
Cortex XDR


Cortex XDR stitches together data from the endpoint, network, and cloud in a robust data lake. Applying advanced machine learning and analytics, it identifies threats and benign events with superior accuracy and gives analysts contextualized information, simplifying and accelerating investigations. This integration supports the 'public_api/v1' endpoint.

Connect Cortex XDR with Devo SOAR

  1. Navigate to Automations > Integrations.

  2. Search for Cortex XDR.

  3. Click Details, then the + icon. Enter the required information in the following fields.

  4. Label: Enter a connection name.

  5. Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.

  6. Verify SSL: Select whether to verify the connecting server's SSL certificate (default: Verify SSL Certificate).

  7. Remote Agent: Run this integration using the Devo SOAR Remote Agent.

  8. URL: URL of your Cortex XDR instance.

  9. API Key ID: API key ID for Cortex XDR.

  10. API Key: API key for Cortex XDR.

  11. After you've entered all the details, click Connect.

Actions for Cortex XDR

Isolate Endpoint

Isolates the specified endpoint.

Input Field

Input Name              | Description                                                          | Required
Endpoint Hostname or IP | Column name from parent table that contains endpoint Hostname or IP. | Required

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: {
      "action_id": "",
      "status": "1",
      "endpoints_count": "1"
    }

Isolate Endpoint Status

Returns the status of the isolate operation.

Input Field

Input Name | Description                                                                                     | Required
Action Id  | Column name from parent table that contains the ID of the isolate operation submitted to Cortex XDR. | Required

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • <ACTION ID>: "COMPLETED_SUCCESSFULLY"

Unisolate Endpoint

Removes isolation from the specified endpoint.

Input Field

Input Name              | Description                                                          | Required
Endpoint Hostname or IP | Column name from parent table that contains endpoint Hostname or IP. | Required

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: {
      "action_id": "",
      "status": "1",
      "endpoints_count": "1"
    }

Scan Endpoint

Performs a scan operation on the specified endpoint.

Input Field

Input Name              | Description                                                          | Required
Endpoint Hostname or IP | Column name from parent table that contains endpoint Hostname or IP. | Required

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: {
      "action_id": "",
      "status": "1",
      "endpoints_count": "1"
    }

Scan Endpoint Status

Returns the status of the scan operation.

Input Field

Input Name | Description                                                                                  | Required
Action Id  | Column name from parent table that contains the ID of the scan operation submitted to Cortex XDR. | Required

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • <ACTION ID>: "COMPLETED_SUCCESSFULLY"

Get Endpoint Details

Returns details for the specified endpoint.

Input Field

Input Name              | Description                                                          | Required
Endpoint Hostname or IP | Column name from parent table that contains endpoint Hostname or IP. | Required

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: {
      "endpoint_id": "",
      "endpoint_name": "",
      "endpoint_type": "",
      "endpoint_status": "CONNECTED",
      "os_type": "AGENT_OS_WINDOWS",
      "ip": [
        ""
      ],
      "users": [
        "XDR"
      ],
      "domain": "WORKGROUP",
      "alias": "",
      "first_seen": 1606218761377,
      "last_seen": 1606218769163,
      "content_version": "",
      "installation_package": "XDR",
      "active_directory": null,
      "install_date": 1606218762089,
      "endpoint_version": "",
      "is_isolated": "AGENT_UNISOLATED",
      "isolated_date": null,
      "group_name": [],
      "operational_status": "PARTIALLY_PROTECTED",
      "operational_status_description": "[{\"name\": \"generalStatus\", \"error_code\": 10004}]",
      "scan_status": "SCAN_STATUS_NONE"
    }
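The following is an added example, not part of this page or of the Devo SOAR integration itself, showing how a playbook step could consume the action outputs documented above: checking has_error before trusting result, using Get Endpoint Details to avoid isolating an endpoint that is already isolated or disconnected, decoding the double-encoded operational_status_description field, and reading the status output whose key is the action id. The sample outputs are constructed placeholders shaped like the documented ones.

```python
import json

# Constructed sample outputs in the shape this page documents; values are placeholders.
ISOLATE_OUTPUT = {"has_error": False, "error": None,
                  "result": {"action_id": "12345", "status": "1", "endpoints_count": "1"}}
STATUS_OUTPUT = {"has_error": False, "error": None, "12345": "COMPLETED_SUCCESSFULLY"}
DETAILS_OUTPUT = {"has_error": False, "error": None, "result": {
    "endpoint_name": "host-01", "endpoint_status": "CONNECTED",
    "is_isolated": "AGENT_UNISOLATED", "operational_status": "PARTIALLY_PROTECTED",
    "operational_status_description": "[{\"name\": \"generalStatus\", \"error_code\": 10004}]",
}}


def unwrap(output):
    """Return the 'result' payload, or raise if the action reported an error."""
    if output.get("has_error"):
        raise RuntimeError(f"Cortex XDR action failed: {output.get('error')}")
    return output["result"]

def needs_isolation(details_output):
    """Use Get Endpoint Details to decide whether Isolate Endpoint is worth calling:
    skip endpoints that are already isolated, and do not queue the action for a
    disconnected agent that cannot receive it."""
    r = unwrap(details_output)
    if r.get("endpoint_status") != "CONNECTED":
        return False
    return r.get("is_isolated") == "AGENT_UNISOLATED"

def operational_errors(details_output):
    """operational_status_description is a JSON string nested inside the JSON result,
    so it must be decoded a second time before its error codes can be read."""
    desc = unwrap(details_output).get("operational_status_description")
    if not desc:
        return []
    return [int(entry["error_code"]) for entry in json.loads(desc)]

def action_state(status_output, action_id):
    """Isolate/Scan Endpoint Status keys the outcome by the action id itself rather
    than a fixed field name, so the id from the earlier result selects the value."""
    if status_output.get("has_error"):
        raise RuntimeError(f"status lookup failed: {status_output.get('error')}")
    return status_output.get(str(action_id), "UNKNOWN")

def follow_up(isolate_output, status_output):
    """Chain the two actions: take action_id from Isolate Endpoint, then read its state."""
    action_id = unwrap(isolate_output)["action_id"]
    return action_id, action_state(status_output, action_id)
```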

Release Notes

  • v3.0.0 - Updated architecture to support IO via filesystem