Palo Alto Cortex XDR

Integration version: 15.0

Configure Palo Alto Cortex XDR to work with Google Security Operations SOAR

Credentials

To obtain your Cortex XDR API Key:

  1. Navigate to > Settings.
  2. Select + New Key.
  3. Choose the type of API Key to generate (Advanced Only).
  4. Provide a comment that describes the purpose for the API key (Optional).
  5. Select the desired level of access for this key.
  6. Generate the API Key.
  7. Copy the API key, and then click Done.

To obtain your Cortex XDR API Key ID:

  1. Navigate to API Keys table > ID column.
  2. Note your corresponding ID number. This value represents the x-xdr-auth-id:{key_id} token.

Configure Palo Alto Cortex XDR integration in Google Security Operations SOAR

For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.

Integration parameters

Use the following parameters to configure the integration:

Parameter Display Name Type Default Value Is mandatory Description
API Root String https://api-{fqdn} Yes Palo Alto Networks Cortex XDR API Root. Note: The FQDN represents a unique host and domain name associated with each tenant. When you generate the API Key and Key ID, you are assigned an individual FQDN.
Api Key Password N/A Yes A unique identifier used as the "Authorization:{key}" header required for authenticating API calls. Depending on your security level, you can generate Advanced API key from your Cortex XDR app.
Api Key ID Integer 3 Yes A unique token used to authenticate the API Key. The header used when running an API call is "x-xdr-auth-id:{key_id}".
Verify SSL Checkbox Unchecked Yes Option to verify SSL/TLS connection.

Actions

Ping

Description

Test connectivity to Palo Alto Networks Cortex XDR.

Parameters

N/A

Use cases

N/A

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result
Script Result Name Value Options Example
is_connected True/False is_connected:False
JSON Result
N/A

Query

Description

Retrieve the data of a specific incident including alerts, and key artifacts.

Parameters

Parameter Type Default Value Description
Incident ID String N/A The ID of the incident for which you want to retrieve data.

Use cases

N/A

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result
Script Result Name Value Options Example
incident_alerts_count N/A N/A
JSON Result
{
    "file_artifacts":
    {
        "total_count": 2,
        "data": [
            {
                "file_signature_status": "SIGNATURE_SIGNED",
                "is_process": "true",
                "is_malicious": "false",
                "is_manual": "false",
                "file_name": "cmd.exe",
                "file_signature_vendor_name": "Microsoft Corporation",
                "file_sha256": "6f88fb88ffb0f1d5465c2826e5b4f523598b1b8378377c8378ffebc171bad18b",
                "type": "HASH",
                "file_wildfire_verdict": "BENIGN",
                "alert_count": 1
            }, {
                "file_signature_status": "SIGNATURE_SIGNED",
                "is_process": "true",
                "is_malicious": "false",
                "is_manual": "false",
                "file_name": "WmiPrvSE.exe",
                "file_signature_vendor_name": "Microsoft Corporation",
                "file_sha256": "25dfb8168246e5d04dd6f124c95e4c4c4e8273503569acd5452205558d099871",
                "type": "HASH",
                "file_wildfire_verdict": "BENIGN",
                "alert_count": 1
            }]},
    "incident": {
        "status": "new",
        "incident_id": "1645",
        "user_count": 1,
        "assigned_user_mail": " ",
        "severity": "high",
        "resolve_comment": " ",
        "assigned_user_pretty_name": " ",
        "notes": " ",
        "creation_time": 1564877575921,
        "alert_count": 1,
        "med_severity_alert_count": 0,
        "detection_time": " ",
        "modification_time": 1564877575921,
        "manual_severity": " ",
        "xdr_url": "https://ac997a94-5e93-40ea-82d9-6a615038620b.xdr.us.paloaltonetworks.com/incident-view/1645",
        "manual_description": " ",
        "low_severity_alert_count": 0,
        "high_severity_alert_count": 1,
        "host_count": 1,
        "description": "WMI Lateral Movement generated by BIOC detected on host ILCSYS31 involving user ILLICIUM\\\\ibojer"
    },
    "alerts": {
        "total_count": 1,
        "data": [
            {
                "action_pretty": "Detected",
                "description": "Process action type = execution AND name = cmd.exe Process name = wmiprvse.exe, cgo name = wmiprvse.exe",
                "host_ip": "10.0.50.31",
                "alert_id": "21631",
                "detection_timestamp": 1564877525123,
                "name": "WMI Lateral Movement",
                "category": "Lateral Movement",
                "severity": "high",
                "source": "BIOC",
                "host_name": "ILCSYS31",
                "action": "DETECTED",
                "user_name": "ILLICIUM\\\\ibojer"
            }]},
    "network_artifacts": {
        "total_count": 0,
        "data": []
    }
}

Resolve an Incident

Description

The ability to close XDR incidents with a close reason.

Parameters

Parameter Type Default Value Description
Incident ID String N/A The ID of the incident to be updated.
Status List UNDER_INVESTIGATION Updated incident status.
Resolve Comment String N/A Descriptive comment explaining the incident change.

Use cases

N/A

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
N/A

Update an Incident

Description

The ability to set a specific XDR incident as under investigation, assign to named users, etc.

Parameters

Parameter Type Default Value Description
Incident ID String N/A The ID of the incident to be updated.
Assigned User Name String N/A The updated full name of the incident assignee.
Severity List Low Administrator-defined severity.
Status List UNDER_INVESTIGATION Updated incident status.

Use cases

N/A

Run On

This action runs on the URL entity.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
N/A

Enrich Entities

Description

Enrich Google Security Operations SOAR Host and IP entities based on the information from the Palo Alto Networks Cortex XDR.

Parameters

N/A

Use cases

N/A

Run On

This action runs on the following entities:

  • IP Address
  • Hostname

Action Results

Entity Enrichment
Enrichment Field Name Logic-When to apply
domain Returns if it exists in JSON result
endpoint_name Returns if it exists in JSON result
endpoint_type Returns if it exists in JSON result
ip Returns if it exists in JSON result
endpoint_version Returns if it exists in JSON result
install_date Returns if it exists in JSON result
installation_package Returns if it exists in JSON result
is_isolated Returns if it exists in JSON result
group_name Returns if it exists in JSON result
alias Returns if it exists in JSON result
active_directory Returns if it exists in JSON result
endpoint_status Returns if it exists in JSON result
endpoint_id Returns if it exists in JSON result
content_version Returns if it exists in JSON result
os_type Returns if it exists in JSON result
last_seen Returns if it exists in JSON result
first_seen Returns if it exists in JSON result
users Returns if it exists in JSON result
Insights

N/A

Script Result
Script Result Name Value options Example
is_success True/False is_success:False
JSON Result
[{
    "EntityResult":
       {
         "domain": "st2.local",
         "endpoint_name": "ST2-PC-1-14",
         "endpoint_type": "AGENT_TYPE_SERVER",
         "ip": null,
         "endpoint_version": "6.1.0.9915",
         "install_date": 1568103207592,
         "installation_package": "papi-test",
         "is_isolated": null,
         "group_name": null,
         "alias": "",
         "active_directory": null,
         "endpoint_status": "DISCONNECTED",
         "endpoint_id": "4ce98b4d8d2b45a9a1d82dc71f0d1304",
         "content_version": "",
         "os_type": "AGENT_OS_WINDOWS",
         "last_seen": 1568103207592,
         "first_seen": 1568103207591,
         "users": ["TEST USER"]
        },
    "Entity": "PC01"
 }]

Get Endpoint Agent Report

Description

Get the agent report for an endpoint.

Parameters

N/A

Use cases

N/A

Run On

This action runs on the following entities:

  • IP Address
  • Hostname

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result
Script Result Name Value options Example
is_success True/False is_success:False
JSON Result
N/A

Isolate Endpoint

Description

Isolate an endpoint.

Parameters

N/A

Use cases

N/A

Run On

This action runs on the following entities:

  • IP Address
  • Hostname

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result
Script Result Name Value options Example
is_success True/False is_success:False
JSON Result
N/A

Unisolate Endpoint

Description

Unisolate an endpoint.

Parameters

N/A

Use cases

N/A

Run On

This action runs on the following entities:

  • IP Address
  • Hostname

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result
Script Result Name Value options Example
is_success True/False is_success:False
JSON Result
N/A

Add Hashes to Block List

Description

The action will add files which do not exist in the allow or block lists to a block list.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Comment String N/A No Provide additional comment that represents additional information regarding the action
Incident ID String N/A No Specify the incident ID for which those added hashes are related to

Run On

This action runs on the Filehash entity

Action Results

Script Result
Script Result Name Value options Example
is_success True/False is_success:False
JSON Result
{

"success": ["hashes that were added"],

"already_existed": ["hashes that already existed"]

"failed": ["hashes that failed"]

"unsupported": ["unsupported hashes"]

}
Case Wall
Result type Value/Description Type
Output message*

The action should not fail nor stop a playbook execution:

For successfully added entities : "Successfully added the following entities to the Block List: " +successful_entities_list

For unsuccessful entities: "Could not add the following entities to the Block List: "+unsuccessful_entities_list.

If one hash of the unsupported type is provided (is_success=true):

The following hashes are unsupported: {unsupported hashes}

If all hashes of the unsupported type is provided (is_success=false): None of the provided hashes are supported.

The action should fail and stop a playbook execution:
"Failed to perform action "Add Hashes to Blacklist" {0}".format(exception.stacktrace)

General

Connectors

Palo Alto Cortex XDR Connector

Description

A connector for fetching incidents from Palo Alto Networks Cortex XDR, and creating alerts from the attached incidents.

Configure Palo Alto Cortex XDR Connector in Google Security Operations SOAR

For detailed instructions on how to configure a connector in Google Security Operations SOAR, see Configuring the connector.

Connector parameters

Use the following parameters to configure the connector:

Parameter Type Default Value Description
DeviceProductField 2 device_product The field name used to determine the device product.
EventClassId 2 event_name The field name used to determine the event name (sub-type).
PythonProcessTimeout 2 60 The timeout limit (in seconds) for the python process running current script.
Api Root 2 https://us-central1-xdr-cloudfunction-us.cloudfunctions.net/cf The Api root address. From this root ,we should be able to reach all other API endpoints.
Api Key 3 null From your Cortex XDR, generate the advanced key for future authentication.
Api Key ID 1 3 The corresponding ID of the API Key for future authentication.
Tenant ID 2 null "Directory (tenant) ID.
Verify SSL 0 true Indicate whether to verify SSL certificate or not.
Alerts Count Limit 1 10 Limit the number of alerts in every cycle. Example: 10
Max Days Backwards 1 1 This field is used in the connector first running cycle and determine the start time. Example: 3
Environment Field Name 2 N/A If defined - connector will extract the environment from the specified incident field.
Environment Regex Pattern 1 null If defined - the connector will implement the specific RegEx pattern on the data from \"envirnment field\" to extract specific string. For example - extract domain from sender's address: \"(?<=@)(\S+$)\".
Proxy Server Address 2 null The address of the proxy server to use.
Proxy Username 2 null The proxy username to authenticate with.
Proxy Password 3 null The proxy password to authenticate with.

Connector rules

Whitelist/Blacklist

The connector doesn't support Whitelist/Blacklist.

Proxy support

The connector supports proxy.