Cortex Core - IR

The Cortex Core IR integration uses the Cortex API for detection and response, by natively integrating network, endpoint, and cloud data to stop sophisticated attacks.

Endpoint · Core

Configuration parameters

  • url — Server URL (copy URL from Core - click ? to see more info.)
  • apikey_id — API Key ID
  • apikey — API Key
  • timeout — HTTP Timeout

Commands (73)

  • core-action-status-get

    Retrieves the status of the requested actions using the action ID.

  • core-add-endpoint-tag

    Add a tag to one or more endpoints.

  • core-add-exclusion

    Adds alert exclusion rule based on filterObject.

  • core-add-indicator-rule

    Upload the IOC rules to XSIAM. When the ioc_object is defined, disregard any other provided arguments, as the ioc_object takes precedence. Validate the indicator parameters when ioc_object is used. If `vendor_name`, `vendor_reputation`, and `vendor_reliability` are used, only a single vendor is supported. For multiple vendors, utilize an `ioc_object` in JSON format. Adding a rule with the same indicator, but with different parameters, will update the existing rule.

  • core-allowlist-files

    Adds requested files to the allow list if they are not already on the block list or the allow list.

  • core-block-ip

    Block malicious or suspicious IP addresses.

  • core-blocklist-files

    Blocks requested files that are not already on the block list or the allow list.

  • core-create-distribution

    Creates an installation package. This is an asynchronous call that returns the distribution ID. This does not mean that the creation succeeded. To confirm that the package has been created, check the status of the distribution by running the Get Distribution Status API.

  • core-delete-endpoints

    Deletes selected endpoints in the Cortex app. You can delete up to 1000 endpoints.

  • core-delete-exclusion

    Delete an alert exclusion rule based on rule ID.

  • core-endpoint-alias-change

    Gets a list of endpoints according to the passed filters, and changes their alias name. Filtering by multiple fields will be concatenated using the AND condition (OR is not supported).

  • core-endpoint-scan

    Runs a scan on a selected endpoint. To scan all endpoints, use the argument all=true. Scanning all endpoints may affect performance and cause latency.

  • core-endpoint-scan-abort

    Cancels the scan on the selected endpoints. A scan can only be canceled if the selected endpoints are Pending or In Progress. To scan all endpoints, run the command with the argument all=true. Scanning all endpoints may impact performance and cause latency.

  • core-endpoint-scan-quick-action

    Runs a scan on a selected endpoint. To scan all endpoints, run the command with the argument all=true. Scanning all endpoints may impact performance and cause latency. This quick action is deprecated. Use the new built-in Run Malware Scan quick action instead.

  • core-execute-command

    Run a shell command on a specific endpoint and return its result.

  • core-get-IP-analytics-prevalence

    Get the prevalence of an ip, identified by ip_address.

  • core-get-asset-details Deprecated

    Get asset information.

  • core-get-audit-agent-reports

    Gets agent event reports. You can filter by multiple fields, which are combined using an AND condition (OR is not supported). The maximum result set size is 100. The offset specifies the zero-based index of reports from the start of the result set (start by counting from 0).

  • core-get-audit-management-logs

    Gets management logs. You can filter by multiple fields, which will be concatenated using the AND condition (OR is not supported). Maximum result set size is 100. Offset is the zero-based number of management logs from the start of the result set (start by counting from 0).

  • core-get-cloud-original-alerts

    Returns information about each alert ID.

  • core-get-cmd-analytics-prevalence

    Get the prevalence of a process_command_line, identified by process_command_line.

  • core-get-contributing-event

    Retrieves contributing events for a specific correlation alert.

  • core-get-create-distribution-status

    Gets the status of the installation package.

  • core-get-distribution-url

    Gets the distribution URL for downloading the installation package.

  • core-get-distribution-versions

    Gets a list of all the agent versions to use for creating a distribution list.

  • core-get-domain-analytics-prevalence

    Get the prevalence of a domain, identified by domain_name.

  • core-get-dynamic-analysis

    Returns dynamic analysis of each alert ID.

  • core-get-endpoint-device-control-violations

    Gets a list of device control violations filtered by selected fields. You can retrieve up to 100 violations.

  • core-get-endpoints

    Gets a list of endpoints, according to the passed filters. If there are no filters, all endpoints are returned. Filtering by multiple fields will be concatenated using AND condition (OR is not supported). Maximum result set size is 100. Offset is the zero-based number of endpoint from the start of the result set (start by counting from 0).

  • core-get-exclusion

    Get a list of the alerts exclusion.

  • core-get-hash-analytics-prevalence

    Get the prevalence of a file, identified by sha256.

  • core-get-incidents

    Returns a list of incidents, which you can filter by a list of incident IDs (max. 100), the time the incident was last modified, and the time the incident was created. If you pass multiple filtering arguments, they will be concatenated using the AND condition. The OR condition is not supported.

  • core-get-policy

    Gets the policy name for a specific endpoint.

  • core-get-process-analytics-prevalence

    Get the prevalence of a process, identified by process_name.

  • core-get-quarantine-status

    Retrieves the quarantine status of a selected file.

  • core-get-registry-analytics-prevalence

    Get the prevalence of a registry_path, identified by key_name, value_name.

  • core-get-script-code

    Gets the code of a specific script in the script library.

  • core-get-script-execution-result-files

    Gets the files retrieved from a specific endpoint during a script execution.

  • core-get-script-execution-results

    Retrieve the results of a script execution.

  • core-get-script-execution-status

    Retrieves the status of a script execution.

  • core-get-script-metadata

    Gets the full definition of a specific script in the scripts library.

  • core-get-scripts

    Gets a list of scripts available in the scripts library.

  • core-isolate-endpoint

    Isolates the specified endpoint.

  • core-isolate-endpoint-quick-action

    Isolates the specified endpoint. This quick action is deprecated. Use the new built-in Isolate Endpoint quick action instead.

  • core-list-risky-hosts

    Retrieve the risk score of a specific host or list of hosts with the highest risk score in the environment along with the reason affecting each score.

  • core-list-risky-users

    Retrieve the risk score of a specific user or list of users with the highest risk score in the environment along with the reason affecting each score.

  • core-list-user-groups

    Retrieve a list of the current user emails associated with one or more user groups in your environment.

  • core-list-users

    Retrieve a list of the current users in your environment.

  • core-quarantine-files

    Quarantines a file on selected endpoints. You can select up to 1000 endpoints.

  • core-quarantine-files-quick-action

    Quarantines a file on selected endpoints. You can select up to 1000 endpoints. This quick action is deprecated. Use the new built-in Quarantine File quick action instead.

  • core-remove-allowlist-files

    Removes the requested files from the allow list.

  • core-remove-blocklist-files

    Removes the requested files from the block list.

  • core-remove-endpoint-tag

    Remove a tag from one or more endpoints.

  • core-report-incorrect-wildfire

    Reports to WildFire about incorrect hash verdict through Cortex.

  • core-restore-file

    Restores a quarantined file on the requested endpoints.

  • core-restore-file-quick-action

    Restores a quarantined file on the requested endpoints. This quick action is deprecated. Use the new built-in Restore File From Quarantine quick action instead.

  • core-retrieve-file-details

    Views the file retrieved by the core-retrieve-files command using the action ID. Before running this command, use the core-action-status-get command to check if the action completed successfully.

  • core-retrieve-files

    Retrieves files from selected endpoints. You can retrieve up to 20 files from no more than 10 endpoints. At least one endpoint ID and one file path are required to run the command. After running the command, use the core-action-status-get command with the returned action_id to check the action status.

  • core-retrieve-files-quick-action

    Retrieves files from selected endpoints. You can retrieve up to 20 files from no more than 10 endpoints. At least one endpoint ID and one file path are required to run the command. After running the command, use the core-action-status-get command with the returned action_id to check the action status. This quick action is deprecated. Use the new built-in Retrieve File quick action instead.

  • core-run-script Deprecated

    Deprecated. Use the core-script-run command instead.

  • core-run-script-delete-file

    Initiates a new endpoint script execution to delete a specified file.

  • core-run-script-execute-commands

    Initiates a new endpoint script execution of shell commands.

  • core-run-script-file-exists

    Initiates a new endpoint script execution to check if a file exists.

  • core-run-script-kill-process

    Initiates a new endpoint script execution to kill a process.

  • core-run-snippet-code-script

    Initiates a new endpoint script execution using the provided snippet code.

  • core-script-run

    Initiates a new endpoint script execution using a script from the script library and returns the results.

  • core-script-run-quick-action

    Initiates a new endpoint script execution using a script from the script library and returns the results. This quick action is deprecated. Use the new built-in Run Endpoint Script quick action instead.

  • core-terminate-causality

    Terminates a process tree by its causality ID. Available only for XSIAM 2.4 and above.

  • core-terminate-causality-quick-action

    Terminate a process tree by its causality ID. Available only for Cortex XSIAM 2.4 and above. This quick action is deprecated. Use the new built-in Terminate CGO quick action instead.

  • core-terminate-process

    Terminates a process by its instance ID. Available only for XSIAM 2.4 and above.

  • core-unisolate-endpoint

    Reverses the isolation of an endpoint.

  • core-update-endpoint-tags

    Update tags of one or more endpoints.

  • endpoint

    Returns information about an endpoint.