Palo Alto Cortex XDR

Supported Actions

• on poll: Callback action for the on_poll ingest functionality
• test connectivity: Validate the asset configuration for connectivity using supplied configuration
• list endpoints: List all the endpoints/sensors configured on the device
• get policy: Get the policy name for a specific endpoint
• get action status: Retrieve the status of the requested actions according to the action ID
• retrieve file: Retrieve files from a specified endpoint
• retrieve file details: View the file retrieved by the Retrieve File action according to the action ID
• quarantine file: Quarantine file on a specified endpoint
• unquarantine file: Restore a quarantined file on a specified endpoint
• block hash: Add a hash that does not exist in the allow or block list to a block list
• allow hash: Add files that do not exist in the allow or block list to an allow list
• quarantine device: Quarantine a specified endpoint
• unquarantine device: Unquarantine a specified endpoint
• scan endpoint: Run a scan on selected endpoints
• cancel scan endpoint: Cancel the scan of selected endpoints
• get incidents: Get a list of incidents filtered by a list of incident IDs, modification time, or creation time
• get incident details: Get extra data fields of a specific incident including alerts and key artifacts
• get alerts: Get a list of alerts with multiple events