Palo Alto Cortex XDR
Integration version: 15.0
Configure Palo Alto Cortex XDR to work with Google Security Operations
Credentials
To obtain your Cortex XDR API Key:
- Navigate to > Settings.
- Select + New Key.
- Choose the type of API Key to generate (Advanced only).
- Provide a comment that describes the purpose of the API key (optional).
- Select the desired level of access for this key.
- Generate the API Key.
- Copy the API key, and then click Done.
To obtain your Cortex XDR API Key ID:
- Navigate to the API Keys table > ID column.
- Note your corresponding ID number. This value is sent as the x-xdr-auth-id:{key_id} token.
Configure Palo Alto Cortex XDR integration in Google SecOps
For detailed instructions on how to configure an integration in Google SecOps, see Configure integrations.
Integration parameters
Use the following parameters to configure the integration:
| Parameter Display Name | Type | Default Value | Is mandatory | Description |
|---|---|---|---|---|
| API Root | String | https://api-{fqdn} | Yes | Palo Alto Networks Cortex XDR API Root. Note: the FQDN is the unique host and domain name associated with each tenant. When you generate the API Key and Key ID, you are assigned an individual FQDN. |
| Api Key | Password | N/A | Yes | A unique identifier sent as the "Authorization:{key}" header required for authenticating API calls. Depending on your security level, you can generate an Advanced API key from your Cortex XDR app. |
| Api Key ID | Integer | 3 | Yes | A unique token used to authenticate the API Key. The header used when running an API call is "x-xdr-auth-id:{key_id}". |
| Verify SSL | Checkbox | Unchecked | Yes | Option to verify the SSL/TLS connection. |
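As an added example (not the integration's own code), the following Python builds the authenticated request the parameters above describe: the Api Key goes in the Authorization header, the Api Key ID in x-xdr-auth-id, the API Root must have its {fqdn} placeholder filled in, and Verify SSL decides whether the TLS certificate is checked. The request path and the sample values in the comments are assumptions; no network call is made.

```python
"""Build an authenticated Cortex XDR request from the integration parameters.

Added example; not the Google SecOps integration's own code. The request path
and sample credentials used with it are placeholder assumptions.
"""
import json
import ssl
from urllib.parse import urlsplit
from urllib.request import Request


def build_headers(api_key: str, api_key_id: int) -> dict:
    """Return the two authentication headers the integration parameters describe."""
    if not api_key or not api_key.strip():
        raise ValueError("Api Key must not be empty")
    if isinstance(api_key_id, bool) or not isinstance(api_key_id, int) or api_key_id < 0:
        raise ValueError("Api Key ID must be a non-negative integer")
    return {
        "Authorization": api_key,           # "Authorization:{key}"
        "x-xdr-auth-id": str(api_key_id),   # "x-xdr-auth-id:{key_id}"
        "Content-Type": "application/json",
    }


def validate_api_root(api_root: str) -> str:
    """Reject the unfilled default (https://api-{fqdn}) and anything that is not https."""
    if "{fqdn}" in api_root:
        raise ValueError("API Root still contains {fqdn}; use the tenant FQDN "
                         "assigned with the API key")
    parts = urlsplit(api_root)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("API Root must be an https:// URL")
    return api_root.rstrip("/")


def tls_context(verify_ssl: bool) -> ssl.SSLContext:
    """Mirror the Verify SSL checkbox.

    Unchecked disables certificate and hostname checks, which leaves the API key
    in the Authorization header exposed to interception; the context is built
    explicitly so that choice is visible at the call site.
    """
    ctx = ssl.create_default_context()
    if not verify_ssl:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def build_request(api_root: str, api_key: str, api_key_id: int,
                  path: str, body: dict) -> Request:
    """Assemble a POST request; pass it to urlopen together with tls_context()."""
    root = validate_api_root(api_root)
    if not path.startswith("/"):
        raise ValueError("path must be absolute, e.g. /placeholder/endpoint")
    data = json.dumps(body).encode("utf-8")
    return Request(root + path, data=data,
                   headers=build_headers(api_key, api_key_id), method="POST")
```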
Actions
Ping
Test connectivity to Palo Alto Networks Cortex XDR.
Parameters
N/A
Use cases
N/A
Run On
This action runs on all entities.
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_connected | True/False | is_connected:False |
JSON Result
N/A
Query
Retrieve the data of a specific incident, including its alerts and key artifacts.
Parameters
| Parameter | Type | Default Value | Description |
|---|---|---|---|
| Incident ID | String | N/A | The ID of the incident for which you want to retrieve data. |
Use cases
N/A
Run On
This action runs on all entities.
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| incident_alerts_count | N/A | N/A |
JSON Result
```json
{
  "file_artifacts": {
    "total_count": 2,
    "data": [
      {
        "file_signature_status": "SIGNATURE_SIGNED",
        "is_process": "true",
        "is_malicious": "false",
        "is_manual": "false",
        "file_name": "cmd.exe",
        "file_signature_vendor_name": "Microsoft Corporation",
        "file_sha256": "6f88fb88ffb0f1d5465c2826e5b4f523598b1b8378377c8378ffebc171bad18b",
        "type": "HASH",
        "file_wildfire_verdict": "BENIGN",
        "alert_count": 1
      },
      {
        "file_signature_status": "SIGNATURE_SIGNED",
        "is_process": "true",
        "is_malicious": "false",
        "is_manual": "false",
        "file_name": "WmiPrvSE.exe",
        "file_signature_vendor_name": "Microsoft Corporation",
        "file_sha256": "25dfb8168246e5d04dd6f124c95e4c4c4e8273503569acd5452205558d099871",
        "type": "HASH",
        "file_wildfire_verdict": "BENIGN",
        "alert_count": 1
      }
    ]
  },
  "incident": {
    "status": "new",
    "incident_id": "1645",
    "user_count": 1,
    "assigned_user_mail": " ",
    "severity": "high",
    "resolve_comment": " ",
    "assigned_user_pretty_name": " ",
    "notes": " ",
    "creation_time": 1564877575921,
    "alert_count": 1,
    "med_severity_alert_count": 0,
    "detection_time": " ",
    "modification_time": 1564877575921,
    "manual_severity": " ",
    "xdr_url": "https://ac997a94-5e93-40ea-82d9-6a615038620b.xdr.us.paloaltonetworks.com/incident-view/1645",
    "manual_description": " ",
    "low_severity_alert_count": 0,
    "high_severity_alert_count": 1,
    "host_count": 1,
    "description": "WMI Lateral Movement generated by BIOC detected on host ILCSYS31 involving user ILLICIUM\\\\ibojer"
  },
  "alerts": {
    "total_count": 1,
    "data": [
      {
        "action_pretty": "Detected",
        "description": "Process action type = execution AND name = cmd.exe Process name = wmiprvse.exe, cgo name = wmiprvse.exe",
        "host_ip": "10.0.50.31",
        "alert_id": "21631",
        "detection_timestamp": 1564877525123,
        "name": "WMI Lateral Movement",
        "category": "Lateral Movement",
        "severity": "high",
        "source": "BIOC",
        "host_name": "ILCSYS31",
        "action": "DETECTED",
        "user_name": "ILLICIUM\\\\ibojer"
      }
    ]
  },
  "network_artifacts": {
    "total_count": 0,
    "data": []
  }
}
```
 
 
Resolve an Incident
The ability to close XDR incidents with a close reason.
Parameters
| Parameter | Type | Default Value | Description |
|---|---|---|---|
| Incident ID | String | N/A | The ID of the incident to be updated. |
| Status | List | UNDER_INVESTIGATION | Updated incident status. |
| Resolve Comment | String | N/A | Descriptive comment explaining the incident change. |
Use cases
N/A
Run On
This action runs on all entities.
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
N/A
 
 
Update an Incident
The ability to set a specific XDR incident as under investigation, assign to named users, etc.
Parameters
| Parameter | Type | Default Value | Description |
|---|---|---|---|
| Incident ID | String | N/A | The ID of the incident to be updated. |
| Assigned User Name | String | N/A | The updated full name of the incident assignee. |
| Severity | List | Low | Administrator-defined severity. |
| Status | List | UNDER_INVESTIGATION | Updated incident status. |
Use cases
N/A
Run On
This action runs on the URL entity.
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
N/A
 
 
Enrich Entities
Enrich Google SecOps Host and IP entities based on information from Palo Alto Networks Cortex XDR.
Parameters
N/A
Use cases
N/A
Run On
This action runs on the following entities:
- IP Address
- Hostname
Action Results
Entity Enrichment
| Enrichment Field Name | Logic-When to apply | 
|---|---|
| domain | Returns if it exists in JSON result | 
| endpoint_name | Returns if it exists in JSON result | 
| endpoint_type | Returns if it exists in JSON result | 
| ip | Returns if it exists in JSON result | 
| endpoint_version | Returns if it exists in JSON result | 
| install_date | Returns if it exists in JSON result | 
| installation_package | Returns if it exists in JSON result | 
| is_isolated | Returns if it exists in JSON result | 
| group_name | Returns if it exists in JSON result | 
| alias | Returns if it exists in JSON result | 
| active_directory | Returns if it exists in JSON result | 
| endpoint_status | Returns if it exists in JSON result | 
| endpoint_id | Returns if it exists in JSON result | 
| content_version | Returns if it exists in JSON result | 
| os_type | Returns if it exists in JSON result | 
| last_seen | Returns if it exists in JSON result | 
| first_seen | Returns if it exists in JSON result | 
| users | Returns if it exists in JSON result | 
Insights
N/A
Script Result
| Script Result Name | Value options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
```json
[
  {
    "EntityResult": {
      "domain": "st2.local",
      "endpoint_name": "ST2-PC-1-14",
      "endpoint_type": "AGENT_TYPE_SERVER",
      "ip": null,
      "endpoint_version": "6.1.0.9915",
      "install_date": 1568103207592,
      "installation_package": "papi-test",
      "is_isolated": null,
      "group_name": null,
      "alias": "",
      "active_directory": null,
      "endpoint_status": "DISCONNECTED",
      "endpoint_id": "4ce98b4d8d2b45a9a1d82dc71f0d1304",
      "content_version": "",
      "os_type": "AGENT_OS_WINDOWS",
      "last_seen": 1568103207592,
      "first_seen": 1568103207591,
      "users": ["TEST USER"]
    },
    "Entity": "PC01"
  }
]
```
 
 
Get Endpoint Agent Report
Get the agent report for an endpoint.
Parameters
N/A
Use cases
N/A
Run On
This action runs on the following entities:
- IP Address
- Hostname
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
| Script Result Name | Value options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
N/A
 
 
Isolate Endpoint
Isolate an endpoint.
Parameters
N/A
Use cases
N/A
Run On
This action runs on the following entities:
- IP Address
- Hostname
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
| Script Result Name | Value options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
N/A
 
 
Unisolate Endpoint
Unisolate an endpoint.
Parameters
N/A
Use cases
N/A
Run On
This action runs on the following entities:
- IP Address
- Hostname
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
| Script Result Name | Value options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
N/A
 
 
Add Hashes to Block List
Use this action to add file hashes that are not yet listed to a specified block list.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Comment | String | N/A | No | An additional comment with information about the action. |
| Incident ID | String | N/A | No | The ID of the incident to which the added hashes relate. |
Run On
This action runs on the Filehash entity.
Action Results
Script Result
| Script Result Name | Value options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
```json
{
  "success": ["hashes that were added"],
  "already_existed": ["hashes that already existed"],
  "failed": ["hashes that failed"],
  "unsupported": ["unsupported hashes"]
}
```
 
 
Case Wall
| Result type | Value/Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution. For successfully added entities: "Successfully added the following entities to the Block List: " + successful_entities_list. For unsuccessful entities: "Could not add the following entities to the Block List: " + unsuccessful_entities_list. If one hash of an unsupported type is provided (is_success=true): "The following hashes are unsupported: {unsupported hashes}". If all provided hashes are of an unsupported type (is_success=false): "None of the provided hashes are supported." The action should fail and stop a playbook execution: | General |
Add Comment To Incident
Use the Add Comment To Incident action to add a comment to an incident in Palo Alto Cortex XDR.
This action doesn't run on Google SecOps entities.
Action inputs
The Add Comment To Incident action requires the following parameters:
| Parameter | Description | 
|---|---|
| Incident ID | Required. The ID of the incident to update. | 
| Comment | Required. The comment to add to the incident. | 
Action outputs
The Add Comment To Incident action provides the following outputs:
| Action output type | Availability | 
|---|---|
| Case wall attachment | Not available | 
| Case wall link | Not available | 
| Case wall table | Not available | 
| Enrichment table | Not available | 
| JSON result | Not available | 
| Output messages | Available | 
| Script result | Available | 
Output messages
The Add Comment To Incident action can return the following output messages:
| Output message | Message description |
|---|---|
| | The action succeeded. |
| Error executing action "Add Comment To Incident". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Add Comment To Incident action:
| Script result name | Value |
|---|---|
| is_success | True or False |
Get Incident Details
Use the Get Incident Details action to retrieve information about an incident in Palo Alto Cortex XDR.
This action doesn't run on Google SecOps entities.
Action inputs
The Get Incident Details action requires the following parameters:
- Incident ID: Required. The ID of the incident to return.
- Lowest Alert Severity: Optional. The lowest alert severity required for an alert to be included. The default value is High. The possible values are as follows:
  - Critical
  - High
  - Medium
  - Low
- Max Alerts To Return: Optional. The maximum number of alerts to return. The maximum value is 1000. The default value is 50.
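As an added example (not code from the page or the integration), the following Python applies the Lowest Alert Severity and Max Alerts To Return rules above to incident data in the shape the Query action returns earlier on this page ("incident", "alerts", "file_artifacts"), and also derives the Query action's incident_alerts_count. The incident at the bottom is constructed for the example; its hashes and alert names are not real telemetry.

```python
"""Apply the Get Incident Details alert filters to incident data.

Added example; not the integration's own code. It works on the incident
structure shown for the Query action on this page ("incident", "alerts",
"file_artifacts"). The sample incident at the bottom is constructed.
"""
from typing import Dict, List

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}
MAX_ALERTS_HARD_LIMIT = 1000  # the action's documented maximum


def filter_alerts(alerts: List[Dict], lowest_severity: str = "High",
                  max_alerts: int = 50) -> List[Dict]:
    """Keep alerts at or above the threshold, most severe first, capped at max_alerts.

    Alerts with an unknown severity never pass the threshold.
    """
    if lowest_severity.lower() not in SEVERITY_RANK:
        raise ValueError(f"unknown severity {lowest_severity!r}")
    if not 1 <= max_alerts <= MAX_ALERTS_HARD_LIMIT:
        raise ValueError(f"Max Alerts To Return must be 1..{MAX_ALERTS_HARD_LIMIT}")
    threshold = SEVERITY_RANK[lowest_severity.lower()]

    def rank(alert: Dict) -> int:
        return SEVERITY_RANK.get(str(alert.get("severity", "")).lower(), -1)

    kept = [a for a in alerts if rank(a) >= threshold]
    kept.sort(key=rank, reverse=True)  # stable: original order within one severity
    return kept[:max_alerts]


def suspicious_file_artifacts(file_artifacts: Dict) -> List[str]:
    """SHA-256 of artifacts marked malicious or with a non-BENIGN WildFire verdict.

    The page's sample encodes booleans as the strings "true"/"false", so both
    forms are accepted.
    """
    def truthy(value) -> bool:
        return value is True or str(value).lower() == "true"

    return [art["file_sha256"] for art in file_artifacts.get("data", [])
            if truthy(art.get("is_malicious"))
            or art.get("file_wildfire_verdict", "BENIGN") != "BENIGN"]


def summarize(incident_data: Dict, lowest_severity: str = "High",
              max_alerts: int = 50) -> Dict:
    """Filtered view of one incident, including the Query action's incident_alerts_count."""
    alerts = filter_alerts(incident_data["alerts"]["data"], lowest_severity, max_alerts)
    return {
        "incident_id": incident_data["incident"]["incident_id"],
        "incident_alerts_count": len(alerts),
        "alert_ids": [a["alert_id"] for a in alerts],
        "hosts": sorted({a["host_name"] for a in alerts if a.get("host_name")}),
        "flagged_hashes": suspicious_file_artifacts(incident_data.get("file_artifacts", {})),
    }


# Constructed sample in the Query result shape; hashes and hosts are not real telemetry.
SAMPLE_INCIDENT = {
    "incident": {"incident_id": "1645", "severity": "high", "alert_count": 3},
    "alerts": {"total_count": 3, "data": [
        {"alert_id": "21631", "severity": "high", "host_name": "ILCSYS31",
         "name": "WMI Lateral Movement"},
        {"alert_id": "21632", "severity": "medium", "host_name": "ILCSYS31",
         "name": "WMI query from unusual process"},
        {"alert_id": "21633", "severity": "critical", "host_name": "ILCSYS32",
         "name": "Credential access attempt"},
    ]},
    "file_artifacts": {"total_count": 2, "data": [
        {"file_name": "cmd.exe", "file_sha256": "a" * 64,
         "is_malicious": "false", "file_wildfire_verdict": "BENIGN"},
        {"file_name": "unknown.exe", "file_sha256": "b" * 64,
         "is_malicious": "true", "file_wildfire_verdict": "MALWARE"},
    ]},
}
```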
Action outputs
The Get Incident Details action provides the following outputs:
| Action output type | Availability | 
|---|---|
| Case wall attachment | Not available | 
| Case wall link | Not available | 
| Case wall table | Not available | 
| Enrichment table | Not available | 
| JSON result | Available | 
| Output messages | Available | 
| Script result | Available | 
JSON result
The following example shows the JSON result output received when using the Get Incident Details action:
```json
{
  "incident_id": "146408",
  "is_blocked": false,
  "incident_name": null,
  "creation_time": 1756265930000,
  "modification_time": 1756265938000,
  "detection_time": null,
  "status": "new",
  "severity": "medium",
  "description": "'PHP XDebug Session Detection' generated by PAN NGFW",
  "assigned_user_mail": null,
  "assigned_user_pretty_name": null,
  "alert_count": 1,
  "low_severity_alert_count": 0,
  "med_severity_alert_count": 1,
  "high_severity_alert_count": 0,
  "critical_severity_alert_count": 0,
  "user_count": 0,
  "host_count": 0,
  "notes": null,
  "resolve_comment": null,
  "resolved_timestamp": null,
  "manual_severity": null,
  "manual_description": null,
  "xdr_url": "https://xyz.com/incident-view?caseId=146408",
  "starred": true,
  "starred_manually": false,
  "hosts": null,
  "users": [],
  "incident_sources": ["PAN NGFW"],
  "rule_based_score": null,
  "predicted_score": 40,
  "manual_score": null,
  "aggregated_score": 40,
  "wildfire_hits": 0,
  "alerts_grouping_status": "Enabled",
  "mitre_tactics_ids_and_names": null,
  "mitre_techniques_ids_and_names": null,
  "alert_categories": ["Vulnerability"],
  "original_tags": ["DS:PANW/NGFW"],
  "tags": ["DS:PANW/NGFW"],
  "network_artifacts": {
    "total_count": 1,
    "data": [
      {
        "type": "IP",
        "alert_count": 1,
        "is_manual": false,
        "network_domain": null,
        "network_remote_ip": "0.0.0.0",
        "network_remote_port": 500,
        "network_country": "JP"
      }
    ]
  },
  "file_artifacts": {
    "total_count": 0,
    "data": []
  },
  "alerts": [
    {
      "external_id": "7540915192461269271",
      "severity": "medium",
      "matching_status": "UNMATCHABLE",
      "end_match_attempt_ts": null,
      "local_insert_ts": 1756265929231,
      "last_modified_ts": null,
      "bioc_indicator": null,
      "matching_service_rule_id": null,
      "attempt_counter": 0,
      "bioc_category_enum_key": null,
      "case_id": 146408,
      "is_whitelisted": false,
      "starred": true,
      "deduplicate_tokens": "00421ab2ab1a43d089b1f690f8b4e54a",
      "filter_rule_id": null
    }
  ]
}
```
 
 
Output messages
The Get Incident Details action can return the following output messages:
| Output message | Message description |
|---|---|
| | The action succeeded. |
| Error executing action "Get Incident Details". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Get Incident Details action:
| Script result name | Value |
|---|---|
| is_success | True or False |
Execute XQL Search
Use the Execute XQL Search action to fetch information using XQL in Palo Alto Cortex XDR.
This action doesn't run on Google SecOps entities.
Action inputs
The Execute XQL Search action requires the following parameters:
- Query: Required. The query to execute in Palo Alto Cortex XDR. Don't provide limit as part of the query; the action retrieves this value from Max Results To Return.
- Time Frame: Optional. The time frame for the results. The default value is Last Hour. The possible values are as follows:
  - Last Hour
  - Last 6 Hours
  - Last 24 Hours
  - Last Week
  - Last Month
  - Custom
- Start Time: Optional. The start time for the results, in ISO 8601 format. If Custom is selected for Time Frame, this parameter is required.
- End Time: Optional. The end time for the results, in ISO 8601 format. If Custom is selected for Time Frame and no value is provided, the action uses the current time.
- Max Results To Return: Optional. The action appends limit to the provided query. The maximum value is 1000. The default value is 50.
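The input rules above, as an added example that is not the integration's own code: resolve the Time Frame to a start/end pair (Custom requires Start Time; End Time defaults to the current time) and append the limit from Max Results To Return instead of accepting one inside the query. Treating Last Month as 30 days, reading naive timestamps as UTC, and the sample query text in the test are assumptions.

```python
"""Prepare an Execute XQL Search call from the action's inputs.

Added example; not the integration's own code. Assumptions: Last Month is
taken as 30 days, naive ISO 8601 timestamps are read as UTC, and any query
text used with these functions is a sample.
"""
import re
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

TIME_FRAMES = {
    "Last Hour": timedelta(hours=1),
    "Last 6 Hours": timedelta(hours=6),
    "Last 24 Hours": timedelta(hours=24),
    "Last Week": timedelta(weeks=1),
    "Last Month": timedelta(days=30),   # assumption: a month is 30 days
}
MAX_RESULTS_HARD_LIMIT = 1000           # the action's documented maximum
_LIMIT_STAGE = re.compile(r"\|\s*limit\b", re.IGNORECASE)


def _parse_iso(value: str) -> datetime:
    """ISO 8601 to an aware datetime; a trailing Z and naive inputs both mean UTC."""
    dt = datetime.fromisoformat(value.strip().replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def resolve_time_range(time_frame: str = "Last Hour", start_time: Optional[str] = None,
                       end_time: Optional[str] = None,
                       now: Optional[datetime] = None) -> Tuple[datetime, datetime]:
    """Return (start, end) for the selected Time Frame, enforcing the Custom rules."""
    now = now or datetime.now(timezone.utc)
    if time_frame == "Custom":
        if not start_time:
            raise ValueError("Start Time is required when Time Frame is Custom")
        start = _parse_iso(start_time)
        end = _parse_iso(end_time) if end_time else now  # End Time defaults to now
    elif time_frame in TIME_FRAMES:
        start, end = now - TIME_FRAMES[time_frame], now
    else:
        raise ValueError(f"unknown Time Frame {time_frame!r}")
    if start >= end:
        raise ValueError("Start Time must be before End Time")
    return start, end


def build_query(query: str, max_results: int = 50) -> str:
    """Append the limit stage from Max Results To Return; refuse a query that has its own."""
    if not 1 <= max_results <= MAX_RESULTS_HARD_LIMIT:
        raise ValueError(f"Max Results To Return must be 1..{MAX_RESULTS_HARD_LIMIT}")
    if _LIMIT_STAGE.search(query):
        raise ValueError("do not include limit in the query; set Max Results To Return")
    return f"{query.strip()} | limit {max_results}"


def to_epoch_ms(dt: datetime) -> int:
    """The timestamps in this page's results (_time, insert_timestamp) are epoch milliseconds."""
    return int(dt.timestamp() * 1000)
```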
Action outputs
The Execute XQL Search action provides the following outputs:
| Action output type | Availability | 
|---|---|
| Case wall attachment | Not available | 
| Case wall link | Not available | 
| Case wall table | Not available | 
| Enrichment table | Not available | 
| JSON result | Available | 
| Output messages | Available | 
| Script result | Available | 
JSON result
The following example shows the JSON result output received when using the Execute XQL Search action:
```json
{
  "events": [
    {
      "event_id": "AAABmRQvChTmouboArIcKg==",
      "_product": "XDR agent",
      "_time": 1756980296509,
      "_vendor": "PANW",
      "insert_timestamp": 1756980477113,
      "event_type": "NETWORK",
      "event_sub_type": "NETWORK_STREAM_CONNECT_FAILED"
    },
    {
      "event_id": "AAABmRQtb2XmouboArIb1g==",
      "_product": "XDR agent",
      "_time": 1756980191374,
      "_vendor": "PANW",
      "insert_timestamp": 1756980477113,
      "event_type": "NETWORK",
      "event_sub_type": "NETWORK_STREAM_CONNECT_FAILED"
    }
  ]
}
```
 
 
Output messages
The Execute XQL Search action can return the following output messages:
| Output message | Message description |
|---|---|
| | The action succeeded. |
| Error executing action "Execute XQL Search". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Execute XQL Search action:
| Script result name | Value |
|---|---|
| is_success | True or False |
Connectors
For more detail about how to configure connectors in Google SecOps, see Ingest your data (connectors).
Palo Alto Cortex XDR Connector
Use this connector to pull incidents from Palo Alto Cortex XDR.
Connector inputs
The Palo Alto Cortex XDR Connector requires the following parameters:
- Product Field Name: Required. The name of the field where the product name is stored. The product name primarily impacts mapping. To streamline and improve the mapping process for the connector, the default value resolves to a fallback value that is referenced from the code. Any invalid input for this parameter resolves to a fallback value by default. The default value is Product Name.
- Event Field Name: Required. The name of the field that determines the event name (subtype). The default value is event_type.
- Script Timeout (Seconds): Required. The timeout limit (in seconds) for the Python process to run the current script. The default value is 60.
- API Root: Required. The API root of the Palo Alto Cortex XDR instance. The default value is https://api-{fqdn}.
- API Key: Required. The Palo Alto Cortex XDR API key.
- Api Key ID: Required. The corresponding ID of the API key, used to authenticate. The default value is 3.
- Verify SSL: Optional. If selected, the integration validates the SSL certificate when connecting to the Palo Alto Cortex XDR server. Enabled by default.
- Alerts Count Limit: Optional. The maximum number of alerts in each cycle. The default value is 10.
- Max Days Backwards: Optional. The maximum number of days before the current date for the connector to retrieve data from. This parameter is used for the initial run of the connector. The default value is 1.
- Environment Field Name: Optional. The name of the field where the environment name is stored. If the environment field is missing, the connector uses the default value. The default value is "".
- Environment Regex Pattern: Optional. A regular expression pattern to run on the value found in the Environment Field Name field. This parameter lets you manipulate the environment field using regular expression logic. Use the default value .* to retrieve the raw Environment Field Name value. If the regular expression pattern is null or empty, or the environment value is null, the final environment result is the default environment.
- Proxy Server Address: Optional. The address of the proxy server to use.
- Proxy Username: Optional. The proxy username to authenticate with.
- Proxy Password: Optional. The proxy password to authenticate with.
- Status Filter: Optional. A comma-separated list of alert statuses for the connector to ingest. If no value is provided, the connector defaults to fetching alerts with the New and Under Investigation statuses. The possible values are as follows:
  - New
  - Under Investigation
  - Resolved
- Split Incident Alerts: Optional. If selected, the connector separates the individual alerts within a single source incident, creating a distinct SOAR Alert for each one. Not enabled by default.
- Lowest Alert Severity To Fetch: Optional. The lowest severity of the alerts to retrieve. If no value is provided, the connector ingests alerts with all severity levels. The Lowest Incident SmartScore To Fetch parameter acts as a main filter: if an incident's score meets that threshold, all associated alerts are processed, regardless of their individual severity filter settings. The possible values are as follows:
  - Low
  - Medium
  - High
  - Critical
- Lowest Incident Severity To Fetch: Optional. The lowest severity of the incidents to retrieve. If no value is provided, the connector ingests incidents with all severity levels. The possible values are as follows:
  - Low
  - Medium
  - High
  - Critical
- Lowest Incident SmartScore To Fetch: Optional. The lowest SmartScore (0 to 100) of the incidents to fetch. This filter operates independently of the severity filter. If no value is provided, the SmartScore filter is ignored.
- Use dynamic list as a blocklist: Required. If selected, the connector uses the dynamic list as a blocklist. Not enabled by default.
- Disable Overflow: Optional. If selected, the connector ignores the Google SecOps overflow mechanism. Enabled by default.
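The environment and filter rules above, as an added example that is not the connector's own code: resolve the environment through Environment Field Name and Environment Regex Pattern, parse Status Filter with its New and Under Investigation default, and apply Lowest Alert Severity To Fetch with the SmartScore override. The default environment name, comparing status values case-insensitively with "_" read as a space (the API returns "new", the filter lists "New"), treating a pattern that matches nothing as the default environment, and the sample records are assumptions.

```python
"""Resolve the connector's environment and ingest filters for one record.

Added example; not the connector's own code. Assumptions: the default
environment name, case-insensitive status comparison with "_" read as a
space, a pattern that matches nothing yielding the default environment, and
the sample records used with these functions.
"""
import re
from typing import Dict, Optional, Tuple

DEFAULT_ENVIRONMENT = "Default Environment"   # assumption
DEFAULT_STATUSES: Tuple[str, ...] = ("New", "Under Investigation")
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def _norm(value) -> str:
    """Normalise status/severity values: "UNDER_INVESTIGATION" -> "under investigation"."""
    return str(value or "").strip().lower().replace("_", " ")


def resolve_environment(record: Dict, env_field_name: str = "",
                        env_regex: str = ".*",
                        default: str = DEFAULT_ENVIRONMENT) -> str:
    """Environment Field Name plus Environment Regex Pattern, as described above.

    A missing field or value, or a null/empty pattern, yields the default
    environment; the default pattern .* returns the raw field value.
    """
    value = record.get(env_field_name) if env_field_name else None
    if value is None or not env_regex:
        return default
    match = re.search(env_regex, str(value))
    return match.group(0) if match and match.group(0) else default


def parse_status_filter(raw: Optional[str]) -> Tuple[str, ...]:
    """Comma-separated Status Filter; no value means New and Under Investigation."""
    statuses = tuple(s.strip() for s in (raw or "").split(",") if s.strip())
    return statuses or DEFAULT_STATUSES


def should_ingest(record: Dict, status_filter: Optional[str] = None,
                  lowest_severity: Optional[str] = None,
                  lowest_smartscore: Optional[int] = None) -> bool:
    """Status filter first; a met SmartScore threshold bypasses the severity filter."""
    wanted = {_norm(s) for s in parse_status_filter(status_filter)}
    if _norm(record.get("status")) not in wanted:
        return False
    score = record.get("aggregated_score")   # field name from this page's JSON result
    if lowest_smartscore is not None and score is not None and score >= lowest_smartscore:
        return True
    if lowest_severity:
        rank = SEVERITY_RANK.get(_norm(record.get("severity")), -1)
        if rank < SEVERITY_RANK[lowest_severity.lower()]:
            return False
    return True
```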
Connector rules
The connector doesn't support Whitelist/Blacklist.
The connector supports proxy.