-
Notifications
You must be signed in to change notification settings - Fork 385
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #1123 from joeslazaro-cdw/jl/pa-cortex-xdr-responder
Implement Palo Alto Cortex XDR responder
- Loading branch information
Showing
9 changed files
with
704 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,6 @@ | ||
| FROM python:3.10-alpine | ||
| WORKDIR /worker | ||
| COPY requirements.txt PaloAltoCortexXDR/ | ||
| RUN pip3 install --no-cache-dir -r PaloAltoCortexXDR/requirements.txt | ||
| COPY . PaloAltoCortexXDR/ | ||
| ENTRYPOINT ["python3", "PaloAltoCortexXDR/cortex_xdr.py"] |
84 changes: 84 additions & 0 deletions
84
responders/PaloAltoCortexXDR/PaloAltoCortexXDR_isolate.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,84 @@ | ||
| { | ||
| "name": "PaloAltoCortexXDR_isolate", | ||
| "version": "1.0", | ||
| "author": "Joe Lazaro", | ||
| "url": "https://github.com/TheHive-Project/Cortex-Analyzers", | ||
| "license": "AGPL-V3", | ||
| "description": "Isolate endpoints identified by hostname or IP list", | ||
| "dataTypeList": [ | ||
| "thehive:case_artifact" | ||
| ], | ||
| "command": "PaloAltoCortexXDR/cortex_xdr.py", | ||
| "baseConfig": "PaloAltoCortexXDR", | ||
| "config": { | ||
| "service": "isolate" | ||
| }, | ||
| "registration_required": true, | ||
| "subscription_required": true, | ||
| "free_subscription": false, | ||
| "service_homepage": "https://www.paloaltonetworks.com/cortex/cortex-xdr", | ||
| "service_logo": { | ||
| "path": "assets/cortex_logo.png", | ||
| "caption": "logo" | ||
| }, | ||
| "screenshots": [ | ||
| { | ||
| "path": "assets/PaloAltoCortexXDR_isolate.png", | ||
| "caption": "Example responder action result" | ||
| } | ||
| ], | ||
| "configurationItems": [ | ||
| { | ||
| "name": "api_key", | ||
| "description": "API key", | ||
| "type": "string", | ||
| "multi": false, | ||
| "required": true | ||
| }, | ||
| { | ||
| "name": "api_key_id", | ||
| "description": "API key ID", | ||
| "type": "string", | ||
| "multi": false, | ||
| "required": true | ||
| }, | ||
| { | ||
| "name": "advanced_security", | ||
| "description": "Set True if the API key was generated with Advanced security level. False for a Standard security key.", | ||
| "type": "boolean", | ||
| "multi": false, | ||
| "required": true | ||
| }, | ||
| { | ||
| "name": "api_host", | ||
| "description": "Fully qualified domain name for the API host. Example: api-example.xdr.us.paloaltonetworks.com", | ||
| "type": "string", | ||
| "multi": false, | ||
| "required": true | ||
| }, | ||
| { | ||
| "name": "isolate_polling_interval", | ||
| "description": "Interval, in seconds between requests for isolate or unisolate actions.", | ||
| "type": "number", | ||
| "multi": false, | ||
| "required": false, | ||
| "defaultValue": 30 | ||
| }, | ||
| { | ||
| "name": "isolate_max_polling_retries", | ||
| "description": "Maximum number of time to retry action status when the isolate or unisolate action is still in progress.", | ||
| "type": "number", | ||
| "multi": false, | ||
| "required": false, | ||
| "defaultValue": 120 | ||
| }, | ||
| { | ||
| "name": "allow_multiple_isolation_targets", | ||
| "description": "Allow the responder to send multiple targets for isolation/unisolation in one multi-line observable. Set to false as a safety mechanism to allow only a single endpoint to be affected while refusing requests to operate on multiple endpoints.", | ||
| "type": "boolean", | ||
| "multi": false, | ||
| "required": true, | ||
| "defaultValue": false | ||
| } | ||
| ] | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,76 @@ | ||
| { | ||
| "name": "PaloAltoCortexXDR_scan", | ||
| "version": "1.0", | ||
| "author": "Joe Lazaro", | ||
| "url": "https://github.com/TheHive-Project/Cortex-Analyzers", | ||
| "license": "AGPL-V3", | ||
| "description": "Scan endpoints identified by hostname or IP list", | ||
| "dataTypeList": [ | ||
| "thehive:case_artifact" | ||
| ], | ||
| "command": "PaloAltoCortexXDR/cortex_xdr.py", | ||
| "baseConfig": "PaloAltoCortexXDR", | ||
| "config": { | ||
| "service": "scan" | ||
| }, | ||
| "registration_required": true, | ||
| "subscription_required": true, | ||
| "free_subscription": false, | ||
| "service_homepage": "https://www.paloaltonetworks.com/cortex/cortex-xdr", | ||
| "service_logo": { | ||
| "path": "assets/cortex_logo.png", | ||
| "caption": "logo" | ||
| }, | ||
| "screenshots": [ | ||
| { | ||
| "path": "assets/PaloAltoCortexXDR_isolate.png", | ||
| "caption": "Example responder action result" | ||
| } | ||
| ], | ||
| "configurationItems": [ | ||
| { | ||
| "name": "api_key", | ||
| "description": "API key", | ||
| "type": "string", | ||
| "multi": false, | ||
| "required": true | ||
| }, | ||
| { | ||
| "name": "api_key_id", | ||
| "description": "API key ID", | ||
| "type": "string", | ||
| "multi": false, | ||
| "required": true | ||
| }, | ||
| { | ||
| "name": "advanced_security", | ||
| "description": "Set True if the API key was generated with Advanced security level. False for a Standard security key.", | ||
| "type": "boolean", | ||
| "multi": false, | ||
| "required": true | ||
| }, | ||
| { | ||
| "name": "api_host", | ||
| "description": "Fully qualified domain name for the API host. Example: api-example.xdr.us.paloaltonetworks.com", | ||
| "type": "string", | ||
| "multi": false, | ||
| "required": true | ||
| }, | ||
| { | ||
| "name": "scan_polling_interval", | ||
| "description": "Interval, in seconds between requests for scan actions.", | ||
| "type": "number", | ||
| "multi": false, | ||
| "required": false, | ||
| "defaultValue": 60 | ||
| }, | ||
| { | ||
| "name": "scan_max_polling_retries", | ||
| "description": "Maximum number of time to retry action status when a scan action is still in progress.", | ||
| "type": "number", | ||
| "multi": false, | ||
| "required": false, | ||
| "defaultValue": 240 | ||
| } | ||
| ] | ||
| } |
84 changes: 84 additions & 0 deletions
84
responders/PaloAltoCortexXDR/PaloAltoCortexXDR_unisolate.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,84 @@ | ||
| { | ||
| "name": "PaloAltoCortexXDR_unisolate", | ||
| "version": "1.0", | ||
| "author": "Joe Lazaro", | ||
| "url": "https://github.com/TheHive-Project/Cortex-Analyzers", | ||
| "license": "AGPL-V3", | ||
| "description": "Unisolate endpoints identified by hostname or IP list", | ||
| "dataTypeList": [ | ||
| "thehive:case_artifact" | ||
| ], | ||
| "command": "PaloAltoCortexXDR/cortex_xdr.py", | ||
| "baseConfig": "PaloAltoCortexXDR", | ||
| "config": { | ||
| "service": "unisolate" | ||
| }, | ||
| "registration_required": true, | ||
| "subscription_required": true, | ||
| "free_subscription": false, | ||
| "service_homepage": "https://www.paloaltonetworks.com/cortex/cortex-xdr", | ||
| "service_logo": { | ||
| "path": "assets/cortex_logo.png", | ||
| "caption": "logo" | ||
| }, | ||
| "screenshots": [ | ||
| { | ||
| "path": "assets/PaloAltoCortexXDR_isolate.png", | ||
| "caption": "Example responder action result" | ||
| } | ||
| ], | ||
| "configurationItems": [ | ||
| { | ||
| "name": "api_key", | ||
| "description": "API key", | ||
| "type": "string", | ||
| "multi": false, | ||
| "required": true | ||
| }, | ||
| { | ||
| "name": "api_key_id", | ||
| "description": "API key ID", | ||
| "type": "string", | ||
| "multi": false, | ||
| "required": true | ||
| }, | ||
| { | ||
| "name": "advanced_security", | ||
| "description": "Set True if the API key was generated with Advanced security level. False for a Standard security key.", | ||
| "type": "boolean", | ||
| "multi": false, | ||
| "required": true | ||
| }, | ||
| { | ||
| "name": "api_host", | ||
| "description": "Fully qualified domain name for the API host. Example: api-example.xdr.us.paloaltonetworks.com", | ||
| "type": "string", | ||
| "multi": false, | ||
| "required": true | ||
| }, | ||
| { | ||
| "name": "isolate_polling_interval", | ||
| "description": "Interval, in seconds between requests for isolate or unisolate actions.", | ||
| "type": "number", | ||
| "multi": false, | ||
| "required": false, | ||
| "defaultValue": 30 | ||
| }, | ||
| { | ||
| "name": "isolate_max_polling_retries", | ||
| "description": "Maximum number of time to retry action status when the isolate or unisolate action is still in progress.", | ||
| "type": "number", | ||
| "multi": false, | ||
| "required": false, | ||
| "defaultValue": 120 | ||
| }, | ||
| { | ||
| "name": "allow_multiple_isolation_targets", | ||
| "description": "Allow the responder to send multiple targets for isolation/unisolation in one multi-line observable. Set to false as a safety mechanism to allow only a single endpoint to be affected while refusing requests to operate on multiple endpoints.", | ||
| "type": "boolean", | ||
| "multi": false, | ||
| "required": true, | ||
| "defaultValue": false | ||
| } | ||
| ] | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,12 @@ | ||
| Palo Alto Cortex XDR: Extended Detection and Response | ||
|
|
||
| Cortex XDR is the industry’s first extended detection and response platform that integrates network, endpoint, cloud, and third-party data to stop sophisticated attacks. Cortex XDR has been designed from the ground up to help organizations secure their digital assets and users while simplifying operations. Using behavioral analytics, it identifies unknown and highly evasive threats targeting your network. Machine learning and AI models uncover threats from any source, including managed and unmanaged devices. | ||
|
|
||
| This responder interacts with the Cortex XDR API to support three actions: | ||
| * Isolate an endpoint from the network. Prevents a suspected compromised system from causing any further harm to the network. | ||
| * Unisolate an endpoint that was previously isolated. | ||
| * Scan: initial a full scan of an endpoint. | ||
|
|
||
| The responder operates on a 'fqdn' or 'ip' case artifact (observable) from TheHive. The value of the FQDN should be the endpoint name as it appears in the Cortex XDR console. | ||
|
|
||
| The responder accepts multiple inputs at once if your observable is multi-line value with one entry per line. |
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Oops, something went wrong.