Palo Alto Cortex XDR
Integration version: 15.0
Configure Palo Alto Cortex XDR to work with Google Security Operations
Credentials
To obtain your Cortex XDR API Key:
- Navigate to > Settings.
- Select + New Key.
- Choose the type of API Key to generate (Advanced Only).
- Provide a comment that describes the purpose for the API key (Optional).
- Select the desired level of access for this key.
- Generate the API Key.
- Copy the API key, and then click Done.
To obtain your Cortex XDR API Key ID:
- Navigate to API Keys table > ID column.
- Note your corresponding ID number. This value represents the x-xdr-auth-id:{key_id} token.
Configure Palo Alto Cortex XDR integration in Google SecOps
For detailed instructions on how to configure an integration in Google SecOps, see Configure integrations.
Integration parameters
Use the following parameters to configure the integration:
Parameter Display Name | Type | Default Value | Is mandatory | Description |
---|---|---|---|---|
API Root | String | https://api-{fqdn} | Yes | Palo Alto Networks Cortex XDR API Root. Note: The FQDN represents a unique host and domain name associated with each tenant. When you generate the API Key and Key ID, you are assigned an individual FQDN. |
Api Key | Password | N/A | Yes | A unique identifier used as the "Authorization:{key}" header required for authenticating API calls. Depending on your security level, you can generate Advanced API key from your Cortex XDR app. |
Api Key ID | Integer | 3 | Yes | A unique token used to authenticate the API Key. The header used when running an API call is "x-xdr-auth-id:{key_id}". |
Verify SSL | Checkbox | Unchecked | Yes | Option to verify SSL/TLS connection. |
Actions
Ping
Test connectivity to Palo Alto Networks Cortex XDR.
Parameters
N/A
Use cases
N/A
Run On
This action runs on all entities.
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_connected | True/False | is_connected:False |
JSON Result
N/A
Query
Retrieve the data of a specific incident including alerts, and key artifacts.
Parameters
Parameter | Type | Default Value | Description |
---|---|---|---|
Incident ID | String | N/A | The ID of the incident for which you want to retrieve data. |
Use cases
N/A
Run On
This action runs on all entities.
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
Script Result Name | Value Options | Example |
---|---|---|
incident_alerts_count | N/A | N/A |
JSON Result
{
"file_artifacts":
{
"total_count": 2,
"data": [
{
"file_signature_status": "SIGNATURE_SIGNED",
"is_process": "true",
"is_malicious": "false",
"is_manual": "false",
"file_name": "cmd.exe",
"file_signature_vendor_name": "Microsoft Corporation",
"file_sha256": "6f88fb88ffb0f1d5465c2826e5b4f523598b1b8378377c8378ffebc171bad18b",
"type": "HASH",
"file_wildfire_verdict": "BENIGN",
"alert_count": 1
}, {
"file_signature_status": "SIGNATURE_SIGNED",
"is_process": "true",
"is_malicious": "false",
"is_manual": "false",
"file_name": "WmiPrvSE.exe",
"file_signature_vendor_name": "Microsoft Corporation",
"file_sha256": "25dfb8168246e5d04dd6f124c95e4c4c4e8273503569acd5452205558d099871",
"type": "HASH",
"file_wildfire_verdict": "BENIGN",
"alert_count": 1
}]},
"incident": {
"status": "new",
"incident_id": "1645",
"user_count": 1,
"assigned_user_mail": " ",
"severity": "high",
"resolve_comment": " ",
"assigned_user_pretty_name": " ",
"notes": " ",
"creation_time": 1564877575921,
"alert_count": 1,
"med_severity_alert_count": 0,
"detection_time": " ",
"modification_time": 1564877575921,
"manual_severity": " ",
"xdr_url": "https://ac997a94-5e93-40ea-82d9-6a615038620b.xdr.us.paloaltonetworks.com/incident-view/1645",
"manual_description": " ",
"low_severity_alert_count": 0,
"high_severity_alert_count": 1,
"host_count": 1,
"description": "WMI Lateral Movement generated by BIOC detected on host ILCSYS31 involving user ILLICIUM\\\\ibojer"
},
"alerts": {
"total_count": 1,
"data": [
{
"action_pretty": "Detected",
"description": "Process action type = execution AND name = cmd.exe Process name = wmiprvse.exe, cgo name = wmiprvse.exe",
"host_ip": "10.0.50.31",
"alert_id": "21631",
"detection_timestamp": 1564877525123,
"name": "WMI Lateral Movement",
"category": "Lateral Movement",
"severity": "high",
"source": "BIOC",
"host_name": "ILCSYS31",
"action": "DETECTED",
"user_name": "ILLICIUM\\\\ibojer"
}]},
"network_artifacts": {
"total_count": 0,
"data": []
}
}
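The following is an added example, not code from the Google SecOps integration or from Palo Alto Networks. It builds the API Root and the two headers named in the Credentials and Integration parameters sections, posts to the public API call that returns an incident with its alerts and artifacts (that endpoint path and its `{"reply": ...}` envelope are taken from the Cortex XDR public API, not from this page, and are assumptions here), and reduces the Query action's JSON result to the values a playbook branches on, including the alert count behind the `incident_alerts_count` script result. The summary runs offline against the constructed sample, which is a trimmed copy of the JSON result above.

```python
"""Added example, not code from the Google SecOps integration or from Palo Alto
Networks: build the request the integration parameters describe and summarize
the incident payload the Query action returns."""
import json
import ssl
import urllib.request

# Constructed sample: a trimmed copy of the Query action JSON result shown on the page.
SAMPLE_INCIDENT_DATA = {
    "file_artifacts": {"total_count": 2, "data": [
        {"file_name": "cmd.exe",
         "file_sha256": "6f88fb88ffb0f1d5465c2826e5b4f523598b1b8378377c8378ffebc171bad18b",
         "file_signature_status": "SIGNATURE_SIGNED", "file_wildfire_verdict": "BENIGN",
         "is_malicious": "false", "alert_count": 1},
        {"file_name": "WmiPrvSE.exe",
         "file_sha256": "25dfb8168246e5d04dd6f124c95e4c4c4e8273503569acd5452205558d099871",
         "file_signature_status": "SIGNATURE_SIGNED", "file_wildfire_verdict": "BENIGN",
         "is_malicious": "false", "alert_count": 1},
    ]},
    "incident": {"incident_id": "1645", "severity": "high", "status": "new", "alert_count": 1,
                 "description": "WMI Lateral Movement generated by BIOC detected on host ILCSYS31"},
    "alerts": {"total_count": 1, "data": [
        {"alert_id": "21631", "name": "WMI Lateral Movement", "severity": "high",
         "host_name": "ILCSYS31", "host_ip": "10.0.50.31", "user_name": "ILLICIUM\\ibojer",
         "source": "BIOC", "action": "DETECTED"},
    ]},
    "network_artifacts": {"total_count": 0, "data": []},
}


def build_api_root(fqdn: str) -> str:
    """API Root as the integration parameter table defines it: https://api-{fqdn}."""
    return f"https://api-{fqdn}"


def build_headers(api_key: str, api_key_id: int) -> dict:
    """The two headers named in the Credentials section."""
    return {
        "Authorization": api_key,
        "x-xdr-auth-id": str(api_key_id),
        "Content-Type": "application/json",
    }


def fetch_incident_extra_data(api_root, api_key, api_key_id, incident_id, verify_ssl=True):
    """POST to the public API call that returns an incident with alerts and artifacts.
    Endpoint path and the {"reply": ...} envelope are taken from the Cortex XDR
    public API, not from this page (assumption)."""
    url = api_root.rstrip("/") + "/public_api/v1/incidents/get_incident_extra_data/"
    body = json.dumps({"request_data": {"incident_id": str(incident_id),
                                        "alerts_limit": 1000}}).encode("utf-8")
    req = urllib.request.Request(url, data=body,
                                 headers=build_headers(api_key, api_key_id), method="POST")
    ctx = ssl.create_default_context()
    if not verify_ssl:  # Verify SSL left unchecked: no certificate validation at all
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)["reply"]


def _is_true(value) -> bool:
    """The sample payload carries booleans as the strings "true"/"false"; accept both forms."""
    return str(value).lower() == "true"


def summarize_incident(extra_data: dict) -> dict:
    """Reduce the Query result to what a playbook branches on: the alert count that
    feeds the incident_alerts_count script result, hosts and users named in alerts,
    and file artifacts flagged malicious or carrying a non-BENIGN WildFire verdict."""
    incident = extra_data.get("incident", {})
    alerts = extra_data.get("alerts", {}).get("data", [])
    files = extra_data.get("file_artifacts", {}).get("data", [])
    suspicious = []
    for f in files:
        verdict = f.get("file_wildfire_verdict")  # a missing verdict is not treated as a hit
        if _is_true(f.get("is_malicious")) or (verdict and str(verdict).upper() != "BENIGN"):
            suspicious.append(f.get("file_sha256"))
    return {
        "incident_id": incident.get("incident_id"),
        "severity": incident.get("severity"),
        "incident_alerts_count": len(alerts),
        "hosts": sorted({a["host_name"] for a in alerts if a.get("host_name")}),
        "users": sorted({a["user_name"] for a in alerts if a.get("user_name")}),
        "suspicious_hashes": suspicious,
    }


if __name__ == "__main__":
    print(json.dumps(summarize_incident(SAMPLE_INCIDENT_DATA), indent=2))
```

Leaving Verify SSL unchecked disables certificate validation for every call the integration makes, so the API key would travel to whichever host answers at the API Root; keep it checked unless the tenant's certificate chain genuinely cannot be validated from the SecOps side.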
Resolve an Incident
The ability to close XDR incidents with a close reason.
Parameters
Parameter | Type | Default Value | Description |
---|---|---|---|
Incident ID | String | N/A | The ID of the incident to be updated. |
Status | List | UNDER_INVESTIGATION | Updated incident status. |
Resolve Comment | String | N/A | Descriptive comment explaining the incident change. |
Use cases
N/A
Run On
This action runs on all entities.
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
N/A
Update an Incident
The ability to set a specific XDR incident as under investigation, assign to named users, etc.
Parameters
Parameter | Type | Default Value | Description |
---|---|---|---|
Incident ID | String | N/A | The ID of the incident to be updated. |
Assigned User Name | String | N/A | The updated full name of the incident assignee. |
Severity | List | Low | Administrator-defined severity. |
Status | List | UNDER_INVESTIGATION | Updated incident status. |
Use cases
N/A
Run On
This action runs on the URL entity.
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
N/A
Enrich Entities
Enrich Google SecOps Host and IP entities based on the information from the Palo Alto Networks Cortex XDR.
Parameters
N/A
Use cases
N/A
Run On
This action runs on the following entities:
- IP Address
- Hostname
Action Results
Entity Enrichment
Enrichment Field Name | Logic-When to apply |
---|---|
domain | Returns if it exists in JSON result |
endpoint_name | Returns if it exists in JSON result |
endpoint_type | Returns if it exists in JSON result |
ip | Returns if it exists in JSON result |
endpoint_version | Returns if it exists in JSON result |
install_date | Returns if it exists in JSON result |
installation_package | Returns if it exists in JSON result |
is_isolated | Returns if it exists in JSON result |
group_name | Returns if it exists in JSON result |
alias | Returns if it exists in JSON result |
active_directory | Returns if it exists in JSON result |
endpoint_status | Returns if it exists in JSON result |
endpoint_id | Returns if it exists in JSON result |
content_version | Returns if it exists in JSON result |
os_type | Returns if it exists in JSON result |
last_seen | Returns if it exists in JSON result |
first_seen | Returns if it exists in JSON result |
users | Returns if it exists in JSON result |
Insights
N/A
Script Result
Script Result Name | Value options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
[{
"EntityResult":
{
"domain": "st2.local",
"endpoint_name": "ST2-PC-1-14",
"endpoint_type": "AGENT_TYPE_SERVER",
"ip": null,
"endpoint_version": "6.1.0.9915",
"install_date": 1568103207592,
"installation_package": "papi-test",
"is_isolated": null,
"group_name": null,
"alias": "",
"active_directory": null,
"endpoint_status": "DISCONNECTED",
"endpoint_id": "4ce98b4d8d2b45a9a1d82dc71f0d1304",
"content_version": "",
"os_type": "AGENT_OS_WINDOWS",
"last_seen": 1568103207592,
"first_seen": 1568103207591,
"users": ["TEST USER"]
},
"Entity": "PC01"
}]
Get Endpoint Agent Report
Get the agent report for an endpoint.
Parameters
N/A
Use cases
N/A
Run On
This action runs on the following entities:
- IP Address
- Hostname
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
Script Result Name | Value options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
N/A
Isolate Endpoint
Isolate an endpoint.
Parameters
N/A
Use cases
N/A
Run On
This action runs on the following entities:
- IP Address
- Hostname
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
Script Result Name | Value options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
N/A
Unisolate Endpoint
Unisolate an endpoint.
Parameters
N/A
Use cases
N/A
Run On
This action runs on the following entities:
- IP Address
- Hostname
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
Script Result Name | Value options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
N/A
Add Hashes to Block List
Use this action to add files, which are unlisted, to a specified block list.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Comment | String | N/A | No | An additional comment providing information about the action. |
Incident ID | String | N/A | No | The ID of the incident to which the added hashes are related. |
Run On
This action runs on the Filehash entity.
Action Results
Script Result
Script Result Name | Value options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
{
"success": ["hashes that were added"],
"already_existed": ["hashes that already existed"],
"failed": ["hashes that failed"],
"unsupported": ["unsupported hashes"]
}
Case Wall
Result type | Value/Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution. For successfully added entities: "Successfully added the following entities to the Block List: " + successful_entities_list. For unsuccessful entities: "Could not add the following entities to the Block List: " + unsuccessful_entities_list. If one hash of an unsupported type is provided (is_success=true): "The following hashes are unsupported: {unsupported hashes}". If all provided hashes are of an unsupported type (is_success=false): "None of the provided hashes are supported." The action should fail and stop a playbook execution: | General |
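The following is an added example, not the integration's own code. It shows the pre-flight and result handling the Case Wall rules above imply for Add Hashes to Block List: Filehash entities are sorted by hash type, only SHA-256 values are sent on (Cortex XDR block lists take SHA-256 hashes, so other formats are what ends up in `unsupported`), and the `is_success` flag and output message are composed from the `success` / `already_existed` / `failed` lists of the JSON Result. The API reply is simulated with a constructed stand-in so the block runs offline; treating `already_existed` as a successful outcome, and setting `is_success` to false when every supported hash failed, are choices made here rather than rules stated on the page.

```python
"""Added example, not the integration's own code: sort Filehash entities for
'Add Hashes to Block List' into supported and unsupported hashes and build the
is_success flag and output message from the rules in the Case Wall table."""
import re

# Cortex XDR block lists take SHA-256 values; any other format is reported as unsupported.
HASH_PATTERNS = {
    "md5": re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE),
    "sha1": re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE),
    "sha256": re.compile(r"^[0-9a-f]{64}$", re.IGNORECASE),
}

# Constructed sample entities: the two SHA-256 values from the Query result plus one MD5.
SAMPLE_ENTITIES = [
    "6f88fb88ffb0f1d5465c2826e5b4f523598b1b8378377c8378ffebc171bad18b",
    "25dfb8168246e5d04dd6f124c95e4c4c4e8273503569acd5452205558d099871",
    "d41d8cd98f00b204e9800998ecf8427e",
]


def classify_hash(value: str) -> str:
    """Return md5 / sha1 / sha256 by length and character set, or 'unknown'."""
    v = value.strip()
    for name, pattern in HASH_PATTERNS.items():
        if pattern.match(v):
            return name
    return "unknown"


def split_supported(entities):
    """Split entities into block-list-capable SHA-256 hashes and everything else."""
    supported = [e.strip().lower() for e in entities if classify_hash(e) == "sha256"]
    unsupported = [e.strip() for e in entities if classify_hash(e) != "sha256"]
    return supported, unsupported


def simulate_reply(supported, already_on_list):
    """Constructed stand-in for the API response (no network call): hashes already on
    the list land in already_existed, the rest in success."""
    return {
        "success": [h for h in supported if h not in already_on_list],
        "already_existed": [h for h in supported if h in already_on_list],
        "failed": [],
        "unsupported": [],
    }


def build_action_result(api_reply: dict, unsupported: list) -> dict:
    """Compose is_success and the output message from the JSON Result lists.
    is_success is False when every provided hash is unsupported (page rule) and,
    as a choice made here, also when no supported hash was accepted."""
    accepted = list(api_reply.get("success", [])) + list(api_reply.get("already_existed", []))
    failed = list(api_reply.get("failed", []))
    parts = []
    if accepted:
        parts.append("Successfully added the following entities to the Block List: "
                     + ", ".join(accepted))
    if failed:
        parts.append("Could not add the following entities to the Block List: "
                     + ", ".join(failed))
    if unsupported and not (accepted or failed):
        parts.append("None of the provided hashes are supported.")
    elif unsupported:
        parts.append("The following hashes are unsupported: " + ", ".join(unsupported))
    result_json = dict(api_reply)
    result_json["unsupported"] = list(unsupported)
    return {"is_success": bool(accepted), "output_message": " ".join(parts),
            "result_json": result_json}


def add_hashes_to_block_list(entities, already_on_list=()):
    """End-to-end: classify, send only SHA-256 values, build the action result."""
    supported, unsupported = split_supported(entities)
    reply = simulate_reply(supported, set(already_on_list))
    return build_action_result(reply, unsupported)


if __name__ == "__main__":
    print(add_hashes_to_block_list(SAMPLE_ENTITIES, already_on_list=[SAMPLE_ENTITIES[1]]))
```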
Add Comment To Incident
Use the Add Comment To Incident action to add a comment to an incident in Palo Alto Cortex XDR.
This action doesn't run on Google SecOps entities.
Action inputs
The Add Comment To Incident action requires the following parameters:
Parameter | Description |
---|---|
Incident ID | Required. The ID of the incident to update. |
Comment | Required. The comment to add to the incident. |
Action outputs
The Add Comment To Incident action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Output messages | Available |
Script result | Available |
Output messages
The Add Comment To Incident action can return the following output messages:
Output message | Message description |
---|---|
| The action succeeded. |
Error executing action "Add Comment To Incident". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Add Comment To Incident action:
Script result name | Value |
---|---|
is_success | True or False |
Get Incident Details
Use the Get Incident Details action to retrieve information about an incident in Palo Alto Cortex XDR.
This action doesn't run on Google SecOps entities.
Action inputs
The Get Incident Details action requires the following parameters:
Parameter | Description |
---|---|
Incident ID | Required. The ID of the incident to return. |
Lowest Alert Severity | Optional. The lowest alert severity required for an alert to be included. The possible values are as follows: The default value is |
Max Alerts To Return | Optional. The maximum amount of alerts to return. The maximum value is The default value is |
Action outputs
The Get Incident Details action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
JSON result
The following example shows the JSON result outputs received when using the Get Incident Details action:
{
"incident_id": "146408",
"is_blocked": false,
"incident_name": null,
"creation_time": 1756265930000,
"modification_time": 1756265938000,
"detection_time": null,
"status": "new",
"severity": "medium",
"description": "'PHP XDebug Session Detection' generated by PAN NGFW",
"assigned_user_mail": null,
"assigned_user_pretty_name": null,
"alert_count": 1,
"low_severity_alert_count": 0,
"med_severity_alert_count": 1,
"high_severity_alert_count": 0,
"critical_severity_alert_count": 0,
"user_count": 0,
"host_count": 0,
"notes": null,
"resolve_comment": null,
"resolved_timestamp": null,
"manual_severity": null,
"manual_description": null,
"xdr_url": "https://xyz.com/incident-view?caseId=146408",
"starred": true,
"starred_manually": false,
"hosts": null,
"users": [],
"incident_sources": [
"PAN NGFW"
],
"rule_based_score": null,
"predicted_score": 40,
"manual_score": null,
"aggregated_score": 40,
"wildfire_hits": 0,
"alerts_grouping_status": "Enabled",
"mitre_tactics_ids_and_names": null,
"mitre_techniques_ids_and_names": null,
"alert_categories": [
"Vulnerability"
],
"original_tags": [
"DS:PANW/NGFW"
],
"tags": [
"DS:PANW/NGFW"
],
"network_artifacts": {
"total_count": 1,
"data": [
{
"type": "IP",
"alert_count": 1,
"is_manual": false,
"network_domain": null,
"network_remote_ip": "0.0.0.0",
"network_remote_port": 500,
"network_country": "JP"
}
]
},
"file_artifacts": {
"total_count": 0,
"data": []
},
"alerts": [
{
"external_id": "7540915192461269271",
"severity": "medium",
"matching_status": "UNMATCHABLE",
"end_match_attempt_ts": null,
"local_insert_ts": 1756265929231,
"last_modified_ts": null,
"bioc_indicator": null,
"matching_service_rule_id": null,
"attempt_counter": 0,
"bioc_category_enum_key": null,
"case_id": 146408,
"is_whitelisted": false,
"starred": true,
"deduplicate_tokens": "00421ab2ab1a43d089b1f690f8b4e54a",
"filter_rule_id": null,
}
]
}
Output messages
The Get Incident Details action can return the following output messages:
Output message | Message description |
---|---|
| The action succeeded. |
Error executing action "Get Incident Details". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Get Incident Details action:
Script result name | Value |
---|---|
is_success | True or False |
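The following is an added example, not the integration's own code. It applies the two optional inputs of Get Incident Details, Lowest Alert Severity and Max Alerts To Return, to an incident's `alerts` array: alerts below the threshold are dropped, the remainder are ordered most severe first (newest first within a severity, using `local_insert_ts` from the JSON result), and the list is cut at the cap. The severity ranking and the handling of unknown severity strings (dropped, not guessed) are choices made here; the sample alerts are constructed.

```python
"""Added example, not the integration's own code: apply Lowest Alert Severity and
Max Alerts To Return from Get Incident Details to an incident's alert list."""

# Severity ranking used for the threshold (names as they appear in the JSON result).
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed sample alerts in the shape of the "alerts" array of the JSON result.
SAMPLE_ALERTS = [
    {"external_id": "a1", "severity": "low", "local_insert_ts": 1756265929100},
    {"external_id": "a2", "severity": "medium", "local_insert_ts": 1756265929231},
    {"external_id": "a3", "severity": "critical", "local_insert_ts": 1756265929300},
    {"external_id": "a4", "severity": "high", "local_insert_ts": 1756265929400},
    {"external_id": "a5", "severity": "weird", "local_insert_ts": 1756265929500},  # unknown: dropped
]


def filter_alerts(alerts, lowest_severity="low", max_alerts=100):
    """Keep alerts at or above lowest_severity, most severe (then newest) first,
    capped at max_alerts. Unknown severity strings are dropped rather than guessed."""
    key = str(lowest_severity).strip().lower()
    if key not in SEVERITY_RANK:
        raise ValueError(f"unsupported severity {lowest_severity!r}; "
                         f"expected one of {sorted(SEVERITY_RANK)}")
    if max_alerts < 1:
        raise ValueError("max_alerts must be positive")
    threshold = SEVERITY_RANK[key]
    kept = [a for a in alerts
            if SEVERITY_RANK.get(str(a.get("severity", "")).lower(), -1) >= threshold]
    kept.sort(key=lambda a: (-SEVERITY_RANK[str(a["severity"]).lower()],
                             -(a.get("local_insert_ts") or 0)))
    return kept[:max_alerts]


def alert_ids(alerts):
    """Convenience: the external_id values of a filtered list, in order."""
    return [a.get("external_id") for a in alerts]


if __name__ == "__main__":
    print(alert_ids(filter_alerts(SAMPLE_ALERTS, "medium", 2)))
```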
Execute XQL Search
Use the Execute XQL Search action to fetch information using XQL in Palo Alto Cortex XDR.
This action doesn't run on Google SecOps entities.
Action inputs
The Execute XQL Search action requires the following parameters:
Parameter | Description |
---|---|
Query | Required. The query to execute in Palo Alto Cortex XDR. Don't provide |
Time Frame | Optional. The query to execute in Palo Alto Cortex XDR. Don't provide The possible values are as follows: The default value is |
Start Time | Optional. The start time for the results in format ISO 8601. If |
End Time | Optional. The end time for the results in format ISO 8601. If |
Max Results To Return | Optional. The action will append The maximum value is The default value is |
Action outputs
The Execute XQL Search action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
JSON result
The following example shows the JSON result outputs received when using the Execute XQL Search action:
{
"events": [
{
"event_id": "AAABmRQvChTmouboArIcKg==",
"_product": "XDR agent",
"_time": 1756980296509,
"_vendor": "PANW",
"insert_timestamp": 1756980477113,
"event_type": "NETWORK",
"event_sub_type": "NETWORK_STREAM_CONNECT_FAILED"
},
{
"event_id": "AAABmRQtb2XmouboArIb1g==",
"_product": "XDR agent",
"_time": 1756980191374,
"_vendor": "PANW",
"insert_timestamp": 1756980477113,
"event_type": "NETWORK",
"event_sub_type": "NETWORK_STREAM_CONNECT_FAILED"
}
]
}
Output messages
The Execute XQL Search action can return the following output messages:
Output message | Message description |
---|---|
| The action succeeded. |
Error executing action "Execute XQL Search". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Execute XQL Search action:
Script result name | Value |
---|---|
is_success | True or False |
Connectors
For more detail about how to configure connectors in Google SecOps, see Ingest your data (connectors).
Palo Alto Cortex XDR Connector
A connector for fetching incidents from Palo Alto Networks Cortex XDR, and creating alerts from the attached incidents.
Connector inputs
The Palo Alto Cortex XDR Connector requires the following parameters:
Parameter | Description |
---|---|
Product Field Name | Required. The name of the field where the product name is stored. The product name primarily impacts mapping. To streamline and improve the mapping process for the connector, the default value resolves to a fallback value that is referenced from the code. Any invalid input for this parameter resolves to a fallback value by default. The default value is |
Event Field Name | Required. The name of the field that determines the event name (subtype). The default value is |
PythonProcessTimeout | Required. The timeout limit (in seconds) for the Python process to run the current script. The default value is |
API Root | Required. The API root of the Palo Alto Cortex XDR instance. The default value is |
API Key | Required. The Palo Alto Cortex XDR API key. |
Api Key ID | Required. The corresponding ID of the API key for future authentication. The default value is |
Verify SSL | Optional. If selected, the integration validates the SSL certificate when connecting to the Palo Alto Cortex XDR server. Enabled by default. |
Alerts Count Limit | Optional. The maximum number of alerts in each cycle. The default value is |
Max Days Backwards | Optional. The maximum number of days before the current date for the connector to retrieve data from. This parameter is used for the initial run of the connector. The default value is |
Environment Field Name | Optional. The name of the field where the environment name is stored. If the environment field is missing, the connector uses the default value. The default value is |
Environment Regex Pattern | Optional. A regular expression pattern to run on the value found in the Use the default value If the regular expression pattern is null or empty, or the environment value is null, the final environment result is the default environment. |
Proxy Server Address | Optional. The address of the proxy server to use. |
Proxy Username | Optional. The proxy username to authenticate with. |
Proxy Password | Optional. The proxy password to authenticate with. |
Connector rules
The connector doesn't support Whitelist/Blacklist.
The connector supports proxy.
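The following is an added example, not the connector's own code. It implements the mapping and windowing rules the connector parameters describe: Product Field Name with its fallback when the field is absent, Environment Field Name plus Environment Regex Pattern with the default-environment rule for a null or empty pattern or a missing value, Max Days Backwards as the lower bound of the first fetch, and Alerts Count Limit as the per-cycle cap. The fallback product name, the default environment name and the incident itself are constructed placeholders; falling back to the default environment when the pattern does not match is a choice made here, not a rule on the page. Event Field Name is resolved the same way as the product field.

```python
"""Added example, not the connector's own code: the field-mapping and time-window
rules the connector parameters describe, applied to a constructed incident."""
import re
import time

FALLBACK_PRODUCT = "Cortex XDR"              # constructed stand-in for the code-referenced fallback
DEFAULT_ENVIRONMENT = "Default Environment"  # constructed stand-in for the default environment
MS_PER_DAY = 24 * 60 * 60 * 1000

# Constructed incident in the shape of the Get Incident Details JSON result.
SAMPLE_INCIDENT = {
    "incident_id": "146408",
    "creation_time": 1756265930000,
    "severity": "medium",
    "incident_sources": ["PAN NGFW"],
    "description": "'PHP XDebug Session Detection' generated by PAN NGFW",
    "alerts": [{"external_id": f"alert-{i}", "severity": "medium"} for i in range(5)],
}


def _field_value(record: dict, field_name: str):
    """Read a named field; a list-valued field (such as incident_sources) yields its first item."""
    if not field_name:
        return None
    value = record.get(field_name)
    if isinstance(value, list):
        return value[0] if value else None
    return value


def resolve_product(incident: dict, product_field_name: str) -> str:
    """Product Field Name: the field's value, or the fallback when it is absent or empty."""
    value = _field_value(incident, product_field_name)
    return str(value) if value else FALLBACK_PRODUCT


def resolve_event_name(incident: dict, event_field_name: str) -> str:
    """Event Field Name: the field's value determines the event name (subtype)."""
    value = _field_value(incident, event_field_name)
    return str(value) if value else "unknown"


def resolve_environment(incident, environment_field_name, environment_regex_pattern,
                        default_env=DEFAULT_ENVIRONMENT):
    """Environment Field Name + Environment Regex Pattern: a missing value or a
    null/empty pattern yields the default environment; otherwise the first match
    of the pattern is the environment. No match also falls back (choice made here)."""
    value = _field_value(incident, environment_field_name)
    if value is None or not environment_regex_pattern:
        return default_env
    match = re.search(environment_regex_pattern, str(value))
    return match.group(0) if match else default_env


def initial_window_start(max_days_backwards: int, now_ms=None) -> int:
    """Max Days Backwards as an epoch-millisecond lower bound for the first run
    (Cortex XDR timestamps such as creation_time are epoch milliseconds)."""
    if max_days_backwards < 0:
        raise ValueError("max_days_backwards must not be negative")
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    return now_ms - max_days_backwards * MS_PER_DAY


def in_window(incident: dict, start_ms: int) -> bool:
    """Keep incidents created at or after the window start."""
    return int(incident.get("creation_time") or 0) >= start_ms


def select_alerts(incident: dict, alerts_count_limit: int) -> list:
    """Alerts Count Limit: cap the alerts turned into Google SecOps alerts in one cycle."""
    return list(incident.get("alerts") or [])[:alerts_count_limit]


def map_incident(incident, product_field_name="incident_sources",
                 event_field_name="severity", environment_field_name="description",
                 environment_regex_pattern=r"PAN NGFW", alerts_count_limit=3):
    """Assemble the fields the connector derives for one incident."""
    return {
        "incident_id": incident.get("incident_id"),
        "product": resolve_product(incident, product_field_name),
        "event_name": resolve_event_name(incident, event_field_name),
        "environment": resolve_environment(incident, environment_field_name,
                                           environment_regex_pattern),
        "alerts": select_alerts(incident, alerts_count_limit),
    }


if __name__ == "__main__":
    print(map_incident(SAMPLE_INCIDENT))
```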