Cortex XDR
LAST UPDATE: 04/01/2024
Overview
Palo Alto Networks Cortex XDR Platform allows users to ingest alerts and to leverage alert stitching and investigation capabilities. The APIs allow the user to manage incidents in a ticketing or automation system of your choice by reviewing and editing the incident's details, status, and assignee.
D3's integration with the Palo Alto Networks Cortex XDR's latest REST API provides the ability to ingest incidents, update incidents, and data enhancement operation for incidents.
D3 SOAR is providing REST operations to function with Cortex XDR.
Cortex XDR is available for use in:
Connection
To connect to Cortex XDR from D3 SOAR, please follow this part to collect the required information below:
Parameter | Description | Example |
Server URL | The server URL of the Cortex XDR API instance. | https://api-{fqdn} |
API Key | The API key to authenticate the API connection. | ******** |
API Key ID | The API key ID to authenticate the API connection. | 1 |
Version | The version of the API to use for the connection. | v1 |
READER NOTE
Fully Qualified Domain Name (FQDN)
Each Cortex tenant is assigned a unique host and domain name combination known as the Fully Qualified Domain Name (FQDN). When generating the API Key and Key ID, a FQDN is assigned. For more information, refer to Get Started with Cortex XDR APIs from Palo Alto's documentation.
Permission Requirements
Each endpoint in the Cortex XDR API requires a certain permission scope.
READER NOTE
As Cortex XDR is using role-based access control (RBAC), the API access keys are generated based on a specific user account and the application. Therefore, the command permissions are inherited from the user account’s role. Users need to configure their user profile from the Cortex XDR console for each command in this integration.
Some features are license-dependent. Accordingly, users may not see a specific feature if the feature is not supported by the license type of their user account or if they do not have access based on their assigned role.
When creating custom roles, refer to Access Management for required permissions
For Cortex XDR predefined User roles and permissions, please refer to Predefined User Roles for Cortex XDR.
Required License:
To execute commands, Cortex XDR Prevent, Cortex XDR Pro per Endpoint, or Cortex XDR Pro per TB is required.
Configuring Cortex XDR to Work with D3 SOAR
Log in to Cortex XDR with your credentials.
Once logged in, click the icon and navigate to Configurations > Integrations > API Keys.
Click + New Key to create a new API key.
In the API key creation window, select the "Advanced" security level. It is recommended to uncheck the "Enable Expiration Date" option to create an unlimited API key. Choose the appropriate level of access for this API key based on the desired roles. Click Generate to generate the API key.
Copy the generated API key and store it in a secure location. Click Done to complete the process. Note that the API key will not be visible again after this step. This unique API key will be used as the API Key in the integration's connector.
In the API Keys table, locate the ID field and take note of the ID number. This ID will be used as the API Key ID in the integration's connector.
Right-click your API key and select View Examples.
Copy the domain part of the CURL example, which will serve as the Server URL in the integration's connector. The format should be: https://api-{fqdn}.
Configuring D3 SOAR to Work with Cortex XDR
Log in to D3 SOAR.
Find the Cortex XDR integration.
a. Navigate to Configuration on the top header menu.
b. Click on the Integration icon on the left sidebar.
c. Type Cortex XDR in the search box to find the integration, then click it to select it.
d. Click + Connection, on the right side of the Connections section. A new connection window will appear.
Configure the following fields to create a connection to Cortex XDR.
a. Connection Name: The desired name for the connection.
b. Site: Specifies the site to use the integration connection. Use the drop-down menu to select the site. The Share to Internal Sites option enables all sites defined as internal sites to use the connection. Selecting a specific site will only enable that site to use the connection.
c. Recipient site for events from connections Shared to Internal Sites: This field appears if you selected Share to Internal Sites for Site to let you select the internal site to deploy the integration connection.
d. Agent Name (Optional): Specifies the proxy agent required to build the connection. Use the dropdown menu to select the proxy agent from a list of previously configured proxy agents.
e. Description (Optional): Add your desired description for the connection.
f. Configure User Permissions: Defines which users have access to the connection.
g. Active: Check the tick box to ensure the connection is available for use.
h. System: This section contains the parameters defined specifically for the integration. These parameters must be configured to create the integration connection.
1. Input your Server URL.
2. Input your API Key. See step 4 of Configuring Cortex XDR to work with D3 SOAR.
3. Input your API Key ID. See step 6 of Configuring Cortex XDR to work with D3 SOAR.
4. Input your API Version. Default version is v1.
i. Connection Health Check: Updates the connection status you have created. A connection health check is done by scheduling the Test Connection command of this integration. This can only be done when the connection is active.
To set up a connection health check, check the Connection Health Check tick box. You can customize the interval (minutes) for scheduling the health check. An email notification can be set up after a specified number of failed connection attempts.
j. Enable Password Vault: An optional feature that allows users to take the stored credentials from their own password vault. Please refer to the password vault connection guide if needed.
Test the connection.
a. Click Test Connection to verify the account credentials and network connection. If the Test Connection Passed alert window appears, the Test Connection is successful. You will see Passed with a green checkmark appear beside the Test Connection button. If the Test Connection fails, please check your connection parameters and try again.
b. Click OK to close the alert window.
c. Click Add to create and add the configured connection.
Commands
Cortex XDR includes the following executable commands for users to set up schedules or create playbook workflows. With the Test Command, you can execute these commands independently for playbook troubleshooting.
Integration API Note
For more information about the Cortex XDR API, please refer to the Cortex XDR API reference.
READER NOTE
Certain permissions are required for each command. Please refer to the Permission Requirements and Configuring Cortex XDR to Work with D3 SOAR for details.
Note for Time-related parameters
The input format of time-related parameters may vary based on your account settings. As a result, the sample data provided in our commands is different from what you see. To set your preferred time format, follow these steps:
Navigate to Configuration > Application Settings. Select Date/Time Format.
Choose your desired date and time format.
After that, you will be able to view your preferred time format when configuring the DateTime input parameters for commands.
Fetch Incident
Retrieves incidents from Cortex XDR based on the specified criteria.
Input
Input Parameter | Required/Optional | Description | Example |
Start Time | Required | The start time of the time range to filter the retrieved incidents in UTC time. The input start time corresponds to the selected time field (i.e., creation time or modification time). | 2019-12-22 00:00 |
End Time | Optional | The end time of the time range to filter the retrieved incidents in UTC time. The input end time corresponds to the selected time field (i.e., creation time or modification time). | 2019-12-23 00:00 |
Time Field | Required | The time field for the Start Time and End Time parameters. The available time fields are Creation Time and Modification Time. | Creation Time |
Number of Incident(s) Fetched | Optional | The maximum number of incidents to return. When the input has no value or is not a positive number, the default value of 20 will be used. The maximum value is 100. | 1 |
Offset | Optional | The number of items to skip before starting to collect the result set. When the input has no value or is not a positive number, the default value of 0 will be used. | 0 |
Order By | Optional | The time field (i.e. Creation Time or Modification Time) to order the returned results. The default setting is Creation Time. | Creation Time |
Direction | Optional | The sorting order (i.e., Ascending or Descending) of the returned results. The default setting is Descending. | Descending |
Other Filters | Optional | The array of conditions to filter the returned incidents. Each condition is defined as object within the array, consisting of the keys "field", "operator" and "value". The available filter fields are incident_id_list, description, alert_sources, status and starred. Please note that time-related fields are not supported for the "field" key. Instead, use the Start Time, End Time and Time Field parameters to define the desired time range. For more details about the input syntax for each key, refer to Get Incidents "filters" field from Palo Alto's documentation. When this parameter is defined, all other input parameters will be ignored. | [ { "field": "status", "operator": "<eq or neq>", "value": "resolved_true_positive" }, { "field": "description", "operator": "in", "value": ["descKeyword1", "descKeyword2"] }, { "field": "alert_sources", "operator": "in", "value": ["source1", "source2"] } ] |
Output
Incident Field Mapping
For this integration, the default incident fields in D3 SOAR are fixed with no built-in source fields. Users can specify the source fields as needed.
Event and Incident Intake Field Mapping
Please note that incident and event intake commands require both Event Field and Incident Field Mapping. These field mappings are the default event/incident field mappings for D3 system integrations. You can edit the provided mappings or create custom mappings as needed. Please refer to Event and Incident Intake Field Mapping for more details.
Incident Main JSON Path: $.reply.incidents
The pre-configured field mappings are detailed below:
Field Name | Source Field |
Title | User to define |
Description | User to define |
Severity | User to define, default is “Low” |
Incident Type * | User to define, default is the first Incident form in D3 SOAR system |
Incident Creator | User to define |
Incident Owner | User to define |
Incident Playbook | User to define |
Due In Date | User to define |
Unique Key | User to define |
Tactics | User to define |
Techniques | User to define |
Event Field Mapping
Main Event JSON Path
$
The Main Event JSON Path determines the root path where the system starts parsing raw response data into D3 event data. The JSON path begins with $, representing the root element. The path is formed by appending a sequence of child elements to $, each separated by a dot (.). Square brackets with nested quotation marks ([‘...’]) should be used to separate child elements in JSON arrays.
The pre-configured event field mappings are detailed below:
Field Name | Source Field |
Unique Event Key | .incident_id |
Event Name | .incident_name |
Event Type | .alarmRuleName |
Description | .description |
Severity | .severity |
Start Time | .creation_time |
Status | .status |
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Fetch Incident failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Cortex XDR portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Invalid Filter. |
Error Sample Data Fetch Incident failed. Status Code: 400. Message: Invalid Filter. |
Get Incident Details
Retrieves additional information on the specified incidents, including alerts and key artifacts.
READER NOTE
The parameter Incident IDs is required to run this command.
You should already have your desired Incident IDs on hand to run this command. If you don’t, you can use the Fetch Incident command with defined filters to retrieve the desired Incident IDs. The Incident IDs can be found in the raw data at the path $.reply.incidents[*].incident_id.
Input
Input Parameter | Required/Optional | Description | Example |
Incident IDs | Required | The IDs of the incidents to retrieve details. | ["*****"] |
Alerts Limit | Optional | The maximum number of related alerts from each incident to retrieve. The default value is 1000. | 3 |
Output
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Get Incident Details failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Cortex XDR portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Incident IDs Not Found. |
Error Sample Data Get Incident Details failed. Status Code: 404. Message: Incident IDs Not Found. |
Isolate Hosts
Isolates specified endpoint(s).
READER NOTE
The parameter Endpoint IDs is required to run this command.
Run the Search Hosts command to obtain Endpoint IDs. Endpoint IDs can be found in the returned raw data at the path $.reply.endpoints[*].endpoint_id.
Input
Input Parameter | Required/Optional | Description | Example |
Endpoint IDs | Required | The ID(s) of the endpoint(s) to be isolated. Endpoint IDs can be obtained using the Search Hosts command. | [ "endpint_ID" ] |
Output
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Isolate Hosts failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Cortex XDR portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Endpoint IDs Not Found. |
Error Sample Data Isolate Hosts failed. Status Code: 404. Message: Endpoint IDs Not Found. |
Search Hosts
Retrieves a list of filtered endpoints. The returned endpoints are sorted by last seen time in descending order. The maximum result set size is 100.
Input
Input Parameter | Required/Optional | Description | Example |
Host Names | Optional | The name(s) of the endpoint(s) to be returned. | [ "host_*****" ] |
User Names | Optional | The name(s) of the user(s) of the endpoint(s) to be returned. | [ "XDR" ] |
Group Names | Optional | The name(s) of the group(s) of the endpoint(s) to be returned. | No sample data |
Host IPs | Optional | The IP Address(es) of the endpoint(s) to be returned. | 192.168.5.12 |
Host Status | Optional | The status of the endpoint(s) to be returned. | Connected |
Platform | Optional | The platform of the endpoint(s) to be returned. | Windows |
Isolated | Optional | The isolation status of the endpoints to be returned. | Isolated |
Last Seen After | Optional | The endpoints which were last seen at or after this time will be returned. | 2023-06-01 00:00 |
Last Seen Before | Optional | The endpoints which were last seen at or before this time will be returned. | 2023-06-10 00:00 |
Output
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Search Hosts failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Cortex XDR portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Host Names Not Found. |
Error Sample Data Search Hosts failed. Status Code: 404. Message: Host Names Not Found. |
Unisolate Hosts
Unisolates specified endpoint(s).
READER NOTE
The parameter Endpoint IDs is required to run this command.
Run the Search Hosts command to obtain Endpoint IDs. Endpoint IDs can be found in the returned raw data at the path $.reply.endpoints[*].endpoint_id.
Input
Input Parameter | Required/Optional | Description | Example |
Endpoint IDs | Required | The ID(s) of the endpoint(s) to be unisolated. Endpoint IDs can be obtained using the Search Hosts command. | [ "endpint_ID" ] |
Output
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Unisolate Hosts failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Cortex XDR portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Endpoint IDs Not Found. |
Error Sample Data Unisolate Hosts failed. Status Code: 404. Message: Endpoint IDs Not Found. |
Update Incidents
Updates incidents in Cortex XDR.
READER NOTE
The parameter Incident IDs is required to run this command.
You should already have your desired Incident IDs on hand to run this command. If you don’t, you can use the Fetch Incident command with defined filters to retrieve the desired Incident IDs. The Incident IDs can be found in the raw data at the path $.reply.incidents[*].incident_id.
Input
Input Parameter | Required/Optional | Description | Example |
Incident IDs | Required | The IDs of the incidents to update. | ["*****"] |
Assigned User Mail | Optional | The updated email address of the incident's assignee. | ***@*****.*** |
Assigned User Name | Optional | The updated user name of the incident's assignee. This parameter is ignored when the Assigned User Mail parameter is not defined. | Sample Name |
Status | Optional | The updated status of the specified incidents. | Resolved Known Issue |
Severity | Optional | The updated severity level of the specified incidents. | High |
Comment | Optional | The updated comment for the specified incidents. | Comment on the incident |
Update Data | Optional | The array of fields and data to update to the specified incidents. When this parameter is defined, all other input parameters will be ignored. For more details about the input syntax, refer to the "update_data" field's description in Update an Incident from Palo Alto's documentation. | { |
Output
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Update Incidents failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Cortex XDR portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Incident IDs Not Found. |
Error Sample Data Update Incidents failed. Status Code: 404. Message: Incident IDs Not Found. |
Test Connection
Allows you to perform a health check on an integration connection. You can schedule a periodic health check by selecting Connection Health Check when editing an integration connection.
Input
N/A
Output
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Test Connection failed. Failed to check the connector. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Cortex XDR portal. Refer to the HTTP Status Code Registry for details. | Status Code: 403. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Max retries exceeded with url: /public_api/v1/incidents/get_incidents. |
Error Sample Data Test Connection failed. Failed to check the connector. Status Code: 403. Message: Max retries exceeded with url: /public_api/v1/incidents/get_incidents. |