Palo Alto Cortex XDR

Integration version: 12.0

Configure Palo Alto Cortex XDR to work with Google Security Operations SOAR

Credentials

To obtain your Cortex XDR API Key:

Navigate to > Settings.
Select + New Key.
Choose the type of API Key to generate (Advanced Only).
Provide a comment that describes the purpose for the API key (Optional).
Select the desired level of access for this key.
Generate the API Key.
Copy the API key, and then click Done.

To obtain your Cortex XDR API Key ID:

Navigate to API Keys table > ID column.
Note your corresponding ID number. This value represents the x-xdr-auth-id:{key_id} token.

Configure Palo Alto Cortex XDR integration in Google Security Operations SOAR

For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.

Integration parameters

Use the following parameters to configure the integration:

Parameter Display Name	Type	Default Value	Is mandatory	Description
API Root	String	https://api-{fqdn}	Yes	Palo Alto Networks Cortex XDR API Root. Note: The FQDN represents a unique host and domain name associated with each tenant. When you generate the API Key and Key ID, you are assigned an individual FQDN.
Api Key	Password	N/A	Yes	A unique identifier used as the "Authorization:{key}" header required for authenticating API calls. Depending on your security level, you can generate Advanced API key from your Cortex XDR app.
Api Key ID	Integer	3	Yes	A unique token used to authenticate the API Key. The header used when running an API call is "x-xdr-auth-id:{key_id}".
Verify SSL	Checkbox	Unchecked	Yes	Option to verify SSL/TLS connection.

Actions

Ping

Description

Test connectivity to Palo Alto Networks Cortex XDR.

Parameters

N/A

Use cases

N/A

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result

Script Result Name	Value Options	Example
is_connected	True/False	is_connected:False

JSON Result

N/A

Query

Description

Retrieve the data of a specific incident including alerts, and key artifacts.

Parameters

Parameter	Type	Default Value	Description
Incident ID	String	N/A	The ID of the incident for which you want to retrieve data.

Use cases

N/A

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result

Script Result Name	Value Options	Example
incident_alerts_count	N/A	N/A

JSON Result

{
    "file_artifacts":
    {
        "total_count": 2,
        "data": [
            {
                "file_signature_status": "SIGNATURE_SIGNED",
                "is_process": "true",
                "is_malicious": "false",
                "is_manual": "false",
                "file_name": "cmd.exe",
                "file_signature_vendor_name": "Microsoft Corporation",
                "file_sha256": "6f88fb88ffb0f1d5465c2826e5b4f523598b1b8378377c8378ffebc171bad18b",
                "type": "HASH",
                "file_wildfire_verdict": "BENIGN",
                "alert_count": 1
            }, {
                "file_signature_status": "SIGNATURE_SIGNED",
                "is_process": "true",
                "is_malicious": "false",
                "is_manual": "false",
                "file_name": "WmiPrvSE.exe",
                "file_signature_vendor_name": "Microsoft Corporation",
                "file_sha256": "25dfb8168246e5d04dd6f124c95e4c4c4e8273503569acd5452205558d099871",
                "type": "HASH",
                "file_wildfire_verdict": "BENIGN",
                "alert_count": 1
            }]},
    "incident": {
        "status": "new",
        "incident_id": "1645",
        "user_count": 1,
        "assigned_user_mail": " ",
        "severity": "high",
        "resolve_comment": " ",
        "assigned_user_pretty_name": " ",
        "notes": " ",
        "creation_time": 1564877575921,
        "alert_count": 1,
        "med_severity_alert_count": 0,
        "detection_time": " ",
        "modification_time": 1564877575921,
        "manual_severity": " ",
        "xdr_url": "https://ac997a94-5e93-40ea-82d9-6a615038620b.xdr.us.paloaltonetworks.com/incident-view/1645",
        "manual_description": " ",
        "low_severity_alert_count": 0,
        "high_severity_alert_count": 1,
        "host_count": 1,
        "description": "WMI Lateral Movement generated by BIOC detected on host ILCSYS31 involving user ILLICIUM\\\\ibojer"
    },
    "alerts": {
        "total_count": 1,
        "data": [
            {
                "action_pretty": "Detected",
                "description": "Process action type = execution AND name = cmd.exe Process name = wmiprvse.exe, cgo name = wmiprvse.exe",
                "host_ip": "10.0.50.31",
                "alert_id": "21631",
                "detection_timestamp": 1564877525123,
                "name": "WMI Lateral Movement",
                "category": "Lateral Movement",
                "severity": "high",
                "source": "BIOC",
                "host_name": "ILCSYS31",
                "action": "DETECTED",
                "user_name": "ILLICIUM\\\\ibojer"
            }]},
    "network_artifacts": {
        "total_count": 0,
        "data": []
    }
}

Resolve an Incident

Description

The ability to close XDR incidents with a close reason.

Parameters

Parameter	Type	Default Value	Description
Incident ID	String	N/A	The ID of the incident to be updated.
Status	List	UNDER_INVESTIGATION	Updated incident status.
Resolve Comment	String	N/A	Descriptive comment explaining the incident change.

Use cases

N/A

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result

Script Result Name	Value Options	Example
is_success	True/False	is_success:False

JSON Result

N/A

Update an Incident

Description

The ability to set a specific XDR incident as under investigation, assign to named users, etc.

Parameters

Parameter	Type	Default Value	Description
Incident ID	String	N/A	The ID of the incident to be updated.
Assigned User Name	String	N/A	The updated full name of the incident assignee.
Severity	List	Low	Administrator-defined severity.
Status	List	UNDER_INVESTIGATION	Updated incident status.

Use cases

N/A

Run On

This action runs on the URL entity.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result

Script Result Name	Value Options	Example
is_success	True/False	is_success:False

JSON Result

N/A

Enrich Entities

Description

Enrich Google Security Operations SOAR Host and IP entities based on the information from the Palo Alto Networks Cortex XDR.

Parameters

N/A

Use cases

N/A

Run On

This action runs on the following entities:

IP Address
Hostname

Action Results

Entity Enrichment

Enrichment Field Name	Logic-When to apply
domain	Returns if it exists in JSON result
endpoint_name	Returns if it exists in JSON result
endpoint_type	Returns if it exists in JSON result
ip	Returns if it exists in JSON result
endpoint_version	Returns if it exists in JSON result
install_date	Returns if it exists in JSON result
installation_package	Returns if it exists in JSON result
is_isolated	Returns if it exists in JSON result
group_name	Returns if it exists in JSON result
alias	Returns if it exists in JSON result
active_directory	Returns if it exists in JSON result
endpoint_status	Returns if it exists in JSON result
endpoint_id	Returns if it exists in JSON result
content_version	Returns if it exists in JSON result
os_type	Returns if it exists in JSON result
last_seen	Returns if it exists in JSON result
first_seen	Returns if it exists in JSON result
users	Returns if it exists in JSON result

Insights

N/A

Script Result

Script Result Name	Value options	Example
is_success	True/False	is_success:False

JSON Result

[{
    "EntityResult":
       {
         "domain": "st2.local",
         "endpoint_name": "ST2-PC-1-14",
         "endpoint_type": "AGENT_TYPE_SERVER",
         "ip": null,
         "endpoint_version": "6.1.0.9915",
         "install_date": 1568103207592,
         "installation_package": "papi-test",
         "is_isolated": null,
         "group_name": null,
         "alias": "",
         "active_directory": null,
         "endpoint_status": "DISCONNECTED",
         "endpoint_id": "4ce98b4d8d2b45a9a1d82dc71f0d1304",
         "content_version": "",
         "os_type": "AGENT_OS_WINDOWS",
         "last_seen": 1568103207592,
         "first_seen": 1568103207591,
         "users": ["TEST USER"]
        },
    "Entity": "PC01"
 }]

Get Endpoint Agent Report

Description

Get the agent report for an endpoint.

Parameters

N/A

Use cases

N/A

Run On

This action runs on the following entities:

IP Address
Hostname

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result

Script Result Name	Value options	Example
is_success	True/False	is_success:False

JSON Result

N/A

Isolate Endpoint

Description

Isolate an endpoint.

Parameters

N/A

Use cases

N/A

Run On

This action runs on the following entities:

IP Address
Hostname

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result

Script Result Name	Value options	Example
is_success	True/False	is_success:False

JSON Result

N/A

Unisolate Endpoint

Description

Unisolate an endpoint.

Parameters

N/A

Use cases

N/A

Run On

This action runs on the following entities:

IP Address
Hostname

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result

Script Result Name	Value options	Example
is_success	True/False	is_success:False

JSON Result

N/A

Add Hashes to Block List

Description

The action will add files which do not exist in the allow or block lists to a block list.

Parameters

Parameter Display Name	Type	Default Value	Is Mandatory	Description
Comment	String	N/A	No	Provide additional comment that represents additional information regarding the action
Incident ID	String	N/A	No	Specify the incident ID for which those added hashes are related to

Run On

This action runs on the Filehash entity

Action Results

Script Result

Script Result Name	Value options	Example
is_success	True/False	is_success:False

JSON Result

{

"success": ["hashes that were added"],

"already_existed": ["hashes that already existed"]

"failed": ["hashes that failed"]

"unsupported": ["unsupported hashes"]

}

Case Wall

Result type	Value/Description	Type
Output message*	The action should not fail nor stop a playbook execution: For successfully added entities : "Successfully added the following entities to the Block List: " +successful_entities_list For unsuccessful entities: "Could not add the following entities to the Block List: "+unsuccessful_entities_list. If one hash of the unsupported type is provided (is_success=true): The following hashes are unsupported: {unsupported hashes} If all hashes of the unsupported type is provided (is_success=false): None of the provided hashes are supported. The action should fail and stop a playbook execution: "Failed to perform action "Add Hashes to Blacklist" {0}".format(exception.stacktrace)	General

Result type

Value/Description

Type

Output message*

The action should not fail nor stop a playbook execution:

For successfully added entities : "Successfully added the following entities to the Block List: " +successful_entities_list

For unsuccessful entities: "Could not add the following entities to the Block List: "+unsuccessful_entities_list.

If one hash of the unsupported type is provided (is_success=true):

The following hashes are unsupported: {unsupported hashes}

If all hashes of the unsupported type is provided (is_success=false): None of the provided hashes are supported.

The action should fail and stop a playbook execution:
"Failed to perform action "Add Hashes to Blacklist" {0}".format(exception.stacktrace)

General

Connectors

Palo Alto Cortex XDR Connector

Description

A connector for fetching incidents from Palo Alto Networks Cortex XDR, and creating alerts from the attached incidents.

Configure Palo Alto Cortex XDR Connector in Google Security Operations SOAR

For detailed instructions on how to configure a connector in Google Security Operations SOAR, see Configuring the connector.

Connector parameters

Use the following parameters to configure the connector:

Parameter	Type	Default Value	Description
DeviceProductField	2	device_product	The field name used to determine the device product.
EventClassId	2	event_name	The field name used to determine the event name (sub-type).
PythonProcessTimeout	2	60	The timeout limit (in seconds) for the python process running current script.
Api Root	2	https://us-central1-xdr-cloudfunction-us.cloudfunctions.net/cf	The Api root address. From this root ,we should be able to reach all other API endpoints.
Api Key	3	null	From your Cortex XDR, generate the advanced key for future authentication.
Api Key ID	1	3	The corresponding ID of the API Key for future authentication.
Tenant ID	2	null	"Directory (tenant) ID.
Verify SSL	0	true	Indicate whether to verify SSL certificate or not.
Alerts Count Limit	1	10	Limit the number of alerts in every cycle. Example: 10
Max Days Backwards	1	1	This field is used in the connector first running cycle and determine the start time. Example: 3
Environment Field Name	2	N/A	If defined - connector will extract the environment from the specified incident field.
Environment Regex Pattern	1	null	If defined - the connector will implement the specific RegEx pattern on the data from \"envirnment field\" to extract specific string. For example - extract domain from sender's address: \"(?<=@)(\S+$)\".
Proxy Server Address	2	null	The address of the proxy server to use.
Proxy Username	2	null	The proxy username to authenticate with.
Proxy Password	3	null	The proxy password to authenticate with.