Cortex XDR

version: 3.0.0

Cortex XDR stitches together data from the endpoint, network, and cloud in a robust data lake. Applying advanced machine learning and analytics, it identifies threats and benign events with superior accuracy and gives analysts contextualized information, simplifying and accelerating investigations. This integration supports 'public_api/v1' endpoint.

Connect Cortex XDR with LogicHub

  1. Navigate to Automations > Integrations.
  2. Search for Cortex XDR.
  3. Click Details, then the + icon. Enter the required information in the following fields.
    • Label: Enter a connection name.
    • Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com where, hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
    • Verify SSL: Select option to verify connecting server's SSL certificate (Default is Verify SSL Certificate).
    • Remote Agent: Run this integration using the LogicHub Remote Agent.
    • URL: URL to your Cortex XDR instance.
    • API Key ID: API key ID for Cortex XDR.
    • API Key: API key for Cortex XDR.
  4. After you've entered all the details, click Connect.

Actions for Cortex XDR

Isolate Endpoint

Isolates the specified endpoint.

Input Field

Input NameDescriptionRequired
Endpoint Hostname or IPColumn name from parent table that contains endpoint Hostname or IP.Required

Output

A JSON object containing multiple rows of result:

  • has_error: True/False
  • error: message/null
  • result: {
    "action_id":"",
    "status": "1",
    "endpoints_count": "1"
    }

Isolate Endpoint Status

Returns the status of the isolate operation.

Input Field

Input NameDescriptionRequired
Action IdColumn name from parent table that contains the ID of isolate operation submitted to Cortex XDR.Required

Output

A JSON object containing multiple rows of result:

  • has_error: True/False
  • error: message/null
  • <ACTION ID>: "COMPLETED_SUCCESSFULLY"

Unisolate Endpoint

Un-Isolate the specified endpoint.

Input Field

Input NameDescriptionRequired
Endpoint Hostname or IPColumn name from parent table that contains endpoint Hostname or IP.Required

Output

A JSON object containing multiple rows of result:

  • has_error: True/False
  • error: message/null
  • result: {
    "action_id":"",
    "status": "1",
    "endpoints_count": "1"
    }

Scan Endpoint

Performs a scan operation on the specified endpoint.

Input Field

Input NameDescriptionRequired
Endpoint Hostname or IPColumn name from parent table that contains endpoint Hostname or IP.Required

Output

A JSON object containing multiple rows of result:

  • has_error: True/False
  • error: message/null
  • result: {
    "action_id":"",
    "status": "1",
    "endpoints_count": "1"
    }

Scan Endpoint Status

Returns the status of the scan operation.

Input Field

Input NameDescriptionRequired
Action IdColumn name from parent table that contains the ID of isolate operation submitted to Cortex XDR.Required

Output

A JSON object containing multiple rows of result:

  • has_error: True/False
  • error: message/null
  • <ACTION ID>: "COMPLETED_SUCCESSFULLY"

Get Endpoint Details

Returns details for the specified endpoint.

Input Field

Input NameDescriptionRequired
Endpoint Hostname or IPColumn name from parent table that contains endpoint Hostname or IP.Required

Output

A JSON object containing multiple rows of result:

  • has_error: True/False
  • error: message/null
  • result: {
    "endpoint_id":"",
    "endpoint_name":"",
    "endpoint_type":"",
    "endpoint_status":"CONNECTED",
    "os_type":"AGENT_OS_WINDOWS",
    "ip":[
    ""
    ],
    "users":[
    "XDR"
    ],
    "domain":"WORKGROUP",
    "alias":"",
    "first_seen":1606218761377,
    "last_seen":1606218769163,
    "content_version":"",
    "installation_package":"XDR",
    "active_directory":null,
    "install_date":1606218762089,
    "endpoint_version":"",
    "is_isolated":"AGENT_UNISOLATED",
    "isolated_date":null,
    "group_name":[],
    "operational_status":"PARTIALLY_PROTECTED",
    "operational_status_description":"[{"name": "generalStatus", "error_code": 10004}]",
    "scan_status":"SCAN_STATUS_NONE"
    }

Release Notes

  • v3.0.0 - Updated architecture to support IO via filesystem

© 2017-2021 LogicHub®. All Rights Reserved.