
This Integration is part of the Cortex XDR by Palo Alto Networks Pack.#

Cortex XDR is the world's first detection and response app that natively integrates network, endpoint, and cloud data to stop sophisticated attacks. This integration was integrated and tested with version 2.6.5 of Cortex XDR - IR


Configure Palo Alto Networks Cortex XDR - Investigation and Response on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for Palo Alto Networks Cortex XDR - Investigation and Response.

  3. Click Add instance to create and configure a new integration instance.

    | Parameter | Description | Required |
    | --- | --- | --- |
    | Fetch incidents |  | False |
    | Incident type |  | False |
    | Incident Mirroring Direction |  | False |
    | Server URL (copy URL from XDR - click ? to see more info.) |  | True |
    | API Key ID |  | True |
    | API Key |  | True |
    | Only fetch starred incidents |  | False |
    | Starred incidents fetch window |  | False |
    | HTTP Timeout | The timeout of the HTTP requests sent to the Cortex XDR API (in seconds). | False |
    | Maximum number of incidents per fetch | The maximum number of incidents per fetch. Cannot exceed 100. | False |
    | First fetch timestamp |  | False |
    | Sync Incident Owners | For Cortex XSOAR version 6.0.0 and above. If selected, the incident owner is synced for every incident fetched from Cortex XDR to Cortex XSOAR. Note that once an owner change has been synchronized between the systems, a further change in the other direction is not reflected. For example, if you change the owner in Cortex XSOAR, the new owner is also set in Cortex XDR; if you then change the owner back in Cortex XDR, that change is not reflected in Cortex XSOAR. For the sync to work at all, the owners must exist in both Cortex XSOAR and Cortex XDR. | False |
    | Trust any certificate (not secure) |  | False |
    | Use system proxy settings |  | False |
    | Incident Statuses to Fetch | The statuses of the incidents that will be fetched. If no status is provided, incidents of all statuses are fetched. Note: An incident whose status was changed to a filtered status after its creation time will not be fetched. | False |
  4. Click Test to validate the URLs, token, and connection.

Configuration#


You need to collect several pieces of information in order to configure the integration on Cortex XSOAR.

Generate an API Key and API Key ID#

  1. In your Cortex XDR platform, go to Settings.
  2. Click the +New Key button in the top right corner.
  3. Generate a key of type Advanced.
  4. Copy and paste the key.
  5. From the ID column, copy the Key ID.

URL#

  1. In your Cortex XDR platform, go to Settings.
  2. Click the Copy URL button in the top right corner.
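The steps above ask for a key of type Advanced. What that means on the wire, as an added example (not code from the integration or from Palo Alto Networks): the key itself is never sent; each request carries a random nonce, a millisecond timestamp and the SHA-256 of key + nonce + timestamp, while x-xdr-auth-id carries the Key ID so the API can look the key up. The verify function is a server-style check included to make the property concrete; its 5-minute skew window is an assumption for this example, not a value documented for Cortex XDR. The Server URL copied above is the base for the request these headers go on.

```python
"""Headers for a Cortex XDR Advanced API key, plus a server-style check of them."""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional


def advanced_key_headers(api_key: str, api_key_id: str,
                         nonce: Optional[str] = None,
                         timestamp_ms: Optional[int] = None) -> Dict[str, str]:
    """An Advanced key is never sent on the wire. The request carries a random nonce,
    a millisecond timestamp and sha256(api_key + nonce + timestamp); the API looks up
    the key by x-xdr-auth-id and recomputes the hash."""
    nonce = nonce or secrets.token_hex(32)            # 64 random hex characters
    timestamp_ms = int(time.time() * 1000) if timestamp_ms is None else timestamp_ms
    digest = hashlib.sha256(f"{api_key}{nonce}{timestamp_ms}".encode("utf-8")).hexdigest()
    return {
        "x-xdr-timestamp": str(timestamp_ms),
        "x-xdr-nonce": nonce,
        "x-xdr-auth-id": str(api_key_id),
        "Authorization": digest,
        "Content-Type": "application/json",
    }


def verify_advanced_headers(api_key: str, headers: Dict[str, str],
                            now_ms: Optional[int] = None,
                            max_skew_ms: int = 5 * 60 * 1000) -> bool:
    """What a verifier has to do with such a request: reject stale timestamps (bounds
    replay), recompute the hash, compare in constant time. The 5-minute skew window is
    an assumption for this example, not a value documented for Cortex XDR."""
    try:
        ts = int(headers["x-xdr-timestamp"])
        nonce = headers["x-xdr-nonce"]
        presented = headers["Authorization"]
    except (KeyError, ValueError):
        return False
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    if abs(now_ms - ts) > max_skew_ms:
        return False
    expected = hashlib.sha256(f"{api_key}{nonce}{ts}".encode("utf-8")).hexdigest()
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    # Constructed credentials for the demo; never paste a real key into source.
    headers = advanced_key_headers("example-api-key", "7")
    print({k: (v[:12] + "...") if k == "Authorization" else v for k, v in headers.items()})
    print("verifies:", verify_advanced_headers("example-api-key", headers))
```

Because the hash covers the timestamp, a captured request is only replayable inside the verifier's skew window, and a captured Authorization value reveals nothing about the key; a Standard key sends the key itself in that header on every call.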

Playbooks#


Cortex XDR Incident Handling#

The playbook syncs and updates the new XDR alerts that make up the incident. It enriches indicators using Threat Intelligence integrations and Palo Alto Networks AutoFocus. The incident's severity is then updated based on the indicators' reputation, and an analyst is assigned for manual investigation. If chosen, automated remediation with a Palo Alto Networks firewall is initiated. After manual review by the SOC analyst, the XDR incident is closed automatically.

Use Cases#


  • Fetch incidents from XDR
  • Enrich incident with alerts and incident from XDR
  • Update incident in XDR
  • Search for endpoints
  • Isolate/unisolate endpoints
  • Insert parsed alerts into XDR
  • Insert CEF alerts into XDR
  • Query for agent audit reports
  • Query for audit management logs
  • Create distribution
  • Get distribution download URL
  • Get distribution versions

Automation#


To sync incidents between Cortex XSOAR and Cortex XDR without mirroring, you can use the XDRSyncScript script, which you can find on the Automation page. Do not combine it with incident mirroring: as the mirroring notes below state, XDRSyncScript and the playbooks built on it impair the mirroring functionality.

Fetched Incidents Data#


  • Note: By checking the Fetch incident alerts and artifacts integration configuration parameter, fetched incidents will include additional data.

XDR Incident Mirroring#

Note this feature is available from Cortex XSOAR version 6.0.0

You can enable incident mirroring between Cortex XSOAR incidents and Cortex XDR incidents. To setup the mirroring follow these instructions:

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Cortex XDR - IR and select your integration instance.
  3. Enable Fetches incidents.
  4. Under Mapper (incoming), select Cortex XDR - Incoming Mapper.
  5. Under Mapper (outgoing), select Cortex XDR - Outgoing Mapper.
  6. In the Incident Mirroring Direction integration parameter, select the direction in which incidents should be mirrored:
     • Incoming - Any changes in XDR incidents will be reflected in XSOAR incidents.
     • Outgoing - Any changes in XSOAR incidents will be reflected in XDR incidents.
     • Both - Changes in XSOAR and XDR incidents will be reflected in both directions.
     • None - Choose this to turn off incident mirroring.
  7. Optional: Check the Sync Incident Owners integration parameter to sync the incident owners in both XDR and XSOAR.
     • Note: This feature will only work if the same users are registered in both Cortex XSOAR and Cortex XDR.
  8. Newly fetched incidents will be mirrored in the chosen direction.
     • Note: This will not affect existing incidents.

XDR Mirroring Notes, limitations and Troubleshooting#

  • Each incident field can be mirrored in only one direction at a time, even when mirroring is enabled in both directions. For example, given an incident with two fields (A and B) in XDR and XSOAR, with Incoming And Outgoing mirroring selected:

    • Field A can be mirrored from XDR to XSOAR and field B from XSOAR to XDR.
    • Changes to field A cannot be mirrored in both directions.

    Initially all fields are mirrored in from XDR to XSOAR. Once a field is changed in XSOAR, it can only be mirrored out.

  • Do not use the XDRSyncScript automation or any playbook that uses it (e.g., Cortex XDR Incident Sync or Cortex XDR incident handling v2), as it impairs the mirroring functionality.

  • When migrating an existing instance to the mirroring feature, or if mirroring does not work as expected, make sure that:

    • The default playbook of the Cortex XDR Incident incident type is not Cortex XDR Incident Sync; change it to a playbook that does not use XDRSyncScript.
    • The XDR integration instance incoming mapper is set to Cortex XDR - Incoming Mapper and the outgoing mapper is set to Cortex XDR - Outgoing Mapper.
  • The API enforces a rate limit of 10 requests per minute. If the limit is exceeded, the sync loop stops and resumes from the last incident on the next run.

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

xdr-get-incidents#


Returns a list of incidents, which you can filter by a list of incident IDs (max. 100), the time the incident was last modified, and the time the incident was created. If you pass multiple filtering arguments, they will be concatenated using the AND condition. The OR condition is not supported.
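How the command's semantics translate into a request, as an added example rather than code from the integration: every argument becomes one entry in a filter list that the API ANDs together (there is no way to express OR), incident_id_list is capped at 100, and the result set is walked 100 at a time. The fetch loop also shows the checkpointing the mirroring notes describe for the 10-requests-per-minute rate limit: on a rate-limit error it stops and returns the page to resume from, so nothing is skipped or double-counted. The request envelope (request_data with filters, search_from, search_to and sort) is the public API's shape as I understand it and is assumed here rather than documented on this page; the transport is a constructed fake so the block runs offline.

```python
"""Translate xdr-get-incidents-style arguments into a get_incidents request and
page through the results, checkpointing when the API rate limit is hit."""
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional, Tuple

PAGE_SIZE = 100          # API maximum per page, and the cap on incident_id_list
Incident = Dict[str, object]


class RateLimited(Exception):
    """Raised by the transport when the API rejects a call for rate limiting."""


def to_epoch_ms(value: str) -> int:
    """'2019-12-31T23:59:00' (interpreted as UTC) -> epoch milliseconds."""
    dt = datetime.strptime(value, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp() * 1000)


def build_request(gte_creation_time: Optional[str] = None,
                  lte_creation_time: Optional[str] = None,
                  gte_modification_time: Optional[str] = None,
                  lte_modification_time: Optional[str] = None,
                  incident_id_list: Optional[str] = None,
                  status: Optional[str] = None,
                  starred: Optional[bool] = None,
                  sort_field: str = "creation_time",
                  sort_keyword: str = "desc") -> dict:
    """Every filter given is ANDed, matching the command's semantics (no OR)."""
    filters: List[dict] = []
    for field, op, val in (("creation_time", "gte", gte_creation_time),
                           ("creation_time", "lte", lte_creation_time),
                           ("modification_time", "gte", gte_modification_time),
                           ("modification_time", "lte", lte_modification_time)):
        if val is not None:
            filters.append({"field": field, "operator": op, "value": to_epoch_ms(val)})
    if incident_id_list:
        ids = [i.strip() for i in incident_id_list.split(",") if i.strip()]
        if len(ids) > PAGE_SIZE:
            raise ValueError("at most 100 incident IDs per request")
        filters.append({"field": "incident_id_list", "operator": "in", "value": ids})
    if status:
        filters.append({"field": "status", "operator": "eq", "value": status})
    if starred is not None:
        filters.append({"field": "starred", "operator": "eq", "value": starred})
    # Envelope assumed from the public API; not documented on this page.
    return {"request_data": {"filters": filters, "search_from": 0, "search_to": PAGE_SIZE,
                             "sort": {"field": sort_field, "keyword": sort_keyword}}}


def fetch_incidents(post: Callable[[dict], dict], request: dict,
                    start_page: int = 0) -> Tuple[List[Incident], Optional[int]]:
    """Walk the pages. Returns (incidents, next_page): next_page is None when the
    result set is exhausted, or the page to resume from after a RateLimited error."""
    collected: List[Incident] = []
    page = start_page
    while True:
        req = {"request_data": {**request["request_data"],
                                "search_from": page * PAGE_SIZE,
                                "search_to": (page + 1) * PAGE_SIZE}}
        try:
            reply = post(req)["reply"]
        except RateLimited:
            return collected, page        # checkpoint: nothing from this page was consumed
        collected.extend(reply.get("incidents", []))
        if (page + 1) * PAGE_SIZE >= reply["total_count"]:
            return collected, None
        page += 1


def make_fake_api(total: int, fail_on_call: Optional[int] = None) -> Callable[[dict], dict]:
    """Constructed stand-in for the HTTP transport: serves `total` synthetic incidents
    and raises RateLimited on the given call number."""
    calls = {"n": 0}

    def post(req: dict) -> dict:
        calls["n"] += 1
        if calls["n"] == fail_on_call:
            raise RateLimited("rate limit exceeded")
        rd = req["request_data"]
        ids = range(rd["search_from"], min(rd["search_to"], total))
        return {"reply": {"total_count": total, "result_count": len(ids),
                          "incidents": [{"incident_id": str(i)} for i in ids]}}
    return post


if __name__ == "__main__":
    request = build_request(gte_creation_time="2010-10-10T00:00:00", sort_keyword="desc")
    got, resume_at = fetch_incidents(make_fake_api(250, fail_on_call=2), request)
    print(len(got), "incidents before the rate limit; resume at page", resume_at)
    rest, done = fetch_incidents(make_fake_api(250), request, start_page=resume_at)
    print(len(rest), "more on resume; finished:", done is None)
```

The checkpoint is the page index, not the last incident ID, because the sort order fixes which incidents fall on which page; if you persist it between runs, also persist the filters it was computed against.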

Base Command#

xdr-get-incidents

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| lte_creation_time | A date in the format 2019-12-31T23:59:00. Only incidents that were created on or before the specified date/time will be retrieved. | Optional |
| gte_creation_time | A date in the format 2019-12-31T23:59:00. Only incidents that were created on or after the specified date/time will be retrieved. | Optional |
| lte_modification_time | Filters returned incidents that were modified on or before the specified date/time, in the format 2019-12-31T23:59:00. | Optional |
| gte_modification_time | Filters returned incidents that were modified on or after the specified date/time, in the format 2019-12-31T23:59:00. | Optional |
| incident_id_list | An array or CSV string of incident IDs (max. 100). | Optional |
| since_creation_time | Filters returned incidents that were created within the specified relative time range, for example, 1 month, 2 days, 1 hour, and so on. | Optional |
| since_modification_time | Filters returned incidents that were modified within the specified relative time range, for example, 1 month, 2 days, 1 hour, and so on. | Optional |
| sort_by_modification_time | Sorts returned incidents by the date/time that the incident was last modified. Possible values are: asc (ascending), desc (descending). | Optional |
| sort_by_creation_time | Sorts returned incidents by the date/time that the incident was created. Possible values are: asc (ascending), desc (descending). | Optional |
| page | Page number (for pagination). Default is 0 (the first page). | Optional |
| limit | Maximum number of incidents to return per page. The default and maximum is 100. | Optional |
| status | Filters only incidents in the specified status. Possible values are: new, under_investigation, resolved_known_issue, resolved_false_positive, resolved_true_positive, resolved_security_testing, resolved_other, resolved_auto. | Optional |
| starred | Whether the incident is starred (Boolean value: true or false). | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PaloAltoNetworksXDR.Incident.incident_id | String | Unique ID assigned to each returned incident. |
| PaloAltoNetworksXDR.Incident.manual_severity | String | Incident severity assigned by the user. This does not affect the calculated severity. Can be "low", "medium", "high". |
| PaloAltoNetworksXDR.Incident.manual_description | String | Incident description provided by the user. |
| PaloAltoNetworksXDR.Incident.assigned_user_mail | String | Email address of the assigned user. |
| PaloAltoNetworksXDR.Incident.high_severity_alert_count | String | Number of alerts with the severity HIGH. |
| PaloAltoNetworksXDR.Incident.host_count | Number | Number of hosts involved in the incident. |
| PaloAltoNetworksXDR.Incident.xdr_url | String | A link to the incident view on XDR. |
| PaloAltoNetworksXDR.Incident.assigned_user_pretty_name | String | Full name of the user assigned to the incident. |
| PaloAltoNetworksXDR.Incident.alert_count | Number | Total number of alerts in the incident. |
| PaloAltoNetworksXDR.Incident.med_severity_alert_count | Number | Number of alerts with the severity MEDIUM. |
| PaloAltoNetworksXDR.Incident.user_count | Number | Number of users involved in the incident. |
| PaloAltoNetworksXDR.Incident.severity | String | Calculated severity of the incident. Valid values are: "low", "medium", "high". |
| PaloAltoNetworksXDR.Incident.low_severity_alert_count | String | Number of alerts with the severity LOW. |
| PaloAltoNetworksXDR.Incident.status | String | Current status of the incident. Valid values are: "new", "under_investigation", "resolved_known_issue", "resolved_duplicate", "resolved_false_positive", "resolved_true_positive", "resolved_security_testing" or "resolved_other". |
| PaloAltoNetworksXDR.Incident.starred | Boolean | Incident starred. |
| PaloAltoNetworksXDR.Incident.description | String | Dynamic calculated description of the incident. |
| PaloAltoNetworksXDR.Incident.resolve_comment | String | Comments entered by the user when the incident was resolved. |
| PaloAltoNetworksXDR.Incident.notes | String | Comments entered by the user regarding the incident. |
| PaloAltoNetworksXDR.Incident.creation_time | Date | Date and time the incident was created on XDR. |
| PaloAltoNetworksXDR.Incident.detection_time | Date | Date and time that the first alert occurred in the incident. |
| PaloAltoNetworksXDR.Incident.modification_time | Date | Date and time that the incident was last modified. |

Command Example#

!xdr-get-incidents gte_creation_time=2010-10-10T00:00:00 limit=3 sort_by_creation_time=desc

Human Readable Output#

Incidents#

| alert_count | assigned_user_mail | assigned_user_pretty_name | creation_time | description | detection_time | high_severity_alert_count | host_count | incident_id | low_severity_alert_count | manual_description | manual_severity | med_severity_alert_count | modification_time | notes | resolve_comment | severity | starred | status | user_count | xdr_url |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 5 |  |  | 1577276587937 | 5 'This alert from content TestXDRPlaybook' alerts detected by Checkpoint - SandBlast |  | 4 | 1 | 4 | 0 |  | medium | 1 | 1579290004178 |  | This issue was solved in Incident number 192304 | medium | false | new | 1 | https://some.xdr.url.com/incident-view/4 |
| 1 |  |  | 1576100096594 | 'test 1' generated by Virus Total - Firewall |  | 1 | 1 | 3 | 0 |  | medium | 0 | 1579237974014 |  |  | medium | false | new | 1 | https://some.xdr.url.com/incident-view/3 |
| 2 |  |  | 1576062816474 | 'Alert Name Example 333' along with 1 other alert generated by Virus Total - VPN & Firewall-3 and Checkpoint - SandBlast |  | 2 | 1 | 2 | 0 |  | high | 0 | 1579288790259 |  |  | high | false | under_investigation | 1 | https://some.xdr.url.com/incident-view/2 |

xdr-get-incident-extra-data#


Returns additional data for the specified incident, for example, related alerts, file artifacts, network artifacts, and so on.

Base Command#

xdr-get-incident-extra-data

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| incident_id | The ID of the incident for which to get additional data. | Required |
| alerts_limit | Maximum number of alerts to return. Default is 1000. | Optional |
| return_only_updated_incident | Return data only if the incident has changed since it was last mirrored into XSOAR. Use this flag only from within an XDR incident. Default is False. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PaloAltoNetworksXDR.Incident.incident_id | String | Unique ID assigned to each returned incident. |
| PaloAltoNetworksXDR.Incident.creation_time | Date | Date and time the incident was created on XDR. |
| PaloAltoNetworksXDR.Incident.modification_time | Date | Date and time that the incident was last modified. |
| PaloAltoNetworksXDR.Incident.detection_time | Date | Date and time that the first alert occurred in the incident. |
| PaloAltoNetworksXDR.Incident.status | String | Current status of the incident. Valid values are: "new", "under_investigation", "resolved_known_issue", "resolved_duplicate", "resolved_false_positive", "resolved_true_positive", "resolved_security_testing", "resolved_other". |
| PaloAltoNetworksXDR.Incident.severity | String | Calculated severity of the incident. Valid values are: "low", "medium", "high". |
| PaloAltoNetworksXDR.Incident.description | String | Dynamic calculated description of the incident. |
| PaloAltoNetworksXDR.Incident.assigned_user_mail | String | Email address of the assigned user. |
| PaloAltoNetworksXDR.Incident.assigned_user_pretty_name | String | Full name of the user assigned to the incident. |
| PaloAltoNetworksXDR.Incident.alert_count | Number | Total number of alerts in the incident. |
| PaloAltoNetworksXDR.Incident.low_severity_alert_count | Number | Number of alerts with the severity LOW. |
| PaloAltoNetworksXDR.Incident.med_severity_alert_count | Number | Number of alerts with the severity MEDIUM. |
| PaloAltoNetworksXDR.Incident.high_severity_alert_count | Number | Number of alerts with the severity HIGH. |
| PaloAltoNetworksXDR.Incident.user_count | Number | Number of users involved in the incident. |
| PaloAltoNetworksXDR.Incident.host_count | Number | Number of hosts involved in the incident. |
| PaloAltoNetworksXDR.Incident.notes | Unknown | Comments entered by the user regarding the incident. |
| PaloAltoNetworksXDR.Incident.resolve_comment | String | Comments entered by the user when the incident was resolved. |
| PaloAltoNetworksXDR.Incident.manual_severity | String | Incident severity assigned by the user. This does not affect the calculated severity of low, medium, or high. |
| PaloAltoNetworksXDR.Incident.manual_description | String | Incident description provided by the user. |
| PaloAltoNetworksXDR.Incident.xdr_url | String | A link to the incident view on XDR. |
| PaloAltoNetworksXDR.Incident.starred | Boolean | Incident starred. |
| PaloAltoNetworksXDR.Incident.wildfire_hits.mitre_techniques_ids_and_names | String | Incident MITRE technique IDs and names. |
| PaloAltoNetworksXDR.Incident.wildfire_hits.mitre_tactics_ids_and_names | String | Incident MITRE tactic IDs and names. |
| PaloAltoNetworksXDR.Incident.alerts.alert_id | String | Unique ID for each alert. |
| PaloAltoNetworksXDR.Incident.alerts.detection_timestamp | Date | Date and time that the alert occurred. |
| PaloAltoNetworksXDR.Incident.alerts.source | String | Source of the alert. The product/vendor this alert came from. |
| PaloAltoNetworksXDR.Incident.alerts.severity | String | Severity of the alert. Valid values are: "low", "medium", "high". |
| PaloAltoNetworksXDR.Incident.alerts.name | String | Calculated name of the alert. |
| PaloAltoNetworksXDR.Incident.alerts.category | String | Category of the alert, for example, Spyware Detected via Anti-Spyware profile. |
| PaloAltoNetworksXDR.Incident.alerts.description | String | Textual description of the alert. |
| PaloAltoNetworksXDR.Incident.alerts.host_ip_list | Unknown | Host IP involved in the alert. |
| PaloAltoNetworksXDR.Incident.alerts.host_name | String | Host name involved in the alert. |
| PaloAltoNetworksXDR.Incident.alerts.user_name | String | User name involved with the alert. |
| PaloAltoNetworksXDR.Incident.alerts.event_type | String | Event type. Valid values are: "Process Execution", "Network Event", "File Event", "Registry Event", "Injection Event", "Load Image Event", "Windows Event Log". |
| PaloAltoNetworksXDR.Incident.alerts.action | String | The action that triggered the alert. Valid values are: "REPORTED", "BLOCKED", "POST_DETECTED", "SCANNED", "DOWNLOAD", "PROMPT_ALLOW", "PROMPT_BLOCK", "DETECTED", "BLOCKED_1", "BLOCKED_2", "BLOCKED_3", "BLOCKED_5", "BLOCKED_6", "BLOCKED_7", "BLOCKED_8", "BLOCKED_9", "BLOCKED_10", "BLOCKED_11", "BLOCKED_13", "BLOCKED_14", "BLOCKED_15", "BLOCKED_16", "BLOCKED_17", "BLOCKED_24", "BLOCKED_25", "DETECTED_0", "DETECTED_4", "DETECTED_18", "DETECTED_19", "DETECTED_20", "DETECTED_21", "DETECTED_22", "DETECTED_23". |
| PaloAltoNetworksXDR.Incident.alerts.action_pretty | String | The action that triggered the alert, in readable form. Valid values are: "Detected (Reported)", "Prevented (Blocked)", "Detected (Post Detected)", "Detected (Scanned)", "Detected (Download)", "Detected (Prompt Allow)", "Prevented (Prompt Block)", "Detected", "Prevented (Denied The Session)", "Prevented (Dropped The Session)", "Prevented (Dropped The Session And Sent a TCP Reset)", "Prevented (Blocked The URL)", "Prevented (Blocked The IP)", "Prevented (Dropped The Packet)", "Prevented (Dropped All Packets)", "Prevented (Terminated The Session And Sent a TCP Reset To Both Sides Of The Connection)", "Prevented (Terminated The Session And Sent a TCP Reset To The Client)", "Prevented (Terminated The Session And Sent a TCP Reset To The Server)", "Prevented (Continue)", "Prevented (Block-Override)", "Prevented (Override-Lockout)", "Prevented (Override)", "Prevented (Random-Drop)", "Prevented (Silently Dropped The Session With An ICMP Unreachable Message To The Host Or Application)", "Prevented (Block)", "Detected (Allowed The Session)", "Detected (Raised An Alert)", "Detected (Syncookie Sent)", "Detected (Forward)", "Detected (Wildfire Upload Success)", "Detected (Wildfire Upload Failure)", "Detected (Wildfire Upload Skip)", "Detected (Sinkhole)". |
| PaloAltoNetworksXDR.Incident.alerts.actor_process_image_name | String | Image name. |
| PaloAltoNetworksXDR.Incident.alerts.actor_process_command_line | String | Command line. |
| PaloAltoNetworksXDR.Incident.alerts.actor_process_signature_status | String | Signature status. Valid values are: "Signed", "Invalid Signature", "Unsigned", "Revoked", "Signature Fail", "N/A", "Weak Hash". |
| PaloAltoNetworksXDR.Incident.alerts.actor_process_signature_vendor | String | Signature vendor name. |
| PaloAltoNetworksXDR.Incident.alerts.causality_actor_process_image_name | String | Image name. |
| PaloAltoNetworksXDR.Incident.alerts.causality_actor_process_command_line | String | Command line. |
| PaloAltoNetworksXDR.Incident.alerts.causality_actor_process_signature_status | String | Signature status. Valid values are: "Signed", "Invalid Signature", "Unsigned", "Revoked", "Signature Fail", "N/A", "Weak Hash". |
| PaloAltoNetworksXDR.Incident.alerts.causality_actor_process_signature_vendor | String | Signature vendor. |
| PaloAltoNetworksXDR.Incident.alerts.causality_actor_causality_id | Unknown | Causality ID. |
| PaloAltoNetworksXDR.Incident.alerts.action_process_image_name | String | Image name. |
| PaloAltoNetworksXDR.Incident.alerts.action_process_image_command_line | String | Command line. |
| PaloAltoNetworksXDR.Incident.alerts.action_process_image_sha256 | String | Image SHA256. |
| PaloAltoNetworksXDR.Incident.alerts.action_process_signature_status | String | Signature status. Valid values are: "Signed", "Invalid Signature", "Unsigned", "Revoked", "Signature Fail", "N/A", "Weak Hash". |
| PaloAltoNetworksXDR.Incident.alerts.action_process_signature_vendor | String | Signature vendor name. |
| PaloAltoNetworksXDR.Incident.alerts.action_file_path | String | File path. |
| PaloAltoNetworksXDR.Incident.alerts.action_file_md5 | String | File MD5. |
| PaloAltoNetworksXDR.Incident.alerts.action_file_sha256 | String | File SHA256. |
| PaloAltoNetworksXDR.Incident.alerts.action_registry_data | String | Registry data. |
| PaloAltoNetworksXDR.Incident.alerts.action_registry_full_key | String | Registry full key. |
| PaloAltoNetworksXDR.Incident.alerts.action_local_ip | String | Local IP. |
| PaloAltoNetworksXDR.Incident.alerts.action_local_port | Number | Local port. |
| PaloAltoNetworksXDR.Incident.alerts.action_remote_ip | String | Remote IP. |
| PaloAltoNetworksXDR.Incident.alerts.action_remote_port | Number | Remote port. |
| PaloAltoNetworksXDR.Incident.alerts.action_external_hostname | String | External hostname. |
| PaloAltoNetworksXDR.Incident.alerts.fw_app_id | Unknown | Firewall app ID. |
| PaloAltoNetworksXDR.Incident.alerts.is_whitelisted | String | Whether the alert is on the allow list. Valid values are: "Yes", "No". |
| PaloAltoNetworksXDR.Incident.alerts.starred | Boolean | Alert starred. |
| PaloAltoNetworksXDR.Incident.network_artifacts.type | String | The artifact type. Valid values are: "META", "GID", "CID", "HASH", "IP", "DOMAIN", "REGISTRY", "HOSTNAME". |
| PaloAltoNetworksXDR.Incident.network_artifacts.network_remote_port | Number | The remote port related to the artifact. |
| PaloAltoNetworksXDR.Incident.network_artifacts.alert_count | Number | Number of alerts related to the artifact. |
| PaloAltoNetworksXDR.Incident.network_artifacts.network_remote_ip | String | The remote IP related to the artifact. |
| PaloAltoNetworksXDR.Incident.network_artifacts.is_manual | Boolean | Whether the artifact was created by the user (manually). |
| PaloAltoNetworksXDR.Incident.network_artifacts.network_domain | String | The domain related to the artifact. |
| PaloAltoNetworksXDR.Incident.network_artifacts.network_country | String | The country related to the artifact. |
| PaloAltoNetworksXDR.Incident.file_artifacts.file_signature_status | String | Digital signature status of the file. Valid values are: "SIGNATURE_UNAVAILABLE", "SIGNATURE_SIGNED", "SIGNATURE_INVALID", "SIGNATURE_UNSIGNED", "SIGNATURE_WEAK_HASH". |
| PaloAltoNetworksXDR.Incident.file_artifacts.is_process | Boolean | Whether the file artifact is related to a process execution. |
| PaloAltoNetworksXDR.Incident.file_artifacts.file_name | String | Name of the file. |
| PaloAltoNetworksXDR.Incident.file_artifacts.file_wildfire_verdict | String | The file verdict, calculated by WildFire. Valid values are: "BENIGN", "MALWARE", "GRAYWARE", "PHISHING", "UNKNOWN". |
| PaloAltoNetworksXDR.Incident.file_artifacts.alert_count | Number | Number of alerts related to the artifact. |
| PaloAltoNetworksXDR.Incident.file_artifacts.is_malicious | Boolean | Whether the artifact is malicious, as decided by the WildFire verdict. |
| PaloAltoNetworksXDR.Incident.file_artifacts.is_manual | Boolean | Whether the artifact was created by the user (manually). |
| PaloAltoNetworksXDR.Incident.file_artifacts.type | String | The artifact type. Valid values are: "META", "GID", "CID", "HASH", "IP", "DOMAIN", "REGISTRY", "HOSTNAME". |
| PaloAltoNetworksXDR.Incident.file_artifacts.file_sha256 | String | SHA-256 hash of the file. |
| PaloAltoNetworksXDR.Incident.file_artifacts.file_signature_vendor_name | String | File signature vendor name. |
| Account.Username | String | The username in the relevant system. |
| Endpoint.Hostname | String | The hostname that is mapped to this endpoint. |
| File.Path | String | The path where the file is located. |
| File.MD5 | String | The MD5 hash of the file. |
| File.SHA256 | String | The SHA256 hash of the file. |
| File.Name | String | The full file name (including file extension). |
| Process.Name | String | The name of the process. |
| Process.MD5 | String | The MD5 hash of the process. |
| Process.SHA256 | String | The SHA256 hash of the process. |
| Process.PID | String | The PID of the process. |
| Process.Path | String | The file system path to the binary file. |
| Process.StartTime | String | The timestamp of the process start time. |
| Process.CommandLine | String | The full command line (including arguments). |
| IP.Address | String | IP address. |
| IP.Geo.Country | String | The country in which the IP address is located. |
| Domain.Name | String | The domain name, for example: "google.com". |

Command Example#

!xdr-get-incident-extra-data incident_id=4 alerts_limit=10

Human Readable Output#

Incident 4#

| alert_count | assigned_user_mail | assigned_user_pretty_name | creation_time | description | detection_time | high_severity_alert_count | host_count | incident_id | low_severity_alert_count | manual_description | manual_severity | med_severity_alert_count | modification_time | notes | resolve_comment | severity | starred | status | user_count | xdr_url |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 5 |  |  | 1577276587937 | 5 'This alert from content TestXDRPlaybook' alerts detected by Checkpoint - SandBlast |  | 4 | 1 | 4 | 0 |  | medium | 1 | 1579290004178 |  | This issue was solved in Incident number 192304 | medium | false | new | 1 | https://some.xdr.url.com/incident-view/4 |

Alerts#

(Columns whose value was N/A for every alert in this sample are omitted below.)

| action_local_ip | action_local_port | action_remote_ip | action_remote_port | alert_id | description | detection_timestamp | event_type | is_whitelisted | name | severity | source | starred |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 196.168.0.1 | 7000 | 2.2.2.2 | 8000 | 6 | Test - alert generated by Test XDR Playbook | 1577276586921 | Network Event | No | Test - alert generated by Test XDR Playbook | medium | Cisco - Sandblast | false |
| 196.168.0.111 | 2000 | 2.2.2.2 | 6000 | 7 | This alert from content TestXDRPlaybook description | 1577776701589 | Network Event | No | This alert from content TestXDRPlaybook | high | Checkpoint - SandBlast | false |
| 196.168.0.111 | 2000 | 2.2.2.2 | 6000 | 8 | This alert from content TestXDRPlaybook description | 1577958479843 | Network Event | No | This alert from content TestXDRPlaybook | high | Checkpoint - SandBlast | false |
| 196.168.0.111 | 2000 | 2.2.2.2 | 6000 | 9 | This alert from content TestXDRPlaybook description | 1578123895414 | Network Event | No | This alert from content TestXDRPlaybook | high | Checkpoint - SandBlast | false |
| 196.168.0.111 | 2000 | 2.2.2.2 | 6000 | 10 | This alert from content TestXDRPlaybook description | 1578927443615 | Network Event | No | This alert from content TestXDRPlaybook | high | Checkpoint - SandBlast | false |

Network Artifacts#

| alert_count | is_manual | network_country | network_domain | network_remote_ip | network_remote_port | type |
| --- | --- | --- | --- | --- | --- | --- |
| 5 | false |  |  | 2.2.2.2 | 8000 | IP |

File Artifacts#

No entries.

xdr-update-incident#

Base Command#

xdr-update-incident

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| incident_id | XDR incident ID. You can get the incident ID from the output of the xdr-get-incidents command or the xdr-get-incident-extra-data command. | Required |
| manual_severity | Severity to assign to the incident. Possible values are: HIGH, MEDIUM, LOW. | Optional |
| assigned_user_mail | Email address of the user to assign to the incident. | Optional |
| assigned_user_pretty_name | Full name of the user assigned to the incident. | Optional |
| status | Status of the incident. Possible values are: NEW, UNDER_INVESTIGATION, RESOLVED_KNOWN_ISSUE, RESOLVED_DUPLICATE, RESOLVED_FALSE_POSITIVE, RESOLVED_TRUE_POSITIVE, RESOLVED_SECURITY_TESTING, RESOLVED_OTHER. | Optional |
| resolve_comment | Comment explaining why the incident was resolved. Set this when resolving the incident. | Optional |
| unassign_user | If true, removes all assigned users from the incident. Possible values are: true. | Optional |

Context Output#

There is no context output for this command.

xdr-insert-parsed-alert#


Uploads an alert from an external alert source in Cortex XDR format. Cortex XDR displays alerts that are parsed successfully in the related incidents and views. You can send 600 alerts per minute. Each request can contain a maximum of 60 alerts.

Base Command#

xdr-insert-parsed-alert

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| product | String value that defines the product. | Required |
| vendor | String value that defines the vendor. | Required |
| local_ip | String value for the source IP address. | Optional |
| local_port | Integer value for the source port. | Required |
| remote_ip | String value of the destination IP address. | Required |
| remote_port | Integer value for the destination port. | Required |
| event_timestamp | Integer value representing the epoch of the time the alert occurred in milliseconds, or a string value in the date format 2019-10-23T10:00:00. If not set, the event time will be defined as now. | Optional |
| severity | String value of alert severity. Possible values are: Informational, Low, Medium, High. Default is Medium. | Optional |
| alert_name | String defining the alert name. | Required |
| alert_description | String defining the alert description. | Optional |
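An added example (not the integration's own code) of the input handling the table above implies: event_timestamp can arrive as epoch milliseconds or as a 2019-10-23T10:00:00 string and must be normalised to one form, severity is a closed set, ports have a range, and a batch of alerts has to be cut into requests of at most 60. The request_data / alerts envelope used for the batches is assumed from the public API and is not documented on this page.

```python
"""Normalise the inputs of xdr-insert-parsed-alert and batch alerts into requests
that stay within the 60-alerts-per-request limit."""
import time
from datetime import datetime, timezone
from typing import Dict, List, Optional, Union

SEVERITIES = ("Informational", "Low", "Medium", "High")
MAX_ALERTS_PER_REQUEST = 60


def normalise_timestamp(value: Union[int, str, None] = None) -> int:
    """Accepts epoch milliseconds (int or digit string) or '2019-10-23T10:00:00'
    (taken as UTC); None means 'now', as the command does when the argument is unset."""
    if value is None:
        return int(time.time() * 1000)
    if isinstance(value, int):
        return value
    text = str(value).strip()
    if text.isdigit():
        return int(text)
    dt = datetime.strptime(text, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp() * 1000)


def build_parsed_alert(product: str, vendor: str, local_port: int, remote_ip: str,
                       remote_port: int, alert_name: str, local_ip: Optional[str] = None,
                       event_timestamp: Union[int, str, None] = None,
                       severity: str = "Medium",
                       alert_description: Optional[str] = None) -> Dict[str, object]:
    """One alert in the shape the command's arguments describe, validated."""
    sev = severity.strip().capitalize()           # tolerate "high" / "HIGH"
    if sev not in SEVERITIES:
        raise ValueError(f"severity must be one of {SEVERITIES}, got {severity!r}")
    for label, port in (("local_port", local_port), ("remote_port", remote_port)):
        if not 0 <= int(port) <= 65535:
            raise ValueError(f"{label} out of range: {port}")
    alert: Dict[str, object] = {
        "product": product, "vendor": vendor,
        "local_port": int(local_port), "remote_ip": remote_ip, "remote_port": int(remote_port),
        "event_timestamp": normalise_timestamp(event_timestamp),
        "severity": sev, "alert_name": alert_name,
    }
    if local_ip:
        alert["local_ip"] = local_ip
    if alert_description:
        alert["alert_description"] = alert_description
    return alert


def batch_requests(alerts: List[dict], per_request: int = MAX_ALERTS_PER_REQUEST) -> List[dict]:
    """Split into request bodies of at most `per_request` alerts. The request_data/alerts
    envelope is an assumption taken from the public API, not something this page documents."""
    return [{"request_data": {"alerts": alerts[i:i + per_request]}}
            for i in range(0, len(alerts), per_request)]


if __name__ == "__main__":
    # Constructed sample: 125 alerts from one source, to be sent as three requests.
    sample = [build_parsed_alert("Firewall", "Virus Total", 443, "2.2.2.2", 8000,
                                 f"test alert {i}", severity="high",
                                 event_timestamp="2019-10-23T10:00:00") for i in range(125)]
    for req in batch_requests(sample):
        print(len(req["request_data"]["alerts"]), "alerts in request")
```

Send the resulting requests one at a time and keep the 600-per-minute budget in mind when a backlog is being replayed; a rejected request should be retried as a whole, since the API counts requests, not alerts.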

Context Output#

There is no context output for this command.

xdr-insert-cef-alerts#


Uploads alerts in CEF format from external alert sources. After you map CEF alert fields to Cortex XDR fields, Cortex XDR displays the alerts in the related incidents and views. You can send 600 requests per minute. Each request can contain a maximum of 60 alerts.
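Whatever produces the CEF lines for this command has to escape them, and that is the part worth checking before the mapping step. A CEF line is CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension, with the header fields separated by unescaped pipes and the extension carrying key=value pairs; an attacker-controlled value (a hostname, a process name, a user-supplied message) that contains a bare | shifts every field after it, and a bare = inside an extension value introduces a key you never wrote. The block below, an added example and not code from the integration, builds lines with the CEF escaping rules (backslash and pipe in the header; backslash, equals and line breaks in the extension) and splits them back the way a correct consumer would, so the hostile case can be seen failing without escaping and holding with it.

```python
"""Build and sanity-check CEF alert lines before handing them to xdr-insert-cef-alerts.
The point is escaping: a value containing '|' or '=' must not be able to shift
header fields or smuggle extension keys."""
import re
from typing import Dict, List

_KEY_RE = re.compile(r"[A-Za-z][A-Za-z0-9_.]*")   # extension keys: no spaces, no '='


def _esc_header(value: str) -> str:
    # Header fields: backslash and pipe are the only characters that need escaping.
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(value: str) -> str:
    # Extension values: backslash, '=', and line breaks.
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def build_cef(vendor: str, product: str, device_version: str, event_class_id: str,
              name: str, severity: int, extension: Dict[str, str]) -> str:
    """One CEF:0 line; severity is the 0-10 integer form."""
    if not (isinstance(severity, int) and 0 <= severity <= 10):
        raise ValueError("severity must be an integer 0-10")
    for key in extension:
        if not _KEY_RE.fullmatch(key):
            raise ValueError(f"bad extension key: {key!r}")
    header = "|".join(_esc_header(v) for v in
                      (vendor, product, device_version, event_class_id, name, str(severity)))
    ext = " ".join(f"{k}={_esc_ext(v)}" for k, v in extension.items())
    return f"CEF:0|{header}|{ext}"


def _unescaped_positions(s: str, ch: str) -> List[int]:
    """Offsets of `ch` that are not escaped by a preceding backslash."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\":
            i += 2                     # skip the escaped character, whatever it is
            continue
        if s[i] == ch:
            out.append(i)
        i += 1
    return out


def split_header(line: str) -> List[str]:
    """The 7 header fields plus the raw extension, split on unescaped pipes only."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    pipes = _unescaped_positions(line, "|")
    if len(pipes) < 7:
        raise ValueError("malformed CEF header")
    cuts = [-1] + pipes[:7]
    parts = [line[a + 1:b] for a, b in zip(cuts, cuts[1:])]
    parts.append(line[pipes[6] + 1:])
    return parts


def extension_keys(ext: str) -> List[str]:
    """Keys of 'k=v k2=v2 ...'; only an unescaped '=' starts a key."""
    keys = []
    for pos in _unescaped_positions(ext, "="):
        keys.append(ext[ext.rfind(" ", 0, pos) + 1:pos])
    return keys


if __name__ == "__main__":
    # Constructed hostile values: a name with pipes, a message with '=' and a newline.
    hostile = {"src": "196.168.0.1", "msg": "user=admin cs1=forged\n"}
    line = build_cef("Checkpoint", "SandBlast", "1.0", "100", "evil|9|x", 7, hostile)
    print(line)
    fields = split_header(line)
    print("name:", fields[5], "severity:", fields[6], "keys:", extension_keys(fields[7]))
```

If the source you are forwarding from does its own CEF encoding, run its output through split_header and extension_keys before mapping fields in XDR: a line that yields more than eight parts, or keys you did not expect, is one whose encoder is not escaping.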

Base Command#

xdr-insert-cef-alerts

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| cef_alerts | List of alerts in CEF format. | Required |

Context Output#

There is no context output for this command.

xdr-endpoint-isolate#


Isolates the specified endpoint.

Base Command#

xdr-endpoint-isolate

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| incident_id | Links the response action to the incident that triggered it. | Optional |
| endpoint_id | The endpoint ID (string) to isolate. You can retrieve it from the xdr-get-endpoints command. | Required |
| suppress_disconnected_endpoint_error | Whether to suppress the error raised when trying to isolate a disconnected endpoint. When set to false, an error is returned. Possible values are: true, false. Default is false. | Optional |
| interval_in_seconds | Interval in seconds between each poll. | Optional |
| timeout_in_seconds | Polling timeout in seconds. | Optional |
| action_id | For polling use. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PaloAltoNetworksXDR.Isolation.endpoint_id | String | The endpoint ID. |

xdr-endpoint-unisolate#


Reverses the isolation of an endpoint.

Base Command#

xdr-endpoint-unisolate

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| incident_id | Links the response action to the incident that triggered it. | Optional |
| endpoint_id | The endpoint ID (string) for which to reverse the isolation. You can retrieve it from the xdr-get-endpoints command. | Required |
| suppress_disconnected_endpoint_error | Whether to suppress the error raised when trying to unisolate a disconnected endpoint. When set to false, an error is returned. Possible values are: true, false. Default is false. | Optional |
| interval_in_seconds | Interval in seconds between each poll. | Optional |
| timeout_in_seconds | Polling timeout in seconds. | Optional |
| action_id | For polling use. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PaloAltoNetworksXDR.UnIsolation.endpoint_id | String | The ID of the endpoint whose isolation was reversed. |

xdr-get-endpoints#


Gets a list of endpoints, according to the passed filters. If there are no filters, all endpoints are returned. Filtering by multiple fields will be concatenated using AND condition (OR is not supported). Maximum result set size is 100. Offset is the zero-based number of endpoint from the start of the result set (start by counting from 0).

Base Command#

xdr-get-endpoints

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| status | The status of the endpoint to filter. Possible values are: connected, disconnected, lost, uninstalled. | Optional |
| endpoint_id_list | A comma-separated list of endpoint IDs. | Optional |
| dist_name | A comma-separated list of distribution package names or installation package names. Example: dist_name1,dist_name2. | Optional |
| ip_list | A comma-separated list of IP addresses. Example: 8.8.8.8,1.1.1.1. | Optional |
| group_name | The group name to which the agent belongs. Example: group_name1,group_name2. | Optional |
| platform | The endpoint platform. Possible values are: windows, linux, macos, android. | Optional |
| alias_name | A comma-separated list of alias names. Example: alias_name1,alias_name2. | Optional |
| isolate | Specifies whether the endpoint was isolated or unisolated. Possible values are: isolated, unisolated. | Optional |
| hostname | Hostname. Example: hostname1,hostname2. | Optional |
| first_seen_gte | All the agents that were first seen after {first_seen_gte}. Supported values: 1579039377301 (time in milliseconds), "3 days" (relative date), "2019-10-21T23:45:00" (date). | Optional |
| first_seen_lte | All the agents that were first seen before {first_seen_lte}. Supported values: 1579039377301 (time in milliseconds), "3 days" (relative date), "2019-10-21T23:45:00" (date). | Optional |
| last_seen_gte | All the agents that were last seen after {last_seen_gte}. Supported values: 1579039377301 (time in milliseconds), "3 days" (relative date), "2019-10-21T23:45:00" (date). | Optional |
| last_seen_lte | All the agents that were last seen before {last_seen_lte}. Supported values: 1579039377301 (time in milliseconds), "3 days" (relative date), "2019-10-21T23:45:00" (date). | Optional |
| page | Page number (for pagination). Default is 0 (the first page). | Optional |
| limit | Maximum number of endpoints to return per page. The default and maximum is 30. Default is 30. | Optional |
| sort_by | Specifies whether to sort endpoints by the first time or last time they were seen. Possible values are: first_seen, last_seen. | Optional |
| sort_order | The order by which to sort results: asc (ascending) or desc (descending). Possible values are: asc, desc. Default is asc. | Optional |
| username | The usernames to query for; accepts a single username or a comma-separated list of usernames. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PaloAltoNetworksXDR.Endpoint.endpoint_id | String | The endpoint ID. |
| PaloAltoNetworksXDR.Endpoint.endpoint_name | String | The endpoint name. |
| PaloAltoNetworksXDR.Endpoint.endpoint_type | String | The endpoint type. |
| PaloAltoNetworksXDR.Endpoint.endpoint_status | String | The status of the endpoint. |
| PaloAltoNetworksXDR.Endpoint.os_type | String | The endpoint OS type. |
| PaloAltoNetworksXDR.Endpoint.ip | Unknown | A list of IP addresses. |
| PaloAltoNetworksXDR.Endpoint.users | Unknown | A list of users. |
| PaloAltoNetworksXDR.Endpoint.domain | String | The endpoint domain. |
| PaloAltoNetworksXDR.Endpoint.alias | String | The endpoint's aliases. |
| PaloAltoNetworksXDR.Endpoint.first_seen | Unknown | First seen date/time in Epoch (milliseconds). |
| PaloAltoNetworksXDR.Endpoint.last_seen | Date | Last seen date/time in Epoch (milliseconds). |
| PaloAltoNetworksXDR.Endpoint.content_version | String | Content version. |
| PaloAltoNetworksXDR.Endpoint.installation_package | String | Installation package. |
| PaloAltoNetworksXDR.Endpoint.active_directory | String | Active directory. |
| PaloAltoNetworksXDR.Endpoint.install_date | Date | Install date in Epoch (milliseconds). |
| PaloAltoNetworksXDR.Endpoint.endpoint_version | String | Endpoint version. |
| PaloAltoNetworksXDR.Endpoint.is_isolated | String | Whether the endpoint is isolated. |
| PaloAltoNetworksXDR.Endpoint.group_name | String | The name of the group to which the endpoint belongs. |
| PaloAltoNetworksXDR.Endpoint.count | String | Number of endpoints returned. |
| Endpoint.Hostname | String | The hostname that is mapped to this endpoint. |
| Endpoint.ID | String | The unique ID within the tool retrieving the endpoint. |
| Endpoint.IPAddress | String | The IP address of the endpoint. |
| Endpoint.Domain | String | The domain of the endpoint. |
| Endpoint.OS | String | The endpoint's operating system. |
| Account.Username | String | The username in the relevant system. |
| Account.Domain | String | The domain of the account. |
| Endpoint.Status | String | The endpoint's status. |
| Endpoint.IsIsolated | String | The endpoint's isolation status. |
| Endpoint.MACAddress | String | The endpoint's MAC address. |
| Endpoint.Vendor | String | The integration name of the endpoint vendor. |

Command Example#

!xdr-get-endpoints isolate="unisolated" first_seen_gte="3 month" page="0" limit="30" sort_order="asc"

Human Readable Output#

Endpoints#

| active_directory | alias | content_version | domain | endpoint_id | endpoint_name | endpoint_status | endpoint_type | endpoint_version | first_seen | group_name | install_date | installation_package | ip | is_isolated | last_seen | os_type | users |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| | | 111-17757 | | ea303670c76e4ad09600c8b346f7c804 | aaaaa.compute.internal | CONNECTED | AGENT_TYPE_SERVER | 7.0.0.1915 | 1575795969644 | | 1575795969644 | linux | 172.31.11.11 | AGENT_UNISOLATED | 1579290023629 | AGENT_OS_LINUX | ec2-user |
| | | 111-17757 | WORKGROUP | f8a2f58846b542579c12090652e79f3d | EC2AMAZ-P7PPOI4 | CONNECTED | AGENT_TYPE_SERVER | 7.0.0.27797 | 1575796381739 | | 1575796381739 | Windows Server 2016 | 2.2.2.2 | AGENT_UNISOLATED | 1579289957412 | AGENT_OS_WINDOWS | Administrator |
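The three time-filter forms that xdr-get-endpoints accepts (epoch milliseconds, a relative span such as "3 days", an ISO date) and its page/limit contract (limit at most 30, zero-based page), as an added example that is not the integration's own code. The fetch callable stands in for the real command, naive ISO dates are assumed to be UTC, a "month" is assumed to be 30 days, and the endpoint records are constructed after the human-readable output above.

```python
"""Normalise xdr-get-endpoints time filters and page through its results.

Added example; the fetch callable is an assumption standing in for the real
command, and SAMPLE_ENDPOINTS is constructed test data.
"""
import re
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Iterator, List, Optional, Union

MAX_PAGE_SIZE = 30   # documented default and maximum for `limit`

_RELATIVE = re.compile(
    r"^\s*(\d+)\s*(second|minute|hour|day|week|month)s?(\s+ago)?\s*$", re.I)
_UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600,
                 "day": 86400, "week": 604800,
                 "month": 30 * 86400}   # assumption: 30-day month

# Fixed reference time so the example is reproducible offline.
FIXED_NOW = datetime(2020, 1, 17, tzinfo=timezone.utc)


def to_epoch_ms(value: Union[int, str], now: Optional[datetime] = None) -> int:
    """Convert any of the three accepted filter forms to epoch milliseconds."""
    now = now or datetime.now(timezone.utc)
    if isinstance(value, int) or value.strip().isdigit():
        return int(value)                            # already epoch milliseconds
    m = _RELATIVE.match(value)
    if m:                                            # "3 days" means 3 days ago
        amount, unit = int(m.group(1)), m.group(2).lower()
        then = now - timedelta(seconds=amount * _UNIT_SECONDS[unit])
        return int(then.timestamp() * 1000)
    dt = datetime.fromisoformat(value)               # "2019-10-21T23:45:00"
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)         # assumption: naive dates are UTC
    return int(dt.timestamp() * 1000)


Endpoint = Dict[str, object]
FetchPage = Callable[[int, int], List[Endpoint]]     # (page, limit) -> endpoints


def iter_endpoints(fetch_page: FetchPage, limit: int = MAX_PAGE_SIZE) -> Iterator[Endpoint]:
    """Walk zero-based pages until a short page; limit is clamped to the maximum."""
    limit = max(1, min(limit, MAX_PAGE_SIZE))
    page = 0
    while True:
        batch = fetch_page(page, limit)
        yield from batch
        if len(batch) < limit:
            return
        page += 1


def find_unisolated_since(endpoints: List[Endpoint], first_seen_gte: Union[int, str],
                          now: Optional[datetime] = None) -> List[str]:
    """IDs of endpoints that are not isolated AND were first seen at or after
    the filter, applied locally the way the server ANDs its filters."""
    cutoff = to_epoch_ms(first_seen_gte, now)

    def fetch(page: int, limit: int) -> List[Endpoint]:
        return endpoints[page * limit:(page + 1) * limit]

    return [str(e["endpoint_id"]) for e in iter_endpoints(fetch)
            if e["is_isolated"] == "AGENT_UNISOLATED" and int(e["first_seen"]) >= cutoff]


# Constructed sample data modelled on the human-readable output above.
SAMPLE_ENDPOINTS: List[Endpoint] = [
    {"endpoint_id": f"ep{i:03d}",
     "first_seen": 1575795969644 + i * 86_400_000,
     "is_isolated": "AGENT_ISOLATED" if i % 7 == 0 else "AGENT_UNISOLATED"}
    for i in range(70)
]

if __name__ == "__main__":
    print(to_epoch_ms("3 days", FIXED_NOW))
    print(find_unisolated_since(SAMPLE_ENDPOINTS, "3 days", FIXED_NOW))
```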

xdr-get-distribution-versions#


Gets a list of all the agent versions to use for creating a distribution list.

Base Command#

xdr-get-distribution-versions

Input#

There are no input arguments for this command.

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PaloAltoNetworksXDR.DistributionVersions.windows | Unknown | A list of Windows agent versions. |
| PaloAltoNetworksXDR.DistributionVersions.linux | Unknown | A list of Linux agent versions. |
| PaloAltoNetworksXDR.DistributionVersions.macos | Unknown | A list of Mac agent versions. |

Command Example#

!xdr-get-distribution-versions

Human Readable Output#

windows#

versions
5.0.8.29673
5.0.9.30963
6.1.4.28751
7.0.0.28644

linux#

versions
6.1.4.1680
7.0.0.1916

macos#

versions
6.1.4.1681
7.0.0.1914

xdr-create-distribution#


Creates an installation package. This is an asynchronous call that returns the distribution ID. This does not mean that the creation succeeded. To confirm that the package has been created, check the status of the distribution by running the Get Distribution Status API.

Base Command#

xdr-create-distribution

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| name | A string representing the name of the installation package. | Required |
| platform | The platform of the installation package. Possible values are: windows, linux, macos, android. | Required |
| package_type | The type of package to create: standalone (an installation for a new agent) or upgrade (an upgrade of an agent from ESM). Possible values are: standalone, upgrade. | Required |
| agent_version | An agent_version returned from xdr-get-distribution-versions. Not required for the Android platform. | Required |
| description | Information about the package. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PaloAltoNetworksXDR.Distribution.id | String | The installation package ID. |
| PaloAltoNetworksXDR.Distribution.name | String | The name of the installation package. |
| PaloAltoNetworksXDR.Distribution.platform | String | The installation OS. |
| PaloAltoNetworksXDR.Distribution.agent_version | String | Agent version. |
| PaloAltoNetworksXDR.Distribution.description | String | Information about the package. |

Command Example#

!xdr-create-distribution agent_version=6.1.4.1680 name="dist_1" package_type=standalone platform=linux description="some description"

Human Readable Output#

Distribution 43aede7f846846fa92b50149663fbb25 created successfully

xdr-get-distribution-url#


Gets the distribution URL for downloading the installation package.

Base Command#

xdr-get-distribution-url

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| distribution_id | The ID of the installation package. Copy the distribution_id from the "id" field on the Endpoints > Agent Installation page. | Required |
| package_type | The installation package type: upgrade; sh, rpm or deb (for Linux); pkg (for Mac); x86 or x64 (for Windows). Possible values are: upgrade, sh, rpm, deb, pkg, x86, x64. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PaloAltoNetworksXDR.Distribution.id | String | Distribution ID. |
| PaloAltoNetworksXDR.Distribution.url | String | URL for downloading the installation package. |

Command Example#

!xdr-get-distribution-url distribution_id=2c74c11b63074653aa01d575a82bf52a package_type=sh

xdr-get-create-distribution-status#


Gets the status of the installation package.

Base Command#

xdr-get-create-distribution-status

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| distribution_ids | A comma-separated list of distribution IDs to get the status of. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PaloAltoNetworksXDR.Distribution.id | String | Distribution ID. |
| PaloAltoNetworksXDR.Distribution.status | String | The status of the installation package. |

Command Example#

!xdr-get-create-distribution-status distribution_ids=2c74c11b63074653aa01d575a82bf52a

Human Readable Output#

Distribution Status#

| id | status |
| --- | --- |
| 2c74c11b63074653aa01d575a82bf52a | Completed |

xdr-get-audit-management-logs#


Gets management logs. You can filter by multiple fields, which will be concatenated using the AND condition (OR is not supported). Maximum result set size is 100. Offset is the zero-based number of management logs from the start of the result set (start by counting from 0).

Base Command#

xdr-get-audit-management-logs

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| email | User's email address. | Optional |
| type | The audit log type. Possible values are: LIVE_TERMINAL, RULES, AUTH, RESPONSE, INCIDENT_MANAGEMENT, ENDPOINT_MANAGEMENT, ALERT_WHITELIST, PUBLIC_API, DISTRIBUTIONS, STARRED_INCIDENTS, POLICY_PROFILES, DEVICE_CONTROL_PROFILE, HOST_FIREWALL_PROFILE, POLICY_RULES, PROTECTION_POLICY, DEVICE_CONTROL_TEMP_EXCEPTIONS, DEVICE_CONTROL_GLOBAL_EXCEPTIONS, GLOBAL_EXCEPTIONS, MSSP, REPORTING, DASHBOARD, BROKER_VM. | Optional |
| sub_type | The audit log subtype. | Optional |
| result | Result type. Possible values are: SUCCESS, FAIL, PARTIAL. | Optional |
| timestamp_gte | Return logs whose timestamp is after 'timestamp_gte'. Supported values: 1579039377301 (time in milliseconds), "3 days" (relative date), "2019-10-21T23:45:00" (date). | Optional |
| timestamp_lte | Return logs whose timestamp is before 'timestamp_lte'. Supported values: 1579039377301 (time in milliseconds), "3 days" (relative date), "2019-10-21T23:45:00" (date). | Optional |
| page | Page number (for pagination). Default is 0 (the first page). | Optional |
| limit | Maximum number of audit logs to return per page. The default and maximum is 30. Default is 30. | Optional |
| sort_by | The field by which to sort the results. By default the sort is by creation time, descending. Possible values are: type, sub_type, result, timestamp. | Optional |
| sort_order | The sort order: asc (ascending) or desc (descending). Possible values are: asc, desc. Default is desc. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PaloAltoNetworksXDR.AuditManagementLogs.AUDIT_ID | Number | Audit log ID. |
| PaloAltoNetworksXDR.AuditManagementLogs.AUDIT_OWNER_NAME | String | Audit owner name. |
| PaloAltoNetworksXDR.AuditManagementLogs.AUDIT_OWNER_EMAIL | String | Audit owner email address. |
| PaloAltoNetworksXDR.AuditManagementLogs.AUDIT_ASSET_JSON | String | Asset JSON. |
| PaloAltoNetworksXDR.AuditManagementLogs.AUDIT_ASSET_NAMES | String | Audit asset names. |
| PaloAltoNetworksXDR.AuditManagementLogs.AUDIT_HOSTNAME | String | Host name. |
| PaloAltoNetworksXDR.AuditManagementLogs.AUDIT_RESULT | String | Audit result. |
| PaloAltoNetworksXDR.AuditManagementLogs.AUDIT_REASON | String | Audit reason. |
| PaloAltoNetworksXDR.AuditManagementLogs.AUDIT_DESCRIPTION | String | Description of the audit. |
| PaloAltoNetworksXDR.AuditManagementLogs.AUDIT_ENTITY | String | Audit entity (e.g., AUTH, DISTRIBUTIONS). |
| PaloAltoNetworksXDR.AuditManagementLogs.AUDIT_ENTITY_SUBTYPE | String | Entity subtype (e.g., Login, Create). |
| PaloAltoNetworksXDR.AuditManagementLogs.AUDIT_CASE_ID | Number | Audit case ID. |
| PaloAltoNetworksXDR.AuditManagementLogs.AUDIT_INSERT_TIME | Date | Log's insert time. |

xdr-get-audit-agent-reports#


Gets agent event reports. You can filter by multiple fields, which will be concatenated using the AND condition (OR is not supported). Maximum result set size is 100. Offset is the zero-based number of reports from the start of the result set (start by counting from 0).

Base Command#

xdr-get-audit-agent-reports

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| endpoint_ids | A comma-separated list of endpoint IDs. | Optional |
| endpoint_names | A comma-separated list of endpoint names. | Optional |
| type | The report type. Possible values are: Installation, Policy, Action, Agent Service, Agent Modules, Agent Status. | Optional |
| sub_type | The report subtype. Possible values are: Install, Uninstall, Upgrade, Local Configuration, Content Update, Policy Update, Process Exception, Hash Exception, Scan, File Retrieval, File Scan, Terminate Process, Isolate, Cancel Isolation, Payload Execution, Quarantine, Restore, Stop, Start, Module Initialization, Local Analysis Model, Local Analysis Feature Extraction, Fully Protected, OS Incompatible, Software Incompatible, Kernel Driver Initialization, Kernel Extension Initialization, Proxy Communication, Quota Exceeded, Minimal Content, Reboot Required, Missing Disc Access. | Optional |
| result | The result type. If not passed, returns all event reports. Possible values are: Success, Fail. | Optional |
| timestamp_gte | Return logs whose timestamp is after 'timestamp_gte'. Supported values: 1579039377301 (time in milliseconds), "3 days" (relative date), "2019-10-21T23:45:00" (date). | Optional |
| timestamp_lte | Return logs whose timestamp is before 'timestamp_lte'. Supported values: 1579039377301 (time in milliseconds), "3 days" (relative date), "2019-10-21T23:45:00" (date). | Optional |
| page | Page number (for pagination). Default is 0 (the first page). | Optional |
| limit | The maximum number of reports to return. The default and maximum is 30. Default is 30. | Optional |
| sort_by | The field by which to sort results. Possible values are: type, category, trapsversion, timestamp, domain. | Optional |
| sort_order | The sort order: asc (ascending) or desc (descending). Possible values are: asc, desc. Default is asc. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PaloAltoNetworksXDR.AuditAgentReports.ENDPOINTID | String | Endpoint ID. |
| PaloAltoNetworksXDR.AuditAgentReports.ENDPOINTNAME | String | Endpoint name. |
| PaloAltoNetworksXDR.AuditAgentReports.DOMAIN | String | Agent domain. |
| PaloAltoNetworksXDR.AuditAgentReports.TRAPSVERSION | String | Traps version. |
| PaloAltoNetworksXDR.AuditAgentReports.RECEIVEDTIME | Date | Received time in Epoch time. |
| PaloAltoNetworksXDR.AuditAgentReports.TIMESTAMP | Date | Timestamp in Epoch time. |
| PaloAltoNetworksXDR.AuditAgentReports.CATEGORY | String | Report category (e.g., Audit). |
| PaloAltoNetworksXDR.AuditAgentReports.TYPE | String | Report type (e.g., Action, Policy). |
| PaloAltoNetworksXDR.AuditAgentReports.SUBTYPE | String | Report subtype (e.g., Fully Protected, Policy Update, Cancel Isolation). |
| PaloAltoNetworksXDR.AuditAgentReports.RESULT | String | Report result. |
| PaloAltoNetworksXDR.AuditAgentReports.REASON | String | Report reason. |
| PaloAltoNetworksXDR.AuditAgentReports.DESCRIPTION | String | Agent report description. |
| Endpoint.ID | String | The unique ID within the tool retrieving the endpoint. |
| Endpoint.Hostname | String | The hostname that is mapped to this endpoint. |
| Endpoint.Domain | String | The domain of the endpoint. |

xdr-blocklist-files#


Block lists requested files which have not already been block listed or added to allow lists.

Base Command#

xdr-blocklist-files

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| incident_id | Links the response action to the triggered incident. | Optional |
| hash_list | String that represents a list of hashed files you want to block list. Each entry must be a valid SHA256 hash. | Required |
| comment | String that represents additional information regarding the action. | Optional |
| detailed_response | Choose either a regular response or a detailed response. Default value is false (regular response). Possible values are: true, false. Default is false. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PaloAltoNetworksXDR.blocklist.added_hashes | Number | File hashes added to the block list. |
| PaloAltoNetworksXDR.blocklist.excluded_hashes | Number | File hashes not added because they were already on the block list or an allow list. |

xdr-allowlist-files#


Adds requested files to allow list if they are not already on block list or allow list.

Base Command#

xdr-allowlist-files

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| incident_id | Links the response action to the triggered incident. | Optional |
| hash_list | String that represents a list of hashed files you want to add to allow lists. Each entry must be a valid SHA256 hash. | Required |
| comment | String that represents additional information regarding the action. | Optional |
| detailed_response | Choose either a regular response or a detailed response. Default value is false (regular response). Possible values are: true, false. Default is false. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PaloAltoNetworksXDR.allowlist.added_hashes | Number | File hashes added to the allow list. |
| PaloAltoNetworksXDR.allowlist.excluded_hashes | Number | File hashes not added because they were already on the block list or an allow list. |
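Validating a hash_list before calling xdr-blocklist-files or xdr-allowlist-files, and predicting the added/excluded split the two commands report, as an added example that is not the integration's own code. It applies the rules stated above (every entry is a SHA256 hash; a hash is only added when it is on neither list); the current list contents are passed in because the page does not describe how to read them, and the sample hashes are constructed.

```python
"""Validate and plan a hash_list for xdr-blocklist-files / xdr-allowlist-files.

Added example; the existing list contents are supplied by the caller and the
sample hashes below are constructed, not real file hashes.
"""
import re
from typing import Iterable, List, Set, Tuple

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def parse_hash_list(hash_list: str) -> List[str]:
    """Split the comma-separated argument, normalise case, drop duplicates.

    Raises ValueError naming every entry that is not a 64-hex-digit SHA256,
    so a bad playbook input fails before any response action is requested.
    """
    seen: Set[str] = set()
    valid: List[str] = []
    bad: List[str] = []
    for raw in hash_list.split(","):
        h = raw.strip().lower()
        if not h:
            continue                      # tolerate trailing/double commas
        if not SHA256_RE.match(h):
            bad.append(raw.strip())
        elif h not in seen:
            seen.add(h)
            valid.append(h)
    if bad:
        raise ValueError(f"not valid SHA256 hashes: {bad}")
    return valid


def plan_list_update(hash_list: str,
                     blocklist: Iterable[str],
                     allowlist: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Return (added, excluded): hashes that would be added versus skipped
    because they are already on either list (the same rule for both commands)."""
    existing = {h.lower() for h in blocklist} | {h.lower() for h in allowlist}
    added: List[str] = []
    excluded: List[str] = []
    for h in parse_hash_list(hash_list):
        (excluded if h in existing else added).append(h)
    return added, excluded


# Constructed sample values (not real file hashes).
H_NEW = "a" * 64
H_ON_BLOCKLIST = "b" * 64
H_ON_ALLOWLIST = "c" * 64

if __name__ == "__main__":
    request = f"{H_NEW},{H_ON_BLOCKLIST.upper()}, {H_ON_ALLOWLIST},{H_NEW}"
    print(plan_list_update(request, [H_ON_BLOCKLIST], [H_ON_ALLOWLIST]))
```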

xdr-file-quarantine#


Quarantines a file on selected endpoints. You can select up to 1000 endpoints.

Base Command#

xdr-file-quarantine

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| incident_id | Links the response action to the incident that triggered it. | Optional |
| endpoint_id_list | List of endpoint IDs. | Required |
| file_path | String that represents the path of the file you want to quarantine. | Required |
| file_hash | String that represents the file's hash. Must be a valid SHA256 hash. | Required |
| interval_in_seconds | Interval in seconds between each poll. | Optional |
| timeout_in_seconds | Polling timeout in seconds. | Optional |
| action_id | For polling use. | Optional |

Context Output#

There is no context output for this command.

xdr-get-quarantine-status#


Retrieves the quarantine status for a selected file.

Base Command#

xdr-get-quarantine-status

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| endpoint_id | String that represents the endpoint ID. | Required |
| file_hash | String that represents the file hash. Must be a valid SHA256 hash. | Required |
| file_path | String that represents the file path. | Required |

Context Output#

There is no context output for this command.

xdr-file-restore#


Restores a quarantined file on requested endpoints.

Base Command#

xdr-file-restore

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| incident_id | Links the response action to the incident that triggered it. | Optional |
| file_hash | String that represents the file hash. Must be a valid SHA256 hash. | Required |
| endpoint_id | String that represents the endpoint ID. If you do not enter a specific endpoint ID, the request will run restore on all endpoints which relate to the quarantined file you defined. | Optional |
| interval_in_seconds | Interval in seconds between each poll. | Optional |
| timeout_in_seconds | Polling timeout in seconds. | Optional |
| action_id | For polling use. | Optional |

Context Output#

There is no context output for this command.

xdr-endpoint-scan-execute#


Runs a scan on a selected endpoint. To scan all endpoints, run this command with argument all=true. Do note that scanning all the endpoints may cause performance issues and latency.

Base Command#

xdr-endpoint-scan-execute

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| incident_id | Links the response action to the incident that triggered it. | Optional |
| endpoint_id_list | List of endpoint IDs. | Optional |
| dist_name | Name of the distribution list. | Optional |
| gte_first_seen | Epoch timestamp in milliseconds. | Optional |
| gte_last_seen | Epoch timestamp in milliseconds. | Optional |
| lte_first_seen | Epoch timestamp in milliseconds. | Optional |
| lte_last_seen | Epoch timestamp in milliseconds. | Optional |
| ip_list | List of IP addresses. | Optional |
| group_name | Name of the endpoint group. | Optional |
| platform | Type of operating system. Possible values are: windows, linux, macos, android. | Optional |
| alias | Endpoint alias name. | Optional |
| isolate | Whether an endpoint has been isolated. Possible values are: isolated, unisolated. | Optional |
| hostname | Name of the host. | Optional |
| all | Whether to scan all of the endpoints. Scanning all of the endpoints may cause performance issues and latency. Possible values are: true, false. Default is false. | Optional |
| action_id | For polling use. | Optional |
| interval_in_seconds | Interval in seconds between each poll. | Optional |
| timeout_in_seconds | Polling timeout in seconds. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PaloAltoNetworksXDR.endpointScan.actionId | Number | The action ID of the scan request. |
| PaloAltoNetworksXDR.endpointScan.aborted | Boolean | Whether the scan was aborted. |

xdr-endpoint-scan-abort#


Cancels the scan of selected endpoints. A scan can only be aborted if the selected endpoints are Pending or In Progress. To abort the scan on all endpoints, run the command with the argument all=true. Note that targeting all of the endpoints may cause performance issues and latency.

Base Command#

xdr-endpoint-scan-abort

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| incident_id | Links the response action to the incident that triggered it. | Optional |
| endpoint_id_list | List of endpoint IDs. | Optional |
| dist_name | Name of the distribution list. | Optional |
| gte_first_seen | Epoch timestamp in milliseconds. | Optional |
| gte_last_seen | Epoch timestamp in milliseconds. | Optional |
| lte_first_seen | Epoch timestamp in milliseconds. | Optional |
| lte_last_seen | Epoch timestamp in milliseconds. | Optional |
| ip_list | List of IP addresses. | Optional |
| group_name | Name of the endpoint group. | Optional |
| platform | Type of operating system. Possible values are: windows, linux, macos, android. | Optional |
| alias | Endpoint alias name. | Optional |
| isolate | Whether an endpoint has been isolated. Possible values are: isolated, unisolated. | Optional |
| hostname | Name of the host. | Optional |
| all | Whether to apply the abort to all of the endpoints. Note that targeting all of the endpoints may cause performance issues and latency. Possible values are: true, false. Default is false. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PaloAltoNetworksXDR.endpointScan.actionId | Unknown | The action ID of the abort scan request. |
| PaloAltoNetworksXDR.endpointScan.aborted | Boolean | Whether the scan was aborted. |

get-mapping-fields#


Get mapping fields from remote incident. Please note that this method will not update the current incident, it's here for debugging purposes.

Base Command#

get-mapping-fields

Input#

There are no input arguments for this command.

Context Output#

There is no context output for this command.

get-remote-data#


Get remote data from a remote incident. Please note that this method will not update the current incident, it's here for debugging purposes.

Base Command#

get-remote-data

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| id | The remote incident ID. | Required |
| lastUpdate | UTC timestamp in seconds. The incident is only updated if it was modified after the last update time. Default is 0. | Optional |

Context Output#

There is no context output for this command.

get-modified-remote-data#


Get the list of incidents that were modified since the last update. Please note that this method is here for debugging purposes. get-modified-remote-data is used as part of a Mirroring feature, which is available since version 6.1.

Base Command#

get-modified-remote-data

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| lastUpdate | Date string representing the local time. The incident is only returned if it was modified after the last update time. | Optional |

Context Output#

There is no context output for this command.

xdr-get-policy#


Gets the policy name for a specific endpoint.

Base Command#

xdr-get-policy

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| endpoint_id | The endpoint ID. Can be retrieved by running the xdr-get-endpoints command. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PaloAltoNetworksXDR.Policy | string | The policy allocated to the endpoint. |
| PaloAltoNetworksXDR.Policy.policy_name | string | Name of the policy allocated to the endpoint. |
| PaloAltoNetworksXDR.Policy.endpoint_id | string | Endpoint ID. |

xdr-get-scripts#


Gets a list of scripts available in the scripts library.

Base Command#

xdr-get-scripts

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| script_name | A comma-separated list of the script names. | Optional |
| description | A comma-separated list of the script descriptions. | Optional |
| created_by | A comma-separated list of the users who created the script. | Optional |
| limit | The maximum number of scripts returned to the War Room. Default is 50. | Optional |
| offset | (Int) Offset in the data set. Default is 0. | Optional |
| windows_supported | Whether the script can be executed on a Windows operating system. Possible values are: true, false. | Optional |
| linux_supported | Whether the script can be executed on a Linux operating system. Possible values are: true, false. | Optional |
| macos_supported | Whether the script can be executed on a Mac operating system. Possible values are: true, false. | Optional |
| is_high_risk | Whether the script has a high-risk outcome. Possible values are: true, false. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PaloAltoNetworksXDR.Scripts | Unknown | The scripts command results. |
| PaloAltoNetworksXDR.Scripts.script_id | Unknown | Script ID. |
| PaloAltoNetworksXDR.Scripts.name | string | Name of the script. |
| PaloAltoNetworksXDR.Scripts.description | string | Description of the script. |
| PaloAltoNetworksXDR.Scripts.modification_date | Unknown | Timestamp of when the script was last modified. |
| PaloAltoNetworksXDR.Scripts.created_by | string | Name of the user who created the script. |
| PaloAltoNetworksXDR.Scripts.windows_supported | boolean | Whether the script can be executed on a Windows operating system. |
| PaloAltoNetworksXDR.Scripts.linux_supported | boolean | Whether the script can be executed on a Linux operating system. |
| PaloAltoNetworksXDR.Scripts.macos_supported | boolean | Whether the script can be executed on a Mac operating system. |
| PaloAltoNetworksXDR.Scripts.is_high_risk | boolean | Whether the script has a high-risk outcome. |
| PaloAltoNetworksXDR.Scripts.script_uid | string | Globally unique identifier of the script, used to identify the script when executing. |

xdr-delete-endpoints#


Deletes selected endpoints in the Cortex XDR app. You can delete up to 1000 endpoints.

Base Command#

xdr-delete-endpoints

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| endpoint_ids | Comma-separated list of endpoint IDs. You can retrieve the endpoint IDs from the xdr-get-endpoints command. | Required |

Context Output#

There is no context output for this command.

xdr-get-endpoint-device-control-violations#


Gets a list of device control violations filtered by selected fields. You can retrieve up to 100 violations.

Base Command#

xdr-get-endpoint-device-control-violations

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| endpoint_ids | Comma-separated list of endpoint IDs. You can retrieve the endpoint IDs from the xdr-get-endpoints command. | Optional |
| type | Type of violation. Possible values are: cd-rom, disk drive, floppy disk, portable device. | Optional |
| timestamp_gte | Timestamp of the violation. Violations that are greater than or equal to this timestamp will be returned. Values can be in ISO date format, relative time, or an epoch timestamp. For example: "2019-10-21T23:45:00" (ISO date format), "3 days ago" (relative time), 1579039377301 (epoch time). | Optional |
| timestamp_lte | Timestamp of the violation. Violations that are less than or equal to this timestamp will be returned. Values can be in ISO date format, relative time, or an epoch timestamp. For example: "2019-10-21T23:45:00" (ISO date format), "3 days ago" (relative time), 1579039377301 (epoch time). | Optional |
| ip_list | Comma-separated list of IP addresses. | Optional |
| vendor | Name of the vendor. | Optional |
| vendor_id | Vendor ID. | Optional |
| product | Name of the product. | Optional |
| product_id | Product ID. | Optional |
| serial | Serial number. | Optional |
| hostname | Hostname. | Optional |
| violation_id_list | Comma-separated list of violation IDs. | Optional |
| username | Username. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PaloAltoNetworksXDR.EndpointViolations | Unknown | Endpoint violations command results. |
| PaloAltoNetworksXDR.EndpointViolations.violations | Unknown | A list of violations. |
| PaloAltoNetworksXDR.EndpointViolations.violations.os_type | string | Type of the operating system. |
| PaloAltoNetworksXDR.EndpointViolations.violations.hostname | string | Hostname of the violation. |
| PaloAltoNetworksXDR.EndpointViolations.violations.username | string | Username of the violation. |
| PaloAltoNetworksXDR.EndpointViolations.violations.ip | string | IP address of the violation. |
| PaloAltoNetworksXDR.EndpointViolations.violations.timestamp | number | Timestamp of the violation. |
| PaloAltoNetworksXDR.EndpointViolations.violations.violation_id | number | Violation ID. |
| PaloAltoNetworksXDR.EndpointViolations.violations.type | string | Type of violation. |
| PaloAltoNetworksXDR.EndpointViolations.violations.vendor_id | string | Vendor ID of the violation. |
| PaloAltoNetworksXDR.EndpointViolations.violations.vendor | string | Name of the vendor of the violation. |
| PaloAltoNetworksXDR.EndpointViolations.violations.product_id | string | Product ID of the violation. |
| PaloAltoNetworksXDR.EndpointViolations.violations.product | string | Name of the product of the violation. |
| PaloAltoNetworksXDR.EndpointViolations.violations.serial | string | Serial number of the violation. |
| PaloAltoNetworksXDR.EndpointViolations.violations.endpoint_id | string | Endpoint ID of the violation. |

xdr-file-retrieve#


Retrieves files from selected endpoints. You can retrieve up to 20 files, from no more than 10 endpoints. At least one endpoint ID and one file path are necessary in order to run the command. After running this command, you can use the xdr-action-status-get command with the returned action_id to check the action status.

Base Command#

xdr-file-retrieve

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| incident_id | Links the response action to the incident that triggered it. | Optional |
| endpoint_ids | Comma-separated list of endpoint IDs. | Required |
| windows_file_paths | A comma-separated list of file paths on the Windows platform. | Optional |
| linux_file_paths | A comma-separated list of file paths on the Linux platform. | Optional |
| mac_file_paths | A comma-separated list of file paths on the Mac platform. | Optional |
| generic_file_path | A comma-separated list of file paths on any platform. Can be used instead of the mac/windows/linux file paths. The order of the file path list must be parallel to the order of the endpoint list: the first file path in the list relates to the first endpoint, and so on. | Optional |
| interval_in_seconds | Interval in seconds between each poll. | Optional |
| timeout_in_seconds | Polling timeout in seconds. | Optional |
| action_id | For polling use. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PaloAltoNetworksXDR.RetrievedFiles.action_id | string | ID of the action to retrieve files from selected endpoints. |
| PaloAltoNetworksXDR.RetrievedFiles.endpoint_id | string | Endpoint ID. Added only when the operation is successful. |
| PaloAltoNetworksXDR.RetrievedFiles.file_link | string | Link to the file. Added only when the operation is successful. |
| PaloAltoNetworksXDR.RetrievedFiles.status | string | The action status. Added only when the operation is unsuccessful. |

xdr-retrieve-file-details#


View the file retrieved by the xdr-file-retrieve command according to the action ID. Before running this command, you can use the xdr-action-status-get command to check that the action completed successfully.

Base Command#

xdr-retrieve-file-details

Input#

Argument NameDescriptionRequired
action_id Action ID returned by the xdr-file-retrieve command. Required

Context Output#

PathTypeDescription
File Unknown The file details command results.
File.Name String The full file name (including the file extension).
File.EntryID String The ID for locating the file in the War Room.
File.Size Number The size of the file in bytes.
File.MD5 String The MD5 hash of the file.
File.SHA1 String The SHA1 hash of the file.
File.SHA256 String The SHA256 hash of the file.
File.SHA512 String The SHA512 hash of the file.
File.Extension String The file extension. For example: "xls".
File.Type String The file type, as determined by libmagic (same as displayed in file entries).

xdr-get-script-metadata#


Gets the full definition of a specific script in the scripts library.

Base Command#

xdr-get-script-metadata

Input#

Argument NameDescriptionRequired
script_uid Unique identifier of the script, returned by the xdr-get-scripts command. Required

Context Output#

PathTypeDescription
PaloAltoNetworksXDR.ScriptMetadata Unknown The script metadata command results.
PaloAltoNetworksXDR.ScriptMetadata.script_id number Script ID.
PaloAltoNetworksXDR.ScriptMetadata.name string Script name.
PaloAltoNetworksXDR.ScriptMetadata.description string Script description.
PaloAltoNetworksXDR.ScriptMetadata.modification_date unknown Timestamp of when the script was last modified.
PaloAltoNetworksXDR.ScriptMetadata.created_by string Name of the user who created the script.
PaloAltoNetworksXDR.ScriptMetadata.is_high_risk boolean Whether the script has a high-risk outcome.
PaloAltoNetworksXDR.ScriptMetadata.windows_supported boolean Whether the script can be executed on a Windows operating system.
PaloAltoNetworksXDR.ScriptMetadata.linux_supported boolean Whether the script can be executed on a Linux operating system.
PaloAltoNetworksXDR.ScriptMetadata.macos_supported boolean Whether the script can be executed on a Mac operating system.
PaloAltoNetworksXDR.ScriptMetadata.entry_point string Name of the entry point selected for the script. An empty string indicates the script is defined as "just run".
PaloAltoNetworksXDR.ScriptMetadata.script_input string Name and type for the specified entry point.
PaloAltoNetworksXDR.ScriptMetadata.script_output_type string Type of the output.
PaloAltoNetworksXDR.ScriptMetadata.script_output_dictionary_definitions Unknown If the script_output_type is a dictionary, an array with friendly name, name, and type for each output.

xdr-get-script-code#


Gets the code of a specific script in the script library.

Base Command#

xdr-get-script-code

Input#

Argument NameDescriptionRequired
script_uid Unique identifier of the script, returned by the xdr-get-scripts command. Required

Context Output#

PathTypeDescription
PaloAltoNetworksXDR.ScriptCode Unknown The script code command results.
PaloAltoNetworksXDR.ScriptCode.code string The code of a specific script in the script library.
PaloAltoNetworksXDR.ScriptCode.script_uid string Unique identifier of the script.

xdr-action-status-get#


Retrieves the status of the requested actions according to the action ID.

Base Command#

xdr-action-status-get

Input#

Argument NameDescriptionRequired
action_id The action ID of the selected request. After performing an action, you will receive an action ID. Required

Context Output#

PathTypeDescription
PaloAltoNetworksXDR.GetActionStatus Unknown The action status command results.
PaloAltoNetworksXDR.GetActionStatus.endpoint_id string Endpoint ID.
PaloAltoNetworksXDR.GetActionStatus.status string The status of the specific endpoint ID.
PaloAltoNetworksXDR.GetActionStatus.action_id number The specified action ID.

xdr-run-script#


Initiates a new endpoint script execution action using a script from the script library.

Base Command#

xdr-run-script

Input#

Argument NameDescriptionRequired
incident_id Allows to link the response action to the incident that triggered it. Optional
endpoint_ids Comma-separated list of endpoint IDs. Can be retrieved by running the xdr-get-endpoints command. Required
script_uid Unique identifier of the script. Can be retrieved by running the xdr-get-scripts command. Required
parameters Dictionary contains the parameter name as key and its value for this execution as the value. For example, {"param1":"param1_value","param2":"param2_value"}. Optional
timeout The timeout in seconds for this execution. Default is 600. Optional

Context Output#

PathTypeDescription
PaloAltoNetworksXDR.ScriptRun.action_id Number ID of the action initiated.
PaloAltoNetworksXDR.ScriptRun.endpoints_count Number Number of endpoints the action was initiated on.

xdr-snippet-code-script-execute#


Initiates a new endpoint script execution action using the provided snippet code.

Base Command#

xdr-snippet-code-script-execute

Input#

Argument NameDescriptionRequired
incident_id Allows to link the response action to the incident that triggered it. Optional
endpoint_ids Comma-separated list of endpoint IDs. Can be retrieved by running the xdr-get-endpoints command. Required
snippet_code Section of a script you want to initiate on an endpoint (e.g., print("7")). Required
interval_in_seconds Interval in seconds between each poll. Optional
timeout_in_seconds Polling timeout in seconds. Optional
action_id For polling use. Optional

Context Output#

PathTypeDescription
PaloAltoNetworksXDR.ScriptRun.action_id Number ID of the action initiated.
PaloAltoNetworksXDR.ScriptRun.endpoints_count Number Number of endpoints the action was initiated on.

xdr-get-script-execution-status#


Retrieves the status of a script execution action.

Base Command#

xdr-get-script-execution-status

Input#

Argument NameDescriptionRequired
action_id Action ID returned by the xdr-run-script command. Required

Context Output#

PathTypeDescription
PaloAltoNetworksXDR.ScriptStatus.general_status String General status of the action, considering the status of all the endpoints.
PaloAltoNetworksXDR.ScriptStatus.error_message String Error message, returned when the caller lacks permission to run the API or the action does not exist.
PaloAltoNetworksXDR.ScriptStatus.endpoints_timeout Number Number of endpoints in "timeout" status.
PaloAltoNetworksXDR.ScriptStatus.action_id Number ID of the action initiated.
PaloAltoNetworksXDR.ScriptStatus.endpoints_pending_abort Number Number of endpoints in "pending abort" status.
PaloAltoNetworksXDR.ScriptStatus.endpoints_pending Number Number of endpoints in "pending" status.
PaloAltoNetworksXDR.ScriptStatus.endpoints_in_progress Number Number of endpoints in "in progress" status.
PaloAltoNetworksXDR.ScriptStatus.endpoints_failed Number Number of endpoints in "failed" status.
PaloAltoNetworksXDR.ScriptStatus.endpoints_expired Number Number of endpoints in "expired" status.
PaloAltoNetworksXDR.ScriptStatus.endpoints_completed_successfully Number Number of endpoints in "completed successfully" status.
PaloAltoNetworksXDR.ScriptStatus.endpoints_canceled Number Number of endpoints in "canceled" status.
PaloAltoNetworksXDR.ScriptStatus.endpoints_aborted Number Number of endpoints in "aborted" status.

xdr-get-script-execution-results#


Retrieve the results of a script execution action.

Base Command#

xdr-get-script-execution-results

Input#

Argument NameDescriptionRequired
action_id Action ID returned by the xdr-run-script command. Required

Context Output#

PathTypeDescription
PaloAltoNetworksXDR.ScriptResult.action_id Number ID of the action initiated.
PaloAltoNetworksXDR.ScriptResult.results.retrieved_files Number Number of successfully retrieved files.
PaloAltoNetworksXDR.ScriptResult.results.endpoint_ip_address String Endpoint IP address.
PaloAltoNetworksXDR.ScriptResult.results.endpoint_name String Endpoint name.
PaloAltoNetworksXDR.ScriptResult.results.failed_files Number Number of files failed to retrieve.
PaloAltoNetworksXDR.ScriptResult.results.endpoint_status String Endpoint status.
PaloAltoNetworksXDR.ScriptResult.results.domain String Domain to which the endpoint belongs.
PaloAltoNetworksXDR.ScriptResult.results.endpoint_id String Endpoint ID.
PaloAltoNetworksXDR.ScriptResult.results.execution_status String Execution status of this endpoint.
PaloAltoNetworksXDR.ScriptResult.results.return_value String Value returned by the script in case the type is not a dictionary.
PaloAltoNetworksXDR.ScriptResult.results.standard_output String The STDOUT and the STDERR logged by the script during the execution.
PaloAltoNetworksXDR.ScriptResult.results.retention_date Date Timestamp in which the retrieved files will be deleted from the server.
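The two response-action lifecycles documented above (xdr-file-retrieve, polled through xdr-action-status-get and read back with xdr-retrieve-file-details; and xdr-run-script, polled through xdr-get-script-execution-status and read back with xdr-get-script-execution-results) driven to completion from an XSOAR automation, as an added example that is not part of the integration's code. It assumes a `run` callable standing in for demisto.executeCommand that returns a command's context output keyed by the context paths on this page, an assumed spelling of the status strings the page names (PENDING, IN_PROGRESS, PENDING_ABORT, COMPLETED_SUCCESSFULLY, FAILED, ...), and a constructed FakeXDR with canned responses so it runs offline:

```python
"""Drive Cortex XDR response actions to completion from an XSOAR automation.

Added example, not code from the integration. Assumed: ``run`` stands in for
demisto.executeCommand and returns context output keyed by context path; the
status spellings in IN_FLIGHT / COMPLETED_SUCCESSFULLY; FakeXDR is constructed.
"""
import json
import time
from typing import Callable, Dict, List

Run = Callable[[str, Dict], Dict]
IN_FLIGHT = {"PENDING", "IN_PROGRESS", "PENDING_ABORT"}  # assumed spelling of the page's statuses
MAX_ENDPOINTS, MAX_FILES = 10, 20  # limits the page states for xdr-file-retrieve


def poll(settled: Callable[[], bool], interval: float, max_polls: int, what: str) -> None:
    """Re-check ``settled`` until it is True; give up after ``max_polls`` attempts."""
    for _ in range(max_polls):
        if settled():
            return
        time.sleep(interval)
    raise TimeoutError(f"{what} still in flight after {max_polls} polls")


def retrieve_files(run: Run, endpoint_ids: List[str], windows_file_paths: List[str],
                   incident_id: str = "", interval: float = 0.0, max_polls: int = 30) -> Dict:
    """xdr-file-retrieve, then xdr-action-status-get until no endpoint is in flight,
    then xdr-retrieve-file-details. Per-endpoint failure is reported, not raised."""
    if len(endpoint_ids) > MAX_ENDPOINTS or len(windows_file_paths) > MAX_FILES:
        raise ValueError("xdr-file-retrieve accepts at most 20 files from at most 10 endpoints")
    args = {"endpoint_ids": ",".join(endpoint_ids), "windows_file_paths": ",".join(windows_file_paths)}
    if incident_id:
        args["incident_id"] = incident_id  # link the action to the triggering incident
    started = run("xdr-file-retrieve", args)["PaloAltoNetworksXDR.RetrievedFiles"]
    action_id = started[0]["action_id"]  # one action covers every endpoint
    statuses: Dict[str, str] = {}

    def settled() -> bool:
        rows = run("xdr-action-status-get", {"action_id": action_id})["PaloAltoNetworksXDR.GetActionStatus"]
        statuses.clear()
        statuses.update({r["endpoint_id"]: r["status"] for r in rows})
        return bool(statuses) and IN_FLIGHT.isdisjoint(statuses.values())

    poll(settled, interval, max_polls, f"file retrieval action {action_id}")
    files: List[Dict] = []
    if "COMPLETED_SUCCESSFULLY" in statuses.values():  # File entries exist only for successes
        files = run("xdr-retrieve-file-details", {"action_id": action_id}).get("File", [])
    return {"action_id": action_id, "statuses": statuses, "files": files}


def script_settled(status: Dict) -> bool:
    """Final once no endpoint is pending, in progress or pending abort (the page's counters)."""
    return status["endpoints_pending"] + status["endpoints_in_progress"] + status["endpoints_pending_abort"] == 0


def run_script(run: Run, endpoint_ids: List[str], script_uid: str, parameters: Dict = None,
               interval: float = 0.0, max_polls: int = 30) -> Dict:
    """xdr-run-script, then xdr-get-script-execution-status until settled, then
    xdr-get-script-execution-results; lists the endpoints whose execution did not succeed."""
    args = {"endpoint_ids": ",".join(endpoint_ids), "script_uid": script_uid}
    if parameters:
        args["parameters"] = json.dumps(parameters)  # {"param1": "param1_value", ...} as on the page
    action_id = run("xdr-run-script", args)["PaloAltoNetworksXDR.ScriptRun"]["action_id"]
    poll(lambda: script_settled(run("xdr-get-script-execution-status", {"action_id": action_id})
                                ["PaloAltoNetworksXDR.ScriptStatus"]), interval, max_polls, f"script action {action_id}")
    results = run("xdr-get-script-execution-results", {"action_id": action_id})["PaloAltoNetworksXDR.ScriptResult"]["results"]
    failed = [r["endpoint_id"] for r in results if r["execution_status"] != "COMPLETED_SUCCESSFULLY"]
    return {"action_id": action_id, "results": results, "failed_endpoints": failed}


class FakeXDR:
    """Constructed stand-in for demisto.executeCommand: one endpoint fails, the other
    needs two polls to finish. IDs and the hash are placeholders, not real data."""

    def __init__(self) -> None:
        self.polls = 0

    def __call__(self, command: str, args: Dict) -> Dict:
        if command == "xdr-file-retrieve":
            return {"PaloAltoNetworksXDR.RetrievedFiles": [
                {"action_id": "1001", "endpoint_id": e} for e in args["endpoint_ids"].split(",")]}
        if command == "xdr-action-status-get":
            self.polls += 1
            second = "COMPLETED_SUCCESSFULLY" if self.polls >= 2 else "IN_PROGRESS"
            return {"PaloAltoNetworksXDR.GetActionStatus": [
                {"endpoint_id": "ep-1", "status": "FAILED", "action_id": 1001},
                {"endpoint_id": "ep-2", "status": second, "action_id": 1001}]}
        if command == "xdr-retrieve-file-details":
            return {"File": [{"Name": "hosts", "EntryID": "42@7", "Size": 824, "SHA256": "0" * 64}]}
        if command == "xdr-run-script":
            return {"PaloAltoNetworksXDR.ScriptRun": {"action_id": 2002, "endpoints_count": 2}}
        if command == "xdr-get-script-execution-status":
            self.polls += 1
            return {"PaloAltoNetworksXDR.ScriptStatus": {"action_id": 2002, "endpoints_in_progress": 0,
                    "endpoints_pending_abort": 0, "endpoints_pending": 0 if self.polls >= 2 else 1}}
        if command == "xdr-get-script-execution-results":
            return {"PaloAltoNetworksXDR.ScriptResult": {"action_id": 2002, "results": [
                {"endpoint_id": "ep-1", "execution_status": "COMPLETED_SUCCESSFULLY", "return_value": "0"},
                {"endpoint_id": "ep-2", "execution_status": "FAILED", "return_value": ""}]}}
        raise ValueError(f"unexpected command {command}")
```

In a real automation, pass a thin wrapper around demisto.executeCommand that flattens the returned entries' EntryContext into the dict shape used here. The cap check mirrors the 20-file/10-endpoint limit stated for xdr-file-retrieve, and partial failure surfaces in `statuses` and `failed_endpoints` rather than as an exception, so a playbook can branch per endpoint instead of treating one unreachable host as a failed action.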

xdr-get-script-execution-result-files#


Gets the files retrieved from a specific endpoint during a script execution.

Base Command#

xdr-get-script-execution-result-files

Input#

Argument NameDescriptionRequired
action_id Action ID retrieved from the xdr-run-script command. Required
endpoint_id Endpoint ID. Can be retrieved by running the xdr-get-endpoints command. Required

Context Output#

PathTypeDescription
File.Size String The size of the file.
File.SHA1 String The SHA1 hash of the file.
File.SHA256 String The SHA256 hash of the file.
File.SHA512 String The SHA512 hash of the file.
File.Name String The name of the file.
File.SSDeep String The SSDeep hash of the file.
File.EntryID String EntryID of the file
File.Info String Information about the file.
File.Type String The file type.
File.MD5 String The MD5 hash of the file.
File.Extension String The extension of the file.

xdr-script-commands-execute#


Initiate a new endpoint script execution of shell commands.

Base Command#

xdr-script-commands-execute

Input#

Argument NameDescriptionRequired
incident_id Allows to link the response action to the incident that triggered it. Optional
endpoint_ids Comma-separated list of endpoint IDs. Can be retrieved by running the xdr-get-endpoints command. Required
commands Comma-separated list of shell commands to execute. Required
timeout The timeout in seconds for this execution. Default is 600. Optional
interval_in_seconds Interval in seconds between each poll. Optional
timeout_in_seconds Polling timeout in seconds. Optional
action_id For polling use. Optional

Context Output#

PathTypeDescription
PaloAltoNetworksXDR.ScriptRun.action_id Number ID of the action initiated.
PaloAltoNetworksXDR.ScriptRun.endpoints_count Number Number of endpoints the action was initiated on.

xdr-file-delete-script-execute#


Initiates a new endpoint script execution to delete the specified file.

Base Command#

xdr-file-delete-script-execute

Input#

Argument NameDescriptionRequired
incident_id Allows to link the response action to the incident that triggered it. Optional
endpoint_ids Comma-separated list of endpoint IDs. Can be retrieved by running the xdr-get-endpoints command. Required
file_path Paths of the files to delete, in a comma-separated list. All of the given file paths will be deleted on all of the endpoints. Required
timeout The timeout in seconds for this execution. Default is 600. Optional
interval_in_seconds Interval in seconds between each poll. Optional
timeout_in_seconds Polling timeout in seconds. Optional
action_id For polling use. Optional

Context Output#

PathTypeDescription
PaloAltoNetworksXDR.ScriptRun.action_id Number ID of the action initiated.
PaloAltoNetworksXDR.ScriptRun.endpoints_count Number Number of endpoints the action was initiated on.

xdr-file-exist-script-execute#


Initiates a new endpoint script execution to check if file exists.

Base Command#

xdr-file-exist-script-execute

Input#

Argument NameDescriptionRequired
incident_id Allows to link the response action to the incident that triggered it. Optional
endpoint_ids Comma-separated list of endpoint IDs. Can be retrieved by running the xdr-get-endpoints command. Required
file_path Paths of the files to check for existence, in a comma-separated list. All of the given file paths will run on all of the endpoints. Required
timeout The timeout in seconds for this execution. Default is 600. Optional
interval_in_seconds Interval in seconds between each poll. Optional
timeout_in_seconds Polling timeout in seconds. Optional
action_id For polling use. Optional

Context Output#

PathTypeDescription
PaloAltoNetworksXDR.ScriptRun.action_id Number ID of the action initiated.
PaloAltoNetworksXDR.ScriptRun.endpoints_count Number Number of endpoints the action was initiated on.

xdr-kill-process-script-execute#


Initiates a new endpoint script execution that kills the specified processes.

Base Command#

xdr-kill-process-script-execute

Input#

Argument NameDescriptionRequired
incident_id Allows to link the response action to the incident that triggered it. Optional
endpoint_ids Comma-separated list of endpoint IDs. Can be retrieved by running the xdr-get-endpoints command. Required
process_name Names of processes to kill. Will kill all of the given processes on all of the endpoints. Required
timeout The timeout in seconds for this execution. Default is 600. Optional
interval_in_seconds Interval in seconds between each poll. Optional
timeout_in_seconds Polling timeout in seconds. Optional
action_id For polling use. Optional

Context Output#

PathTypeDescription
PaloAltoNetworksXDR.ScriptRun.action_id Number ID of the action initiated.
PaloAltoNetworksXDR.ScriptRun.endpoints_count Number Number of endpoints the action was initiated on.

endpoint#


Returns information about an endpoint.

Base Command#

endpoint

Input#

Argument NameDescriptionRequired
id The endpoint ID. Optional
ip The endpoint IP address. Optional
hostname The endpoint hostname. Optional

Context Output#

PathTypeDescription
Endpoint.Hostname String The endpoint's hostname.
Endpoint.OS String The endpoint's operating system.
Endpoint.IPAddress String The endpoint's IP address.
Endpoint.ID String The endpoint's ID.
Endpoint.Status String The endpoint's status.
Endpoint.IsIsolated String The endpoint's isolation status.
Endpoint.MACAddress String The endpoint's MAC address.
Endpoint.Vendor String The integration name of the endpoint vendor.

xdr-get-endpoints-by-status#


Returns the number of endpoints in the given status (connected, disconnected, lost or uninstalled).

Base Command#

xdr-get-endpoints-by-status

Input#

Argument NameDescriptionRequired
status The status of the endpoint to filter. Possible values are: connected, disconnected, lost, uninstalled. Required
last_seen_gte All the agents that were last seen at or after {last_seen_gte}. Supported values: 1579039377301 (time in milliseconds), "3 days" (relative date), "2019-10-21T23:45:00" (date). Optional
last_seen_lte All the agents that were last seen at or before {last_seen_lte}. Supported values: 1579039377301 (time in milliseconds), "3 days" (relative date), "2019-10-21T23:45:00" (date). Optional

Context Output#

PathTypeDescription
PaloAltoNetworksXDR.EndpointsStatus.status String The endpoint's status.
PaloAltoNetworksXDR.EndpointsStatus.count Number The number of endpoints with this status.
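Normalising the three last_seen formats listed above (epoch milliseconds, a relative age such as "3 days", an ISO date such as "2019-10-21T23:45:00") to the millisecond form and sanity-checking the resulting window, as an added example that is not the integration's own argument parsing. Treating a date with no timezone as UTC and accepting minutes, hours and weeks as relative units are assumptions; the `now_ms` parameter exists so the conversion is reproducible offline:

```python
"""Normalise xdr-get-endpoints-by-status last_seen_* arguments to epoch milliseconds.

Added example, not the integration's code. Assumed: naive ISO dates are UTC;
relative ages may use minutes/hours/days/weeks; "ago" is optional.
"""
import re
import time
from datetime import datetime, timezone
from typing import Dict, Optional

_RELATIVE = re.compile(r"^(\d+)\s*(minute|hour|day|week)s?(\s+ago)?$", re.IGNORECASE)
_SECONDS = {"minute": 60, "hour": 3600, "day": 86_400, "week": 604_800}
_STATUSES = {"connected", "disconnected", "lost", "uninstalled"}  # values listed on this page


def to_epoch_ms(value: str, now_ms: Optional[int] = None) -> int:
    """Accept '1579039377301', '3 days' or '2019-10-21T23:45:00' and return epoch milliseconds."""
    v = value.strip()
    if v.isdigit():  # already epoch milliseconds
        return int(v)
    m = _RELATIVE.match(v)
    if m:  # relative age, counted back from now (or from the injected now_ms)
        now_ms = now_ms if now_ms is not None else int(time.time() * 1000)
        return now_ms - int(m.group(1)) * _SECONDS[m.group(2).lower()] * 1000
    dt = datetime.fromisoformat(v.replace("Z", "+00:00"))  # ISO date, trailing Z tolerated
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)  # assumption: a date without a zone is UTC
    return int(dt.timestamp() * 1000)


def endpoints_by_status_args(status: str, last_seen_gte: Optional[str] = None,
                             last_seen_lte: Optional[str] = None, now_ms: Optional[int] = None) -> Dict:
    """Build the argument dict for xdr-get-endpoints-by-status, rejecting an empty window."""
    if status not in _STATUSES:
        raise ValueError(f"status must be one of {sorted(_STATUSES)}")
    args: Dict = {"status": status}
    if last_seen_gte is not None:
        args["last_seen_gte"] = to_epoch_ms(last_seen_gte, now_ms)
    if last_seen_lte is not None:
        args["last_seen_lte"] = to_epoch_ms(last_seen_lte, now_ms)
    if "last_seen_gte" in args and "last_seen_lte" in args and args["last_seen_gte"] > args["last_seen_lte"]:
        raise ValueError("last_seen_gte is later than last_seen_lte; the window matches no agent")
    return args
```

The gte/lte check catches the easy mistake of swapping the two bounds (for example asking for agents last seen between "3 days" and "7 days" ago in the wrong order), which the API would answer with an empty count rather than an error.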

xdr-get-cloud-original-alerts#


Returns information about each alert ID.

Base Command#

xdr-get-cloud-original-alerts

Input#

Argument NameDescriptionRequired
alert_ids A comma-separated list of alert IDs. Required

Context Output#

PathTypeDescription
PaloAltoNetworksXDR.OriginalAlert.event._time String The timestamp of the occurrence of the event.
PaloAltoNetworksXDR.OriginalAlert.event.vendor String Vendor name.
PaloAltoNetworksXDR.OriginalAlert.event.event_timestamp Number Event timestamp.
PaloAltoNetworksXDR.OriginalAlert.event.event_type Number Event type (static 500).
PaloAltoNetworksXDR.OriginalAlert.event.cloud_provider String The cloud provider - GCP, AZURE, or AWS.
PaloAltoNetworksXDR.OriginalAlert.event.project String The project in which the event occurred.
PaloAltoNetworksXDR.OriginalAlert.event.cloud_provider_event_id String The ID given to the event by the cloud provider, if the ID exists.
PaloAltoNetworksXDR.OriginalAlert.event.cloud_correlation_id String The ID the cloud provider is using to aggregate events that are part of the same general event.
PaloAltoNetworksXDR.OriginalAlert.event.operation_name_orig String The name of the operation that occurred, as supplied by the cloud provider.
PaloAltoNetworksXDR.OriginalAlert.event.operation_name String The normalized name of the operation performed by the event.
PaloAltoNetworksXDR.OriginalAlert.event.identity_orig String Contains the original identity related fields as provided by the cloud provider.
PaloAltoNetworksXDR.OriginalAlert.event.identity_name String The name of the identity that initiated the action.
PaloAltoNetworksXDR.OriginalAlert.event.identity_uuid String Same as identity_name but also contains the UUID of the identity if it exists.
PaloAltoNetworksXDR.OriginalAlert.event.identity_type String An enum representing the type of the identity.
PaloAltoNetworksXDR.OriginalAlert.event.identity_sub_type String An enum representing the sub-type of the identity, respective to its identity_type.
PaloAltoNetworksXDR.OriginalAlert.event.identity_invoked_by_name String The name of the identity that invoked the action as it appears in the log.
PaloAltoNetworksXDR.OriginalAlert.event.identity_invoked_by_uuid String The UUID of the identity that invoked the action as it appears in the log.
PaloAltoNetworksXDR.OriginalAlert.event.identity_invoked_by_type String An enum that represents the type of identity event that invoked the action.
PaloAltoNetworksXDR.OriginalAlert.event.identity_invoked_by_sub_type String An enum that represents the respective sub_type of the type of identity (identity_type) that has invoked the action.
PaloAltoNetworksXDR.OriginalAlert.event.operation_status String Whether the operation succeeded or failed, if provided.
PaloAltoNetworksXDR.OriginalAlert.event.operation_status_orig String The operation status code as it appears in the log, including lookup from code number to code name.
PaloAltoNetworksXDR.OriginalAlert.event.operation_status_orig_code String The operation status code as it appears in the log.
PaloAltoNetworksXDR.OriginalAlert.event.operation_status_reason_provided String Description of the error, if the log record indicates an error and the cloud provider supplied the reason.
PaloAltoNetworksXDR.OriginalAlert.event.resource_type String The normalized type of the service that emitted the log row.
PaloAltoNetworksXDR.OriginalAlert.event.resource_type_orig String The type of the service that emitted the log, as provided by the cloud provider.
PaloAltoNetworksXDR.OriginalAlert.event.resource_sub_type String The sub-type respective to the resource_type field, normalized across all cloud providers.
PaloAltoNetworksXDR.OriginalAlert.event.resource_sub_type_orig String The sub-type of the service that emitted this log row as provided by the cloud provider.
PaloAltoNetworksXDR.OriginalAlert.event.region String The cloud region of the resource that emitted the log.
PaloAltoNetworksXDR.OriginalAlert.event.zone String The availability zone of the resource that emitted the log.
PaloAltoNetworksXDR.OriginalAlert.event.referenced_resource String The cloud resource referenced in the audit log.
PaloAltoNetworksXDR.OriginalAlert.event.referenced_resource_name String Same as referenced_resource but provides only the substring that represents the resource name instead of the full asset ID.
PaloAltoNetworksXDR.OriginalAlert.event.referenced_resources_count Number The number of extracted resources referenced in this audit log.
PaloAltoNetworksXDR.OriginalAlert.event.user_agent String The user agent provided in the call to the API of the cloud provider.
PaloAltoNetworksXDR.OriginalAlert.event.caller_ip String The IP of the caller that performed the action in the log.
PaloAltoNetworksXDR.OriginalAlert.event.caller_ip_geolocation String The geolocation associated with the caller_ip's value.
PaloAltoNetworksXDR.OriginalAlert.event.caller_ip_asn Number The ASN of the caller_ip's value.
PaloAltoNetworksXDR.OriginalAlert.event.caller_project String The project of the caller entity.
PaloAltoNetworksXDR.OriginalAlert.event.raw_log Unknown The raw log that is being normalized.
PaloAltoNetworksXDR.OriginalAlert.event.log_name String The name of the log that contains the log row.
PaloAltoNetworksXDR.OriginalAlert.event.caller_ip_asn_org String The organization associated with the ASN of the caller_ip's value.
PaloAltoNetworksXDR.OriginalAlert.event.event_base_id String Event base ID.
PaloAltoNetworksXDR.OriginalAlert.event.ingestion_time String Ingestion time.

xdr-remove-allowlist-files#


Removes requested files from allow list.

Base Command#

xdr-remove-allowlist-files

Input#

Argument NameDescriptionRequired
incident_id Links the response action to the incident that triggered it. Optional
hash_list Comma-separated list of file hashes to remove from the allow list. Each must be a valid SHA256 hash. Required
comment String that represents additional information regarding the action. Optional

Context Output#

PathTypeDescription
PaloAltoNetworksXDR.allowlist.removed_hashes Number Removed file hash from the allow list.

xdr-remove-blocklist-files#


Removes requested files from block list.

Base Command#

xdr-remove-blocklist-files

Input#

Argument NameDescriptionRequired
incident_id Links the response action to the incident that triggered it. Optional
hash_list Comma-separated list of file hashes to remove from the block list. Each must be a valid SHA256 hash. Required
comment String that represents additional information regarding the action. Optional

Context Output#

PathTypeDescription
PaloAltoNetworksXDR.blocklist.removed_hashes Number Removed file hash from the block list.

xdr-get-alerts#


Returns a list of alerts and their meta-data, which you can filter by built-in arguments or use the custom_filter to input a JSON filter object. Multiple filter arguments will be concatenated using AND operator, while arguments that support a comma-separated list of values will use an OR operator between each value.

Base Command#

xdr-get-alerts

Input#

Argument NameDescriptionRequired
alert_id The unique ID of the alert. Optional
severity The severity of the alert. Possible values are: low, medium, high. Optional
custom_filter A custom filter object. When this argument is used, the other filter arguments are ignored, except time_frame, start_time and end_time, which still bound the time range. Example:
{
  "OR": [
    {
      "SEARCH_FIELD": "actor_process_command_line",
      "SEARCH_TYPE": "EQ",
      "SEARCH_VALUE": "path_to_file"
    }
  ]
}
Optional
Identity_type Account type. Possible values are: ANONYMOUS, APPLICATION, COMPUTE, FEDERATED_IDENTITY, SERVICE, SERVICE_ACCOUNT, TEMPORARY_CREDENTIALS, TOKEN, UNKNOWN, USER. Optional
agent_id A unique identifier per agent. Optional
action_external_hostname The hostname to connect to. In case of a proxy connection, this value will differ from action_remote_ip. Optional
rule_id A string identifying the user rule. Optional
rule_name The name of the user rule. Optional
alert_name The alert name. Optional
alert_source The alert source. Optional
time_frame Supports relative times or the "custom" option. If you choose "custom", use the start_time and end_time arguments. Possible values are: 60 minutes, 3 hours, 12 hours, 24 hours, 2 days, 7 days, 14 days, 30 days, custom. Optional
user_name The name assigned to the user_id during agent runtime. Optional
actor_process_image_name The file name of the binary file. Optional
causality_actor_process_image_command_line CGO CMD. Optional
actor_process_image_command_line The command line of the actor process. Trimmed to 128 Unicode characters during event serialization; the full value is reported as part of the original process event. Optional
action_process_image_command_line The command line of the process created. Optional
actor_process_image_sha256 SHA256 of the binary file. Optional
causality_actor_process_image_sha256 SHA256 of the binary file. Optional
action_process_image_sha256 SHA256 of the binary file. Optional
action_file_image_sha256 SHA256 of the file related to the event. Optional
action_registry_name The name of the registry. Optional
action_registry_key_data The key data of the registry. Optional
host_ip The host IP. Optional
action_local_ip The local IP address for the connection. Optional
action_remote_ip Remote IP address for the connection. Optional
action_local_port The local port for the connection. Optional
action_remote_port The remote port for the connection. Optional
dst_action_external_hostname The hostname we connect to. In case of a proxy connection, this value will differ from action_remote_ip. Optional
sort_field The field by which we will sort the results. Default is source_insert_ts. Optional
sort_order The order in which we sort the results. Possible values are: DESC, ASC. Optional
offset Index of the first alert to return (zero-based). Default is 0. Optional
limit Maximum number of alerts to return. Default is 50. Optional
start_time Relevant when "time_frame" argument is "custom". Supports Epoch timestamp and simplified extended ISO format (YYYY-MM-DDThh:mm:ss.000Z). Optional
end_time Relevant when "time_frame" argument is "custom". Supports Epoch timestamp and simplified extended ISO format (YYYY-MM-DDThh:mm:ss.000Z). Optional
starred Whether the alert is starred or not. Possible values are: true, false. Optional

Context Output#

PathTypeDescription
PaloAltoNetworksXDR.Alert.internal_id String The unique ID of the alert.
PaloAltoNetworksXDR.Alert.source_insert_ts Number The detection timestamp.
PaloAltoNetworksXDR.Alert.alert_name String The name of the alert.
PaloAltoNetworksXDR.Alert.severity String The severity of the alert.
PaloAltoNetworksXDR.Alert.alert_category String The category of the alert.
PaloAltoNetworksXDR.Alert.alert_action_status String The alert action.
PaloAltoNetworksXDR.Alert.alert_description String The alert description.
PaloAltoNetworksXDR.Alert.agent_ip_addresses String The host IP addresses.
PaloAltoNetworksXDR.Alert.agent_hostname String The host name.
PaloAltoNetworksXDR.Alert.mitre_tactic_id_and_name String The MITRE ATT&CK tactic ID and name.
PaloAltoNetworksXDR.Alert.mitre_technique_id_and_name String The MITRE ATT&CK technique ID and name.
PaloAltoNetworksXDR.Alert.starred Boolean Whether the alert is starred or not.
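The combination rule stated for xdr-get-alerts (separate arguments are ANDed, the comma-separated values of one argument are ORed) written out as an explicit custom_filter object of the shape shown in the argument table, as an added example that is not the integration's own filter code. It assumes a custom filter nests those AND/OR objects the same way the built-in arguments are combined, that SEARCH_TYPE "EQ" is the operator for every field used, and that start_time/end_time are either an epoch timestamp or the YYYY-MM-DDThh:mm:ss.000Z form named on the page:

```python
"""Build xdr-get-alerts arguments with an explicit custom_filter.

Added example, not the integration's code. Assumed: nested {"AND": [{"OR": [...]}]}
objects are accepted as a custom_filter, and "EQ" is the operator for every field.
"""
import json
import re
from typing import Dict, List

# Epoch seconds/milliseconds or the simplified extended ISO form named on the page.
_TIME = re.compile(r"^(\d{10,13}|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z)$")


def _term(field: str, value: str) -> Dict:
    """One SEARCH_FIELD/SEARCH_TYPE/SEARCH_VALUE term, as in the page's custom_filter example."""
    return {"SEARCH_FIELD": field, "SEARCH_TYPE": "EQ", "SEARCH_VALUE": value}


def build_custom_filter(**fields: str) -> Dict:
    """Comma-separated values of one field -> OR; several fields -> AND of those ORs."""
    clauses: List[Dict] = []
    for field, raw in fields.items():
        values = [v.strip() for v in str(raw).split(",") if v.strip()]
        if values:
            clauses.append({"OR": [_term(field, v) for v in values]})
    if not clauses:
        raise ValueError("at least one non-empty filter field is required")
    return clauses[0] if len(clauses) == 1 else {"AND": clauses}


def get_alerts_args(time_frame: str = "7 days", start_time: str = None,
                    end_time: str = None, **fields: str) -> Dict:
    """Arguments for xdr-get-alerts: custom_filter plus the time arguments that still apply to it."""
    args: Dict = {"custom_filter": json.dumps(build_custom_filter(**fields)), "time_frame": time_frame}
    if time_frame == "custom":
        if not (start_time and end_time):
            raise ValueError('time_frame="custom" requires both start_time and end_time')
        for name, t in (("start_time", start_time), ("end_time", end_time)):
            if not _TIME.match(t):
                raise ValueError(f"{name} must be an epoch timestamp or YYYY-MM-DDThh:mm:ss.000Z")
            args[name] = t
    elif start_time or end_time:
        raise ValueError('start_time/end_time only apply when time_frame is "custom"')
    return args
```

Hunting for two known-bad binaries on one host becomes `get_alerts_args(time_frame="custom", start_time=..., end_time=..., actor_process_image_sha256="<hash1>,<hash2>", agent_id="<id>")`; the hashes are ORed and the agent constraint is ANDed on top, matching what the built-in arguments would have produced.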

xdr-get-contributing-event#


Retrieves contributing events for a specific alert.

Base Command#

xdr-get-contributing-event

Input#

Argument NameDescriptionRequired
alert_ids The alert ID's from where to retrieve the contributing events. Required
limit The maximum number of contributing events to retrieve. Default is 50. Optional
page_number The page number to retrieve. Default (and minimum) is 1. Optional
page_size The page size. Default is 50. Optional

Context Output#

PathTypeDescription
PaloAltoNetworksXDR.ContributingEvent.alertID String The alert ID.
PaloAltoNetworksXDR.ContributingEvent.events Unknown Contributing events per alert.

Command example#

!xdr-get-contributing-event alert_ids=[123456, 123457]

Context Example#

Human Readable Output#

Contributing events#

Alert _ IdEvents
123456 - Logon_Type: 7
User_Name: xsoar
Domain: WIN10X64
Source_IP: 1.1.1.1
Process_Name: C:\Windows\System32\svchost.exe
Host_Name: WIN10X64
Raw_Message: An account was successfully logged on. _time: 165298280000
555555: a1b2c3d4
222222: 165298280000
333333: abcdef
111111: 15
444444: 1
insert_timestamp: 165298280001
_vendor: PANW
_product: XDR agent
_is_cardable: true
123457 - Logon_Type: 7
User_Name: xsoar
Domain: WIN10X64
Source_IP: 1.1.1.1
Process_Name: C:\Windows\System32\svchost.exe
Host_Name: WIN10X64
Raw_Message: An account was successfully logged on. _time: 165298280000
555555: ghijk
222222: 165298280000
333333: abcdef
111111: 15
444444: 1
insert_timestamp: 165298280001
_vendor: PANW
_product: XDR agent
_is_cardable: true

xdr-replace-featured-field#


Replaces the featured hosts, users, IP addresses or Active Directory groups listed in your environment.

Base Command#

xdr-replace-featured-field

Input#

Argument NameDescriptionRequired
field_type The field type that should change. Possible values are: hosts, users, ip_addresses, ad_groups. Required
values String value that defines the new field. Maximum length is 256 characters. Required
comments String that represents additional information regarding the featured alert field. Optional
ad_type String value identifying whether to replace an Active Directory group or an organizational unit. Possible values are: group, ou. Default is group. Optional

Context Output#

PathTypeDescription
PaloAltoNetworksXDR.FeaturedField.fieldType String The field type that changed.
PaloAltoNetworksXDR.FeaturedField.fields String The string value that defines the new field.

Command example#

!xdr-replace-featured-field field_type=ip_addresses values=["1.1.1.1"] comments="new ip address"

Context Example#

Human Readable Output#

CommentValue
new ip address 1.1.1.1

xdr-script-run#


This command will soon be deprecated; prefer xdr-script-run instead. Initiates a new endpoint script execution action using a script from the script library.

Base Command#

xdr-script-run

Input#

Argument NameDescriptionRequired
incident_id Allows linking the response action to the incident that triggered it. Optional
endpoint_ids A comma-separated list of endpoint IDs. Can be retrieved by running the xdr-get-endpoints command. Required
script_uid Unique identifier of the script. Can be retrieved by running the xdr-get-scripts command. Required
parameters Dictionary containing the parameter name as key and its value for this execution as the value. For example, {"param1":"param1_value","param2":"param2_value"}. Optional
timeout The timeout in seconds for this execution. Default is 600. Optional
polling_interval_in_seconds Interval in seconds between each poll. Default is 10. Optional
polling_timeout_in_seconds Polling timeout in seconds. Default is 600. Optional

Context Output#

PathTypeDescription
PaloAltoNetworksXDR.ScriptResult.action_id Number ID of the action initiated.
PaloAltoNetworksXDR.ScriptResult.results.retrieved_files Number Number of successfully retrieved files.
PaloAltoNetworksXDR.ScriptResult.results.endpoint_ip_address String Endpoint IP address.
PaloAltoNetworksXDR.ScriptResult.results.endpoint_name String Endpoint name.
PaloAltoNetworksXDR.ScriptResult.results.failed_files Number Number of files failed to retrieve.
PaloAltoNetworksXDR.ScriptResult.results.endpoint_status String Endpoint status.
PaloAltoNetworksXDR.ScriptResult.results.domain String Domain to which the endpoint belongs.
PaloAltoNetworksXDR.ScriptResult.results.endpoint_id String Endpoint ID.
PaloAltoNetworksXDR.ScriptResult.results.execution_status String Execution status of this endpoint.
PaloAltoNetworksXDR.ScriptResult.results.return_value String Value returned by the script in case the type is not a dictionary.
PaloAltoNetworksXDR.ScriptResult.results.standard_output String The STDOUT and the STDERR logged by the script during the execution.
PaloAltoNetworksXDR.ScriptResult.results.retention_date Date Timestamp in which the retrieved files will be deleted from the server.

Command example#

!xdr-script-run endpoint_ids=1 script_uid=123

Human Readable Output#

Waiting for the script to finish running on the following endpoints: ['1']...

Script Execution Results - 10368#

_return_valuedomainendpoint_idendpoint_ip_addressendpoint_nameendpoint_statusexecution_statusfailed_filesretention_dateretrieved_filesstandard_output
Name: return value WORKGROUP 1 1.1.1.1 WIN10X64 STATUS_010_CONNECTED COMPLETED_SUCCESSFULLY 0 0

Context Example#

Which malware protection module uses a machine learning technique to detect malware?

Local Analysis via Machine Learning If a file remains unknown after the initial hash lookup, the Cortex XDR agent uses local analysis via machine learning on the endpoint—trained by the rich threat intelligence from global sources including WildFire—to determine whether the file can run.

What is difference between XDR and EDR?

What Is Extended Detection and Response? While traditional EDR tools focus only on endpoint data, XDR solutions seek to unify siloed security tools to deliver protection, detection and response across all data sources.

Which endpoint protection technique is commonly used to prevent end users from running Unauthorised applications including malware on their endpoints?

EPPs secure endpoints through application control—which blocks the use of applications that are unsafe or unauthorized—and through encryption, which helps prevent data loss. When the EPP is set up, it can quickly detect malware and other threats.

What does cortex XDR prevent do for endpoints?

Cortex XDR Prevent—provides protection for endpoints and includes device control, disk encryption, and host firewall features. It also includes an incident engine, integrated response capabilities, and an optional threat intelligence feed.