Cortex XDR

Cortex XDR stitches together data from the endpoint, network, and cloud in a robust data lake. Applying advanced machine learning and analytics, it identifies threats and benign events with superior accuracy and gives analysts contextualized information, simplifying and accelerating investigations. This integration supports the 'public_api/v1' endpoint.

Integration with LogicHub

Connecting with Cortex XDR

To connect to Cortex XDR, the following details are required:

  • Label: Connection name.
  • Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
  • URL: URL to your Cortex XDR instance.
  • API Key ID: API key ID for Cortex XDR.
  • API Key: API key for Cortex XDR.

Actions with Cortex XDR

Isolate Endpoint

Isolates the specified endpoint.

Inputs to this action

  • Endpoint Hostname or IP: Column name from parent table that contains endpoint Hostname or IP

Output of action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: {
    "action_id":"",
    "status": "1",
    "endpoints_count": "1"
    }

Isolate Endpoint Status

Returns the status of the isolate operation.

Inputs to this action

  • Action Id: Column name from parent table that contains the ID of isolate operation submitted to Cortex XDR.

Output of action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • <ACTION ID>: "COMPLETED_SUCCESSFULLY"

Unisolate Endpoint

Un-isolates the specified endpoint.

Inputs to this action

  • Endpoint Hostname or IP: Column name from parent table that contains endpoint Hostname or IP.

Output of action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: {
    "action_id":"",
    "status": "1",
    "endpoints_count": "1"
    }

Scan Endpoint

Performs a scan operation on the specified endpoint.

Inputs to this action

  • Endpoint Hostname or IP: Column name from parent table that contains endpoint Hostname or IP.

Output of action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: {
    "action_id":"",
    "status": "1",
    "endpoints_count": "1"
    }

Scan Endpoint Status

Returns the status of the scan operation.

Inputs to this action

  • Action Id: Column name from parent table that contains the ID of isolate operation submitted to Cortex XDR.

Output of action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • <ACTION ID>: "COMPLETED_SUCCESSFULLY"

Get Endpoint Details

Returns details for the specified endpoint.

Inputs to this action

  • Endpoint Hostname or IP: Column name from parent table that contains endpoint Hostname or IP.

Output of action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: {
    "endpoint_id":"",
    "endpoint_name":"",
    "endpoint_type":"",
    "endpoint_status":"CONNECTED",
    "os_type":"AGENT_OS_WINDOWS",
    "ip":[
    ""
    ],
    "users":[
    "XDR"
    ],
    "domain":"WORKGROUP",
    "alias":"",
    "first_seen":1606218761377,
    "last_seen":1606218769163,
    "content_version":"",
    "installation_package":"XDR",
    "active_directory":null,
    "install_date":1606218762089,
    "endpoint_version":"",
    "is_isolated":"AGENT_UNISOLATED",
    "isolated_date":null,
    "group_name":[],
    "operational_status":"PARTIALLY_PROTECTED",
    "operational_status_description":"[{\"name\": \"generalStatus\", \"error_code\": 10004}]",
    "scan_status":"SCAN_STATUS_NONE"
    }
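The action outputs above share one envelope: has_error and error, then either a result object or a key named after the action id. The Python below is added here as an example and is not part of the LogicHub integration; it consumes those outputs the way a playbook step would, pulling the action_id from an Isolate or Scan result, looking up the matching entry in a Status output, and flattening Get Endpoint Details, whose operational_status_description field is a JSON array serialized inside a string. The sample outputs are constructed from the shapes on this page, not captured from a real tenant.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample outputs shaped like this page's action outputs; not from a real tenant.
ISOLATE_OUTPUT = {"has_error": False, "error": None,
                  "result": {"action_id": "12345", "status": "1", "endpoints_count": "1"}}
STATUS_OUTPUT = {"has_error": False, "error": None, "12345": "COMPLETED_SUCCESSFULLY"}
ERROR_OUTPUT = {"has_error": True, "error": "endpoint not found", "result": None}
DETAILS_OUTPUT = {"has_error": False, "error": None, "result": {
    "endpoint_id": "ep-01", "endpoint_name": "host01", "endpoint_status": "CONNECTED",
    "os_type": "AGENT_OS_WINDOWS", "ip": ["10.0.0.5"], "is_isolated": "AGENT_UNISOLATED",
    "last_seen": 1606218769163, "operational_status": "PARTIALLY_PROTECTED",
    "operational_status_description": "[{\"name\": \"generalStatus\", \"error_code\": 10004}]"}}


def action_error(output):
    """Return the error message when the has_error/error envelope flags a failure, else None."""
    return output.get("error") if output.get("has_error") else None


def unwrap(output):
    """Check the envelope first; never read a null result after an error."""
    err = action_error(output)
    if err is not None:
        raise RuntimeError(f"Cortex XDR action failed: {err}")
    return output


def action_id_of(output):
    """action_id from an Isolate / Unisolate / Scan Endpoint result, for the matching Status action."""
    return unwrap(output)["result"]["action_id"]


def action_status(status_output, action_id):
    """Status actions key the state by the action id itself (the <ACTION ID> item), not under result."""
    out = unwrap(status_output)
    if action_id not in out:
        raise KeyError(f"status output carries no entry for action {action_id}")
    return out[action_id]


def summarize_endpoint(details_output):
    """Flatten a Get Endpoint Details result into the fields an analyst checks before isolating."""
    r = unwrap(details_output)["result"]
    # operational_status_description is a JSON array serialized inside a string: decode it separately.
    problems = json.loads(r.get("operational_status_description") or "[]")
    # first_seen / last_seen / install_date are epoch milliseconds, not seconds.
    last_seen = datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(milliseconds=r["last_seen"])
    return {
        "name": r["endpoint_name"],
        "connected": r["endpoint_status"] == "CONNECTED",
        "isolation": r["is_isolated"],
        "partially_protected": r["operational_status"] == "PARTIALLY_PROTECTED",
        "error_codes": [p["error_code"] for p in problems],
        "last_seen_utc": last_seen.isoformat(),
    }
```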
