CortexXDRClient APIs

Actions API

class cortex_xdr_client.api.actions_api.ActionsAPI(auth, fqdn, timeout)

Bases: BaseAPI

get_action_status(group_action_id)

Retrieve the status of the requested actions according to the action ID.

Parameters

group_action_id (int) – The Action ID of the selected request.

Return type

Optional[GetActionStatus]

Returns

Returns a GetActionStatus object if successful.

get_file_retrieval_details(group_action_id)

Retrieve the status of the requested file retrieval action.

Parameters

group_action_id (int) – The Action ID of the selected request.

Return type

Optional[GetActionStatus]

Returns

Returns a GetActionStatus object if successful.

Alerts API

class cortex_xdr_client.api.alerts_api.AlertsAPI(auth, fqdn, timeout)

Bases: BaseAPI

get_alerts(alert_id_list=None, alert_source_list=None, severities=None, creation_time=None, after_creation=False, server_creation_time=None, after_server_creation=False, search_from=None, search_to=None)

Get a list of alerts with multiple events.

Parameters
  • alert_id_list (Optional[List[int]]) – List of integers of the Alert ID

  • alert_source_list (Optional[List[str]]) – List of strings of the Alert source

  • severities (Optional[List[AlertSeverity]]) – List of Alert severities (AlertSeverity values) to filter on.

  • creation_time (Optional[int]) – Timestamp of the Creation time. Also known as detection_timestamp.

  • after_creation (bool) – Whether creation_time is used as the upper or lower bound of the time range.

  • server_creation_time (Optional[int]) – Timestamp of the Server creation time. Also known as local_insert_ts.

  • after_server_creation (bool) – Whether server_creation_time is used as the upper or lower bound of the time range.

  • search_from (Optional[int]) – Integer representing the starting offset within the query result set from which you want results returned.

  • search_to (Optional[int]) – Integer representing the end offset within the result set after which you do not want results returned.

Return type

Optional[GetAlertsResponse]

Returns

Returns a GetAlertsResponse object if successful.

cortex_xdr_client.api.alerts_api.get_enum_values(p)

Return type

List[str]

Download API

class cortex_xdr_client.api.download_api.DownloadAPI(auth, fqdn, timeout)

Bases: BaseAPI

download_file(file_api_value)

Downloads the file at the given URI, previously requested through the get_file_retrieval_details function.

Parameters

file_api_value – UID assigned to the file that is requested to be downloaded.

Returns

Contents of the file.

Endpoints API

class cortex_xdr_client.api.endpoints_api.EndpointsAPI(auth, fqdn, timeout)

Bases: BaseAPI

get_all_endpoints()

Gets a list of your endpoints.

Return type

Optional[GetAllEndpointsResponse]

Returns

A GetAllEndpointsResponse object if successful.

get_endpoint(endpoint_id_list=None, endpoint_status=None, dist_name=None, first_seen=None, after_first_seen=False, last_seen=None, after_last_seen=False, ip_list=None, group_name=None, platform=None, alias=None, hostname=None, isolate=None, scan_status=None, username=None, search_from=None, search_to=None)

Gets a list of filtered endpoints.

Parameters
  • endpoint_id_list (Optional[List[str]]) – List of endpoint IDs.

  • endpoint_status (Optional[List[EndpointStatus]]) – Status of the endpoint ID.

  • dist_name (Optional[List[str]]) – Distribution / Installation Package name.

  • first_seen (Optional[int]) – When the agent was first seen.

  • after_first_seen (bool) – Whether first_seen is used as the upper or lower bound of the time range.

  • last_seen (Optional[int]) – When the agent was last seen.

  • after_last_seen (bool) – Whether last_seen is used as the upper or lower bound of the time range.

  • ip_list (Optional[List[str]]) – List of IP addresses.

  • group_name (Optional[List[str]]) – Group name the agent belongs to.

  • platform (Optional[List[EndpointPlatform]]) – Platform name.

  • alias (Optional[List[str]]) – Alias name.

  • hostname (Optional[List[str]]) – Hostname.

  • isolate (Optional[List[IsolateStatus]]) – If the endpoint was isolated.

  • scan_status (Optional[List[ScanStatus]]) – A list of ScanStatus

  • username (Optional[List[str]]) – Username.

  • search_from (Optional[int]) – Integer representing the starting offset within the query result set from which you want results returned.

  • search_to (Optional[int]) – Integer representing the end offset within the result set after which you do not want results returned.

Return type

Optional[GetEndpointResponse]

Returns

A GetEndpointResponse object if successful.

isolate_endpoints(endpoint_id_list=None)

Isolate one or more endpoints in a single request. Request is limited to 1000 endpoints.

Parameters

endpoint_id_list (Optional[List[str]]) – List of endpoint IDs.

Return type

Optional[ResponseActionResponse]

Returns

A ResponseActionResponse object if successful.

quarantine_file(endpoint_id_list=None, file_path=None, file_hash=None, incident_id=None)

Quarantine file on selected endpoints. You can select up to 1000 endpoints.

Parameters
  • endpoint_id_list (Optional[List[str]]) – List of endpoint IDs.

  • file_path (Optional[str]) – String that represents the path of the file you want to quarantine. You must enter a proper path and not symbolic links.

  • file_hash (Optional[str]) – String that represents the file’s hash. Hash must be a valid SHA256.

  • incident_id (Optional[str]) – When included in the request, the Quarantine File action will appear in the Cortex XDR Incident View Timeline tab.

Return type

Optional[ResponseActionResponse]

Returns

A ResponseActionResponse object if successful.

retrieve_file(endpoint_id_list=None, files=None, incident_id=None)

Retrieve files from selected endpoints. You can retrieve up to 20 files, from no more than 10 endpoints.

Parameters
  • endpoint_id_list (Optional[List[str]]) – List of endpoint IDs.

  • files (Optional[Dict[str, List[str]]]) – dictionary containing the type of platform and list of file paths you want to retrieve. Valid platform type keywords are: [“windows”, “linux”, “macos”].

  • incident_id (Optional[str]) – When included in the request, the Retrieve File action will appear in the Cortex XDR Incident View Timeline tab.

Return type

Optional[ResponseActionResponse]

Returns

A ResponseActionResponse object if successful.

scan_all_endpoints()

Scans all endpoints.

Return type

Optional[ResponseActionResponse]

Returns

A ResponseActionResponse object if successful.

scan_endpoints(endpoint_id_list=None, dist_name=None, first_seen=None, after_first_seen=False, last_seen=None, after_last_seen=False, ip_list=None, group_name=None, platform=None, alias=None, hostname=None, isolate=None, scan_status=None, username=None)

Run a scan on selected endpoints.

Parameters
  • endpoint_id_list (Optional[List[str]]) – List of endpoint IDs.

  • dist_name (Optional[List[str]]) – Name of the distribution list.

  • first_seen (Optional[int]) – When an endpoint was first seen.

  • after_first_seen (bool) – Whether first_seen is used as the upper or lower bound of the time range.

  • last_seen (Optional[int]) – When an endpoint was last seen.

  • after_last_seen (bool) – Whether last_seen is used as the upper or lower bound of the time range.

  • ip_list (Optional[List[str]]) – List of IP addresses.

  • group_name (Optional[List[str]]) – Name of the endpoint group.

  • platform (Optional[List[EndpointPlatform]]) – Platform name.

  • alias (Optional[List[str]]) – Endpoint alias name.

  • hostname (Optional[List[str]]) – Name of host.

  • isolate (Optional[List[IsolateStatus]]) – If the endpoint has been isolated.

  • scan_status (Optional[List[ScanStatus]]) – The scan status.

  • username (Optional[List[str]]) – Username.

Return type

Optional[ResponseActionResponse]

Returns

A ResponseActionResponse object if successful.

set_endpoint_alias(new_alias, endpoint_id_list=None, endpoint_status=None, dist_name=None, ip_list=None, group_name=None, platform=None, alias=None, isolate=None, hostname=None)

Set or modify an Alias field for your endpoints.

Parameters
  • new_alias (str) – The alias name you want to set or modify.

  • endpoint_id_list (Optional[List[str]]) – List of endpoint IDs.

  • endpoint_status (Optional[EndpointStatus]) – Status of the endpoint ID.

  • dist_name (Optional[str]) – Distribution / Installation Package name.

  • ip_list (Optional[List[str]]) – List of IP addresses.

  • group_name (Optional[List[str]]) – Group name the agent belongs to.

  • platform (Optional[List[EndpointPlatform]]) – Platform name.

  • alias (Optional[List[str]]) – Alias name.

  • isolate (Optional[List[IsolateStatus]]) – If the endpoint was isolated.

  • hostname (Optional[List[str]]) – Hostname.

Return type

Optional[ResponseStatusResponse]

Returns

A ResponseStatusResponse if successful.

unisolate_endpoints(endpoint_id_list=None)

Unisolate one or more endpoints in a single request. Request is limited to 1000 endpoints.

Parameters

endpoint_id_list (Optional[List[str]]) – List of endpoint IDs.

Return type

Optional[ResponseActionResponse]

Returns

A ResponseActionResponse object if successful.
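The response actions above carry hard limits (1000 endpoints for isolate_endpoints, unisolate_endpoints and quarantine_file; 10 endpoints and 20 files for retrieve_file; a valid SHA256 for file_hash; the three platform keywords for files). The following pre-flight checks are an added example, not code from the cortex-xdr-client project: they validate a request against those limits before it is sent, so a malformed response action is caught locally instead of failing at the API. The function names and the absolute-path check are assumptions.

```python
import re
from typing import Dict, List

# Limits and formats stated in the EndpointsAPI reference above.
MAX_ISOLATE_ENDPOINTS = 1000   # isolate_endpoints / unisolate_endpoints / quarantine_file
MAX_RETRIEVE_ENDPOINTS = 10    # retrieve_file
MAX_RETRIEVE_FILES = 20        # retrieve_file, total across all platforms
VALID_PLATFORMS = ("windows", "linux", "macos")
SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")


def check_endpoint_batch(endpoint_ids: List[str], limit: int) -> List[str]:
    """Return a list of problems with an endpoint_id_list (empty list = OK)."""
    problems = []
    if not endpoint_ids:
        problems.append("endpoint_id_list is empty")
    if len(endpoint_ids) > limit:
        problems.append(f"{len(endpoint_ids)} endpoints exceeds the limit of {limit}")
    if len(set(endpoint_ids)) != len(endpoint_ids):
        problems.append("endpoint_id_list contains duplicates")
    return problems


def check_quarantine_request(endpoint_ids: List[str], file_path: str, file_hash: str) -> List[str]:
    """Validate arguments for EndpointsAPI.quarantine_file before sending them."""
    problems = check_endpoint_batch(endpoint_ids, MAX_ISOLATE_ENDPOINTS)
    if not SHA256_RE.match(file_hash or ""):
        problems.append("file_hash is not a valid SHA256 hex digest")
    # The reference requires a proper path rather than a symbolic link; whether a
    # path is a symlink can only be checked on the endpoint, so locally we only
    # verify that the value looks like an absolute Windows or POSIX path (assumption).
    if not file_path or not (file_path.startswith("/") or re.match(r"^[A-Za-z]:\\", file_path)):
        problems.append("file_path must be an absolute Windows or POSIX path")
    return problems


def check_retrieve_request(endpoint_ids: List[str], files: Dict[str, List[str]]) -> List[str]:
    """Validate arguments for EndpointsAPI.retrieve_file before sending them."""
    problems = check_endpoint_batch(endpoint_ids, MAX_RETRIEVE_ENDPOINTS)
    bad_platforms = [p for p in files if p not in VALID_PLATFORMS]
    if bad_platforms:
        problems.append(f"unknown platform keyword(s): {bad_platforms}")
    total = sum(len(paths) for paths in files.values())
    if total == 0:
        problems.append("no file paths requested")
    if total > MAX_RETRIEVE_FILES:
        problems.append(f"{total} files exceeds the limit of {MAX_RETRIEVE_FILES}")
    return problems
```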

Incidents API

class cortex_xdr_client.api.incidents_api.IncidentsAPI(auth, fqdn, timeout)

Bases: BaseAPI

get_incident_extra_data(incident_id, alerts_limit=1000)

Get extra data fields of a specific incident including alerts and key artifacts.

Parameters
  • incident_id (str) – The ID of the incident for which you want to retrieve extra data.

  • alerts_limit (int) – Maximum number of related alerts in the incident that you want to retrieve (default 1000).

Return type

Optional[GetExtraIncidentDataResponse]

Returns

Returns a GetExtraIncidentDataResponse object if successful.

get_incidents(modification_time=None, after_modification=False, creation_time=None, after_creation=False, incident_id_list=None, description=None, description_contains=False, alert_sources=None, status=None, status_equal=True, search_from=None, search_to=None)

Get a list of incidents filtered by a list of incident IDs, modification time, or creation time.

Parameters
  • modification_time (Optional[int]) – Time the incident has been modified.

  • after_modification (bool) – Whether modification_time is used as the upper or lower bound of the time range.

  • creation_time (Optional[int]) – Incident’s creation time.

  • after_creation (bool) – Whether creation_time is used as the upper or lower bound of the time range.

  • incident_id_list (Optional[List[str]]) – List of incident IDs.

  • description (Optional[str]) – Incident description.

  • description_contains (bool) – If the description will contain the search string.

  • alert_sources (Optional[List[str]]) – Source which detected the alert.

  • status (Optional[IncidentStatus]) – Represents the status of the incident.

  • status_equal (bool) – If the status will be equal to the given status.

  • search_from (Optional[int]) – Integer representing the starting offset within the query result set from which you want incidents returned.

  • search_to (Optional[int]) – Integer representing the end offset within the result set after which you do not want incidents returned.

Return type

Optional[GetIncidentsResponse]

Returns

Returns a GetIncidentsResponse object if successful.

IoC API

class cortex_xdr_client.api.ioc_api.IocAPI(auth, fqdn, timeout)

Bases: BaseAPI

insert_json(indicators, validate=True)

Upload IOCs as JSON objects that you retrieved from external threat intelligence sources.

Parameters
  • indicators (List[IoC]) – List of IoC objects.

  • validate (Optional[bool]) – Whether to return an array of errors in the case of an unsuccessful update indicator API request.

Return type

IoCResponse

Returns

Returns an IoCResponse object if successful.

Scripts API

class cortex_xdr_client.api.scripts_api.ScriptsAPI(auth, fqdn, timeout)

Bases: BaseAPI

get_script_execution_result_files(action_id, endpoint_id)

Get the files retrieved from a specific endpoint during a script execution.

Parameters
  • action_id (int) – Integer, identifier of the action

  • endpoint_id (int) – Integer, endpoint ID.

Return type

Optional[str]

Returns

A signed public link to a zip file containing the retrieved files. Link expires after 10 minutes.

get_script_execution_results(action_id)

Retrieve the results of a script execution action.

Parameters

action_id (int) – Integer, identifier of the action.

Return type

Optional[GetScriptExecutionResults]

Returns

The results of a script execution action.

get_script_execution_status(action_id)

Retrieve the status of a script execution action.

Parameters

action_id (int) – Integer, identifier of the action

Return type

Optional[GetScriptsExecutionStatus]

Returns

An object of type GetScriptsExecutionStatus if successful.

get_script_metadata(script_uid)

Get the full definitions of a specific script in the scripts library.

Parameters

script_uid (str) – Unique identifier of the script, returned by the Get Scripts API per script.

Return type

Optional[GetScriptMetadataResponse]

Returns

An object of type GetScriptMetadataResponse if successful.

get_scripts(name=None, description=None, created_by=None, script_uid=None, modification_time=None, after_modification=False, windows_supported=None, linux_supported=None, macos_supported=None, is_high_risk=None)

Get a list of scripts available in the scripts library.

Parameters
  • name (Optional[List[str]]) – Script names

  • description (Optional[List[str]]) – Script descriptions

  • created_by (Optional[List[str]]) – Username(s) of who created the script(s).

  • script_uid (Optional[List[str]]) – GUID, global ID of the script(s), used to identify the script(s) when executing.

  • modification_time (Optional[int]) – Datetime of when the script was last modified.

  • after_modification (bool) – Whether modification_time is used as the upper or lower bound of the time range.

  • windows_supported (Optional[bool]) – Whether the script can be executed on the Windows operating system.

  • linux_supported (Optional[bool]) – Whether the script can be executed on the Linux operating system.

  • macos_supported (Optional[bool]) – Whether the script can be executed on the Mac operating system.

  • is_high_risk (Optional[bool]) – Whether the script has a high-risk outcome.

Return type

Optional[GetScriptsResponse]

Returns

An object of type GetScriptsResponse if successful.

run_script(script_uid, parameters_values, endpoint_id_list, timeout=600, incident_id=None)

Initiate a new endpoint script execution action using a script from the script library.

Parameters
  • script_uid (str) – GUID, unique identifier of the script, returned by the Get Scripts API per script

  • parameters_values (dict) – Dictionary mapping each parameter name (key) to its value for this execution. You can locate these values by running Get Script Metadata.

  • endpoint_id_list (List[str]) – List of endpoint IDs.

  • timeout (int) – Integer, represents the timeout in seconds for this execution. Default value is 600.

  • incident_id (Optional[str]) – String representing the incident ID. When included in the request, the Run Script action will appear in the Cortex XDR Incident View Timeline tab.

Return type

Optional[dict]

Returns

A dict containing action_id, status and endpoints_count.

run_snippet_code_script(snippet_code, endpoint_id_list, timeout=600, incident_id=None)

Initiate a new endpoint script execution action using a snippet code.

Parameters
  • snippet_code (str) – String, contains the snippet code to be executed.

  • endpoint_id_list (List[str]) – List of endpoint IDs.

  • timeout (int) – Integer, represents the timeout in seconds for this execution. Default value is 600.

  • incident_id (Optional[str]) – String representing the incident ID. When included in the request, the Run Script action will appear in the Cortex XDR Incident View Timeline tab.

Return type

Optional[dict]

Returns

A dict containing action_id and endpoints_count.

XQL API

class cortex_xdr_client.api.xql_api.XQLAPI(auth, fqdn, timeout)

Bases: BaseAPI

get_query_results(query_id, limit=None, params={})

Returns the results of an XQL Query.

Parameters
  • query_id (str) – The unique execution ID generated by the response to the Start an XQL Query API.

  • limit (Optional[int]) – Integer representing the maximum number of results to return. Max 1000.

  • params (dict) – Dictionary of parameters to be passed to the request data.

Return type

Optional[dict]

Returns

Dictionary of results.

get_query_results_stream(stream_id)

Returns the results of an XQL Query.

Parameters

stream_id (str) – The unique ID generated by the response to the Get XQL Query Results API.

Return type

Optional[dict]

Returns

Dictionary of results.

start_xql_query(query, time_period=None, from_date=None, to_date=None, tenants=None, params={})

Starts an XQL Query.

Parameters
  • query (str) – String of the XQL query.

  • time_period (Optional[int]) – Relative Unix timestamp representing the last X hours.

  • from_date (Optional[int]) – Absolute Unix timestamp representing a date.

  • to_date (Optional[int]) – Absolute Unix timestamp representing a date.

  • tenants (Optional[List[str]]) – List of strings used for running APIs on local and Managed Security tenants.

  • params (dict) – Dictionary of parameters to be passed to the request data.

Return type

Optional[str]

Returns

String representing the unique ID generated by the response to the Start XQL Query API.
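The three XQL methods form one flow: start_xql_query returns a query ID, get_query_results is polled with that ID until the query finishes, and get_query_results_stream fetches a result set too large to be returned inline. The driver below is an added example, not code from cortex-xdr-client; FakeXQLAPI is a constructed offline stand-in with the documented signatures, and the dict layout it emulates (reply.status of PENDING/SUCCESS/FAIL, reply.results holding either data or a stream_id) is an assumption taken from the Cortex XDR REST API, not from this page.

```python
import time
from typing import Any, Dict, List, Optional

# ASSUMED payload shape (not documented on this page):
# {"reply": {"status": "PENDING"|"SUCCESS"|"FAIL",
#            "results": {"data": [...]} or {"stream_id": "..."}}}


class FakeXQLAPI:
    """Constructed stand-in for cortex_xdr_client.api.xql_api.XQLAPI (runs offline)."""

    def __init__(self, rows: List[Dict[str, Any]], pending_polls: int = 2, inline_limit: int = 1000):
        self._rows, self._pending, self._inline_limit = rows, pending_polls, inline_limit

    def start_xql_query(self, query: str, time_period: Optional[int] = None, **_) -> Optional[str]:
        return "constructed-query-id" if query.strip() else None

    def get_query_results(self, query_id: str, limit: Optional[int] = None, params: dict = {}) -> Optional[dict]:
        if self._pending > 0:                      # query still executing
            self._pending -= 1
            return {"reply": {"status": "PENDING"}}
        if len(self._rows) > self._inline_limit:   # too big: hand out a stream ID
            return {"reply": {"status": "SUCCESS", "results": {"stream_id": "constructed-stream-id"}}}
        return {"reply": {"status": "SUCCESS", "results": {"data": self._rows}}}

    def get_query_results_stream(self, stream_id: str) -> Optional[dict]:
        return {"data": self._rows} if stream_id == "constructed-stream-id" else None


def run_xql(api, query: str, hours: int, max_polls: int = 30, wait_s: float = 0.0) -> List[Dict[str, Any]]:
    """Start an XQL query, poll until it finishes, and return all result rows."""
    query_id = api.start_xql_query(query, time_period=hours)
    if query_id is None:
        raise RuntimeError("start_xql_query failed")
    for _ in range(max_polls):
        resp = api.get_query_results(query_id, limit=1000)
        reply = (resp or {}).get("reply", {})
        if reply.get("status") == "PENDING":
            time.sleep(wait_s)
            continue
        if reply.get("status") != "SUCCESS":
            raise RuntimeError(f"query {query_id} ended with status {reply.get('status')}")
        results = reply.get("results", {})
        if "stream_id" in results:                 # large result set: fetch via the stream API
            streamed = api.get_query_results_stream(results["stream_id"]) or {}
            return streamed.get("data", [])
        return results.get("data", [])
    raise TimeoutError(f"query {query_id} still pending after {max_polls} polls")
```

Against the real XQLAPI, pass a positive wait_s so the polling loop does not hammer the API while the query is pending.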