Palo Alto Networks Cortex XDR - Investigation and Response

Overview


Cortex XDR is the world's first detection and response app that natively integrates network, endpoint and cloud data to stop sophisticated attacks. This integration was integrated and tested with version xx of Cortex XDR - IR.

Playbooks


Cortex XDR Incident Handling

The playbook syncs and updates the new XDR alerts that make up the incident. It enriches indicators using Threat Intelligence integrations and Palo Alto Networks AutoFocus. The incident's severity is then updated based on the indicators' reputation, and an analyst is assigned for manual investigation. If chosen, automated remediation with the Palo Alto Networks firewall is initiated. After a manual review by the SOC analyst, the XDR incident is closed automatically.

Use Cases


  • Fetch incidents from XDR
  • Enrich incident with alerts and incident from XDR
  • Update incident in XDR
  • Search for endpoints
  • Isolate/unisolate endpoints
  • Insert parsed alerts into XDR
  • Insert CEF alerts into XDR
  • Query for agent audit reports
  • Query for audit management logs
  • Create distribution
  • Get distribution download URL
  • Get distribution versions

Automation


To sync incidents between Demisto and Cortex XDR, use the XDRSyncScript script, which you can find on the Automation page.

Configuration


You need to collect several pieces of information in order to configure the integration on Demisto.

Generate an API Key and API Key ID

  1. In your Cortex XDR platform, go to Settings.
  2. Click the +New Key button in the top right corner.
  3. Generate a key of type Advanced.
  4. Copy and paste the key.
  5. From the ID column, copy the Key ID.

URL

  1. In your Cortex XDR platform, go to Settings.
  2. Click the Copy URL button in the top right corner.

Configure integration parameters

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Cortex XDR - IR.
  3. Click Add instance to create and configure a new integration instance.
    • Name: a textual name for the integration instance.
    • Fetch incidents
    • Incident type
    • Server URL (copy the URL from XDR; click ? for more information)
    • API Key ID
    • API Key
    • Trust any certificate (not secure)
    • Use system proxy settings
    • First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days)
  4. Click Test to validate the URLs, token, and connection.

Fetched Incidents Data


incident_id:31
creation_time:1564594008755
modification_time:1566339537617
detection_time:null
status:new
severity:low
description:6 'Microsoft Windows RPC Fragment Evasion Attempt' alerts detected by PAN NGFW on 6 hosts
assigned_user_mail:null
assigned_user_pretty_name:null
alert_count:6
low_severity_alert_count:0
med_severity_alert_count:6
high_severity_alert_count:0
user_count:1
host_count:6
notes:null
resolve_comment:null
manual_severity:low
manual_description:null
xdr_url:https://1111.paloaltonetworks.com/incident-view/31

Commands


You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. xdr-get-incidents
  2. xdr-get-incident-extra-data
  3. xdr-update-incident
  4. xdr-insert-parsed-alert
  5. xdr-insert-cef-alerts
  6. xdr-isolate-endpoint
  7. xdr-unisolate-endpoint
  8. xdr-get-endpoints
  9. xdr-get-distribution-versions
  10. xdr-create-distribution
  11. xdr-get-distribution-url
  12. xdr-get-create-distribution-status
  13. xdr-get-audit-management-logs
  14. xdr-get-audit-agent-reports

1. xdr-get-incidents


Returns a list of incidents, which you can filter by a list of incident IDs (max. 100), the time the incident was last modified, and the time the incident was created. If you pass multiple filtering arguments, they will be concatenated using the AND condition. The OR condition is not supported.

Required Permissions

FILL IN REQUIRED PERMISSIONS HERE

Base Command

xdr-get-incidents

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| lte_creation_time | Filters returned incidents that were created on or before the specified date/time, in the format 2019-12-31T23:59:00. | Optional |
| gte_creation_time | Filters returned incidents that were created on or after the specified date/time, in the format 2019-12-31T23:59:00. | Optional |
| lte_modification_time | Filters returned incidents that were modified on or before the specified date/time, in the format 2019-12-31T23:59:00. | Optional |
| gte_modification_time | Filters returned incidents that were modified on or after the specified date/time, in the format 2019-12-31T23:59:00. | Optional |
| incident_id_list | An array or CSV string of incident IDs. | Optional |
| since_creation_time | Filters returned incidents that were created on or after the specified relative time range, for example, 1 month, 2 days, 1 hour, and so on. | Optional |
| since_modification_time | Filters returned incidents that were modified on or after the specified relative time range, for example, 1 month, 2 days, 1 hour, and so on. | Optional |
| sort_by_modification_time | Sorts returned incidents by the date/time that the incident was last modified ("asc" - ascending, "desc" - descending). | Optional |
| sort_by_creation_time | Sorts returned incidents by the date/time that the incident was created ("asc" - ascending, "desc" - descending). | Optional |
| page | Page number (for pagination). The default is 0 (the first page). | Optional |
| limit | Maximum number of incidents to return per page. The default and maximum is 100. | Optional |
Context Output
| Path | Type | Description |
| --- | --- | --- |
| PaloAltoNetworksXDR.Incident.incident_id | String | Unique ID assigned to each returned incident. |
| PaloAltoNetworksXDR.Incident.manual_severity | String | Incident severity assigned by the user. This does not affect the calculated severity. Can be "low", "medium", or "high". |
| PaloAltoNetworksXDR.Incident.manual_description | String | Incident description provided by the user. |
| PaloAltoNetworksXDR.Incident.assigned_user_mail | String | Email address of the assigned user. |
| PaloAltoNetworksXDR.Incident.high_severity_alert_count | Number | Number of alerts with the severity HIGH. |
| PaloAltoNetworksXDR.Incident.host_count | Number | Number of hosts involved in the incident. |
| PaloAltoNetworksXDR.Incident.xdr_url | String | A link to the incident view on XDR. |
| PaloAltoNetworksXDR.Incident.assigned_user_pretty_name | String | Full name of the user assigned to the incident. |
| PaloAltoNetworksXDR.Incident.alert_count | Number | Total number of alerts in the incident. |
| PaloAltoNetworksXDR.Incident.med_severity_alert_count | Number | Number of alerts with the severity MEDIUM. |
| PaloAltoNetworksXDR.Incident.user_count | Number | Number of users involved in the incident. |
| PaloAltoNetworksXDR.Incident.severity | String | Calculated severity of the incident. Can be "low", "medium", or "high". |
| PaloAltoNetworksXDR.Incident.low_severity_alert_count | Number | Number of alerts with the severity LOW. |
| PaloAltoNetworksXDR.Incident.status | String | Current status of the incident. Can be "new", "under_investigation", "resolved_threat_handled", "resolved_known_issue", "resolved_duplicate", "resolved_false_positive" or "resolved_other". |
| PaloAltoNetworksXDR.Incident.description | String | Dynamic calculated description of the incident. |
| PaloAltoNetworksXDR.Incident.resolve_comment | String | Comments entered by the user when the incident was resolved. |
| PaloAltoNetworksXDR.Incident.notes | String | Comments entered by the user regarding the incident. |
| PaloAltoNetworksXDR.Incident.creation_time | Date | Date and time the incident was created on XDR. |
| PaloAltoNetworksXDR.Incident.detection_time | Date | Date and time that the first alert occurred in the incident. |
| PaloAltoNetworksXDR.Incident.modification_time | Date | Date and time that the incident was last modified. |

Command Example

!xdr-get-incidents gte_creation_time=2010-10-10T00:00:00 limit=3 sort_by_creation_time=desc

Context Example
```json
{
  "PaloAltoNetworksXDR.Incident": [
    {
      "host_count": 1,
      "incident_id": "4",
      "manual_severity": "medium",
      "description": "5 'This alert from content TestXDRPlaybook' alerts detected by Checkpoint - SandBlast ",
      "severity": "medium",
      "modification_time": 1579290004178,
      "assigned_user_pretty_name": null,
      "notes": null,
      "creation_time": 1577276587937,
      "alert_count": 5,
      "med_severity_alert_count": 1,
      "detection_time": null,
      "assigned_user_mail": null,
      "resolve_comment": "This issue was solved in Incident number 192304",
      "status": "new",
      "user_count": 1,
      "xdr_url": "https://some.xdr.url.com/incident-view/4",
      "starred": false,
      "low_severity_alert_count": 0,
      "high_severity_alert_count": 4,
      "manual_description": null
    },
    {
      "host_count": 1,
      "incident_id": "3",
      "manual_severity": "medium",
      "description": "'test 1' generated by Virus Total - Firewall",
      "severity": "medium",
      "modification_time": 1579237974014,
      "assigned_user_pretty_name": "woo@demisto.com",
      "notes": null,
      "creation_time": 1576100096594,
      "alert_count": 1,
      "med_severity_alert_count": 0,
      "detection_time": null,
      "assigned_user_mail": "woo@demisto.com",
      "resolve_comment": null,
      "status": "new",
      "user_count": 1,
      "xdr_url": "https://some.xdr.url.com/incident-view/3",
      "starred": false,
      "low_severity_alert_count": 0,
      "high_severity_alert_count": 1,
      "manual_description": null
    },
    {
      "host_count": 1,
      "incident_id": "2",
      "manual_severity": "high",
      "description": "'Alert Name Example 333' along with 1 other alert generated by Virus Total - VPN & Firewall-3 and Checkpoint - SandBlast",
      "severity": "high",
      "modification_time": 1579288790259,
      "assigned_user_pretty_name": null,
      "notes": null,
      "creation_time": 1576062816474,
      "alert_count": 2,
      "med_severity_alert_count": 0,
      "detection_time": null,
      "assigned_user_mail": null,
      "resolve_comment": null,
      "status": "under_investigation",
      "user_count": 1,
      "xdr_url": "https://some.xdr.url.com/incident-view/2",
      "starred": false,
      "low_severity_alert_count": 0,
      "high_severity_alert_count": 2,
      "manual_description": null
    }
  ]
}
```
Human Readable Output

Incidents

| alert_count | assigned_user_mail | assigned_user_pretty_name | creation_time | description | detection_time | high_severity_alert_count | host_count | incident_id | low_severity_alert_count | manual_description | manual_severity | med_severity_alert_count | modification_time | notes | resolve_comment | severity | starred | status | user_count | xdr_url |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 5 | | | 1577276587937 | 5 'This alert from content TestXDRPlaybook' alerts detected by Checkpoint - SandBlast | | 4 | 1 | 4 | 0 | | medium | 1 | 1579290004178 | | This issue was solved in Incident number 192304 | medium | false | new | 1 | https://some.xdr.url.com/incident-view/4 |
| 1 | woo@demisto.com | woo@demisto.com | 1576100096594 | 'test 1' generated by Virus Total - Firewall | | 1 | 1 | 3 | 0 | | medium | 0 | 1579237974014 | | | medium | false | new | 1 | https://some.xdr.url.com/incident-view/3 |
| 2 | | | 1576062816474 | 'Alert Name Example 333' along with 1 other alert generated by Virus Total - VPN & Firewall-3 and Checkpoint - SandBlast | | 2 | 1 | 2 | 0 | | high | 0 | 1579288790259 | | | high | false | under_investigation | 1 | https://some.xdr.url.com/incident-view/2 |
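The filtering, sorting and pagination rules documented for xdr-get-incidents (every filter is ANDed, relative and absolute time forms, at most 100 IDs and 100 incidents per page) are modelled here as an added example; this is not the integration's own code, and the incidents it runs over are constructed from the context example above.

```python
# Added example (not the integration's own code): models the filtering, sorting
# and pagination semantics documented for xdr-get-incidents and runs them over
# constructed sample incidents taken from the context example above.
import time
from datetime import datetime, timezone

MAX_PAGE_SIZE = 100      # documented default and maximum for `limit`
MAX_INCIDENT_IDS = 100   # documented maximum number of IDs in incident_id_list
UNIT_SECONDS = {"minute": 60, "hour": 3600, "day": 86400,
                "week": 604800, "month": 30 * 86400}  # month approximated as 30 days

SAMPLE_INCIDENTS = [  # constructed from the context example above
    {"incident_id": "4", "creation_time": 1577276587937, "modification_time": 1579290004178},
    {"incident_id": "3", "creation_time": 1576100096594, "modification_time": 1579237974014},
    {"incident_id": "2", "creation_time": 1576062816474, "modification_time": 1579288790259},
]


def absolute_to_ms(value):
    """Parse the documented absolute form (2019-12-31T23:59:00, read as UTC) into
    epoch milliseconds, the unit XDR uses for creation_time/modification_time."""
    dt = datetime.strptime(value, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp() * 1000)


def relative_to_ms(value, now_ms=None):
    """Parse the documented relative form ('2 days', '1 month') into the epoch
    millisecond threshold it denotes, measured back from now_ms."""
    amount, unit = value.strip().split()
    unit = unit.lower().rstrip("s")
    if not amount.isdigit() or unit not in UNIT_SECONDS:
        raise ValueError(f"unsupported relative time range: {value!r}")
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    return now_ms - int(amount) * UNIT_SECONDS[unit] * 1000


def build_filters(args, now_ms=None):
    """Translate command arguments into (field, operator, value) filters.
    All filters are ANDed, as the command documents; there is no OR."""
    filters = []
    for arg, field, op, conv in (
        ("gte_creation_time", "creation_time", "gte", absolute_to_ms),
        ("lte_creation_time", "creation_time", "lte", absolute_to_ms),
        ("gte_modification_time", "modification_time", "gte", absolute_to_ms),
        ("lte_modification_time", "modification_time", "lte", absolute_to_ms),
        ("since_creation_time", "creation_time", "gte", relative_to_ms),
        ("since_modification_time", "modification_time", "gte", relative_to_ms),
    ):
        if args.get(arg):
            value = conv(args[arg], now_ms) if conv is relative_to_ms else conv(args[arg])
            filters.append((field, op, value))
    ids = args.get("incident_id_list")
    if ids:
        if isinstance(ids, str):  # CSV string form
            ids = [i.strip() for i in ids.split(",") if i.strip()]
        if len(ids) > MAX_INCIDENT_IDS:
            raise ValueError(f"incident_id_list has {len(ids)} IDs; max is {MAX_INCIDENT_IDS}")
        filters.append(("incident_id", "in", [str(i) for i in ids]))
    return filters


def page_bounds(args):
    """Turn page/limit into a slice, enforcing the documented maximum of 100 per page."""
    page, limit = int(args.get("page", 0)), int(args.get("limit", MAX_PAGE_SIZE))
    if page < 0 or not 1 <= limit <= MAX_PAGE_SIZE:
        raise ValueError(f"page must be >= 0 and limit within 1..{MAX_PAGE_SIZE}")
    return page * limit, page * limit + limit


OPS = {"gte": lambda a, b: a >= b, "lte": lambda a, b: a <= b, "in": lambda a, b: a in b}


def get_incidents(args, incidents=SAMPLE_INCIDENTS, now_ms=None):
    """Apply all filters (AND), then the single requested sort, then pagination."""
    filters = build_filters(args, now_ms)
    matched = [inc for inc in incidents
               if all(OPS[op](inc[field], val) for field, op, val in filters)]
    for arg, field in (("sort_by_creation_time", "creation_time"),
                       ("sort_by_modification_time", "modification_time")):
        order = args.get(arg)
        if order:
            if order not in ("asc", "desc"):
                raise ValueError(f"{arg} must be 'asc' or 'desc'")
            matched.sort(key=lambda inc: inc[field], reverse=(order == "desc"))
            break
    start, end = page_bounds(args)
    return matched[start:end]


def incident_ids(args, **kw):
    """Convenience wrapper: the matching incident IDs in returned order."""
    return [inc["incident_id"] for inc in get_incidents(args, **kw)]
```

The AND semantics show up in the combined creation/modification filter: only incidents passing both bounds are returned.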

2. xdr-get-incident-extra-data


Returns additional data for the specified incident, for example, related alerts, file artifacts, network artifacts, and so on.

Required Permissions

FILL IN REQUIRED PERMISSIONS HERE

Base Command

xdr-get-incident-extra-data

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| incident_id | The ID of the incident for which to get additional data. | Required |
| alerts_limit | Maximum number of alerts to return. Default is 1,000. | Optional |
Context Output
| Path | Type | Description |
| --- | --- | --- |
| PaloAltoNetworksXDR.Incident.incident_id | String | Unique ID assigned to each returned incident. |
| PaloAltoNetworksXDR.Incident.creation_time | Date | Date and time the incident was created on XDR. |
| PaloAltoNetworksXDR.Incident.modification_time | Date | Date and time that the incident was last modified. |
| PaloAltoNetworksXDR.Incident.detection_time | Date | Date and time that the first alert occurred in the incident. |
| PaloAltoNetworksXDR.Incident.status | String | Current status of the incident: "new", "under_investigation", "resolved_threat_handled", "resolved_known_issue", "resolved_duplicate", "resolved_false_positive", "resolved_other". |
| PaloAltoNetworksXDR.Incident.severity | String | Calculated severity of the incident: "low", "medium", "high". |
| PaloAltoNetworksXDR.Incident.description | String | Dynamic calculated description of the incident. |
| PaloAltoNetworksXDR.Incident.assigned_user_mail | String | Email address of the assigned user. |
| PaloAltoNetworksXDR.Incident.assigned_user_pretty_name | String | Full name of the user assigned to the incident. |
| PaloAltoNetworksXDR.Incident.alert_count | Number | Total number of alerts in the incident. |
| PaloAltoNetworksXDR.Incident.low_severity_alert_count | Number | Number of alerts with the severity LOW. |
| PaloAltoNetworksXDR.Incident.med_severity_alert_count | Number | Number of alerts with the severity MEDIUM. |
| PaloAltoNetworksXDR.Incident.high_severity_alert_count | Number | Number of alerts with the severity HIGH. |
| PaloAltoNetworksXDR.Incident.user_count | Number | Number of users involved in the incident. |
| PaloAltoNetworksXDR.Incident.host_count | Number | Number of hosts involved in the incident. |
| PaloAltoNetworksXDR.Incident.notes | Unknown | Comments entered by the user regarding the incident. |
| PaloAltoNetworksXDR.Incident.resolve_comment | String | Comments entered by the user when the incident was resolved. |
| PaloAltoNetworksXDR.Incident.manual_severity | String | Incident severity assigned by the user. This does not affect the calculated severity. Can be "low", "medium", or "high". |
| PaloAltoNetworksXDR.Incident.manual_description | String | Incident description provided by the user. |
| PaloAltoNetworksXDR.Incident.xdr_url | String | A link to the incident view on XDR. |
| PaloAltoNetworksXDR.Incident.starred | Boolean | Whether the incident is starred. |
| PaloAltoNetworksXDR.Incident.alerts.alert_id | String | Unique ID for each alert. |
| PaloAltoNetworksXDR.Incident.alerts.detection_timestamp | Date | Date and time that the alert occurred. |
| PaloAltoNetworksXDR.Incident.alerts.source | String | Source of the alert. The product/vendor this alert came from. |
| PaloAltoNetworksXDR.Incident.alerts.severity | String | Severity of the alert: "low", "medium", "high". |
| PaloAltoNetworksXDR.Incident.alerts.name | String | Calculated name of the alert. |
| PaloAltoNetworksXDR.Incident.alerts.category | String | Category of the alert, for example, Spyware Detected via Anti-Spyware profile. |
| PaloAltoNetworksXDR.Incident.alerts.description | String | Textual description of the alert. |
| PaloAltoNetworksXDR.Incident.alerts.host_ip | String | Host IP involved in the alert. |
| PaloAltoNetworksXDR.Incident.alerts.host_name | String | Host name involved in the alert. |
| PaloAltoNetworksXDR.Incident.alerts.user_name | String | User name involved with the alert. |
| PaloAltoNetworksXDR.Incident.alerts.event_type | String | Event type: "Process Execution", "Network Event", "File Event", "Registry Event", "Injection Event", "Load Image Event", "Windows Event Log". |
| PaloAltoNetworksXDR.Incident.alerts.action | String | The action that triggered the alert: "REPORTED", "BLOCKED", "POST_DETECTED", "SCANNED", "DOWNLOAD", "PROMPT_ALLOW", "PROMPT_BLOCK", "DETECTED", "BLOCKED_1", "BLOCKED_2", "BLOCKED_3", "BLOCKED_5", "BLOCKED_6", "BLOCKED_7", "BLOCKED_8", "BLOCKED_9", "BLOCKED_10", "BLOCKED_11", "BLOCKED_13", "BLOCKED_14", "BLOCKED_15", "BLOCKED_16", "BLOCKED_17", "BLOCKED_24", "BLOCKED_25", "DETECTED_0", "DETECTED_4", "DETECTED_18", "DETECTED_19", "DETECTED_20", "DETECTED_21", "DETECTED_22", "DETECTED_23". |
| PaloAltoNetworksXDR.Incident.alerts.action_pretty | String | The action that triggered the alert, in readable form: "Detected (Reported)", "Prevented (Blocked)", "Detected (Post Detected)", "Detected (Scanned)", "Detected (Download)", "Detected (Prompt Allow)", "Prevented (Prompt Block)", "Detected", "Prevented (Denied The Session)", "Prevented (Dropped The Session)", "Prevented (Dropped The Session And Sent a TCP Reset)", "Prevented (Blocked The URL)", "Prevented (Blocked The IP)", "Prevented (Dropped The Packet)", "Prevented (Dropped All Packets)", "Prevented (Terminated The Session And Sent a TCP Reset To Both Sides Of The Connection)", "Prevented (Terminated The Session And Sent a TCP Reset To The Client)", "Prevented (Terminated The Session And Sent a TCP Reset To The Server)", "Prevented (Continue)", "Prevented (Block-Override)", "Prevented (Override-Lockout)", "Prevented (Override)", "Prevented (Random-Drop)", "Prevented (Silently Dropped The Session With An ICMP Unreachable Message To The Host Or Application)", "Prevented (Block)", "Detected (Allowed The Session)", "Detected (Raised An Alert)", "Detected (Syncookie Sent)", "Detected (Forward)", "Detected (Wildfire Upload Success)", "Detected (Wildfire Upload Failure)", "Detected (Wildfire Upload Skip)", "Detected (Sinkhole)". |
| PaloAltoNetworksXDR.Incident.alerts.actor_process_image_name | String | Image name. |
| PaloAltoNetworksXDR.Incident.alerts.actor_process_command_line | String | Command line. |
| PaloAltoNetworksXDR.Incident.alerts.actor_process_signature_status | String | Signature status: "Signed", "Invalid Signature", "Unsigned", "Revoked", "Signature Fail", "N/A", "Weak Hash". |
| PaloAltoNetworksXDR.Incident.alerts.actor_process_signature_vendor | String | Signature vendor name. |
| PaloAltoNetworksXDR.Incident.alerts.causality_actor_process_image_name | String | Image name. |
| PaloAltoNetworksXDR.Incident.alerts.causality_actor_process_command_line | String | Command line. |
| PaloAltoNetworksXDR.Incident.alerts.causality_actor_process_signature_status | String | Signature status: "Signed", "Invalid Signature", "Unsigned", "Revoked", "Signature Fail", "N/A", "Weak Hash". |
| PaloAltoNetworksXDR.Incident.alerts.causality_actor_process_signature_vendor | String | Signature vendor. |
| PaloAltoNetworksXDR.Incident.alerts.causality_actor_causality_id | Unknown | Causality ID. |
| PaloAltoNetworksXDR.Incident.alerts.action_process_image_name | String | Image name. |
| PaloAltoNetworksXDR.Incident.alerts.action_process_image_command_line | String | Command line. |
| PaloAltoNetworksXDR.Incident.alerts.action_process_image_sha256 | String | Image SHA256. |
| PaloAltoNetworksXDR.Incident.alerts.action_process_signature_status | String | Signature status: "Signed", "Invalid Signature", "Unsigned", "Revoked", "Signature Fail", "N/A", "Weak Hash". |
| PaloAltoNetworksXDR.Incident.alerts.action_process_signature_vendor | String | Signature vendor name. |
| PaloAltoNetworksXDR.Incident.alerts.action_file_path | String | File path. |
| PaloAltoNetworksXDR.Incident.alerts.action_file_md5 | String | File MD5. |
| PaloAltoNetworksXDR.Incident.alerts.action_file_sha256 | String | File SHA256. |
| PaloAltoNetworksXDR.Incident.alerts.action_registry_data | String | Registry data. |
| PaloAltoNetworksXDR.Incident.alerts.action_registry_full_key | String | Registry full key. |
| PaloAltoNetworksXDR.Incident.alerts.action_local_ip | String | Local IP. |
| PaloAltoNetworksXDR.Incident.alerts.action_local_port | Number | Local port. |
| PaloAltoNetworksXDR.Incident.alerts.action_remote_ip | String | Remote IP. |
| PaloAltoNetworksXDR.Incident.alerts.action_remote_port | Number | Remote port. |
| PaloAltoNetworksXDR.Incident.alerts.action_external_hostname | String | External hostname. |
| PaloAltoNetworksXDR.Incident.alerts.fw_app_id | Unknown | Firewall app ID. |
| PaloAltoNetworksXDR.Incident.alerts.is_whitelisted | String | Whether the alert is whitelisted: "Yes" or "No". |
| PaloAltoNetworksXDR.Incident.alerts.starred | Boolean | Whether the alert is starred. |
| PaloAltoNetworksXDR.Incident.network_artifacts.type | String | The artifact type: "META", "GID", "CID", "HASH", "IP", "DOMAIN", "REGISTRY", "HOSTNAME". |
| PaloAltoNetworksXDR.Incident.network_artifacts.network_remote_port | Number | The remote port related to the artifact. |
| PaloAltoNetworksXDR.Incident.network_artifacts.alert_count | Number | Number of alerts related to the artifact. |
| PaloAltoNetworksXDR.Incident.network_artifacts.network_remote_ip | String | The remote IP related to the artifact. |
| PaloAltoNetworksXDR.Incident.network_artifacts.is_manual | Boolean | Whether the artifact was created by the user (manually). |
| PaloAltoNetworksXDR.Incident.network_artifacts.network_domain | String | The domain related to the artifact. |
| PaloAltoNetworksXDR.Incident.network_artifacts.network_country | String | The country related to the artifact. |
| PaloAltoNetworksXDR.Incident.file_artifacts.file_signature_status | String | Digital signature status of the file: "SIGNATURE_UNAVAILABLE", "SIGNATURE_SIGNED", "SIGNATURE_INVALID", "SIGNATURE_UNSIGNED", "SIGNATURE_WEAK_HASH". |
| PaloAltoNetworksXDR.Incident.file_artifacts.is_process | Boolean | Whether the file artifact is related to a process execution. |
| PaloAltoNetworksXDR.Incident.file_artifacts.file_name | String | Name of the file. |
| PaloAltoNetworksXDR.Incident.file_artifacts.file_wildfire_verdict | String | The file verdict, calculated by Wildfire: "BENIGN", "MALWARE", "GRAYWARE", "PHISING", "UNKNOWN". |
| PaloAltoNetworksXDR.Incident.file_artifacts.alert_count | Number | Number of alerts related to the artifact. |
| PaloAltoNetworksXDR.Incident.file_artifacts.is_malicious | Boolean | Whether the artifact is malicious, decided by the Wildfire verdict. |
| PaloAltoNetworksXDR.Incident.file_artifacts.is_manual | Boolean | Whether the artifact was created by the user (manually). |
| PaloAltoNetworksXDR.Incident.file_artifacts.type | String | The artifact type: "META", "GID", "CID", "HASH", "IP", "DOMAIN", "REGISTRY", "HOSTNAME". |
| PaloAltoNetworksXDR.Incident.file_artifacts.file_sha256 | String | SHA-256 hash of the file. |
| PaloAltoNetworksXDR.Incident.file_artifacts.file_signature_vendor_name | String | File signature vendor name. |
| Account.Username | String | The username in the relevant system. |
| Endpoint.Hostname | String | The hostname that is mapped to this endpoint. |
Command Example

!xdr-get-incident-extra-data incident_id=4 alerts_limit=10

Context Example
```json
{
  "Account": {
    "Username": [
      null
    ]
  },
  "Endpoint": {
    "Hostname": [
      null
    ]
  },
  "PaloAltoNetworksXDR.Incident": {
    "host_count": 1,
    "manual_severity": "medium",
    "xdr_url": "https://some.xdr.url.com/incident-view/4",
    "assigned_user_pretty_name": null,
    "alert_count": 5,
    "med_severity_alert_count": 1,
    "detection_time": null,
    "user_count": 1,
    "severity": "medium",
    "alerts": [
      {
        "action_process_signature_status": "N/A",
        "action_pretty": [
          "VALUE_NA",
          "N/A"
        ],
        "event_type": "Network Event",
        "alert_id": "6",
        "action_file_sha256": null,
        "action_external_hostname": null,
        "causality_actor_process_command_line": null,
        "description": "Test - alert generated by Test XDR Playbook",
        "category": null,
        "severity": "medium",
        "source": "Cisco - Sandblast",
        "action_remote_port": 8000,
        "causality_actor_process_signature_status": "N/A",
        "fw_app_id": null,
        "is_whitelisted": "No",
        "action_local_ip": "196.168.0.1",
        "action_registry_data": null,
        "action_process_image_sha256": null,
        "user_name": null,
        "action_remote_ip": "2.2.2.2",
        "action_process_signature_vendor": "N/A",
        "actor_process_signature_status": "N/A",
        "name": "Test - alert generated by Test XDR Playbook",
        "causality_actor_causality_id": null,
        "host_ip": null,
        "action_process_image_name": null,
        "detection_timestamp": 1577276586921,
        "action_file_md5": null,
        "causality_actor_process_image_name": null,
        "action_file_path": null,
        "action_process_image_command_line": null,
        "action_local_port": 7000,
        "actor_process_image_name": null,
        "action_registry_full_key": null,
        "actor_process_signature_vendor": "N/A",
        "actor_process_command_line": null,
        "host_name": null,
        "action": [
          "VALUE_NA",
          "N/A"
        ],
        "starred": false,
        "causality_actor_process_signature_vendor": "N/A"
      },
      {
        "action_process_signature_status": "N/A",
        "action_pretty": [
          "VALUE_NA",
          "N/A"
        ],
        "event_type": "Network Event",
        "alert_id": "7",
        "action_file_sha256": null,
        "action_external_hostname": null,
        "causality_actor_process_command_line": null,
        "description": "This alert from content TestXDRPlaybook description",
        "category": null,
        "severity": "high",
        "source": "Checkpoint - SandBlast",
        "action_remote_port": 6000,
        "causality_actor_process_signature_status": "N/A",
        "fw_app_id": null,
        "is_whitelisted": "No",
        "action_local_ip": "196.168.0.111",
        "action_registry_data": null,
        "action_process_image_sha256": null,
        "user_name": null,
        "action_remote_ip": "2.2.2.2",
        "action_process_signature_vendor": "N/A",
        "actor_process_signature_status": "N/A",
        "name": "This alert from content TestXDRPlaybook",
        "causality_actor_causality_id": null,
        "host_ip": null,
        "action_process_image_name": null,
        "detection_timestamp": 1577776701589,
        "action_file_md5": null,
        "causality_actor_process_image_name": null,
        "action_file_path": null,
        "action_process_image_command_line": null,
        "action_local_port": 2000,
        "actor_process_image_name": null,
        "action_registry_full_key": null,
        "actor_process_signature_vendor": "N/A",
        "actor_process_command_line": null,
        "host_name": null,
        "action": [
          "VALUE_NA",
          "N/A"
        ],
        "starred": false,
        "causality_actor_process_signature_vendor": "N/A"
      },
      {
        "action_process_signature_status": "N/A",
        "action_pretty": [
          "VALUE_NA",
          "N/A"
        ],
        "event_type": "Network Event",
        "alert_id": "8",
        "action_file_sha256": null,
        "action_external_hostname": null,
        "causality_actor_process_command_line": null,
        "description": "This alert from content TestXDRPlaybook description",
        "category": null,
        "severity": "high",
        "source": "Checkpoint - SandBlast",
        "action_remote_port": 6000,
        "causality_actor_process_signature_status": "N/A",
        "fw_app_id": null,
        "is_whitelisted": "No",
        "action_local_ip": "196.168.0.111",
        "action_registry_data": null,
        "action_process_image_sha256": null,
        "user_name": null,
        "action_remote_ip": "2.2.2.2",
        "action_process_signature_vendor": "N/A",
        "actor_process_signature_status": "N/A",
        "name": "This alert from content TestXDRPlaybook",
        "causality_actor_causality_id": null,
        "host_ip": null,
        "action_process_image_name": null,
        "detection_timestamp": 1577958479843,
        "action_file_md5": null,
        "causality_actor_process_image_name": null,
        "action_file_path": null,
        "action_process_image_command_line": null,
        "action_local_port": 2000,
        "actor_process_image_name": null,
        "action_registry_full_key": null,
        "actor_process_signature_vendor": "N/A",
        "actor_process_command_line": null,
        "host_name": null,
        "action": [
          "VALUE_NA",
          "N/A"
        ],
        "starred": false,
        "causality_actor_process_signature_vendor": "N/A"
      },
      {
        "action_process_signature_status": "N/A",
        "action_pretty": [
          "VALUE_NA",
          "N/A"
        ],
        "event_type": "Network Event",
        "alert_id": "9",
        "action_file_sha256": null,
        "action_external_hostname": null,
        "causality_actor_process_command_line": null,
        "description": "This alert from content TestXDRPlaybook description",
        "category": null,
        "severity": "high",
        "source": "Checkpoint - SandBlast",
        "action_remote_port": 6000,
        "causality_actor_process_signature_status": "N/A",
        "fw_app_id": null,
        "is_whitelisted": "No",
        "action_local_ip": "196.168.0.111",
        "action_registry_data": null,
        "action_process_image_sha256": null,
        "user_name": null,
        "action_remote_ip": "2.2.2.2",
        "action_process_signature_vendor": "N/A",
        "actor_process_signature_status": "N/A",
        "name": "This alert from content TestXDRPlaybook",
        "causality_actor_causality_id": null,
        "host_ip": null,
        "action_process_image_name": null,
        "detection_timestamp": 1578123895414,
        "action_file_md5": null,
        "causality_actor_process_image_name": null,
        "action_file_path": null,
        "action_process_image_command_line": null,
        "action_local_port": 2000,
        "actor_process_image_name": null,
        "action_registry_full_key": null,
        "actor_process_signature_vendor": "N/A",
        "actor_process_command_line": null,
        "host_name": null,
        "action": [
          "VALUE_NA",
          "N/A"
        ],
        "starred": false,
        "causality_actor_process_signature_vendor": "N/A"
      },
      {
        "action_process_signature_status": "N/A",
        "action_pretty": [
          "VALUE_NA",
          "N/A"
        ],
        "event_type": "Network Event",
        "alert_id": "10",
        "action_file_sha256": null,
        "action_external_hostname": null,
        "causality_actor_process_command_line": null,
        "description": "This alert from content TestXDRPlaybook description",
        "category": null,
        "severity": "high",
        "source": "Checkpoint - SandBlast",
        "action_remote_port": 6000,
        "causality_actor_process_signature_status": "N/A",
        "fw_app_id": null,
        "is_whitelisted": "No",
        "action_local_ip": "196.168.0.111",
        "action_registry_data": null,
        "action_process_image_sha256": null,
        "user_name": null,
        "action_remote_ip": "2.2.2.2",
        "action_process_signature_vendor": "N/A",
        "actor_process_signature_status": "N/A",
        "name": "This alert from content TestXDRPlaybook",
        "causality_actor_causality_id": null,
        "host_ip": null,
        "action_process_image_name": null,
        "detection_timestamp": 1578927443615,
        "action_file_md5": null,
        "causality_actor_process_image_name": null,
        "action_file_path": null,
        "action_process_image_command_line": null,
        "action_local_port": 2000,
        "actor_process_image_name": null,
        "action_registry_full_key": null,
        "actor_process_signature_vendor": "N/A",
        "actor_process_command_line": null,
        "host_name": null,
        "action": [
          "VALUE_NA",
          "N/A"
        ],
        "starred": false,
        "causality_actor_process_signature_vendor": "N/A"
      }
    ],
    "low_severity_alert_count": 0,
    "status": "new",
    "description": "5 'This alert from content TestXDRPlaybook' alerts detected by Checkpoint - SandBlast ",
    "resolve_comment": "This issue was solved in Incident number 192304",
    "creation_time": 1577276587937,
    "modification_time": 1579290004178,
    "network_artifacts": [
      {
        "network_remote_port": 8000,
        "alert_count": 5,
        "network_remote_ip": "2.2.2.2",
        "is_manual": false,
        "network_domain": null,
        "type": "IP",
        "network_country": null
      }
    ],
    "file_artifacts": [],
    "manual_description": null,
    "incident_id": "4",
    "notes": null,
    "assigned_user_mail": null,
    "starred": false,
    "high_severity_alert_count": 4
  }
}
```
Human Readable Output

Incident 4

| alert_count | assigned_user_mail | assigned_user_pretty_name | creation_time | description | detection_time | high_severity_alert_count | host_count | incident_id | low_severity_alert_count | manual_description | manual_severity | med_severity_alert_count | modification_time | notes | resolve_comment | severity | starred | status | user_count | xdr_url |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 5 | | | 1577276587937 | 5 'This alert from content TestXDRPlaybook' alerts detected by Checkpoint - SandBlast | | 4 | 1 | 4 | 0 | | medium | 1 | 1579290004178 | | This issue was solved in Incident number 192304 | medium | false | new | 1 | https://some.xdr.url.com/incident-view/4 |

Alerts

| action | action_external_hostname | action_file_md5 | action_file_path | action_file_sha256 | action_local_ip | action_local_port | action_pretty | action_process_image_command_line | action_process_image_name | action_process_image_sha256 | action_process_signature_status | action_process_signature_vendor | action_registry_data | action_registry_full_key | action_remote_ip | action_remote_port | actor_process_command_line | actor_process_image_name | actor_process_signature_status | actor_process_signature_vendor | alert_id | category | causality_actor_causality_id | causality_actor_process_command_line | causality_actor_process_image_name | causality_actor_process_signature_status | causality_actor_process_signature_vendor | description | detection_timestamp | event_type | fw_app_id | host_ip | host_name | is_whitelisted | name | severity | source | starred | user_name |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| VALUE_NA, N/A | | | | | 196.168.0.1 | 7000 | VALUE_NA, N/A | | | | N/A | N/A | | | 2.2.2.2 | 8000 | | | N/A | N/A | 6 | | | | | N/A | N/A | Test - alert generated by Test XDR Playbook | 1577276586921 | Network Event | | | | No | Test - alert generated by Test XDR Playbook | medium | Cisco - Sandblast | false | |
| VALUE_NA, N/A | | | | | 196.168.0.111 | 2000 | VALUE_NA, N/A | | | | N/A | N/A | | | 2.2.2.2 | 6000 | | | N/A | N/A | 7 | | | | | N/A | N/A | This alert from content TestXDRPlaybook description | 1577776701589 | Network Event | | | | No | This alert from content TestXDRPlaybook | high | Checkpoint - SandBlast | false | |
| VALUE_NA, N/A | | | | | 196.168.0.111 | 2000 | VALUE_NA, N/A | | | | N/A | N/A | | | 2.2.2.2 | 6000 | | | N/A | N/A | 8 | | | | | N/A | N/A | This alert from content TestXDRPlaybook description | 1577958479843 | Network Event | | | | No | This alert from content TestXDRPlaybook | high | Checkpoint - SandBlast | false | |
| VALUE_NA, N/A | | | | | 196.168.0.111 | 2000 | VALUE_NA, N/A | | | | N/A | N/A | | | 2.2.2.2 | 6000 | | | N/A | N/A | 9 | | | | | N/A | N/A | This alert from content TestXDRPlaybook description | 1578123895414 | Network Event | | | | No | This alert from content TestXDRPlaybook | high | Checkpoint - SandBlast | false | |
| VALUE_NA, N/A | | | | | 196.168.0.111 | 2000 | VALUE_NA, N/A | | | | N/A | N/A | | | 2.2.2.2 | 6000 | | | N/A | N/A | 10 | | | | | N/A | N/A | This alert from content TestXDRPlaybook description | 1578927443615 | Network Event | | | | No | This alert from content TestXDRPlaybook | high | Checkpoint - SandBlast | false | |

Network Artifacts

| alert_count | is_manual | network_country | network_domain | network_remote_ip | network_remote_port | type |
| --- | --- | --- | --- | --- | --- | --- |
| 5 | false | | | 2.2.2.2 | 8000 | IP |

File Artifacts

No entries.

3. xdr-update-incident


Updates one or more fields of a specified incident. Fields that are not passed are left unchanged. To remove the assignment for an incident, pass a null value in the assignee email argument.

Required Permissions

FILL IN REQUIRED PERMISSIONS HERE

Base Command

xdr-update-incident

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| incident_id | XDR incident ID. You can get the incident ID from the output of the 'xdr-get-incidents' command or the 'xdr-get-incident-extra-data' command. | Required |
| manual_severity | Severity to assign to the incident (LOW, MEDIUM, or HIGH). | Optional |
| assigned_user_mail | Email address of the user to assign to the incident. | Optional |
| assigned_user_pretty_name | Full name of the user assigned to the incident. | Optional |
| status | Status of the incident (NEW, UNDER_INVESTIGATION, RESOLVED_THREAT_HANDLED, RESOLVED_KNOWN_ISSUE, RESOLVED_DUPLICATE, RESOLVED_FALSE_POSITIVE, RESOLVED_OTHER). | Optional |
| resolve_comment | Comment explaining why the incident was resolved. This should be set when the incident is resolved. | Optional |
| unassign_user | If true, removes all assigned users from the incident. | Optional |
Context Output

There is no context output for this command.

Command Example

!xdr-update-incident incident_id="4" status="RESOLVED_KNOWN_ISSUE" resolve_comment="This issue was solved in Incident number 192304"

Human Readable Output

Incident 4 has been updated
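The argument rules stated above (fields that are not supplied are left alone, a null assignee email clears the assignment, and a resolve comment belongs with a resolved status) can be enforced before the command is issued. The following is an added example, not code from the Cortex XDR - IR integration: it builds the update from the command's own arguments and rejects combinations XDR would reject. The dictionary keys reuse the argument names on this page; the exact request schema of the XDR API is an assumption not shown here.

```python
"""Build and validate the field set for an xdr-update-incident call.

Added example, not the integration's code. Only supplied fields are sent (the
server ignores missing fields); unassign_user sends a null assignee email; a
RESOLVED_* status without a resolve_comment is refused. Key names follow the
command arguments; the on-the-wire XDR schema is an assumption.
"""
from typing import Any, Dict, Optional

SEVERITIES = {"LOW", "MEDIUM", "HIGH"}
STATUSES = {
    "NEW", "UNDER_INVESTIGATION", "RESOLVED_THREAT_HANDLED", "RESOLVED_KNOWN_ISSUE",
    "RESOLVED_DUPLICATE", "RESOLVED_FALSE_POSITIVE", "RESOLVED_OTHER",
}


def build_incident_update(
    incident_id: str,
    manual_severity: Optional[str] = None,
    assigned_user_mail: Optional[str] = None,
    assigned_user_pretty_name: Optional[str] = None,
    status: Optional[str] = None,
    resolve_comment: Optional[str] = None,
    unassign_user: bool = False,
) -> Dict[str, Any]:
    """Return {"incident_id": ..., "update_data": {...}} holding only the fields that change."""
    if not str(incident_id).strip():
        raise ValueError("incident_id is required")
    update: Dict[str, Any] = {}

    if manual_severity is not None:
        sev = manual_severity.upper()
        if sev not in SEVERITIES:
            raise ValueError(f"manual_severity must be one of {sorted(SEVERITIES)}")
        update["manual_severity"] = sev

    if status is not None:
        st = status.upper()
        if st not in STATUSES:
            raise ValueError(f"status must be one of {sorted(STATUSES)}")
        update["status"] = st
        # Refuse a resolution without a reason so the incident record stays explainable.
        if st.startswith("RESOLVED_") and not resolve_comment:
            raise ValueError("resolve_comment is required when resolving an incident")

    if resolve_comment is not None:
        update["resolve_comment"] = resolve_comment

    if unassign_user:
        # A null assignee email clears the assignment; the display name goes with it.
        update["assigned_user_mail"] = None
        update["assigned_user_pretty_name"] = None
    else:
        if assigned_user_mail is not None:
            update["assigned_user_mail"] = assigned_user_mail
        if assigned_user_pretty_name is not None:
            update["assigned_user_pretty_name"] = assigned_user_pretty_name

    if not update:
        raise ValueError("nothing to update: supply at least one field")
    return {"incident_id": str(incident_id), "update_data": update}


if __name__ == "__main__":
    # Mirrors the command example above.
    print(build_incident_update("4", status="RESOLVED_KNOWN_ISSUE",
                                resolve_comment="This issue was solved in Incident number 192304"))
```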

4. xdr-insert-parsed-alert


Uploads an alert from an external alert source in Cortex XDR format. Cortex XDR displays alerts that are parsed successfully in related incidents and views. You can send 600 alerts per minute. Each request can contain a maximum of 60 alerts.

Required Permissions

FILL IN REQUIRED PERMISSIONS HERE

Base Command

xdr-insert-parsed-alert

Input
Argument Name | Description | Required
product | String value that defines the product. | Required
vendor | String value that defines the vendor. | Required
local_ip | String value for the source IP address. | Optional
local_port | Integer value for the source port. | Required
remote_ip | String value of the destination IP address. | Required
remote_port | Integer value for the destination port. | Required
event_timestampt | Integer value representing the epoch of the time the alert occurred in milliseconds, or String value of date format 2019-10-23T10:00:00. If not set, the event time is defined as now. | Optional
severity | String value of alert severity: Informational, Low, Medium, High, or Unknown. | Optional
alert_name | String defining the alert name. | Required
alert_description | String defining the alert description. | Optional
Context Output

There is no context output for this command.

Command Example

!xdr-insert-parsed-alert product="SandBlast" vendor="Checkpoint" local_ip="196.168.0.1" local_port="600" remote_ip="5.5.5.5" remote_port="500" event_timestampt="2020-01-01T00:00:00" severity="High" alert_name="some alert" alert_description="this is test alert"

Human Readable Output

Alert inserted successfully

5. xdr-insert-cef-alerts


Uploads alerts in CEF format from external alert sources. After you map CEF alert fields to Cortex XDR fields, Cortex XDR displays the alerts in related incidents and views. You can send 600 requests per minute. Each request can contain a maximum of 60 alerts.

Required Permissions

FILL IN REQUIRED PERMISSIONS HERE

Base Command

xdr-insert-cef-alerts

Input
Argument Name | Description | Required
cef_alerts | List of alerts in CEF format. | Required
Context Output

There is no context output for this command.

Command Example

!xdr-insert-cef-alerts cef_alerts="CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|microsoft-ds|Unknown|act=Accept deviceDirection=0 rt=1569477512000 spt=56957 dpt=445 cs2Label=Rule Name cs2=ADPrimery layer_name=FW_Device_blackened Security layer_uuid=07693fc7-1a5c-4f31-8afe-77ae96c71b8c match_id=1806 parent_rule=0 rule_action=Accept rule_uid=8e45f36b-d106-4d81-a1f0-9d1ed9a6be5c ifname=bond2 logid=0 loguid={0x5d8c5388,0x61,0x29321fac,0xc0000022} origin=1.1.1.1 originsicname=CN=DWdeviceBlackend,O=Blackend sequencenum=363 version=5 dst=1.1.1.1 inzone=External outzone=Internal product=VPN-1 & FireWall-1 proto=6 service_id=microsoft-ds src=1.1.1.1"

Human Readable Output

Alerts inserted successfully
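Both insert commands share the documented limit of 60 alerts per request, and xdr-insert-parsed-alert fixes the field set, severity values and timestamp formats an alert must use. As an added example (not code from the integration or from Palo Alto Networks), the Python below parses a CEF line such as the one in the command example, maps it onto the parsed-alert arguments, validates the result and splits a list of alerts into request-sized batches, so malformed records are caught before any API call. The CEF severity mapping, the choice of src/spt as the local side and dst/dpt as the remote side, and the alert_description format are this example's own assumptions.

```python
"""Parse CEF alert lines and pre-validate them for Cortex XDR upload (added example,
not the integration's code). Enforces what the two insert commands document: the
parsed-alert field set, severity and timestamp formats, and 60 alerts per request."""
import re
from datetime import datetime, timezone
from typing import Any, Dict, Iterable, List, Optional

MAX_ALERTS_PER_REQUEST = 60     # documented limit for both insert commands
XDR_SEVERITIES = {"Informational", "Low", "Medium", "High", "Unknown"}
HEADER_FIELDS = ["version", "vendor", "product", "device_version", "signature_id", "name", "severity"]
_UNESCAPED_PIPE = re.compile(r"(?<!\\)\|")   # header separator; a literal pipe is escaped as "\|"
# An extension key is a token at the start or after whitespace, followed by "=". Requiring the
# whitespace keeps unescaped "=" inside values (CN=..., O=...) from being read as new keys.
_EXT_KEY = re.compile(r"(?:^|\s)([\w.\-]+)=")


def parse_cef(line: str) -> Dict[str, Any]:
    """Return the seven header fields plus an 'extension' dict; a value runs until the next key."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    parts = _UNESCAPED_PIPE.split(line, maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header needs 7 pipe-separated fields before the extension")
    record = {k: v.replace("\\|", "|") for k, v in zip(HEADER_FIELDS, parts[:7])}
    record["version"] = record["version"][len("CEF:"):]
    ext, keys = parts[7], list(_EXT_KEY.finditer(parts[7]))
    record["extension"] = {
        m.group(1): ext[m.end():(keys[i + 1].start() if i + 1 < len(keys) else len(ext))].strip()
        for i, m in enumerate(keys)
    }
    return record


def normalize_timestamp(value: Optional[str]) -> Optional[int]:
    """Epoch ms, or 'YYYY-MM-DDTHH:MM:SS' read as UTC, to epoch ms; None lets XDR stamp 'now'."""
    if value in (None, ""):
        return None
    text = str(value).strip()
    if text.isdigit():
        return int(text)
    dt = datetime.strptime(text, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp() * 1000)


def cef_severity_to_xdr(severity: str) -> str:
    """Map CEF severity (0-10 or Low/Medium/High/Very-High/Unknown) onto the accepted values.
    The numeric thresholds are this example's own choice, not a documented XDR mapping."""
    s = severity.strip().lower()
    if s.isdigit():
        n = int(s)
        return "Low" if n <= 3 else "Medium" if n <= 6 else "High"
    return {"low": "Low", "medium": "Medium", "high": "High", "very-high": "High"}.get(s, "Unknown")


def cef_to_parsed_alert(cef: Dict[str, Any]) -> Dict[str, Any]:
    """Fill the xdr-insert-parsed-alert arguments (assumption: src/spt local, dst/dpt remote)."""
    ext = cef["extension"]
    return {
        "product": cef["product"],
        "vendor": cef["vendor"],
        "local_ip": ext.get("src"),
        "local_port": int(ext["spt"]) if "spt" in ext else None,
        "remote_ip": ext.get("dst"),
        "remote_port": int(ext["dpt"]) if "dpt" in ext else None,
        "event_timestamp": normalize_timestamp(ext.get("rt")),
        "severity": cef_severity_to_xdr(cef["severity"]),
        "alert_name": cef["name"],
        "alert_description": f"{cef['signature_id']} ({ext.get('act', 'no action')})",
    }


def validate_parsed_alert(alert: Dict[str, Any]) -> List[str]:
    """Return the problems XDR would reject the alert for (empty when it is acceptable)."""
    required = ("product", "vendor", "local_port", "remote_ip", "remote_port", "alert_name")
    problems = [f"{f} is required" for f in required if alert.get(f) in (None, "")]
    for f in ("local_port", "remote_port"):
        if alert.get(f) is not None and not 0 <= alert[f] <= 65535:
            problems.append(f"{f} out of range")
    if alert.get("severity") not in XDR_SEVERITIES:
        problems.append("severity not accepted by XDR")
    return problems


def batch_alerts(alerts: Iterable[Dict[str, Any]]) -> List[List[Dict[str, Any]]]:
    """Group acceptable alerts into bodies of at most 60; bad records are left out so one
    of them cannot fail a whole request."""
    good = [a for a in alerts if not validate_parsed_alert(a)]
    return [good[i:i + MAX_ALERTS_PER_REQUEST] for i in range(0, len(good), MAX_ALERTS_PER_REQUEST)]


# The CEF line from the xdr-insert-cef-alerts command example above.
SAMPLE_CEF = (
    "CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|microsoft-ds|Unknown|act=Accept "
    "deviceDirection=0 rt=1569477512000 spt=56957 dpt=445 cs2Label=Rule Name cs2=ADPrimery "
    "layer_name=FW_Device_blackened Security layer_uuid=07693fc7-1a5c-4f31-8afe-77ae96c71b8c "
    "match_id=1806 parent_rule=0 rule_action=Accept rule_uid=8e45f36b-d106-4d81-a1f0-9d1ed9a6be5c "
    "ifname=bond2 logid=0 loguid={0x5d8c5388,0x61,0x29321fac,0xc0000022} origin=1.1.1.1 "
    "originsicname=CN=DWdeviceBlackend,O=Blackend sequencenum=363 version=5 dst=1.1.1.1 "
    "inzone=External outzone=Internal product=VPN-1 & FireWall-1 proto=6 service_id=microsoft-ds src=1.1.1.1"
)

if __name__ == "__main__":
    alert = cef_to_parsed_alert(parse_cef(SAMPLE_CEF))
    print(alert, validate_parsed_alert(alert), [len(b) for b in batch_alerts([alert] * 130)])
```

Values that CEF leaves unescaped, such as the `CN=...,O=...` in `originsicname`, are the usual parsing trap; anchoring keys on the preceding whitespace handles them, at the cost of not supporting keys that follow a non-space separator.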

6. xdr-isolate-endpoint


Isolates the specified endpoint.

Required Permissions

FILL IN REQUIRED PERMISSIONS HERE

Base Command

xdr-isolate-endpoint

Input
Argument Name | Description | Required
endpoint_id | The endpoint ID (string) to isolate. You can retrieve the string from the xdr-get-endpoints command. | Required
Context Output

There is no context output for this command.

Command Example

!xdr-isolate-endpoint endpoint_id="f8a2f58846b542579c12090652e79f3d"

Human Readable Output

Endpoint f8a2f58846b542579c12090652e79f3d has isolated successfully

7. xdr-unisolate-endpoint


Reverses the isolation of an endpoint.

Required Permissions

FILL IN REQUIRED PERMISSIONS HERE

Base Command

xdr-unisolate-endpoint

Input
Argument Name | Description | Required
endpoint_id | The endpoint ID (string) for which to reverse the isolation. You can retrieve it from the xdr-get-endpoints command. | Required
Context Output

There is no context output for this command.

Command Example

!xdr-unisolate-endpoint endpoint_id="f8a2f58846b542579c12090652e79f3d"

Human Readable Output

Endpoint f8a2f58846b542579c12090652e79f3d already unisolated

8. xdr-get-endpoints


Gets a list of endpoints, according to the passed filters. Multiple filters are combined with an AND condition (OR is not supported). Maximum result set size is 100. Offset is the zero-based number of endpoints from the start of the result set (start counting from 0).

Required Permissions

FILL IN REQUIRED PERMISSIONS HERE

Base Command

xdr-get-endpoints

Input
Argument Name | Description | Required
endpoint_id_list | A comma-separated list of endpoint IDs. | Optional
dist_name | A comma-separated list of distribution package names or installation package names. Example: dist_name1,dist_name2 | Optional
ip_list | A comma-separated list of IP addresses. Example: 8.8.8.8,1.1.1.1 | Optional
group_name | The group name to which the agent belongs. Example: group_name1,group_name2 | Optional
platform | The endpoint platform. Can be "windows", "linux", "macos", or "android". | Optional
alias_name | A comma-separated list of alias names. Example: alias_name1,alias_name2 | Optional
isolate | Specifies whether the endpoint was isolated or unisolated. Can be "isolated" or "unisolated". | Optional
hostname | A comma-separated list of hostnames. Example: hostname1,hostname2 | Optional
first_seen_gte | All the agents that were first seen after {first_seen_gte}. Supported values: 1579039377301 (time in milliseconds), "3 days" (relative date), "2019-10-21T23:45:00" (date). | Optional
first_seen_lte | All the agents that were first seen before {first_seen_lte}. Supported values: 1579039377301 (time in milliseconds), "3 days" (relative date), "2019-10-21T23:45:00" (date). | Optional
last_seen_gte | All the agents that were last seen after {last_seen_gte}. Supported values: 1579039377301 (time in milliseconds), "3 days" (relative date), "2019-10-21T23:45:00" (date). | Optional
last_seen_lte | All the agents that were last seen before {last_seen_lte}. Supported values: 1579039377301 (time in milliseconds), "3 days" (relative date), "2019-10-21T23:45:00" (date). | Optional
page | Page number (for pagination). The default is 0 (the first page). | Optional
limit | Maximum number of endpoints to return per page. The default and maximum is 30. | Optional
sort_by | Specifies whether to sort endpoints by the first time or last time they were seen. Can be "first_seen" or "last_seen". | Optional
sort_order | The order by which to sort results. Can be "asc" (ascending) or "desc" (descending). Default is "asc". | Optional
Context Output
Path | Type | Description
PaloAltoNetworksXDR.Endpoint.endpoint_id | String | The endpoint ID.
PaloAltoNetworksXDR.Endpoint.endpoint_name | String | The endpoint name.
PaloAltoNetworksXDR.Endpoint.endpoint_type | String | The endpoint type.
PaloAltoNetworksXDR.Endpoint.endpoint_status | String | The status of the endpoint.
PaloAltoNetworksXDR.Endpoint.os_type | String | The endpoint OS type.
PaloAltoNetworksXDR.Endpoint.ip | Unknown | A list of IP addresses.
PaloAltoNetworksXDR.Endpoint.users | Unknown | A list of users.
PaloAltoNetworksXDR.Endpoint.domain | String | The endpoint domain.
PaloAltoNetworksXDR.Endpoint.alias | String | The endpoint's aliases.
PaloAltoNetworksXDR.Endpoint.first_seen | Unknown | First seen date/time in Epoch (milliseconds).
PaloAltoNetworksXDR.Endpoint.last_seen | Date | Last seen date/time in Epoch (milliseconds).
PaloAltoNetworksXDR.Endpoint.content_version | String | Content version.
PaloAltoNetworksXDR.Endpoint.installation_package | String | Installation package.
PaloAltoNetworksXDR.Endpoint.active_directory | String | Active directory.
PaloAltoNetworksXDR.Endpoint.install_date | Date | Install date in Epoch (milliseconds).
PaloAltoNetworksXDR.Endpoint.endpoint_version | String | Endpoint version.
PaloAltoNetworksXDR.Endpoint.is_isolated | String | Whether the endpoint is isolated.
PaloAltoNetworksXDR.Endpoint.group_name | String | The name of the group to which the endpoint belongs.
Endpoint.Hostname | String | The hostname that is mapped to this endpoint.
Endpoint.ID | String | The unique ID within the tool retrieving the endpoint.
Endpoint.IPAddress | String | The IP address of the endpoint.
Endpoint.Domain | String | The domain of the endpoint.
Endpoint.OS | String | Endpoint OS.
Command Example

!xdr-get-endpoints isolate="unisolated" first_seen_gte="3 month" page="0" limit="30" sort_order="asc"

Context Example
{
"Endpoint": [
{
"Domain": "WORKGROUP",
"Hostname": "aaaaa.compute.internal",
"ID": "ea303670c76e4ad09600c8b346f7c804",
"IPAddress": [
"172.31.11.11"
],
"OS": "AGENT_OS_WINDOWS"
},
{
"Domain": "WORKGROUP",
"Hostname": "EC2AMAZ-P7PPOI4",
"ID": "f8a2f58846b542579c12090652e79f3d",
"IPAddress": [
"2.2.2.2"
],
"OS": "AGENT_OS_WINDOWS"
}
],
"PaloAltoNetworksXDR.Endpoint": [
{
"domain": "",
"users": [
"ec2-user"
],
"endpoint_name": "aaaaa.compute.internal",
"ip": [
"172.31.11.11"
],
"install_date": 1575795969644,
"endpoint_version": "7.0.0.1915",
"group_name": null,
"installation_package": "linux",
"alias": "",
"active_directory": null,
"endpoint_status": "CONNECTED",
"os_type": "AGENT_OS_LINUX",
"endpoint_id": "ea303670c76e4ad09600c8b346f7c804",
"content_version": "111-17757",
"first_seen": 1575795969644,
"endpoint_type": "AGENT_TYPE_SERVER",
"is_isolated": "AGENT_UNISOLATED",
"last_seen": 1579290023629
},
{
"domain": "WORKGROUP",
"users": [
"Administrator"
],
"endpoint_name": "EC2AMAZ-P7PPOI4",
"ip": [
"2.2.2.2"
],
"install_date": 1575796381739,
"endpoint_version": "7.0.0.27797",
"group_name": null,
"installation_package": "Windows Server 2016",
"alias": "",
"active_directory": null,
"endpoint_status": "CONNECTED",
"os_type": "AGENT_OS_WINDOWS",
"endpoint_id": "f8a2f58846b542579c12090652e79f3d",
"content_version": "111-17757",
"first_seen": 1575796381739,
"endpoint_type": "AGENT_TYPE_SERVER",
"is_isolated": "AGENT_UNISOLATED",
"last_seen": 1579289957412
}
]
}
Human Readable Output

Endpoints

active_directory | alias | content_version | domain | endpoint_id | endpoint_name | endpoint_status | endpoint_type | endpoint_version | first_seen | group_name | install_date | installation_package | ip | is_isolated | last_seen | os_type | users
 |  | 111-17757 |  | ea303670c76e4ad09600c8b346f7c804 | aaaaa.compute.internal | CONNECTED | AGENT_TYPE_SERVER | 7.0.0.1915 | 1575795969644 |  | 1575795969644 | linux | 172.31.11.11 | AGENT_UNISOLATED | 1579290023629 | AGENT_OS_LINUX | ec2-user
 |  | 111-17757 | WORKGROUP | f8a2f58846b542579c12090652e79f3d | EC2AMAZ-P7PPOI4 | CONNECTED | AGENT_TYPE_SERVER | 7.0.0.27797 | 1575796381739 |  | 1575796381739 | Windows Server 2016 | 2.2.2.2 | AGENT_UNISOLATED | 1579289957412 | AGENT_OS_WINDOWS | Administrator
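The filter arguments above accept three time formats, combine with AND only, and page at most 30 results at a time. The following added example (not the integration's code) resolves the three formats to epoch milliseconds, applies the filters to a local copy of the two endpoints from the context example, pages the result, and shows how an OR across two values is obtained by merging two AND queries on endpoint_id. The relative-window units other than days, the fixed reference time, and the reduced field set are assumptions.

```python
"""Resolve xdr-get-endpoints time filters and apply the command's filter rules locally.

Added example, not the integration's code. Documented behaviour reproduced here:
three time-filter forms, AND-only filter combination, page size capped at 30.
"""
import re
from datetime import datetime, timedelta, timezone
from typing import Any, Dict, Iterable, List

MAX_LIMIT = 30                                   # documented default and maximum page size
# Relative-window units; the page shows only "3 days" and "3 month", the others are assumed.
_UNIT_SECONDS = {"minute": 60, "hour": 3600, "day": 86400, "week": 604800, "month": 30 * 86400}
_RELATIVE = re.compile(r"^(\d+)\s*(minute|hour|day|week|month)s?$", re.IGNORECASE)
_ISOLATION = {"isolated": "AGENT_ISOLATED", "unisolated": "AGENT_UNISOLATED"}


def to_epoch_ms(value: Any, now: datetime) -> int:
    """Accept the three documented filter forms and return epoch milliseconds:
    1579039377301 (already ms), "3 days" (now minus the window), "2019-10-21T23:45:00" (UTC)."""
    text = str(value).strip()
    if text.isdigit():
        return int(text)
    m = _RELATIVE.match(text)
    if m:
        window = timedelta(seconds=int(m.group(1)) * _UNIT_SECONDS[m.group(2).lower()])
        return int((now - window).timestamp() * 1000)
    dt = datetime.strptime(text, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp() * 1000)


def filter_endpoints(endpoints: Iterable[Dict[str, Any]], now: datetime, **filters: Any) -> List[Dict[str, Any]]:
    """Keep endpoints matching every supplied filter (AND semantics, as the command documents)."""
    def matches(ep: Dict[str, Any]) -> bool:
        for key, wanted in filters.items():
            if wanted is None:
                continue
            if key == "isolate":
                ok = ep["is_isolated"] == _ISOLATION[wanted]
            elif key == "platform":
                ok = ep["os_type"] == f"AGENT_OS_{wanted.upper()}"
            elif key == "ip_list":
                ok = bool(set(wanted.split(",")) & set(ep["ip"]))
            elif key == "hostname":
                ok = ep["endpoint_name"] in wanted.split(",")
            elif key.endswith("_gte"):                     # first_seen_gte / last_seen_gte
                ok = ep[key[:-4]] >= to_epoch_ms(wanted, now)
            elif key.endswith("_lte"):                     # first_seen_lte / last_seen_lte
                ok = ep[key[:-4]] <= to_epoch_ms(wanted, now)
            else:
                raise ValueError(f"unsupported filter: {key}")
            if not ok:
                return False
        return True
    return [ep for ep in endpoints if matches(ep)]


def paginate(results: List[Dict[str, Any]], page: int = 0, limit: int = MAX_LIMIT) -> List[Dict[str, Any]]:
    """Return zero-based page `page`; limit is clamped to the documented maximum of 30."""
    limit = min(max(1, int(limit)), MAX_LIMIT)
    start = max(0, int(page)) * limit
    return results[start:start + limit]


def union_by_id(*result_sets: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """OR is not supported server-side: run one AND query per alternative and merge on endpoint_id."""
    merged: Dict[str, Dict[str, Any]] = {}
    for rs in result_sets:
        for ep in rs:
            merged.setdefault(ep["endpoint_id"], ep)
    return list(merged.values())


# Constructed sample: the two endpoints of the context example above, reduced to the fields used here.
SAMPLE_ENDPOINTS = [
    {"endpoint_id": "ea303670c76e4ad09600c8b346f7c804", "endpoint_name": "aaaaa.compute.internal",
     "os_type": "AGENT_OS_LINUX", "ip": ["172.31.11.11"], "is_isolated": "AGENT_UNISOLATED",
     "first_seen": 1575795969644, "last_seen": 1579290023629},
    {"endpoint_id": "f8a2f58846b542579c12090652e79f3d", "endpoint_name": "EC2AMAZ-P7PPOI4",
     "os_type": "AGENT_OS_WINDOWS", "ip": ["2.2.2.2"], "is_isolated": "AGENT_UNISOLATED",
     "first_seen": 1575796381739, "last_seen": 1579289957412},
]
# Fixed reference time (constructed) so relative windows give reproducible results.
FIXED_NOW = datetime(2020, 1, 18, tzinfo=timezone.utc)

if __name__ == "__main__":
    # Same filters as the command example above: unisolated, first seen in the last 3 months.
    hits = filter_endpoints(SAMPLE_ENDPOINTS, FIXED_NOW, isolate="unisolated", first_seen_gte="3 month")
    print([ep["endpoint_name"] for ep in paginate(hits, page=0, limit=30)])
```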

9. xdr-get-distribution-versions


Gets a list of all the agent versions to use for creating a distribution list.

Required Permissions

FILL IN REQUIRED PERMISSIONS HERE

Base Command

xdr-get-distribution-versions

Input

There are no input arguments for this command.

Context Output
Path | Type | Description
PaloAltoNetworksXDR.DistributionVersions.windows | Unknown | A list of Windows agent versions.
PaloAltoNetworksXDR.DistributionVersions.linux | Unknown | A list of Linux agent versions.
PaloAltoNetworksXDR.DistributionVersions.macos | Unknown | A list of Mac agent versions.
Command Example

!xdr-get-distribution-versions

Context Example
{
"PaloAltoNetworksXDR.DistributionVersions": {
"windows": [
"5.0.8.29673",
"5.0.9.30963",
"6.1.4.28751",
"7.0.0.28644"
],
"macos": [
"6.1.4.1681",
"7.0.0.1914"
],
"linux": [
"6.1.4.1680",
"7.0.0.1916"
]
}
}
Human Readable Output

windows

versions
5.0.8.29673
5.0.9.30963
6.1.4.28751
7.0.0.28644

linux

versions
6.1.4.1680
7.0.0.1916

macos

versions
6.1.4.1681
7.0.0.1914

10. xdr-create-distribution


Creates an installation package. This is an asynchronous call: it returns the distribution ID, which does not by itself mean that the creation succeeded. To confirm that the package has been created, check the status of the distribution with the Get Distribution Status API (the xdr-get-create-distribution-status command).

Required Permissions

FILL IN REQUIRED PERMISSIONS HERE

Base Command

xdr-create-distribution

Input
Argument Name | Description | Required
name | A string representing the name of the installation package. | Required
platform | String. Valid values are: windows, linux, macos, android. | Required
package_type | A string representing the type of package to create. standalone - An installation for a new agent. upgrade - An upgrade of an agent from ESM. | Required
agent_version | agent_version returned from xdr-get-distribution-versions. Not required for the Android platform. | Required
description | Information about the package. | Optional
Context Output
Path | Type | Description
PaloAltoNetworksXDR.Distribution.id | String | The installation package ID.
PaloAltoNetworksXDR.Distribution.name | String | The name of the installation package.
PaloAltoNetworksXDR.Distribution.platform | String | The installation OS.
PaloAltoNetworksXDR.Distribution.agent_version | String | Agent version.
PaloAltoNetworksXDR.Distribution.description | String | Information about the package.
Command Example

!xdr-create-distribution agent_version=6.1.4.1680 name="dist_1" package_type=standalone platform=linux description="some description"

Context Example
{
"PaloAltoNetworksXDR.Distribution": {
"description": "some description",
"package_type": "standalone",
"platform": "linux",
"agent_version": "6.1.4.1680",
"id": "43aede7f846846fa92b50149663fbb25",
"name": "dist_1"
}
}
Human Readable Output

Distribution 43aede7f846846fa92b50149663fbb25 created successfully

11. xdr-get-distribution-url


Gets the distribution URL for downloading the installation package.

Required Permissions

FILL IN REQUIRED PERMISSIONS HERE

Base Command

xdr-get-distribution-url

Input
Argument Name | Description | Required
distribution_id | The ID of the installation package. Copy the distribution_id from the "id" field on the Endpoints > Agent Installation page. | Required
package_type | The installation package type. Valid values are: upgrade; sh, rpm, deb (for Linux); pkg (for Mac); x86, x64 (for Windows). | Required
Context Output
Path | Type | Description
PaloAltoNetworksXDR.Distribution.id | String | Distribution ID.
PaloAltoNetworksXDR.Distribution.url | String | URL for downloading the installation package.
Command Example

!xdr-get-distribution-url distribution_id=2c74c11b63074653aa01d575a82bf52a package_type=sh

Human Readable Output

12. xdr-get-create-distribution-status


Gets the status of the installation package.

Required Permissions

FILL IN REQUIRED PERMISSIONS HERE

Base Command

xdr-get-create-distribution-status

Input
Argument Name | Description | Required
distribution_ids | A comma-separated list of distribution IDs to get the status of. | Required
Context Output
Path | Type | Description
PaloAltoNetworksXDR.Distribution.id | String | Distribution ID.
PaloAltoNetworksXDR.Distribution.status | String | The status of the installation package.
Command Example

!xdr-get-create-distribution-status distribution_ids=2c74c11b63074653aa01d575a82bf52a

Context Example
{
"PaloAltoNetworksXDR.Distribution": [
{
"status": "Completed",
"id": "2c74c11b63074653aa01d575a82bf52a"
}
]
}
Human Readable Output

Distribution Status

id | status
2c74c11b63074653aa01d575a82bf52a | Completed
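Commands 10 to 12 form one procedure: create the package, poll its status until it is complete, then fetch the download URL. The following added example (not the integration's code) runs that flow against an in-memory stand-in for the three commands, with a bounded wait so a build that never completes does not hang the caller. The stand-in itself, the status strings other than "Completed", and the placeholder download URL are assumptions; the distribution ID in the stand-in is the one from the xdr-create-distribution example above.

```python
"""Create an installation package, wait for it to be ready, then get its download URL.

Added example, not the integration's code. xdr-create-distribution is asynchronous, so the
ID it returns is only the start: the status must be polled until it reads "Completed"
before xdr-get-distribution-url is called. Status strings other than "Completed" and the
fake client are assumptions.
"""
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

PLATFORMS = {"windows", "linux", "macos", "android"}
PACKAGE_TYPES = {"standalone", "upgrade"}
FAILURE_STATUSES = {"Failed", "Error"}          # assumed; the page shows only "Completed"


@dataclass
class DistributionClient:
    """One callable per command on this page; real implementations would call the XDR API."""
    create_distribution: Callable[[str, str, str, str, str], str]   # -> distribution id
    get_create_distribution_status: Callable[[str], str]           # -> status string
    get_distribution_url: Callable[[str, str], str]                # -> download URL


def create_and_fetch_url(client: DistributionClient, name: str, platform: str, package_type: str,
                         agent_version: str, url_package_type: str, description: str = "",
                         timeout_s: float = 300.0, interval_s: float = 5.0,
                         sleep: Callable[[float], None] = time.sleep,
                         clock: Callable[[], float] = time.monotonic) -> Tuple[str, str]:
    """Run create / wait / get-url; raise on bad arguments, a failed build, or a timeout."""
    if platform not in PLATFORMS:
        raise ValueError(f"platform must be one of {sorted(PLATFORMS)}")
    if package_type not in PACKAGE_TYPES:
        raise ValueError(f"package_type must be one of {sorted(PACKAGE_TYPES)}")
    # The page states agent_version is not required for Android; every other platform needs one.
    if platform != "android" and not agent_version:
        raise ValueError("agent_version is required for non-Android platforms")

    dist_id = client.create_distribution(name, platform, package_type, agent_version, description)
    deadline = clock() + timeout_s
    while True:
        status = client.get_create_distribution_status(dist_id)
        if status == "Completed":
            break
        if status in FAILURE_STATUSES:
            raise RuntimeError(f"distribution {dist_id} failed with status {status}")
        if clock() >= deadline:
            raise TimeoutError(f"distribution {dist_id} still '{status}' after {timeout_s}s")
        sleep(interval_s)
    return dist_id, client.get_distribution_url(dist_id, url_package_type)


def make_fake_client(pending_polls: int) -> DistributionClient:
    """In-memory stand-in: reports 'Pending' for a number of polls, then 'Completed'."""
    polls: Dict[str, int] = {}
    dist_id = "43aede7f846846fa92b50149663fbb25"      # id from the command example above

    def create(name: str, platform: str, package_type: str, agent_version: str, description: str) -> str:
        polls[dist_id] = 0
        return dist_id

    def status(d: str) -> str:
        polls[d] += 1
        return "Pending" if polls[d] <= pending_polls else "Completed"

    def url(d: str, package_type: str) -> str:
        return f"https://example.invalid/download/{d}.{package_type}"   # placeholder URL

    return DistributionClient(create, status, url)


if __name__ == "__main__":
    # Same arguments as the xdr-create-distribution example; no real waiting in the demo.
    print(create_and_fetch_url(make_fake_client(pending_polls=2), "dist_1", "linux", "standalone",
                               "6.1.4.1680", "sh", sleep=lambda s: None))
```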

13. xdr-get-audit-management-logs


Gets management logs. You can filter by multiple fields, which are combined with an AND condition (OR is not supported). Maximum result set size is 100. Offset is the zero-based number of management logs from the start of the result set (start counting from 0).

Required Permissions

FILL IN REQUIRED PERMISSIONS HERE

Base Command

xdr-get-audit-management-logs

Input
Argument Name | Description | Required
email | User's email address. | Optional
type | The audit log type. | Optional
sub_type | The audit log subtype. | Optional
result | Result type. | Optional
timestamp_gte | Return logs whose timestamp is after {timestamp_gte}. Supported values: 1579039377301 (time in milliseconds), "3 days" (relative date), "2019-10-21T23:45:00" (date). | Optional
timestamp_lte | Return logs whose timestamp is before {timestamp_lte}. Supported values: 1579039377301 (time in milliseconds), "3 days" (relative date), "2019-10-21T23:45:00" (date). | Optional
page | Page number (for pagination). The default is 0 (the first page). | Optional
limit | Maximum number of audit logs to return per page. The default and maximum is 30. | Optional
sort_by | Specifies the field by which to sort the results. By default the sort is by creation time, descending. Can be "type", "sub_type", "result", or "timestamp". | Optional
sort_order | The sort order. Can be "asc" (ascending) or "desc" (descending). Default is "desc". | Optional
Context Output
Path | Type | Description
PaloAltoNetworksXDR.AuditManagementLogs.AUDIT_ID | Number | Audit log ID.
PaloAltoNetworksXDR.AuditManagementLogs.AUDIT_OWNER_NAME | String | Audit owner name.
PaloAltoNetworksXDR.AuditManagementLogs.AUDIT_OWNER_EMAIL | String | Audit owner email address.
PaloAltoNetworksXDR.AuditManagementLogs.AUDIT_ASSET_JSON | String | Asset JSON.
PaloAltoNetworksXDR.AuditManagementLogs.AUDIT_ASSET_NAMES | String | Audit asset names.
PaloAltoNetworksXDR.AuditManagementLogs.AUDIT_HOSTNAME | String | Host name.
PaloAltoNetworksXDR.AuditManagementLogs.AUDIT_RESULT | String | Audit result.
PaloAltoNetworksXDR.AuditManagementLogs.AUDIT_REASON | String | Audit reason.
PaloAltoNetworksXDR.AuditManagementLogs.AUDIT_DESCRIPTION | String | Description of the audit.
PaloAltoNetworksXDR.AuditManagementLogs.AUDIT_ENTITY | String | Audit entity (e.g., AUTH, DISTRIBUTIONS).
PaloAltoNetworksXDR.AuditManagementLogs.AUDIT_ENTITY_SUBTYPE | String | Entity subtype (e.g., Login, Create).
PaloAltoNetworksXDR.AuditManagementLogs.AUDIT_CASE_ID | Number | Audit case ID.
PaloAltoNetworksXDR.AuditManagementLogs.AUDIT_INSERT_TIME | Date | Log's insert time.
Command Example

!xdr-get-audit-management-logs result=SUCCESS type=DISTRIBUTIONS limit=2 timestamp_gte="3 month"

Context Example
{
"PaloAltoNetworksXDR.AuditManagementLogs": [
{
"AUDIT_OWNER_EMAIL": "",
"AUDIT_SESSION_ID": null,
"AUDIT_ID": 217,
"AUDIT_REASON": null,
"AUDIT_CASE_ID": null,
"AUDIT_DESCRIPTION": "Created a Linux Standalone installer installation package 'dist_1' with agent version 6.1.4.1680",
"AUDIT_INSERT_TIME": 1579287926547,
"AUDIT_ENTITY": "DISTRIBUTIONS",
"AUDIT_OWNER_NAME": "Public API - 1",
"AUDIT_ASSET_JSON": "{}",
"AUDIT_RESULT": "SUCCESS",
"AUDIT_ASSET_NAMES": "",
"AUDIT_HOSTNAME": null,
"AUDIT_ENTITY_SUBTYPE": "Create"
},
{
"AUDIT_OWNER_EMAIL": "",
"AUDIT_SESSION_ID": null,
"AUDIT_ID": 214,
"AUDIT_REASON": null,
"AUDIT_CASE_ID": null,
"AUDIT_DESCRIPTION": "Created a Linux Standalone installer installation package 'ddd' with agent version 6.1.4.1680",
"AUDIT_INSERT_TIME": 1579121478199,
"AUDIT_ENTITY": "DISTRIBUTIONS",
"AUDIT_OWNER_NAME": "Public API - 1",
"AUDIT_ASSET_JSON": "{}",
"AUDIT_RESULT": "SUCCESS",
"AUDIT_ASSET_NAMES": "",
"AUDIT_HOSTNAME": null,
"AUDIT_ENTITY_SUBTYPE": "Create"
}
]
}
Human Readable Output

Audit Management Logs

AUDIT_ID | AUDIT_RESULT | AUDIT_DESCRIPTION | AUDIT_OWNER_NAME | AUDIT_OWNER_EMAIL | AUDIT_ASSET_JSON | AUDIT_ASSET_NAMES | AUDIT_HOSTNAME | AUDIT_REASON | AUDIT_ENTITY | AUDIT_ENTITY_SUBTYPE | AUDIT_SESSION_ID | AUDIT_CASE_ID | AUDIT_INSERT_TIME
217 | SUCCESS | Created a Linux Standalone installer installation package 'dist_1' with agent version 6.1.4.1680 | Public API - 1 |  | {} |  |  |  | DISTRIBUTIONS | Create |  |  | 1579287926547
214 | SUCCESS | Created a Linux Standalone installer installation package 'ddd' with agent version 6.1.4.1680 | Public API - 1 |  | {} |  |  |  | DISTRIBUTIONS | Create |  |  | 1579121478199

14. xdr-get-audit-agent-reports


Gets agent event reports. You can filter by multiple fields, which are combined with an AND condition (OR is not supported). Maximum result set size is 100. Offset is the zero-based number of reports from the start of the result set (start counting from 0).

Required Permissions

FILL IN REQUIRED PERMISSIONS HERE

Base Command

xdr-get-audit-agent-reports

Input
Argument Name | Description | Required
endpoint_ids | A comma-separated list of endpoint IDs. | Optional
endpoint_names | A comma-separated list of endpoint names. | Optional
type | The report type. Can be "Installation", "Policy", "Action", "Agent Service", "Agent Modules", or "Agent Status". | Optional
sub_type | The report subtype. | Optional
result | The result type. Can be "Success" or "Fail". If not passed, returns all event reports. | Optional
timestamp_gte | Return reports whose timestamp is after {timestamp_gte}. Supported values: 1579039377301 (time in milliseconds), "3 days" (relative date), "2019-10-21T23:45:00" (date). | Optional
timestamp_lte | Return reports whose timestamp is before {timestamp_lte}. Supported values: 1579039377301 (time in milliseconds), "3 days" (relative date), "2019-10-21T23:45:00" (date). | Optional
page | Page number (for pagination). The default is 0 (the first page). | Optional
limit | The maximum number of reports to return. Default and maximum is 30. | Optional
sort_by | The field by which to sort results. Can be "type", "category", "trapsversion", "timestamp", or "domain". | Optional
sort_order | The sort order. Can be "asc" (ascending) or "desc" (descending). Default is "asc". | Optional
Context Output
Path | Type | Description
PaloAltoNetworksXDR.AuditAgentReports.ENDPOINTID | String | Endpoint ID.
PaloAltoNetworksXDR.AuditAgentReports.ENDPOINTNAME | String | Endpoint name.
PaloAltoNetworksXDR.AuditAgentReports.DOMAIN | String | Agent domain.
PaloAltoNetworksXDR.AuditAgentReports.TRAPSVERSION | String | Traps version.
PaloAltoNetworksXDR.AuditAgentReports.RECEIVEDTIME | Date | Received time in Epoch time.
PaloAltoNetworksXDR.AuditAgentReports.TIMESTAMP | Date | Timestamp in Epoch time.
PaloAltoNetworksXDR.AuditAgentReports.CATEGORY | String | Report category (e.g., Audit).
PaloAltoNetworksXDR.AuditAgentReports.TYPE | String | Report type (e.g., Action, Policy).
PaloAltoNetworksXDR.AuditAgentReports.SUBTYPE | String | Report subtype (e.g., Fully Protected, Policy Update, Cancel Isolation).
PaloAltoNetworksXDR.AuditAgentReports.RESULT | String | Report result.
PaloAltoNetworksXDR.AuditAgentReports.REASON | String | Report reason.
PaloAltoNetworksXDR.AuditAgentReports.DESCRIPTION | String | Agent report description.
Command Example

!xdr-get-audit-agent-reports result=Success timestamp_gte="100 days" endpoint_ids=ea303670c76e4ad09600c8b346f7c804 type=Policy limit=2

Context Example
{
"PaloAltoNetworksXDR.AuditAgentReports": [
{
"CATEGORY": "Audit",
"DOMAIN": "",
"DESCRIPTION": "XDR Agent policy updated on aaaaa.compute.internal",
"TIMESTAMP": 1579284369143.7048,
"RECEIVEDTIME": 1579286565904.3281,
"REASON": null,
"SUBTYPE": "Policy Update",
"ENDPOINTNAME": "aaaaa.compute.internal",
"RESULT": "Success",
"ENDPOINTID": "ea303670c76e4ad09600c8b346f7c804",
"TRAPSVERSION": "7.0.0.1915",
"TYPE": "Policy"
},
{
"CATEGORY": "Audit",
"DOMAIN": "",
"DESCRIPTION": "XDR Agent policy updated on aaaaa.compute.internal",
"TIMESTAMP": 1579280769141.43,
"RECEIVEDTIME": 1579282965742.36,
"REASON": null,
"SUBTYPE": "Policy Update",
"ENDPOINTNAME": "aaaaa.compute.internal",
"RESULT": "Success",
"ENDPOINTID": "ea303670c76e4ad09600c8b346f7c804",
"TRAPSVERSION": "7.0.0.1915",
"TYPE": "Policy"
}
]
}
Human Readable Output

Audit Agent Reports

CATEGORY | DESCRIPTION | DOMAIN | ENDPOINTID | ENDPOINTNAME | REASON | RECEIVEDTIME | RESULT | SUBTYPE | TIMESTAMP | TRAPSVERSION | TYPE
Audit | XDR Agent policy updated on aaaaa.compute.internal |  | ea303670c76e4ad09600c8b346f7c804 | aaaaa.compute.internal |  | 1579286565904.3281 | Success | Policy Update | 1579284369143.7048 | 7.0.0.1915 | Policy
Audit | XDR Agent policy updated on aaaaa.compute.internal |  | ea303670c76e4ad09600c8b346f7c804 | aaaaa.compute.internal |  | 1579282965742.36 | Success | Policy Update | 1579280769141.43 | 7.0.0.1915 | Policy
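The two audit commands (xdr-get-audit-management-logs and xdr-get-audit-agent-reports) return records a SOC can review for unexpected administrative activity. The following added example, not code from the integration, runs over constructed records in both shapes and flags installation packages created by an identity outside an allow list, repeated failed console logins, and agents whose isolation was cancelled. The field names and the values AUTH, Login, DISTRIBUTIONS, Create and Cancel Isolation come from the context-output tables above; the failure result string, the threshold and the allow list are assumptions.

```python
"""Review Cortex XDR audit records for conditions a SOC should look at.

Added example, not the integration's code. Record shapes follow the two audit
commands' context output; sample records are constructed, and the FAILURE result
string, the login threshold and the creator allow list are assumptions.
"""
from collections import Counter
from typing import Dict, Iterable, List, Set

FAILED_LOGIN_THRESHOLD = 3                                  # assumed per-owner threshold
ALLOWED_PACKAGE_CREATORS: Set[str] = {"Public API - 1"}    # the owner seen in the example above


def review_management_logs(logs: Iterable[Dict],
                           allowed_creators: Set[str] = ALLOWED_PACKAGE_CREATORS) -> List[str]:
    """One finding per notable condition in xdr-get-audit-management-logs records:
    an installation package created by an identity outside the allow list, and repeated
    failed console logins (AUTH / Login with a result other than SUCCESS) for one owner."""
    findings: List[str] = []
    failed_logins: Counter = Counter()
    for rec in logs:
        owner = rec.get("AUDIT_OWNER_EMAIL") or rec.get("AUDIT_OWNER_NAME") or "<unknown>"
        entity, subtype = rec.get("AUDIT_ENTITY"), rec.get("AUDIT_ENTITY_SUBTYPE")
        if entity == "AUTH" and subtype == "Login" and rec.get("AUDIT_RESULT") != "SUCCESS":
            failed_logins[owner] += 1
        if entity == "DISTRIBUTIONS" and subtype == "Create" and owner not in allowed_creators:
            findings.append(f"audit {rec.get('AUDIT_ID')}: installation package created by "
                            f"unexpected identity {owner}")
    findings.extend(f"{n} failed console logins for {owner}"
                    for owner, n in failed_logins.items() if n >= FAILED_LOGIN_THRESHOLD)
    return findings


def review_agent_reports(reports: Iterable[Dict]) -> List[str]:
    """One finding per xdr-get-audit-agent-reports record that reverses isolation
    (subtype 'Cancel Isolation') or records a failed policy update."""
    findings: List[str] = []
    for rep in reports:
        where = f"{rep.get('ENDPOINTNAME')} ({rep.get('ENDPOINTID')})"
        if rep.get("SUBTYPE") == "Cancel Isolation":
            findings.append(f"isolation cancelled on {where} at {rep.get('TIMESTAMP')}")
        if rep.get("TYPE") == "Policy" and rep.get("RESULT") == "Fail":
            findings.append(f"policy update failed on {where}: {rep.get('REASON')}")
    return findings


# Constructed samples. The first record of each list is taken from the context examples
# above (reduced to the fields used here); the rest are made up for the demonstration.
SAMPLE_MANAGEMENT_LOGS = [
    {"AUDIT_ID": 217, "AUDIT_ENTITY": "DISTRIBUTIONS", "AUDIT_ENTITY_SUBTYPE": "Create",
     "AUDIT_RESULT": "SUCCESS", "AUDIT_OWNER_NAME": "Public API - 1", "AUDIT_OWNER_EMAIL": "",
     "AUDIT_INSERT_TIME": 1579287926547},
    *[{"AUDIT_ID": i, "AUDIT_ENTITY": "AUTH", "AUDIT_ENTITY_SUBTYPE": "Login",
       "AUDIT_RESULT": "FAILURE", "AUDIT_OWNER_NAME": "analyst",
       "AUDIT_OWNER_EMAIL": "analyst@example.invalid", "AUDIT_INSERT_TIME": 1579290000000 + i}
      for i in (301, 302, 303)],
    {"AUDIT_ID": 304, "AUDIT_ENTITY": "DISTRIBUTIONS", "AUDIT_ENTITY_SUBTYPE": "Create",
     "AUDIT_RESULT": "SUCCESS", "AUDIT_OWNER_NAME": "Public API - 2", "AUDIT_OWNER_EMAIL": "",
     "AUDIT_INSERT_TIME": 1579290100000},
]
SAMPLE_AGENT_REPORTS = [
    {"ENDPOINTID": "ea303670c76e4ad09600c8b346f7c804", "ENDPOINTNAME": "aaaaa.compute.internal",
     "TYPE": "Policy", "SUBTYPE": "Policy Update", "RESULT": "Success", "REASON": None,
     "TIMESTAMP": 1579284369143.7048},
    {"ENDPOINTID": "f8a2f58846b542579c12090652e79f3d", "ENDPOINTNAME": "EC2AMAZ-P7PPOI4",
     "TYPE": "Action", "SUBTYPE": "Cancel Isolation", "RESULT": "Success", "REASON": None,
     "TIMESTAMP": 1579290200000},
]

if __name__ == "__main__":
    for finding in review_management_logs(SAMPLE_MANAGEMENT_LOGS) + review_agent_reports(SAMPLE_AGENT_REPORTS):
        print(finding)
```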