_ENTITY_SUBTYPE | String | Entity subtype (e.g., Login, Create). |
| PaloAltoNetworksXDR.AuditManagementLogs.AUDIT_CASE_ID | Number | Audit case ID. |
| PaloAltoNetworksXDR.AuditManagementLogs.AUDIT_INSERT_TIME | Date | Log's insert time. |
Command Example#
!xdr-get-audit-management-logs result=SUCCESS type=DISTRIBUTIONS limit=2 timestamp_gte="3 month"
Context Example#
Human Readable Output#
Audit Management Logs#
AUDIT_ID AUDIT_RESULT AUDIT_DESCRIPTION AUDIT_OWNER_NAME AUDIT_OWNER_EMAIL AUDIT_ASSET_JSON AUDIT_ASSET_NAMES AUDIT_HOSTNAME AUDIT_REASON AUDIT_ENTITY AUDIT_ENTITY_SUBTYPE AUDIT_SESSION_ID AUDIT_CASE_ID AUDIT_INSERT_TIME 217 SUCCESS Created a Linux Standalone installer installation package 'dist_1' with agent version 6.1.4.1680 Public API - 1 {} DISTRIBUTIONS Create 1579287926547 214 SUCCESS Created a Linux Standalone installer installation package 'ddd' with agent version 6.1.4.1680 Public API - 1 {} DISTRIBUTIONS Create 1579121478199
14. xdr-get-audit-agent-reports#
Gets agent event reports. You can filter by multiple fields, which will be concatenated using AND condition (OR is not supported). Maximum result set size is 100. Offset is the zero-based number of reports from the start of the result set (start by counting from 0).
Base Command#
xdr-get-audit-agent-reports
Input#
| Argument Name | Description | Required |
|---|---|---|
| endpoint_ids | A comma-separated list of endpoint IDs. | Optional |
| endpoint_names | A comma-separated list of endpoint names. | Optional |
| type | The report type. Can be "Installation", "Policy", "Action", "Agent Service", "Agent Modules", or "Agent Status". | Optional |
| sub_type | The report subtype. | Optional |
| result | The result type. Can be "Success" or "Fail". If not passed, returns all event reports. | Optional |
| timestamp_gte | Return logs that their timestamp is greater than 'log_time_after'. Supported values: 1579039377301 (time in milliseconds) "3 days" (relative date) "2019-10-21T23:45:00" (date) | Optional |
| timestamp_lte | Return logs for which the timestamp is before the 'timestamp_lte'. Supported values: 1579039377301 (time in milliseconds) "3 days" (relative date) "2019-10-21T23:45:00" (date) | Optional |
| page | Page number (for pagination). The default is 0 (the first page). | Optional |
| limit | The maximum number of reports to return. Default and maximum is 30. | Optional |
| sort_by | The field by which to sort results. Can be "type", "category", "trapsversion", "timestamp", or "domain"). | Optional |
| sort_order | The sort order. Can be "asc" (ascending) or "desc" (descending). Default is "asc". | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| PaloAltoNetworksXDR.AuditAgentReports.ENDPOINTID | String | Endpoint ID. |
| PaloAltoNetworksXDR.AuditAgentReports.ENDPOINTNAME | String | Endpoint name. |
| PaloAltoNetworksXDR.AuditAgentReports.DOMAIN | String | Agent domain. |
| PaloAltoNetworksXDR.AuditAgentReports.TRAPSVERSION | String | Traps version. |
| PaloAltoNetworksXDR.AuditAgentReports.RECEIVEDTIME | Date | Received time in Epoch time. |
| PaloAltoNetworksXDR.AuditAgentReports.TIMESTAMP | Date | Timestamp in Epoch time. |
| PaloAltoNetworksXDR.AuditAgentReports.CATEGORY | String | Report category (e.g., Audit). |
| PaloAltoNetworksXDR.AuditAgentReports.TYPE | String | Report type (e.g., Action, Policy). |
| PaloAltoNetworksXDR.AuditAgentReports.SUBTYPE | String | Report subtype (e.g., Fully Protected,Policy Update,Cancel Isolation). |
| PaloAltoNetworksXDR.AuditAgentReports.RESULT | String | Report result. |
| PaloAltoNetworksXDR.AuditAgentReports.REASON | String | Report reason. |
| PaloAltoNetworksXDR.AuditAgentReports.DESCRIPTION | String | Agent report description. |
| Endpoint.ID | String | The unique ID within the tool retrieving the endpoint. |
| Endpoint.Hostname | String | The hostname that is mapped to this endpoint. |
| Endpoint.Domain | String | The domain of the endpoint. |
Command Example#
!xdr-get-audit-agent-reports result=Success timestamp_gte="100 days" endpoint_ids=ea303670c76e4ad09600c8b346f7c804 type=Policy limit=2
Context Example#
Human Readable Output#
Audit Agent Reports#
CATEGORY DESCRIPTION DOMAIN ENDPOINTID ENDPOINTNAME REASON RECEIVEDTIME RESULT SUBTYPE TIMESTAMP TRAPSVERSION TYPE Audit XDR Agent policy updated on aaaaa.compute.internal ea303670c76e4ad09600c8b346f7c804 aaaaa.compute.internal 1579286565904.3281 Success Policy Update 1579284369143.7048 7.0.0.1915 Policy Audit XDR Agent policy updated on aaaaa.compute.internal ea303670c76e4ad09600c8b346f7c804 aaaaa.compute.internal 1579282965742.36 Success Policy Update 1579280769141.43 7.0.0.1915 Policy Troubleshooting#
- In case you encounter ReadTimeoutError, we recommend increasing the HTTP request timeout by setting it in the HTTP Timeout integration parameter.
15. xdr-get-policy#
Gets the policy name for a specific endpoint.
Base Command#
xdr-get-policy
Input#
| Argument Name | Description | Required |
|---|---|---|
| endpoint_id | The endpoint ID. Can be retrieved by running the xdr-get-endpoints command. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| PaloAltoNetworksXDR.Policy | string | The policy allocated with the endpoint. |
| PaloAltoNetworksXDR.Policy.policy_name | string | Name of the policy allocated with the endpoint. |
| PaloAltoNetworksXDR.Policy.endpoint_id | string | Endpoint ID. |
Command Example#
!xdr-get-policy endpoint_id="f8a2f58846b542579c12090652e79f3d"
Context Example#
Human Readable Output#
The policy name of endpoint f8a2f58846b542579c12090652e79f3d is Windows default.
16. xdr-get-endpoint-device-control-violations#
Gets a list of device control violations filtered by selected fields. You can retrieve up to 100 violations.
Base Command#
xdr-get-endpoint-device-control-violations
Input#
| Argument Name | Description | Required |
|---|---|---|
| endpoint_ids | Comma-separated list of endpoint IDs. | Optional |
| type | ype of violation. Possible values are: "cd-rom", "disk drive", "floppy disk", "portable device" | Optional |
| timestamp_gte | Timestamp of the violation. Violations that are greater than or equal to this timestamp will be returned. Values could be in either ISO date format, relative time or epoch timestamp. For example: "2019-10-21T23:45:00" (ISO date format), "3 days ago" (relative time) 1579039377301 (epoch time). | Optional |
| timestamp_lte | Timestamp of the violation. Violations that are less than or equal to this timestamp will be returned. Values could be in either ISO date format, relative time or epoch timestamp. For example: "2019-10-21T23:45:00" (ISO date format), "3 days ago" (relative time) 1579039377301 (epoch time). | Optional |
| ip_list | Comma-separated list of IP addresses | Optional |
| vendor | Name of vendor. | Optional |
| vendor_id | Vendor ID. | Optional |
| product | Name of the product. | Optional |
| product_id | Product ID. | Optional |
| serial | Serial number. | Optional |
| hostname | Hostname. | Optional |
| violation_id_list | Comma-separated list of violation IDs. | Optional |
| username | Username. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| PaloAltoNetworksXDR.EndpointViolations | unknown | Endpoint violations command results. |
| PaloAltoNetworksXDR.EndpointViolations.violations | unknown | A list of violations. |
| PaloAltoNetworksXDR.EndpointViolations.violations.os_type | string | Type of the operating system. |
| PaloAltoNetworksXDR.EndpointViolations.violations.hostname | string | Hostname of the violation. |
| PaloAltoNetworksXDR.EndpointViolations.violations.username | string | Username of the violation. |
| PaloAltoNetworksXDR.EndpointViolations.violations.ip | string | IP address of the violation. |
| PaloAltoNetworksXDR.EndpointViolations.violations.timestamp | number | Timestamp of the violation. |
| PaloAltoNetworksXDR.EndpointViolations.violations.violation_id | number | Violation ID. |
| PaloAltoNetworksXDR.EndpointViolations.violations.type | string | Type of violation. |
| PaloAltoNetworksXDR.EndpointViolations.violations.vendor_id | string | Vendor ID of the violation. |
| PaloAltoNetworksXDR.EndpointViolations.violations.vendor | string | Name of the vendor of the violation. |
| PaloAltoNetworksXDR.EndpointViolations.violations.product_id | string | Product ID of the violation. |
| PaloAltoNetworksXDR.EndpointViolations.violations.product | string | Name of the product of the violation. |
| PaloAltoNetworksXDR.EndpointViolations.violations.serial | string | Serial number of the violation. |
| PaloAltoNetworksXDR.EndpointViolations.violations.endpoint_id | string | Endpoint ID of the violation. |
Command Example#
!xdr-get-endpoint-device-control-violations violation_id_list=100,90,80
Context Example#
Human Readable Output#
Endpoint Device Control Violation#
Date Hostname Username Ip Type Violation Id Vendor Product Serial 2020-04-13T21:39:24 win-2020-04-14---12-39 st3.local\assaflevi 1.1.1.1 Disk Drive 100 SanDisk Corp. Cruzer Blade 4C530010060624106156 2020-04-13T21:39:13 win-2020-04-14---12-39 st3.local\assaflevi 1.1.1.1 Disk Drive 90 SanDisk Corp. Cruzer Blade 4C530010060624106156 2020-04-13T21:39:02 win-2020-04-14---12-39 st3.local\assaflevi 1.1.1.1 Disk Drive 80 SanDisk Corp. Cruzer Blade 4C530010060624106156
17. xdr-retrieve-files#
Retrieve files from selected endpoints. You can retrieve up to 20 files, from no more than 10 endpoints. At least one endpoint ID and one file path are necessary in order to run the command. After running this command, you can use the xdr-action-status-get command with returned action_id, to check the action status.
Base Command#
xdr-retrieve-files
Input#
| Argument Name | Description | Required |
|---|---|---|
| endpoint_ids | Comma-separated list of endpoint IDs. | Required |
| windows_file_paths | A comma-separated list of file paths on the Windows platform. | Optional |
| linux_file_paths | A comma-separated list of file paths on the Linux platform. | Optional |
| mac_file_paths | A comma-separated list of file paths on the Mac platform. | Optional |
| generic_file_path | A comma-separated list of file paths in any platform. Can be used instead of the mac/windows/linux file paths. The order of the files path list must be parallel to the endpoints list order, therefore, the first file path in the list is related to the first endpoint and so on, e.g.,"C:\Users\demisto\Desktop\CortexXSOAR.txt". | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| PaloAltoNetworksXDR.RetrievedFiles.action_id | string | ID of the action to retrieve files from selected endpoints. |
Command Examples#
!xdr-retrieve-files endpoint_ids=aeec6a2cc92e46fab3b6f621722e9916 windows_file_paths="C:\Users\demisto\Desktop\demisto.txt"
!xdr-retrieve-files endpoint_ids=aeec6a2cc92e46fab3b6f621722e9916 generic_file_path="C:\Users\demisto\Desktop\demisto.txt"
Context Example#
Human Readable Output#
Retrieve files#
Action Id 2056
18. xdr-retrieve-file-details#
View the file retrieved by the xdr-retrieve-files command according to the action ID. Before running this command, you can use the xdr-action-status-get command to check if this action completed successfully.
Base Command#
xdr-retrieve-file-details
Input#
| Argument Name | Description | Required |
|---|---|---|
| action_id | Action ID retrieved from the xdr-retrieve-files command. | Required |
| attach_files | Choose whether you want to attach retrieved files in the War Room. Default is "true". | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| File | unknown | The file details command results. |
| File.Name | String | The full file name (including the file extension). |
| File.EntryID | String | The ID for locating the file in the War Room. |
| File.Size | Number | The size of the file in bytes. |
| File.MD5 | String | The MD5 hash of the file. |
| File.SHA1 | String | The SHA1 hash of the file. |
| File.SHA256 | String | The SHA256 hash of the file. |
| File.SHA512 | String | The SHA512 hash of the file. |
| File.Extension | String | The file extension. For example: 'xls'. |
| File.Type | String | The file type, as determined by libmagic (same as displayed in file entries). |
Command Example#
!xdr-retrieve-file-details action_id=1763
Context Example#
Human Readable Output#
Action id : 1763 Retrieved 1 files from 1 endpoints.
19. xdr-get-scripts#
Gets a list of scripts available in the scripts library.
Base Command#
xdr-get-scripts
Input#
| Argument Name | Description | Required |
|---|---|---|
| script_name | A comma-separated list of the script names. | Optional |
| description | A comma-separated list of the script descriptions. | Optional |
| created_by | A comma-separated list of the users who created the script. | Optional |
| limit | Maximum number of scripts returned to the War Room. Default limit is 50. | Optional |
| offset | (Int) Offset in the data set. Default offset is 0. | Optional |
| windows_supported | Whether the script can be executed on a Windows operating system. | Optional |
| linux_supported | Whether the script can be executed on a Linux operating system. | Optional |
| macos_supported | Whether the script can be executed on a Mac operating system. | Optional |
| is_high_risk | Whether the script has a high-risk outcome. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| PaloAltoNetworksXDR.Scripts | unknown | Get scripts command results. |
| PaloAltoNetworksXDR.Scripts.script_id | unknown | Script ID. |
| PaloAltoNetworksXDR.Scripts.name | string | Name of the script. |
| PaloAltoNetworksXDR.Scripts.description | string | Description of the script. |
| PaloAltoNetworksXDR.Scripts.modification_date | unknown | Timestamp of when the script was last modified. |
| PaloAltoNetworksXDR.Scripts.created_by | string | Name of the user who created the script. |
| PaloAltoNetworksXDR.Scripts.windows_supported | boolean | Whether the script can be executed on a Windows operating system. |
| PaloAltoNetworksXDR.Scripts.linux_supported | boolean | Whether the script can be executed on a Linux operating system. |
| PaloAltoNetworksXDR.Scripts.macos_supported | boolean | Whether the script can be executed on Mac operating system. |
| PaloAltoNetworksXDR.Scripts.is_high_risk | boolean | Whether the script has a high-risk outcome. |
| PaloAltoNetworksXDR.Scripts.script_uid | string | GUID, global ID of the script, used to identify the script when executing. |
Command Example#
!xdr-get-scripts created_by="Palo Alto Networks" is_high_risk=true
Context Example#
Human Readable Output#
Scripts#
Name Description Script Uid Modification Date Created By Windows Supported Linux Supported Macos Supported Is High Risk delete_file Delete a file by path 548023b6e4a01ec51a495ba6e5d2a15d 2020-04-21T11:01:31 Palo Alto Networks true true true true execute_commands Execute list of shell commands a6f7683c8e217d85bd3c398f0d3fb6bf 2020-04-21T11:01:32 Palo Alto Networks true true true true process_kill_cpu Kill all processes with a CPU usage higher than specified 3d928a24f61cd3c1116544900c424098 2020-04-21T11:01:32 Palo Alto Networks true true true true process_kill_mem Kill all processes with a RAM usage higher than specified 87d4547df6d4882a3c006ec58c3b8bf4 2020-04-21T11:01:32 Palo Alto Networks true true true true process_kill_name Kill processes by name fd0a544a99a9421222b4f57a11839481 2020-04-21T11:01:32 Palo Alto Networks true true true true registry_delete Delete registry value or delete registry key with all its values ad36488a20cdbdd1604ec4bec9da5c41 2020-04-21T11:01:32 Palo Alto Networks true false false true registry_get Get registry value data and its type 699fa2e98ab1eb5677489dce54125769 2020-04-21T11:01:32 Palo Alto Networks true false false true registry_set Set registry value 896392a13b2ef0ae75b3f2396125037d 2020-09-06T09:41:47 Palo Alto Networks true false false true
20. xdr-get-script-metadata#
Gets the full definition of a specific script in the scripts library.
Base Command#
xdr-get-script-metadata
Input#
| Argument Name | Description | Required |
|---|---|---|
| script_uid | Unique identifier of the script, returned by the xdr-get-scripts command. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| PaloAltoNetworksXDR.ScriptMetadata | Unknown | The script metadata command results. |
| PaloAltoNetworksXDR.ScriptMetadata.script_id | number | Script ID. |
| PaloAltoNetworksXDR.ScriptMetadata.name | string | Script name. |
| PaloAltoNetworksXDR.ScriptMetadata.description | string | Script description. |
| PaloAltoNetworksXDR.ScriptMetadata.modification_date | unknown | Timestamp of when the script was last modified. |
| PaloAltoNetworksXDR.ScriptMetadata.created_by | string | Name of the user who created the script. |
| PaloAltoNetworksXDR.ScriptMetadata.is_high_risk | boolean | Whether the script has a high-risk outcome. |
| PaloAltoNetworksXDR.ScriptMetadata.windows_supported | boolean | Whether the script can be executed on a Windows operating system. |
| PaloAltoNetworksXDR.ScriptMetadata.linux_supported | boolean | Whether the script can be executed on a Linux operating system. |
| PaloAltoNetworksXDR.ScriptMetadata.macos_supported | boolean | Whether the script can be executed on a Mac operating system. |
| PaloAltoNetworksXDR.ScriptMetadata.entry_point | string | Name of the entry point selected for the script. An empty string indicates the script defined as just run. |
| PaloAltoNetworksXDR.ScriptMetadata.script_input | string | Name and type for the specified entry point. |
| PaloAltoNetworksXDR.ScriptMetadata.script_output_type | string | Type of the output. |
| PaloAltoNetworksXDR.ScriptMetadata.script_output_dictionary_definitions | Unknown | If the script_output_type is a dictionary, an array with friendly name, name, and type for each output. |
Command Example#
!xdr-get-script-metadata script_uid=43973479d389f2ac7e99b6db88eaee40
Context Example#
Human Readable Output#
Script Metadata#
script_id name description modification_date created_by is_high_risk windows_supported linux_supported macos_supported script_uid entry_point script_input script_output_type 4 list_directories List all directories under path 1587466892181 Palo Alto Networks false true true true 43973479d389f2ac7e99b6db88eaee40 run {'name': 'path', 'type': 'string'},
{'name': 'number_of_levels', 'type': 'number'}string_list
21. xdr-get-script-code#
Get the code of a specific script in the script library.
Base Command#
xdr-get-script-code
Input#
| Argument Name | Description | Required |
|---|---|---|
| script_uid | Unique identifier of the script, returned by the xdr-get-scripts command. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| PaloAltoNetworksXDR.ScriptCode | Unknown | The script code command results. |
| PaloAltoNetworksXDR.ScriptCode.code | string | The code of a specific script in the script library. |
| PaloAltoNetworksXDR.ScriptCode.script_uid | string | Unique identifier of the script. |
Command Example#
!xdr-get-script-code script_uid=548023b6e4a01ec51a495ba6e5d2a15d
Context Example#
Human Readable Output#
Script code is : import os import sys import traceback
def run(file_path): path = os.path.expanduser(file_path) path = os.path.expandvars(path) if os.path.isabs(path): try: os.remove(path) except IOError: sys.stderr.write(f"File not accessible: {path}") return False except Exception as e: sys.stderr.write(f"Exception occured: {traceback.format_exc()}") return False return True
22. xdr-action-status-get#
Retrieves the status of the requested actions according to the action ID.
Base Command#
xdr-action-status-get
Input#
| Argument Name | Description | Required |
|---|---|---|
| action_id | The action ID of the selected request. After performing an action, you will receive an action ID. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| PaloAltoNetworksXDR.GetActionStatus | Unknown | The action status command results. |
| PaloAltoNetworksXDR.GetActionStatus.endpoint_id | string | Endpoint ID. |
| PaloAltoNetworksXDR.GetActionStatus.status | string | The status of the specific endpoint ID. |
| PaloAltoNetworksXDR.GetActionStatus.action_id | number | The specified action ID. |
Command Example#
!xdr-action-status-get action_id="1819"
Context Example#
Human Readable Output#
Get Action Status#
endpoint_id status aeec6a2cc92e46fab3b6f621722e9916 COMPLETED_SUCCESSFULLY
23. xdr-delete-endpoints#
Delete selected endpoints in the Cortex XDR app. You can delete up to 1000 endpoints.
Base Command#
xdr-delete-endpoints
Input#
| Argument Name | Description | Required |
|---|---|---|
| endpoint_ids | Comma-separated list of endpoint IDs. | Required |
Context Output#
There is no context output for this command.
Command Example#
!xdr-delete-endpoints endpoint_ids=aeec6a2cc92e46fab3b6f621722e9916
Human Readable Output#
Endpoints aeec6a2cc92e46fab3b6f621722e9916 successfully deleted
24. xdr-run-script#
Initiates a new endpoint script execution action using a script from the script library.
Base Command#
xdr-run-script
Required Permissions#
Run Standard Script
Run High-Risk Script
Input#
| Argument Name | Description | Required |
|---|---|---|
| endpoint_ids | Comma-separated list of endpoint IDs. Can be retrieved by running the xdr-get-endpoints command. | Required |
| script_uid | Unique identifier of the script. Can be retrieved by running the xdr-get-scripts command. | Required |
| parameters | Dictionary contains the parameter name as key and its value for this execution as the value. For example, {"path":"test.txt"}. Can be retrieved by running the xdr-get-script-metadata command. | Optional |
| timeout | The timeout in seconds for this execution. Default is 600. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| PaloAltoNetworksXDR.ScriptRun.action_id | Number | ID of the action initiated. |
| PaloAltoNetworksXDR.ScriptRun.endpoints_count | Number | Number of endpoints the action was initiated on. |
Command Example#
!xdr-run-script script_uid=414763381b5bfb7b05796c9fe690df46 endpoint_ids=23a86310665d413a958926fce5b794b3 parameters={"path":"test.txt"}
Context Example#
Human Readable Output#
Run Script#
action_id endpoints_count 3653 1
25. xdr-run-snippet-code-script#
Initiates a new endpoint script execution action using provided snippet code.
Base Command#
xdr-run-snippet-code-script
Required Permissions#
Script Configurations
Run High-Risk Script
Input#
| Argument Name | Description | Required |
|---|---|---|
| endpoint_ids | Comma-separated list of endpoint IDs. Can be retrieved by running the xdr-get-endpoints command. | Required |
| snippet_code | Section of a script you want to initiate on an endpoint (e.g. print("7")). | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| PaloAltoNetworksXDR.ScriptRun.action_id | Number | ID of the action initiated. |
| PaloAltoNetworksXDR.ScriptRun.endpoints_count | Number | Number of endpoints the action was initiated on. |
Command Example#
!xdr-run-snippet-code-script endpoint_ids=23a86310665d413a958926fce5b794b3 snippet_code="print('hello world')"
Context Example#
Human Readable Output#
Run Snippet Code Script#
action_id endpoints_count 3654 1
26. xdr-get-script-execution-status#
Retrieves the status of a script execution action.
Base Command#
xdr-get-script-execution-status
Required Permissions#
Script Configurations
Input#
| Argument Name | Description | Required |
|---|---|---|
| action_id | Action IDs retrieved from the xdr-run-script command. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| PaloAltoNetworksXDR.ScriptStatus.general_status | String | General status of the action, considering the status of all the endpoints. |
| PaloAltoNetworksXDR.ScriptStatus.error_message | String | Error message regarding permissions for running APIs or the action doesn’t exist. |
| PaloAltoNetworksXDR.ScriptStatus.endpoints_timeout | Number | Number of endpoints in "timeout" status. |
| PaloAltoNetworksXDR.ScriptStatus.action_id | Number | ID of the action initiated. |
| PaloAltoNetworksXDR.ScriptStatus.endpoints_pending_abort | Number | Number of endpoints in "pending abort" status. |
| PaloAltoNetworksXDR.ScriptStatus.endpoints_pending | Number | Number of endpoints in "pending" status. |
| PaloAltoNetworksXDR.ScriptStatus.endpoints_in_progress | Number | Number of endpoints in "in progress" status. |
| PaloAltoNetworksXDR.ScriptStatus.endpoints_failed | Number | Number of endpoints in "failed" status. |
| PaloAltoNetworksXDR.ScriptStatus.endpoints_expired | Number | Number of endpoints in "expired" status. |
| PaloAltoNetworksXDR.ScriptStatus.endpoints_completed_successfully | Number | Number of endpoints in "completed successfully" status. |
| PaloAltoNetworksXDR.ScriptStatus.endpoints_canceled | Number | Number of endpoints in "canceled" status. |
| PaloAltoNetworksXDR.ScriptStatus.endpoints_aborted | Number | Number of endpoints in "aborted" status. |
Command Example#
!xdr-get-script-execution-status action_id=3641
Context Example#
Human Readable Output#
Script Execution Status - 3641#
action_id endpoints_aborted endpoints_canceled endpoints_completed_successfully endpoints_expired endpoints_failed endpoints_in_progress endpoints_pending endpoints_pending_abort endpoints_timeout general_status 3641 0 0 1 0 0 0 0 0 0 COMPLETED_SUCCESSFULLY
27. xdr-get-script-execution-results#
Retrieves the results of a script execution action.
Base Command#
xdr-get-script-execution-results
Input#
| Argument Name | Description | Required |
|---|---|---|
| action_id | Action IDs retrieved from the xdr-run-script command. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| PaloAltoNetworksXDR.ScriptResult.action_id | Number | ID of the action initiated. |
| PaloAltoNetworksXDR.ScriptResult.results.retrieved_files | Number | Number of successfully retrieved files. |
| PaloAltoNetworksXDR.ScriptResult.results.endpoint_ip_address | String | Endpoint IP address. |
| PaloAltoNetworksXDR.ScriptResult.results.endpoint_name | String | Number of successfully retrieved files. |
| PaloAltoNetworksXDR.ScriptResult.results.failed_files | Number | Number of files failed to retrieve. |
| PaloAltoNetworksXDR.ScriptResult.results.endpoint_status | String | Endpoint status. |
| PaloAltoNetworksXDR.ScriptResult.results.domain | String | Domain to which the endpoint belongs. |
| PaloAltoNetworksXDR.ScriptResult.results.endpoint_id | String | Endpoint ID. |
| PaloAltoNetworksXDR.ScriptResult.results.execution_status | String | Execution status of this endpoint. |
| PaloAltoNetworksXDR.ScriptResult.results.return_value | String | Value returned by the script in case the type is not a dictionary. |
| PaloAltoNetworksXDR.ScriptResult.results.standard_output | String | The STDOUT and the STDERR logged by the script during the execution. |
| PaloAltoNetworksXDR.ScriptResult.results.retention_date | Date | Timestamp in which the retrieved files will be deleted from the server. |
Command Example#
!xdr-get-script-execution-results action_id=3641
Context Example#
Human Readable Output#
Script Execution Results - 3641#
_return_value domain endpoint_id endpoint_ip_address endpoint_name endpoint_status execution_status failed_files retrieved_files standard_output false WORKGROUP 23a86310665d413a958926fce5b794b3 196.168.0.1 DESKTOP-S2455R8 STATUS_010_CONNECTED COMPLETED_SUCCESSFULLY 0 0 Input path \<test.txt> not valid, must be an absolute path
28. xdr-get-script-execution-result-files#
Gets the files retrieved from a specific endpoint during a script execution.
Base Command#
xdr-get-script-execution-result-files
Required Permissions#
Script Configurations
Input#
| Argument Name | Description | Required |
|---|---|---|
| action_id | Action ID retrieved from the xdr-run-script command. | Required |
| endpoint_id | Endpoint ID. Can be retrieved by running the xdr-get-endpoints command. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| File.Size | String | The size of the file. |
| File.SHA1 | String | The SHA1 hash of the file. |
| File.SHA256 | String | The SHA256 hash of the file. |
| File.SHA512 | String | The SHA512 hash of the file. |
| File.Name | String | The name of the file. |
| File.SSDeep | String | The SSDeep hash of the file. |
| File.EntryID | String | EntryID of the file |
| File.Info | String | Information about the file. |
| File.Type | String | The file type. |
| File.MD5 | String | The MD5 hash of the file. |
| File.Extension | String | The extension of the file. |
Command Example#
!xdr-get-script-execution-result-files action_id=3641 endpoint_id=23a86310665d413a958926fce5b794b3
29. xdr-run-script-execute-commands#
Initiates a new endpoint script execution of shell commands.
Base Command#
xdr-run-script-execute-commands
Required Permissions#
Run High-Risk Script
Input#
| Argument Name | Description | Required |
|---|---|---|
| endpoint_ids | Comma-separated list of endpoint IDs. Can be retrieved by running the xdr-get-endpoints command. | Required |
| commands | Comma-separated list of shell commands to execute. | Required |
| timeout | The timeout in seconds for this execution. Default is 600. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| PaloAltoNetworksXDR.ScriptRun.action_id | Number | ID of the action initiated. |
| PaloAltoNetworksXDR.ScriptRun.endpoints_count | Number | Number of endpoints the action was initiated on. |
Command Example#
!xdr-run-script-execute-commands endpoint_ids=23a86310665d413a958926fce5b794b3 commands_list=tasklist
Context Example#
Human Readable Output#
Run Script Execute Commands#
action_id endpoints_count 3655 1
30. xdr-run-script-delete-file#
Initiates a new endpoint script execution to delete the specified file.
Base Command#
xdr-run-script-delete-file
Required Permissions#
Run High-Risk Script
Input#
| Argument Name | Description | Required |
|---|---|---|
| endpoint_ids | Comma-separated list of endpoint IDs. Can be retrieved by running the xdr-get-endpoints command. | Required |
| file_path | Paths of the files to delete, in a comma-separated list. Paths of the files to check for existence. All of the given file paths will run on all of the endpoints. | Required |
| timeout | The timeout in seconds for this execution. Default is 600. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| PaloAltoNetworksXDR.ScriptRun.action_id | Number | ID of the action initiated. |
| PaloAltoNetworksXDR.ScriptRun.endpoints_count | Number | Number of endpoints the action was initiated on. |
Command Example#
!xdr-run-script-delete-file endpoint_ids=23a86310665d413a958926fce5b794b3 file_path=test.txt
Context Example#
Human Readable Output#
Run Script Execute Commands#
action_id endpoints_count 3656 1
31. xdr-run-script-file-exists#
Initiates a new endpoint script execution to check if the file exists.
Base Command#
xdr-run-script-file-exists
Required Permissions#
Run Standard Script
Input#
| Argument Name | Description | Required |
|---|---|---|
| endpoint_ids | Comma-separated list of endpoint IDs. Can be retrieved by running the xdr-get-endpoints command. | Required |
| file_path | Paths of the files to check for existence, in a comma-separated list. All of the given file paths will run on all of the endpoints. | Required |
| timeout | The timeout in seconds for this execution. Default is 600. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| PaloAltoNetworksXDR.ScriptRun.action_id | Number | ID of the action initiated. |
| PaloAltoNetworksXDR.ScriptRun.endpoints_count | Number | Number of endpoints the action was initiated on. |
Command Example#
!xdr-run-script-file-exists endpoint_ids=23a86310665d413a958926fce5b794b3 file_path=test.txt
Context Example#
Human Readable Output#
Run Script Execute Commands#
action_id endpoints_count 3657 1
32. xdr-run-script-kill-process#
Initiates a new endpoint script execution kill process.
Base Command#
xdr-run-script-kill-process
Required Permissions#
Run High-Risk Script
Input#
| Argument Name | Description | Required |
|---|---|---|
| endpoint_ids | Comma-separated list of endpoint IDs. Can be retrieved by running the xdr-get-endpoints command. | Required |
| process_name | Names of processes to kill. Will run all processes on all endpoints. | Required |
| timeout | The timeout in seconds for this execution. Default is 600. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| PaloAltoNetworksXDR.ScriptRun.action_id | Number | ID of the action initiated. |
| PaloAltoNetworksXDR.ScriptRun.endpoints_count | Number | Number of endpoints the action was initiated on. |
Command Example#
!xdr-run-script-kill-process endpoint_ids=23a86310665d413a958926fce5b794b3 process_name=calculator.exe
Context Example#
Human Readable Output#
Run Script Execute Commands#
action_id endpoints_count 3658 1
33. xdr-endpoint-scan#
Runs a scan on a selected endpoint. To scan all endpoints, run this command with argument all=true. Do note that scanning all the endpoints may cause performance issues and latency.
Base Command#
xdr-endpoint-scan
Input#
| Argument Name | Description | Required |
|---|---|---|
| endpoint_id_list | List of endpoint IDs. | Optional |
| dist_name | Name of the distribution list. | Optional |
| gte_first_seen | Epoch timestamp in milliseconds. | Optional |
| gte_last_seen | Epoch timestamp in milliseconds. | Optional |
| lte_first_seen | Epoch timestamp in milliseconds. | Optional |
| lte_last_seen | Epoch timestamp in milliseconds. | Optional |
| ip_list | List of IP addresses. | Optional |
| group_name | Name of the endpoint group. | Optional |
| platform | Type of operating system. Possible values are: windows, linux, macos, android. | Optional |
| alias | Endpoint alias name. | Optional |
| isolate | Whether an endpoint has been isolated. Can be "isolated" or "unisolated". Possible values are: isolated, unisolated. | Optional |
| hostname | Name of the host. | Optional |
| all | Whether to scan all of the endpoints or not. Default is false. Do note that scanning all the endpoints may cause performance issues and latency. Possible values are: true, false. Default is false. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| PaloAltoNetworksXDR.endpointScan.actionId | Number | The action ID of the scan request. |
| PaloAltoNetworksXDR.endpointScan.aborted | Boolean | Check if the scan aborted or not. |
Command Example#
!xdr-endpoint-scan endpoint_id_list=12386310665d413a958926fce5b794b3
Context Example#
Human Readable Output#
Endpoint scan#
Action Id 4205
34. xdr-endpoint-scan-abort#
Cancel the scan of selected endpoints. A scan can only be aborted if the selected endpoints are Pending or In Progress. To scan all endpoints, run the command with the argument all=true. Note that scanning all of the endpoints may cause performance issues and latency.
Base Command#
xdr-endpoint-scan-abort
Input#
| Argument Name | Description | Required |
|---|---|---|
| endpoint_id_list | List of endpoint IDs. | Optional |
| dist_name | Name of the distribution list. | Optional |
| gte_first_seen | Epoch timestamp in milliseconds. | Optional |
| gte_last_seen | Epoch timestamp in milliseconds. | Optional |
| lte_first_seen | Epoch timestamp in milliseconds. | Optional |
| lte_last_seen | Epoch timestamp in milliseconds. | Optional |
| ip_list | List of IP addresses. | Optional |
| group_name | Name of the endpoint group. | Optional |
| platform | Type of operating system. Possible values are: windows, linux, macos, android. | Optional |
| alias | Endpoint alias name. | Optional |
| isolate | Whether an endpoint has been isolated. Can be "isolated" or "unisolated". Possible values are: isolated, unisolated. | Optional |
| hostname | Name of the host. | Optional |
| all | Whether to scan all of the endpoints or not. Default is false. Note that scanning all of the endpoints may cause performance issues and latency. Possible values are: true, false. Default is false. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| PaloAltoNetworksXDR.endpointScan.actionId | Unknown | The action id of the abort scan request. |
| PaloAltoNetworksXDR.endpointScan.aborted | Boolean | Check if the scan aborted or not. |
Command Example#
!xdr-endpoint-scan-abort endpoint_id_list=12386310665d413a958926fce5b794b3
Context Example#
Human Readable Output#
Endpoint abort scan#
Action Id 4227
35. endpoint#
Returns information about an endpoint.
Base Command#
endpoint
Input#
| Argument Name | Description | Required |
|---|---|---|
| id | Endpoint ID. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Endpoint.Hostname | String | The endpoint's hostname. |
| Endpoint.OS | String | The endpoint's operation system. |
| Endpoint.IPAddress | String | The endpoint's IP address. |
| Endpoint.ID | String | The endpoint's ID. |
| Endpoint.Status | String | The endpoint's status. |
| Endpoint.IsIsolated | String | The endpoint's isolation status. |
| Endpoint.MACAddress | String | The endpoint's MAC address. |
| Endpoint.Vendor | String | The integration name of the endpoint vendor. |
Command Example#
!endpoint id=15dbb9d5fe9f61eb46e829d986
Context Example#
Human Readable Output#
Endpoints#
ID IP OS Hostname Status Domain IsIsolated Vendor 15dbb9d8f06b45fe9f61eb46e829d986 1.1.1.1 Windows Hostname Online WORK No Cortex XDR - IR
36. xdr-get-script-metadata#
Gets the full definition of a specific script in the scripts library.
Base Command#
xdr-get-script-metadata
Input#
| Argument Name | Description | Required |
|---|---|---|
| script_uid | Unique identifier of the script, returned by the xdr-get-scripts command. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| PaloAltoNetworksXDR.ScriptMetadata | Unknown | The script metadata command results. |
| PaloAltoNetworksXDR.ScriptMetadata.script_id | number | Script ID. |
| PaloAltoNetworksXDR.ScriptMetadata.name | string | Script name. |
| PaloAltoNetworksXDR.ScriptMetadata.description | string | Script description. |
| PaloAltoNetworksXDR.ScriptMetadata.modification_date | unknown | Timestamp of when the script was last modified. |
| PaloAltoNetworksXDR.ScriptMetadata.created_by | string | Name of the user who created the script. |
| PaloAltoNetworksXDR.ScriptMetadata.is_high_risk | boolean | Whether the script has a high-risk outcome. |
| PaloAltoNetworksXDR.ScriptMetadata.windows_supported | boolean | Whether the script can be executed on a Windows operating system. |
| PaloAltoNetworksXDR.ScriptMetadata.linux_supported | boolean | Whether the script can be executed on a Linux operating system. |
| PaloAltoNetworksXDR.ScriptMetadata.macos_supported | boolean | Whether the script can be executed on a Mac operating system. |
| PaloAltoNetworksXDR.ScriptMetadata.entry_point | string | Name of the entry point selected for the script. An empty string indicates the script defined as just run. |
| PaloAltoNetworksXDR.ScriptMetadata.script_input | string | Name and type for the specified entry point. |
| PaloAltoNetworksXDR.ScriptMetadata.script_output_type | string | Type of the output. |
| PaloAltoNetworksXDR.ScriptMetadata.script_output_dictionary_definitions | Unknown | If the script_output_type is a dictionary, an array with friendly name, name, and type for each output. |
Command Example#
Human Readable Output#
Script Metadata#
Created By Description Entry Point Is High Risk Linux Supported Macos Supported Modification Date Modification Date Timestamp Name Script Id Script Input Script Output Type Script Uid Windows Supported Palo Alto Networks Kill all processes with a CPU usage higher than specified run true true true 2020-04-21T11:01:32 1587466892247 process_kill_cpu 6 {'name': 'CPU_treshold', 'type': 'number'} number 3d928a24f61cd3c1116544900c424098 true
36. xdr-blacklist-files#
Blacklists requested files which have not already been blacklisted or whitelisted.
Base Command#
xdr-blacklist-files
Input#
| Argument Name | Description | Required |
|---|---|---|
| hash_list | String that represents a list of hashed files you want to blacklist. Must be a valid SHA256 hash. | Required |
| comment | String that represents additional information regarding the action. | Optional |
Context Output#
There is no context output for this command.
Command Example#
!xdr-blacklist-files hash_list=3d928a24f61cd3c1116544900c424098
37. xdr-whitelist-files#
Whitelists requested files which have not already been blacklisted or whitelisted.
Base Command#
xdr-whitelist-files
Input#
| Argument Name | Description | Required |
|---|---|---|
| hash_list | String that represents a list of hashed files you want to whitelist. Must be a valid SHA256 hash. | Required |
| comment | String that represents additional information regarding the action. | Optional |
Context Output#
There is no context output for this command.
Command Example#
!xdr-whitelist-files hash_list=3d928a24f61cd3c1116544900c424098
38. xdr-quarantine-files#
Quarantines a file on selected endpoints. You can select up to 1000 endpoints.
Base Command#
xdr-quarantine-files
Input#
| Argument Name | Description | Required |
|---|---|---|
| endpoint_id_list | List of endpoint IDs. | Required |
| file_path | String that represents the path of the file you want to quarantine. | Required |
| file_hash | String that represents the file’s hash. Must be a valid SHA256 hash. | Required |
Context Output#
There is no context output for this command.
Command Example#
!xdr-quarantine-files endpoint_id_list=f8a2f58846b542579c12090652e79f3d file_hash=55f8718109829bf506b09d8af615b9f107a266e19f7a311039d1035f180b22d4 file_path=/home/ec2-user/test_file.t
Human Readable#
Quarantine files#
Endpoint Id List File Path File Hash Action Id f8a2f58846b542579c12090652e79f3d /home/ec2-user/test_file.txt 55f8718109829bf506b09d8af615b9f107a266e19f7a311039d1035f180b22d4 4788
39. xdr-get-quarantine-status#
Retrieves the quarantine status for a selected file.
Base Command#
xdr-get-quarantine-status
Input#
| Argument Name | Description | Required |
|---|---|---|
| endpoint_id | String the represents the endpoint ID. | Required |
| file_hash | String that represents the file hash. Must be a valid SHA256 hash. | Required |
| file_path | String that represents the file path. | Required |
Context Output#
There is no context output for this command.
Command Example#
!xdr-get-quarantine-status endpoint_id=f8a2f58846b542579c12090652e79f3d file_hash=55f8718109829bf506b09d8af615b9f107a266e19f7a311039d1035f180b22d4 file_path=/home/ec2-user/test_file.txt
Human Readable Output#
Quarantine files#
Status Endpoint Id File Path File Hash false f8a2f58846b542579c12090652e79f3d /home/ec2-user/test_file.txt 55f8718109829bf506b09d8af615b9f107a266e19f7a311039d1035f180b22d4
40. xdr-restore-file#
Restores a quarantined file on requested endpoints.
Base Command#
xdr-restore-file
Input#
| Argument Name | Description | Required |
|---|---|---|
| file_hash | String that represents the file in hash. Must be a valid SHA256 hash. | Required |
| endpoint_id | String that represents the endpoint ID. If you do not enter a specific endpoint ID, the request will run restore on all endpoints which relate to the quarantined file you defined. | Optional |
Context Output#
There is no context output for this command.
Command Example#
!xdr-restore-file file_hash=55f8718109829bf506b09d8af615b9f107a266e19f7a311039d1035f180b22d4