Cortex Core - IR
The Cortex Core IR integration uses the Cortex API for detection and response, by natively integrating network, endpoint, and cloud data to stop sophisticated attacks.
Endpoint · Core
Configuration parameters
url— Server URL (copy URL from Core - click ? to see more info.)apikey_id— API Key IDapikey— API Keytimeout— HTTP Timeout
Commands (73)
-
core-action-status-getRetrieves the status of the requested actions using the action ID.
-
core-add-endpoint-tagAdd a tag to one or more endpoints.
-
core-add-exclusionAdds alert exclusion rule based on filterObject.
-
core-add-indicator-ruleUpload the IOC rules to XSIAM. When the ioc_object is defined, disregard any other provided arguments, as the ioc_object takes precedence. Validate the indicator parameters when ioc_object is used. If `vendor_name`, `vendor_reputation`, and `vendor_reliability` are used, only a single vendor is supported. For multiple vendors, utilize an `ioc_object` in JSON format. Adding a rule with the same indicator, but with different parameters, will update the existing rule.
-
core-allowlist-filesAdds requested files to the allow list if they are not already on the block list or the allow list.
-
core-block-ipBlock malicious or suspicious IP addresses.
-
core-blocklist-filesBlocks requested files that are not already on the block list or the allow list.
-
core-create-distributionCreates an installation package. This is an asynchronous call that returns the distribution ID. This does not mean that the creation succeeded. To confirm that the package has been created, check the status of the distribution by running the Get Distribution Status API.
-
core-delete-endpointsDeletes selected endpoints in the Cortex app. You can delete up to 1000 endpoints.
-
core-delete-exclusionDelete an alert exclusion rule based on rule ID.
-
core-endpoint-alias-changeGets a list of endpoints according to the passed filters, and changes their alias name. Filtering by multiple fields will be concatenated using the AND condition (OR is not supported).
-
core-endpoint-scanRuns a scan on a selected endpoint. To scan all endpoints, use the argument all=true. Scanning all endpoints may affect performance and cause latency.
-
core-endpoint-scan-abortCancels the scan on the selected endpoints. A scan can only be canceled if the selected endpoints are Pending or In Progress. To scan all endpoints, run the command with the argument all=true. Scanning all endpoints may impact performance and cause latency.
-
core-endpoint-scan-quick-actionRuns a scan on a selected endpoint. To scan all endpoints, run the command with the argument all=true. Scanning all endpoints may impact performance and cause latency. This quick action is deprecated. Use the new built-in Run Malware Scan quick action instead.
-
core-execute-commandRun a shell command on a specific endpoint and return its result.
-
core-get-IP-analytics-prevalenceGet the prevalence of an ip, identified by ip_address.
-
core-get-asset-detailsDeprecatedGet asset information.
-
core-get-audit-agent-reportsGets agent event reports. You can filter by multiple fields, which are combined using an AND condition (OR is not supported). The maximum result set size is 100. The offset specifies the zero-based index of reports from the start of the result set (start by counting from 0).
-
core-get-audit-management-logsGets management logs. You can filter by multiple fields, which will be concatenated using the AND condition (OR is not supported). Maximum result set size is 100. Offset is the zero-based number of management logs from the start of the result set (start by counting from 0).
-
core-get-cloud-original-alertsReturns information about each alert ID.
-
core-get-cmd-analytics-prevalenceGet the prevalence of a process_command_line, identified by process_command_line.
-
core-get-contributing-eventRetrieves contributing events for a specific correlation alert.
-
core-get-create-distribution-statusGets the status of the installation package.
-
core-get-distribution-urlGets the distribution URL for downloading the installation package.
-
core-get-distribution-versionsGets a list of all the agent versions to use for creating a distribution list.
-
core-get-domain-analytics-prevalenceGet the prevalence of a domain, identified by domain_name.
-
core-get-dynamic-analysisReturns dynamic analysis of each alert ID.
-
core-get-endpoint-device-control-violationsGets a list of device control violations filtered by selected fields. You can retrieve up to 100 violations.
-
core-get-endpointsGets a list of endpoints, according to the passed filters. If there are no filters, all endpoints are returned. Filtering by multiple fields will be concatenated using AND condition (OR is not supported). Maximum result set size is 100. Offset is the zero-based number of endpoint from the start of the result set (start by counting from 0).
-
core-get-exclusionGet a list of the alerts exclusion.
-
core-get-hash-analytics-prevalenceGet the prevalence of a file, identified by sha256.
-
core-get-incidentsReturns a list of incidents, which you can filter by a list of incident IDs (max. 100), the time the incident was last modified, and the time the incident was created. If you pass multiple filtering arguments, they will be concatenated using the AND condition. The OR condition is not supported.
-
core-get-policyGets the policy name for a specific endpoint.
-
core-get-process-analytics-prevalenceGet the prevalence of a process, identified by process_name.
-
core-get-quarantine-statusRetrieves the quarantine status of a selected file.
-
core-get-registry-analytics-prevalenceGet the prevalence of a registry_path, identified by key_name, value_name.
-
core-get-script-codeGets the code of a specific script in the script library.
-
core-get-script-execution-result-filesGets the files retrieved from a specific endpoint during a script execution.
-
core-get-script-execution-resultsRetrieve the results of a script execution.
-
core-get-script-execution-statusRetrieves the status of a script execution.
-
core-get-script-metadataGets the full definition of a specific script in the scripts library.
-
core-get-scriptsGets a list of scripts available in the scripts library.
-
core-isolate-endpointIsolates the specified endpoint.
-
core-isolate-endpoint-quick-actionIsolates the specified endpoint. This quick action is deprecated. Use the new built-in Isolate Endpoint quick action instead.
-
core-list-risky-hostsRetrieve the risk score of a specific host or list of hosts with the highest risk score in the environment along with the reason affecting each score.
-
core-list-risky-usersRetrieve the risk score of a specific user or list of users with the highest risk score in the environment along with the reason affecting each score.
-
core-list-user-groupsRetrieve a list of the current user emails associated with one or more user groups in your environment.
-
core-list-usersRetrieve a list of the current users in your environment.
-
core-quarantine-filesQuarantines a file on selected endpoints. You can select up to 1000 endpoints.
-
core-quarantine-files-quick-actionQuarantines a file on selected endpoints. You can select up to 1000 endpoints. This quick action is deprecated. Use the new built-in Quarantine File quick action instead.
-
core-remove-allowlist-filesRemoves the requested files from the allow list.
-
core-remove-blocklist-filesRemoves the requested files from the block list.
-
core-remove-endpoint-tagRemove a tag from one or more endpoints.
-
core-report-incorrect-wildfireReports to WildFire about incorrect hash verdict through Cortex.
-
core-restore-fileRestores a quarantined file on the requested endpoints.
-
core-restore-file-quick-actionRestores a quarantined file on the requested endpoints. This quick action is deprecated. Use the new built-in Restore File From Quarantine quick action instead.
-
core-retrieve-file-detailsViews the file retrieved by the core-retrieve-files command using the action ID. Before running this command, use the core-action-status-get command to check if the action completed successfully.
-
core-retrieve-filesRetrieves files from selected endpoints. You can retrieve up to 20 files from no more than 10 endpoints. At least one endpoint ID and one file path are required to run the command. After running the command, use the core-action-status-get command with the returned action_id to check the action status.
-
core-retrieve-files-quick-actionRetrieves files from selected endpoints. You can retrieve up to 20 files from no more than 10 endpoints. At least one endpoint ID and one file path are required to run the command. After running the command, use the core-action-status-get command with the returned action_id to check the action status. This quick action is deprecated. Use the new built-in Retrieve File quick action instead.
-
core-run-scriptDeprecatedDeprecated. Use the core-script-run command instead.
-
core-run-script-delete-fileInitiates a new endpoint script execution to delete a specified file.
-
core-run-script-execute-commandsInitiates a new endpoint script execution of shell commands.
-
core-run-script-file-existsInitiates a new endpoint script execution to check if a file exists.
-
core-run-script-kill-processInitiates a new endpoint script execution to kill a process.
-
core-run-snippet-code-scriptInitiates a new endpoint script execution using the provided snippet code.
-
core-script-runInitiates a new endpoint script execution using a script from the script library and returns the results.
-
core-script-run-quick-actionInitiates a new endpoint script execution using a script from the script library and returns the results. This quick action is deprecated. Use the new built-in Run Endpoint Script quick action instead.
-
core-terminate-causalityTerminates a process tree by its causality ID. Available only for XSIAM 2.4 and above.
-
core-terminate-causality-quick-actionTerminate a process tree by its causality ID. Available only for Cortex XSIAM 2.4 and above. This quick action is deprecated. Use the new built-in Terminate CGO quick action instead.
-
core-terminate-processTerminates a process by its instance ID. Available only for XSIAM 2.4 and above.
-
core-unisolate-endpointReverses the isolation of an endpoint.
-
core-update-endpoint-tagsUpdate tags of one or more endpoints.
-
endpointReturns information about an endpoint.