Palo Alto Networks Cortex XDR Actions

Actions for Palo Alto Networks Cortex XDR #

• Send Data to Palo Alto Networks Cortex XDR. Sends a custom set of Lucidum data to Palo Alto Networks Cortex XDR.

Use Cases #

Below are the possible use cases for these actions:

• If you want to run Lucidum “headless”, you can send relevant data to Palo Alto Networks Cortex XDR on a regular schedule.

• You can send normalized, enriched Lucidum data to Palo Alto Networks Cortex XDR to be indexed, searched, and analyzed.

Prerequisites #

To execute Palo Alto Networks Cortex XDR actions, you must:

• Configure a Palo Alto Networks Cortex XDR API connection beforehand. The required parameters are described in the instructions for creating a Palo Alto Networks Cortex XDR connector in Lucidum https://lucidum.io/docs/palo-alto-networks-cortex-xdr/.

Workflows #

• Creating a new Configuration and a new Action
• Cloning an Existing Action
• Creating a new Action from the Location Results page
• Editing a Configuration
• Editing an Action
• Viewing Information about an Action

Palo Alto Networks Cortex XDR Configuration #

To create a configuration for Palo Alto Networks Cortex XDR actions:

• Configuration Name. Identifier for the Configuration. This name will appear in the Lucidum Action Center.

• Host. The hostname of the API for Palo Alto Networks Cortex XDR. For example, lucidum.xrd.us.paloaltonetworks.com. For details, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-API-Reference/Get-Started-with-APIs.

• API Key. API key for a Palo Alto Cortex XDR account. The API Key must be of type Advanced and have the read and write permissions/role for:

  • Assets > Asset Inventory
  • Assets > Compliance
  • Assets >  Network Config
  • Endpoint > Device Control
  • Endpoint > Endpoint Admin
  • Incident Response > Host Insights
  • Incident Response > Investigations
  • Incident Response > Personal Query Library
  • Incident Response > Query Center

For details, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-API-Reference/Get-Started-with-APIs

• API Key ID. API key for a Palo Alto Cortex XDR account. The API Key must be of type Advanced and have the permissions/role specified above.

  For details, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-API-Reference/Get-Started-with-API

• Max # of Records per Payload. The maximum number of records to send to Palo Alto Networks Cortex XDR in each action. The default value is “50”.

Create a New Action #

To create an action for Palo Alto Networks Cortex XDR, contact Lucidum customer care.