This Integration is part of the Cortex XDR by Palo Alto Networks Pack.

Cortex XDR is the world's first detection and response app that natively integrates network, endpoint, and cloud data to stop sophisticated attacks. This integration was integrated and tested with version 2.6.5 of Cortex XDR - IR.

## Configure Palo Alto Networks Cortex XDR - Investigation and Response on Cortex XSOAR

### Configuration

You need to collect several pieces of information in order to configure the integration on Cortex XSOAR.

#### Generate an API Key and API Key ID
#### URL
## Playbooks

### Cortex XDR Incident Handling

The playbook syncs and updates the new XDR alerts that make up the incident. It enriches indicators using Threat Intelligence integrations and Palo Alto Networks AutoFocus. The incident's severity is then updated based on the indicators' reputation and an analyst is assigned for manual investigation. If chosen, automated remediation with the Palo Alto Networks firewall is initiated. After a manual review by the SOC analyst, the XDR incident is closed automatically.

## Use Cases

## Automation

To sync incidents between Cortex XSOAR and Cortex XDR, use the XDRSyncScript script, which you can find on the Automation page.

## Fetched Incidents Data

## XDR Incident Mirroring

Note: this feature is available from Cortex XSOAR version 6.0.0.

You can enable incident mirroring between Cortex XSOAR incidents and Cortex XDR incidents. To set up the mirroring, follow these instructions:

## XDR Mirroring Notes, Limitations and Troubleshooting
## Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

### xdr-get-incidents

Returns a list of incidents, which you can filter by a list of incident IDs (max. 100), the time the incident was last modified, and the time the incident was created. If you pass multiple filtering arguments, they are combined with AND; OR across arguments is not supported.

#### Base Command

#### Input

#### Context Output

| **Path** | **Type** | **Description** |
| --- | --- | --- |
| (path not preserved) | (type not preserved) | ... "low", "medium", "high" |
| PaloAltoNetworksXDR.Incident.low_severity_alert_count | String | Number of alerts with the severity LOW. |
| PaloAltoNetworksXDR.Incident.status | String | Current status of the incident. Valid values are: "new", "under_investigation", "resolved_known_issue", "resolved_duplicate", "resolved_false_positive", "resolved_true_positive", "resolved_security_testing" or "resolved_other". |
| PaloAltoNetworksXDR.Incident.starred | Boolean | Incident starred. |
| PaloAltoNetworksXDR.Incident.description | String | Dynamically calculated description of the incident. |
| PaloAltoNetworksXDR.Incident.resolve_comment | String | Comments entered by the user when the incident was resolved. |
| PaloAltoNetworksXDR.Incident.notes | String | Comments entered by the user regarding the incident. |
| PaloAltoNetworksXDR.Incident.creation_time | date | Date and time the incident was created on XDR. |
| PaloAltoNetworksXDR.Incident.detection_time | date | Date and time that the first alert occurred in the incident. |
| PaloAltoNetworksXDR.Incident.modification_time | date | Date and time that the incident was last modified. |

#### Command Example

#### Context Example

#### Human Readable Output
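The AND-only rule and the 100-ID cap above are easy to get wrong when an automation assembles filters dynamically. The following is an added example, not the integration's own code: it builds the request the command sends, refuses inputs the API would reject, and shows the client-side union that stands in for the unsupported OR. The field names (`incident_id_list`, `modification_time`, `creation_time`), operators (`in`, `gte`, `lte`) and the `request_data` / `search_from` / `search_to` envelope are my reading of the Cortex XDR public API for get_incidents and are assumptions here; the sample result sets are constructed.

```python
"""Filter construction for xdr-get-incidents. Added example; field and
operator names are assumed from the Cortex XDR public API."""
MAX_INCIDENT_IDS = 100   # per the command description above
MAX_PAGE = 100


def build_filters(incident_ids=None, modified_after_ms=None, modified_before_ms=None,
                  created_after_ms=None, created_before_ms=None):
    """Each criterion becomes one filter entry; the server ANDs the entries.
    The only OR available is the value list inside a single "in" filter."""
    filters = []
    if incident_ids is not None:
        ids = [str(i) for i in incident_ids]
        if not ids:
            raise ValueError("incident_ids must not be empty")
        if len(ids) > MAX_INCIDENT_IDS:
            raise ValueError(f"at most {MAX_INCIDENT_IDS} incident IDs per request")
        filters.append({"field": "incident_id_list", "operator": "in", "value": ids})
    # Time filters are epoch milliseconds (assumed); gte/lte bound the window.
    for field, op, val in (("modification_time", "gte", modified_after_ms),
                           ("modification_time", "lte", modified_before_ms),
                           ("creation_time", "gte", created_after_ms),
                           ("creation_time", "lte", created_before_ms)):
        if val is not None:
            filters.append({"field": field, "operator": op, "value": int(val)})
    return filters


def incidents_request(offset=0, limit=MAX_PAGE, **criteria):
    """Full request body; offset is zero-based, pages are capped at 100."""
    if offset < 0 or not 0 < limit <= MAX_PAGE:
        raise ValueError("offset must be >= 0 and 0 < limit <= 100")
    return {"request_data": {
        "filters": build_filters(**criteria),
        "search_from": offset,
        "search_to": offset + limit,
        "sort": {"field": "creation_time", "keyword": "desc"},
    }}


def union_incidents(*result_sets):
    """OR across different fields is not supported server-side: run one
    request per condition and merge the results client-side by incident_id,
    keeping the first copy of each incident."""
    merged = {}
    for results in result_sets:
        for incident in results:
            merged.setdefault(incident["incident_id"], incident)
    return list(merged.values())
```

When an automation needs more than 100 IDs, split the ID list into chunks of 100 and issue one request per chunk; when it needs "modified since X or created since Y", issue both requests and pass the two result lists to `union_incidents`, because the API will AND the two time filters rather than OR them.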
### xdr-get-incident-extra-data

Returns additional data for the specified incident, for example related alerts, file artifacts, network artifacts, and so on.

#### Base Command

#### Input

#### Context Output

#### Command Example

#### Context Example

#### Human Readable Output
### (command name not preserved)

#### Base Command

#### Input

#### Context Output

There is no context output for this command.

### xdr-insert-parsed-alert

Uploads alerts from external alert sources in Cortex XDR format. Cortex XDR displays alerts that are parsed successfully in related incidents and views. You can send 600 alerts per minute. Each request can contain a maximum of 60 alerts.

#### Base Command

#### Input

#### Context Output

There is no context output for this command.

### xdr-insert-cef-alerts

Uploads alerts in CEF format from external alert sources. After you map CEF alert fields to Cortex XDR fields, Cortex XDR displays the alerts in related incidents and views. You can send 600 requests per minute. Each request can contain a maximum of 60 alerts.

#### Base Command

#### Input

#### Context Output

There is no context output for this command.

### xdr-endpoint-isolate

Isolates the specified endpoint.

#### Base Command

#### Input

#### Context Output
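The two alert-upload commands above (xdr-insert-parsed-alert and xdr-insert-cef-alerts) both cap a request at 60 alerts and both are rate limited per minute, so a bulk import that naively loops over its source will be throttled partway through. The block below is an added example, not the integration's code: it chunks alerts into request-sized batches and holds a batch back whenever the trailing 60-second window would exceed the budget. It uses the stricter reading of the two limits (600 alerts per minute), which satisfies both commands. The `post` callable stands in for whatever transport you use and is an assumption, as is the `{"request_data": {"alerts": [...]}}` envelope; the alerts in `simulate` are constructed.

```python
"""Batching and pacing for Cortex XDR alert uploads. Added example; the
request envelope and the post() transport are assumptions."""
import time

MAX_ALERTS_PER_REQUEST = 60   # per the command descriptions above
MAX_ALERTS_PER_MINUTE = 600


def chunk(items, size=MAX_ALERTS_PER_REQUEST):
    """Split a list into consecutive batches of at most `size` items."""
    if size <= 0:
        raise ValueError("size must be positive")
    return [items[i:i + size] for i in range(0, len(items), size)]


def send_in_batches(alerts, post, sleep=time.sleep, now=time.monotonic,
                    per_request=MAX_ALERTS_PER_REQUEST,
                    per_minute=MAX_ALERTS_PER_MINUTE):
    """Post `alerts` in batches, sleeping before any batch that would push
    the count sent in the last 60 s over `per_minute`. Returns the number
    of requests made. sleep/now are injectable for dry runs and tests."""
    if per_request > per_minute:
        raise ValueError("a single request may not exceed the per-minute budget")
    recent = []  # (send time, alert count) for batches inside the window
    requests = 0
    for batch in chunk(alerts, per_request):
        while True:
            t = now()
            recent = [(ts, n) for ts, n in recent if t - ts < 60]
            if sum(n for _, n in recent) + len(batch) <= per_minute:
                break
            oldest = min(ts for ts, _ in recent)   # non-empty: budget exceeded
            sleep(60 - (t - oldest))               # wait for it to leave the window
        post({"request_data": {"alerts": batch}})
        recent.append((now(), len(batch)))
        requests += 1
    return requests


def simulate(n_alerts):
    """Dry run against a fake clock with constructed alerts.
    Returns (requests made, batch sizes, simulated seconds elapsed)."""
    clock = [0.0]
    sizes = []

    def fake_sleep(seconds):
        clock[0] += seconds

    alerts = [{"alert_name": f"constructed-alert-{i}"} for i in range(n_alerts)]
    requests = send_in_batches(
        alerts,
        post=lambda body: sizes.append(len(body["request_data"]["alerts"])),
        sleep=fake_sleep,
        now=lambda: clock[0],
    )
    return requests, sizes, clock[0]
```

`simulate(700)` shows the behaviour: ten full batches go out immediately, the eleventh waits a minute for the window to clear, and the remaining 40 alerts follow at once. Keep the pacing on the client side rather than retrying on rate-limit errors, since a burst that is rejected still counts against the source system's time budget and can interleave with the integration's own fetch traffic to the same tenant.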
### xdr-endpoint-unisolate

Reverses the isolation of an endpoint.

#### Base Command

#### Input

#### Context Output

### xdr-get-endpoints

Gets a list of endpoints, according to the passed filters. If there are no filters, all endpoints are returned. Filtering by multiple fields combines them with AND (OR is not supported). The maximum result set size is 100. Offset is the zero-based index of the first endpoint to return, counted from the start of the result set.

#### Base Command

#### Input

#### Context Output

#### Command Example

#### Context Example

#### Human Readable Output
### xdr-get-distribution-versions

Gets a list of all the agent versions to use for creating a distribution list.

#### Base Command

#### Input

There are no input arguments for this command.

#### Context Output

#### Command Example

#### Context Example

#### Human Readable Output

### xdr-create-distribution

Creates an installation package. This is an asynchronous call that returns the distribution ID. A returned ID does not mean that the creation succeeded. To confirm that the package has been created, check the status of the distribution with the xdr-get-create-distribution-status command (the Get Distribution Status API).

#### Base Command

#### Input

#### Context Output

#### Command Example

#### Context Example

#### Human Readable Output

Distribution 43aede7f846846fa92b50149663fbb25 created successfully

### xdr-get-distribution-url

Gets the distribution URL for downloading the installation package.

#### Base Command

#### Input

#### Context Output

#### Command Example
### xdr-get-create-distribution-status

Gets the status of the installation package.

#### Base Command

#### Input

#### Context Output

#### Command Example

#### Context Example

#### Human Readable Output

### xdr-get-audit-management-logs

Gets management logs. You can filter by multiple fields, which are combined with AND (OR is not supported). The maximum result set size is 100. Offset is the zero-based index of the first log entry to return, counted from the start of the result set.

#### Base Command

#### Input

#### Context Output

### xdr-get-audit-agent-reports

Gets agent event reports. You can filter by multiple fields, which are combined with AND (OR is not supported). The maximum result set size is 100. Offset is the zero-based index of the first report to return, counted from the start of the result set.

#### Base Command

#### Input

#### Context Output
### xdr-blocklist-files

Adds the requested files to the block list if they are not already on the block list or the allow list.

#### Base Command

#### Input

#### Context Output

### xdr-allowlist-files

Adds the requested files to the allow list if they are not already on the block list or the allow list.

#### Base Command

#### Input

#### Context Output

### xdr-file-quarantine

Quarantines a file on selected endpoints. You can select up to 1000 endpoints.

#### Base Command

#### Input

#### Context Output

There is no context output for this command.

### xdr-get-quarantine-status

Retrieves the quarantine status for a selected file.

#### Base Command

#### Input

#### Context Output

There is no context output for this command.

### xdr-file-restore

Restores a quarantined file on the requested endpoints.

#### Base Command

#### Input

#### Context Output

There is no context output for this command.

### xdr-endpoint-scan-execute

Runs a scan on a selected endpoint. To scan all endpoints, run this command with the argument all=true. Note that scanning all endpoints may cause performance issues and latency.

#### Base Command

#### Input

#### Context Output

### xdr-endpoint-scan-abort

Cancels the scan of selected endpoints. A scan can only be aborted if the selected endpoints are Pending or In Progress. To abort the scan on all endpoints, run the command with the argument all=true (as with xdr-endpoint-scan-execute, all=true targets every endpoint, and scanning all endpoints may cause performance issues and latency).

#### Base Command

#### Input

#### Context Output
### get-mapping-fields

Gets the mapping fields from the remote incident. Note that this method does not update the current incident; it is provided for debugging purposes.

#### Base Command

#### Input

There are no input arguments for this command.

#### Context Output

There is no context output for this command.

### get-remote-data

Gets remote data from a remote incident. Note that this method does not update the current incident; it is provided for debugging purposes.

#### Base Command

#### Input

#### Context Output

There is no context output for this command.

### get-modified-remote-data

Gets the list of incidents that were modified since the last update. Note that this method is provided for debugging purposes. get-modified-remote-data is used as part of the mirroring feature, which is available since version 6.1.

#### Base Command

#### Input

#### Context Output

There is no context output for this command.

### xdr-get-policy

Gets the policy name for a specific endpoint.

#### Base Command

#### Input

#### Context Output

### xdr-get-scripts

Gets a list of scripts available in the scripts library.

#### Base Command

#### Input

#### Context Output

### xdr-delete-endpoints

Deletes selected endpoints in the Cortex XDR app. You can delete up to 1000 endpoints.

#### Base Command

#### Input

#### Context Output

There is no context output for this command.

### xdr-get-endpoint-device-control-violations

Gets a list of device control violations filtered by selected fields. You can retrieve up to 100 violations.

#### Base Command

#### Input

#### Context Output
### xdr-file-retrieve

Retrieves files from selected endpoints. You can retrieve up to 20 files, from no more than 10 endpoints. At least one endpoint ID and one file path are necessary in order to run the command. The call is asynchronous: after running it, use the xdr-action-status-get command with the returned action_id to check the action status.

#### Base Command

#### Input

#### Context Output

### xdr-retrieve-file-details

Views the file retrieved by the xdr-file-retrieve command according to the action ID. Before running this command, use the xdr-action-status-get command to check that the action completed successfully.

#### Base Command

#### Input

#### Context Output
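The two commands above describe a submit-then-poll pattern: xdr-file-retrieve returns an action_id immediately, xdr-action-status-get reports per-endpoint progress, and xdr-retrieve-file-details only makes sense once the action is terminal. The same pattern applies to the script-execution commands later on the page (xdr-run-script and xdr-get-script-execution-status). The following is an added example, not the integration's code: it enforces the stated limits (1 to 10 endpoints, 1 to 20 files) before submitting, and polls with exponential backoff until every endpoint has a terminal status or a timeout expires. The request envelope (`endpoint_id_list`, `files` keyed by OS) and the status names are my reading of the Cortex XDR public API and are assumptions; `get_status` is an injected callable standing in for the status lookup, and the status sequence in `simulate_poll` is constructed.

```python
"""Submit-then-poll for Cortex XDR endpoint actions. Added example; the
request envelope and status names are assumptions."""
import time

MAX_ENDPOINTS = 10   # per the xdr-file-retrieve description above
MAX_FILES = 20
# Assumed terminal statuses; anything else means the action is still running.
TERMINAL = {"COMPLETED_SUCCESSFULLY", "FAILED", "TIMEOUT", "CANCELED", "ABORTED", "EXPIRED"}


def build_retrieve_request(endpoint_ids, files_by_os):
    """Validate the limits client-side and build the request body.
    files_by_os maps "windows" / "linux" / "macos" to lists of paths."""
    ids = list(dict.fromkeys(endpoint_ids))  # de-duplicate, keep order
    n_files = sum(len(paths) for paths in files_by_os.values())
    if not 1 <= len(ids) <= MAX_ENDPOINTS:
        raise ValueError(f"need between 1 and {MAX_ENDPOINTS} endpoint IDs")
    if not 1 <= n_files <= MAX_FILES:
        raise ValueError(f"need between 1 and {MAX_FILES} file paths")
    unknown = set(files_by_os) - {"windows", "linux", "macos"}
    if unknown:
        raise ValueError(f"unknown OS keys: {sorted(unknown)}")
    return {"request_data": {"endpoint_id_list": ids, "files": dict(files_by_os)}}


def wait_for_action(action_id, get_status, sleep=time.sleep, timeout_s=600.0,
                    first_delay_s=2.0, max_delay_s=30.0):
    """Poll get_status(action_id) -> {endpoint_id: status} with exponential
    backoff. Returns (done, statuses): done is True only when every endpoint
    reached a terminal status, which includes FAILED, so callers must still
    inspect the statuses before fetching results."""
    waited = 0.0
    delay = first_delay_s
    statuses = {}
    while True:
        statuses = dict(get_status(action_id))
        if statuses and all(s in TERMINAL for s in statuses.values()):
            return True, statuses
        if waited >= timeout_s:
            return False, statuses
        sleep(delay)
        waited += delay
        delay = min(delay * 2, max_delay_s)


def simulate_poll():
    """Constructed status sequence: one endpoint finishes, the other lags
    and finally fails. Returns (done, statuses, polls made, sleeps taken)."""
    sequence = [
        {"ep-1": "PENDING", "ep-2": "PENDING"},
        {"ep-1": "IN_PROGRESS", "ep-2": "PENDING"},
        {"ep-1": "COMPLETED_SUCCESSFULLY", "ep-2": "IN_PROGRESS"},
        {"ep-1": "COMPLETED_SUCCESSFULLY", "ep-2": "FAILED"},
    ]
    calls = []
    slept = []

    def fake_status(action_id):
        calls.append(action_id)
        return sequence[min(len(calls) - 1, len(sequence) - 1)]

    done, statuses = wait_for_action("act-1", fake_status, sleep=slept.append)
    return done, statuses, len(calls), slept
```

Note what `done` means: in `simulate_poll` the action is terminal even though ep-2 failed, so xdr-retrieve-file-details will only have files for ep-1. A playbook that treats "action finished" as "files retrieved" will silently miss the failed endpoint; branch on the per-endpoint statuses instead, and keep a timeout so an endpoint that goes offline mid-action does not stall the incident indefinitely.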
### xdr-get-script-metadata

Gets the full definition of a specific script in the scripts library.

#### Base Command

#### Input

#### Context Output

### xdr-get-script-code

Gets the code of a specific script in the scripts library.

#### Base Command

#### Input

#### Context Output

### xdr-action-status-get

Retrieves the status of the requested actions according to the action ID.

#### Base Command

#### Input

#### Context Output

### xdr-run-script

Initiates a new endpoint script execution action using a script from the script library.

#### Base Command

#### Input

#### Context Output

### xdr-snippet-code-script-execute

Initiates a new endpoint script execution action using the provided snippet code. Like xdr-script-commands-execute, this runs code you supply on the endpoint; treat the ability to invoke it as a privileged operation and restrict who can run it accordingly.

#### Base Command

#### Input

#### Context Output

### xdr-get-script-execution-status

Retrieves the status of a script execution action.

#### Base Command

#### Input

#### Context Output

### xdr-get-script-execution-results

Retrieves the results of a script execution action.

#### Base Command

#### Input

#### Context Output

### xdr-get-script-execution-result-files

Gets the files retrieved from a specific endpoint during a script execution.

#### Base Command

#### Input

#### Context Output

### xdr-script-commands-execute

Initiates a new endpoint script execution of shell commands.

#### Base Command

#### Input

#### Context Output

### xdr-file-delete-script-execute

Initiates a new endpoint script execution to delete the specified file.

#### Base Command

#### Input

#### Context Output

### xdr-file-exist-script-execute

Initiates a new endpoint script execution to check whether a file exists.

#### Base Command

#### Input

#### Context Output

### xdr-kill-process-script-execute

Initiates a new endpoint script execution to kill a process.

#### Base Command

#### Input

#### Context Output
### endpoint

Returns information about an endpoint.

#### Base Command

#### Input

#### Context Output

### xdr-get-endpoints-by-status

Returns the number of connected and disconnected endpoints.

#### Base Command

#### Input

#### Context Output

### xdr-get-cloud-original-alerts

Returns information about each alert ID.

#### Base Command

#### Input

#### Context Output

### xdr-remove-allowlist-files

Removes the requested files from the allow list.

#### Base Command

#### Input

#### Context Output

### xdr-remove-blocklist-files

Removes the requested files from the block list.

#### Base Command

#### Input

#### Context Output

There is no context output for this command.

### xdr-get-alerts

Returns a list of alerts and their metadata, which you can filter by the built-in arguments or by passing a JSON filter object in custom_filter. Multiple filter arguments are combined with AND, while arguments that accept a comma-separated list of values use OR between the values of that list.

#### Base Command

#### Input

#### Context Output

### xdr-get-contributing-event

Retrieves contributing events for a specific alert.

#### Base Command

#### Input

#### Context Output
#### Command Example

#### Context Example

#### Human Readable Output

### xdr-replace-featured-field

Replaces the featured hosts, users, IP addresses or Active Directory groups listed in your environment.

#### Base Command

#### Input

#### Context Output

#### Command Example

#### Context Example

#### Human Readable Output

### xdr-script-run

Initiates a new endpoint script execution action using a script from the script library. The deprecation notice "This command will soon be deprecated; prefer xdr-script-run instead" belongs to the older xdr-run-script command listed above, which this command supersedes; xdr-script-run is the one to prefer.

#### Base Command

#### Input

#### Context Output

#### Command Example

#### Human Readable Output
#### Context Example