Cortex XDR
Cortex XDR stitches together data from the endpoint, network, and cloud in a robust data lake. Applying advanced machine learning and analytics, it identifies threats and benign events with superior accuracy and gives analysts contextualized information, simplifying and accelerating investigations. This integration supports 'public_api/v1' endpoint.
Connect Cortex XDR with Devo SOAR
Navigate to Automations > Integrations.
Search for Cortex XDR.
Click Details, then the + icon. Enter the required information in the following fields.
Label: Enter a connection name.
Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com where, hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
Verify SSL: Select option to verify connecting server's SSL certificate (Default is Verify SSL Certificate).
Remote Agent: Run this integration using the Devo SOAR Remote Agent.
URL: URL to your Cortex XDR instance.
API Key ID: API key ID for Cortex XDR.
API Key: API key for Cortex XDR.
After you've entered all the details, click Connect.
Actions for Cortex XDR
Isolate Endpoint
Isolates the specified endpoint.
Input Field
Input Name | Description | Required |
---|---|---|
Endpoint Hostname or IP | Column name from parent table that contains endpoint Hostname or IP. | Required |
Output
A JSON object containing multiple rows of result:
has_error: True/False
error: message/null
result: {
"action_id":"",
"status": "1",
"endpoints_count": "1"
}
Isolate Endpoint Status
Returns the status of the isolate operation.
Input Field
Input Name | Description | Required |
---|---|---|
Action Id | Column name from parent table that contains the ID of isolate operation submitted to Cortex XDR. | Required |
Output
A JSON object containing multiple rows of result:
has_error: True/False
error: message/null
\<ACTION ID>: "COMPLETED_SUCCESSFULLY"
Unisolate Endpoint
Un-Isolate the specified endpoint.
Input Field
Input Name | Description | Required |
---|---|---|
Endpoint Hostname or IP | Column name from parent table that contains endpoint Hostname or IP. | Required |
Output
A JSON object containing multiple rows of result:
has_error: True/False
error: message/null
result: {
"action_id":"",
"status": "1",
"endpoints_count": "1"
}
Scan Endpoint
Performs a scan operation on the specified endpoint.
Input Field
Input Name | Description | Required |
---|---|---|
Endpoint Hostname or IP | Column name from parent table that contains endpoint Hostname or IP. | Required |
Output
A JSON object containing multiple rows of result:
has_error: True/False
error: message/null
result: {
"action_id":"",
"status": "1",
"endpoints_count": "1"
}
Scan Endpoint Status
Returns the status of the scan operation.
Input Field
Input Name | Description | Required |
---|---|---|
Action Id | Column name from parent table that contains the ID of isolate operation submitted to Cortex XDR. | Required |
Output
A JSON object containing multiple rows of result:
has_error: True/False
error: message/null
\<ACTION ID>: "COMPLETED_SUCCESSFULLY"
Get Endpoint Details
Returns details for the specified endpoint.
Input Field
Input Name | Description | Required |
---|---|---|
Endpoint Hostname or IP | Column name from parent table that contains endpoint Hostname or IP. | Required |
Output
A JSON object containing multiple rows of result:
has_error: True/False
error: message/null
result: {
"endpoint_id":"",
"endpoint_name":"",
"endpoint_type":"",
"endpoint_status":"CONNECTED",
"os_type":"AGENT_OS_WINDOWS",
"ip":[
""
],
"users":[
"XDR"
],
"domain":"WORKGROUP",
"alias":"",
"first_seen":1606218761377,
"last_seen":1606218769163,
"content_version":"",
"installation_package":"XDR",
"active_directory":null,
"install_date":1606218762089,
"endpoint_version":"",
"is_isolated":"AGENT_UNISOLATED",
"isolated_date":null,
"group_name":[],
"operational_status":"PARTIALLY_PROTECTED",
"operational_status_description":"[{\"name\": \"generalStatus\", \"error_code\": 10004}]",
"scan_status":"SCAN_STATUS_NONE"
}
Release Notes
v3.0.0
- Updated architecture to support IO via filesystem