CortexXDRClient APIs
Actions API
- class cortex_xdr_client.api.actions_api.ActionsAPI(auth, fqdn, timeout)
  Bases: BaseAPI
  - get_action_status(group_action_id)
    Retrieve the status of the requested actions according to the action ID.
    - Parameters
      - group_action_id (int) – String that represents the Action ID of the selected request.
    - Return type: Optional[GetActionStatus]
    - Returns: Returns a GetActionStatus object if successful.
  - get_file_retrieval_details(group_action_id)
    Retrieve the status of the requested file retrieval action.
    - Parameters
      - group_action_id (int) – String that represents the Action ID of the selected request.
    - Return type: Optional[GetActionStatus]
    - Returns: Returns a GetActionStatus object if successful.
Alerts API
- class cortex_xdr_client.api.alerts_api.AlertsAPI(auth, fqdn, timeout)
  Bases: BaseAPI
  - get_alerts(alert_id_list=None, alert_source_list=None, severities=None, creation_time=None, after_creation=False, server_creation_time=None, after_server_creation=False, search_from=None, search_to=None)
    Get a list of alerts with multiple events.
    - Parameters
      - alert_id_list (Optional[List[int]]) – List of integers of the Alert ID.
      - alert_source_list (Optional[List[str]]) – List of strings of the Alert source.
      - severities (Optional[List[AlertSeverity]]) – List of strings of the Alert severity.
      - creation_time (Optional[int]) – Timestamp of the Creation time. Also known as detection_timestamp.
      - after_creation (bool) – If the creation date will be the upper or lower bound limit.
      - server_creation_time (Optional[int]) – Timestamp of the Server creation time. Also known as local_insert_ts.
      - after_server_creation (bool) – If the server creation date will be the upper or lower bound limit.
      - search_to (Optional[int]) – Integer representing the end offset within the result set after which you do not want incidents returned.
      - search_from (Optional[int]) – Integer representing the starting offset within the query result set from which you want incidents returned.
    - Return type: Optional[GetAlertsResponse]
    - Returns: Returns a GetAlertsResponse object if successful.
- cortex_xdr_client.api.alerts_api.get_enum_values(p)
  - Return type: List[str]
Download API
- class cortex_xdr_client.api.download_api.DownloadAPI(auth, fqdn, timeout)
  Bases: BaseAPI
  - download_file(file_api_value)
    Downloads the file at the given URI, previously requested through the get_file_retrieval_details function.
    - Parameters
      - file_api_value – UID assigned to the file that is requested to be downloaded.
    - Returns: Contents of the file.
Endpoints API
- class cortex_xdr_client.api.endpoints_api.EndpointsAPI(auth, fqdn, timeout)
  Bases: BaseAPI
  - get_all_endpoints()
    Gets a list of your endpoints.
    - Return type: Optional[GetAllEndpointsResponse]
    - Returns: A GetAllEndpointsResponse object if successful.
  - get_endpoint(endpoint_id_list=None, endpoint_status=None, dist_name=None, first_seen=None, after_first_seen=False, last_seen=None, after_last_seen=False, ip_list=None, group_name=None, platform=None, alias=None, hostname=None, isolate=None, scan_status=None, username=None, search_from=None, search_to=None)
    Gets a list of filtered endpoints.
    - Parameters
      - endpoint_id_list (Optional[List[str]]) – List of endpoint IDs.
      - endpoint_status (Optional[List[EndpointStatus]]) – Status of the endpoint ID.
      - dist_name (Optional[List[str]]) – Distribution / Installation Package name.
      - first_seen (Optional[int]) – When the agent was first seen.
      - after_first_seen (bool) – If the first seen date will be the upper or lower bound limit.
      - last_seen (Optional[int]) – When the agent was last seen.
      - after_last_seen (bool) – If the last seen date will be the upper or lower bound limit.
      - ip_list (Optional[List[str]]) – List of IP addresses.
      - group_name (Optional[List[str]]) – Group name the agent belongs to.
      - platform (Optional[List[EndpointPlatform]]) – Platform name.
      - alias (Optional[List[str]]) – Alias name.
      - hostname (Optional[List[str]]) – Hostname.
      - isolate (Optional[List[IsolateStatus]]) – If the endpoint was isolated.
      - scan_status (Optional[List[ScanStatus]]) – A list of ScanStatus.
      - username (Optional[List[str]]) – Username.
      - search_from (Optional[int]) – Integer representing the starting offset within the query result set from which you want incidents returned.
      - search_to (Optional[int]) – Integer representing the end offset within the result set after which you do not want incidents returned.
    - Return type: Optional[GetEndpointResponse]
    - Returns: A GetEndpointResponse object if successful.
  - isolate_endpoints(endpoint_id_list=None)
    Isolate one or more endpoints in a single request. Request is limited to 1000 endpoints.
    - Parameters
      - endpoint_id_list (Optional[List[str]]) – List of endpoint IDs.
    - Return type: Optional[ResponseActionResponse]
    - Returns: A ResponseActionResponse object if successful.
  - quarantine_file(endpoint_id_list=None, file_path=None, file_hash=None, incident_id=None)
    Quarantine file on selected endpoints. You can select up to 1000 endpoints.
    - Parameters
      - endpoint_id_list (Optional[List[str]]) – List of endpoint IDs.
      - file_path (Optional[str]) – String that represents the path of the file you want to quarantine. You must enter a proper path and not symbolic links.
      - file_hash (Optional[str]) – String that represents the file's hash. Hash must be a valid SHA256.
      - incident_id (Optional[str]) – When included in the request, the Quarantine File action will appear in the Cortex XDR Incident View Timeline tab.
    - Return type: Optional[ResponseActionResponse]
    - Returns: A ResponseActionResponse object if successful.
  - retrieve_file(endpoint_id_list=None, files=None, incident_id=None)
    Retrieve files from selected endpoints. You can retrieve up to 20 files, from no more than 10 endpoints.
    - Parameters
      - endpoint_id_list (Optional[List[str]]) – List of endpoint IDs.
      - files (Optional[Dict[str, List[str]]]) – Dictionary containing the type of platform and list of file paths you want to retrieve. Valid platform type keywords are: ["windows", "linux", "macos"].
      - incident_id (Optional[str]) – When included in the request, the Retrieve File action will appear in the Cortex XDR Incident View Timeline tab.
    - Return type: Optional[ResponseActionResponse]
    - Returns: A ResponseActionResponse object if successful.
  - scan_all_endpoints()
    Scans all endpoints.
    - Return type: Optional[ResponseActionResponse]
    - Returns: A ResponseActionResponse object if successful.
  - scan_endpoints(endpoint_id_list=None, dist_name=None, first_seen=None, after_first_seen=False, last_seen=None, after_last_seen=False, ip_list=None, group_name=None, platform=None, alias=None, hostname=None, isolate=None, scan_status=None, username=None)
    Run a scan on selected endpoints.
    - Parameters
      - endpoint_id_list (Optional[List[str]]) – List of endpoint IDs.
      - dist_name (Optional[List[str]]) – Name of the distribution list.
      - first_seen (Optional[int]) – When an endpoint was first seen.
      - after_first_seen (bool) – If the first seen date will be the upper or lower bound limit.
      - last_seen (Optional[int]) – When an endpoint was last seen.
      - after_last_seen (bool) – If the last seen date will be the upper or lower bound limit.
      - ip_list (Optional[List[str]]) – List of IP addresses.
      - group_name (Optional[List[str]]) – Name of the endpoint group.
      - platform (Optional[List[EndpointPlatform]]) – Platform name.
      - alias (Optional[List[str]]) – Endpoint alias name.
      - hostname (Optional[List[str]]) – Name of host.
      - isolate (Optional[List[IsolateStatus]]) – If the endpoint has been isolated.
      - scan_status (Optional[List[ScanStatus]]) – The scan status.
      - username (Optional[List[str]]) – Username.
    - Return type: Optional[ResponseActionResponse]
    - Returns: A ResponseActionResponse object if successful.
  - set_endpoint_alias(new_alias, endpoint_id_list=None, endpoint_status=None, dist_name=None, ip_list=None, group_name=None, platform=None, alias=None, isolate=None, hostname=None)
    Set or modify an Alias field for your endpoints.
    - Parameters
      - new_alias (str) – The alias name you want to set or modify.
      - endpoint_id_list (Optional[List[str]]) – List of endpoint IDs.
      - endpoint_status (Optional[EndpointStatus]) – Status of the endpoint ID.
      - dist_name (Optional[str]) – Distribution / Installation Package name.
      - ip_list (Optional[List[str]]) – List of IP addresses.
      - group_name (Optional[List[str]]) – Group name the agent belongs to.
      - platform (Optional[List[EndpointPlatform]]) – Platform name.
      - alias (Optional[List[str]]) – Alias name.
      - isolate (Optional[List[IsolateStatus]]) – If the endpoint was isolated.
      - hostname (Optional[List[str]]) – Hostname.
    - Return type: Optional[ResponseStatusResponse]
    - Returns: A ResponseStatusResponse if successful.
  - unisolate_endpoints(endpoint_id_list=None)
    Unisolate one or more endpoints in a single request. Request is limited to 1000 endpoints.
    - Parameters
      - endpoint_id_list (Optional[List[str]]) – List of endpoint IDs.
    - Return type: Optional[ResponseActionResponse]
    - Returns: A ResponseActionResponse object if successful.
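The response-action methods above carry hard limits (1000 endpoint IDs per isolate/unisolate/quarantine request, a SHA256 hash for quarantine_file, at most 20 files from 10 endpoints for retrieve_file, platform keys restricted to windows/linux/macos). The following is an added example, not code from cortex_xdr_client, that checks those limits before a call is made and splits oversized isolation requests into batches; `client` is assumed to be any object exposing `isolate_endpoints(endpoint_id_list=...)` with the signature documented above.

```python
import re
from typing import Dict, List, Optional

# Limits as documented for EndpointsAPI above.
MAX_ACTION_ENDPOINTS = 1000      # isolate / unisolate / quarantine_file
MAX_RETRIEVE_ENDPOINTS = 10      # retrieve_file
MAX_RETRIEVE_FILES = 20          # retrieve_file, total across platforms
RETRIEVE_PLATFORMS = {"windows", "linux", "macos"}
SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")


def chunk(ids: List[str], size: int) -> List[List[str]]:
    """Split an endpoint ID list into request-sized batches."""
    return [ids[i:i + size] for i in range(0, len(ids), size)]


def isolate_in_batches(client, endpoint_ids: List[str]) -> list:
    """Isolate any number of endpoints using requests of <= 1000 IDs.

    `client` is assumed to expose isolate_endpoints(endpoint_id_list=...),
    e.g. an EndpointsAPI instance. Returns one response per batch."""
    return [client.isolate_endpoints(endpoint_id_list=batch)
            for batch in chunk(endpoint_ids, MAX_ACTION_ENDPOINTS)]


def check_quarantine_args(endpoint_ids: List[str], file_path: str,
                          file_hash: str) -> Optional[str]:
    """Return an error message if the quarantine_file arguments violate
    the documented constraints, else None. The symlink rule can only be
    enforced where the path resolves (on the endpoint), so it is not
    checked here."""
    if not endpoint_ids or len(endpoint_ids) > MAX_ACTION_ENDPOINTS:
        return "endpoint_id_list must contain 1..1000 IDs"
    if not file_path:
        return "file_path is required"
    if not SHA256_RE.match(file_hash or ""):
        return "file_hash must be a 64-hex-digit SHA256"
    return None


def check_retrieve_args(endpoint_ids: List[str],
                        files: Dict[str, List[str]]) -> Optional[str]:
    """Validate retrieve_file limits: <= 10 endpoints, <= 20 file paths in
    total, and only the documented platform keys."""
    if not endpoint_ids or len(endpoint_ids) > MAX_RETRIEVE_ENDPOINTS:
        return "retrieve_file allows 1..10 endpoints"
    unknown = set(files) - RETRIEVE_PLATFORMS
    if unknown:
        return "unknown platform key(s): %s" % sorted(unknown)
    total = sum(len(paths) for paths in files.values())
    if total == 0 or total > MAX_RETRIEVE_FILES:
        return "retrieve_file allows 1..20 file paths in total"
    return None
```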
Incidents API
- class cortex_xdr_client.api.incidents_api.IncidentsAPI(auth, fqdn, timeout)
  Bases: BaseAPI
  - get_incident_extra_data(incident_id, alerts_limit=1000)
    Get extra data fields of a specific incident including alerts and key artifacts.
    - Parameters
      - incident_id (str) – The ID of the incident for which you want to retrieve extra data.
      - alerts_limit (int) – Maximum number of related alerts in the incident that you want to retrieve (default 1000).
    - Return type: Optional[GetExtraIncidentDataResponse]
    - Returns: Returns a GetExtraIncidentDataResponse object if successful.
  - get_incidents(modification_time=None, after_modification=False, creation_time=None, after_creation=False, incident_id_list=None, description=None, description_contains=False, alert_sources=None, status=None, status_equal=True, search_from=None, search_to=None)
    Get a list of incidents filtered by a list of incident IDs, modification time, or creation time.
    - Parameters
      - modification_time (Optional[int]) – Time the incident has been modified.
      - after_modification (bool) – If the modification date will be the upper or lower bound limit.
      - creation_time (Optional[int]) – Incident's creation time.
      - after_creation (bool) – If the creation date will be the upper or lower bound limit.
      - incident_id_list (Optional[List[str]]) – List of incident IDs.
      - description (Optional[str]) – Incident description.
      - description_contains (bool) – If the description will contain the search string.
      - alert_sources (Optional[List[str]]) – Source which detected the alert.
      - status (Optional[IncidentStatus]) – Represents the status of the incident.
      - status_equal (bool) – If the status will be equal to the given status.
      - search_from (Optional[int]) – Integer representing the starting offset within the query result set from which you want incidents returned.
      - search_to (Optional[int]) – Integer representing the end offset within the result set after which you do not want incidents returned.
    - Return type: Optional[GetIncidentsResponse]
    - Returns: Returns a GetIncidentsResponse object if successful.
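get_incidents, like get_alerts and get_endpoint above, pages through its result set with the search_from / search_to offsets rather than returning everything at once. The helper below is an added example, not part of cortex_xdr_client: it walks those offsets until a short page signals the end. The page does not name the attribute that holds the list inside GetIncidentsResponse, so the caller supplies `items_of`, a function that extracts that list from one response object, and `fetch_page`, which wraps the actual API call (for example `lambda f, t: api.get_incidents(status=IncidentStatus.NEW, search_from=f, search_to=t)`; that enum value is assumed, not taken from this page).

```python
from typing import Callable, Iterator, List


def iter_offset_pages(fetch_page: Callable[[int, int], object],
                      items_of: Callable[[object], List],
                      page_size: int = 100,
                      max_items: int = 10000) -> Iterator:
    """Yield every item of an offset-paged result set.

    fetch_page(search_from, search_to) performs one API call with the
    documented offset semantics (search_from = first offset wanted,
    search_to = offset after which nothing is wanted). items_of(resp)
    returns the list of records in one response object (assumed shape).
    Iteration stops on a short or empty page, on a None response, or once
    max_items records have been produced, so a bad filter cannot loop
    forever against the tenant API.
    """
    if page_size <= 0:
        raise ValueError("page_size must be positive")
    offset = 0
    seen = 0
    while seen < max_items:
        resp = fetch_page(offset, offset + page_size)
        items = list(items_of(resp)) if resp is not None else []
        for item in items:
            yield item
            seen += 1
            if seen >= max_items:
                return
        if len(items) < page_size:      # last (partial) page reached
            return
        offset += page_size
```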
IoC API
- class cortex_xdr_client.api.ioc_api.IocAPI(auth, fqdn, timeout)
  Bases: BaseAPI
  - insert_json(indicators, validate=True)
    Upload IOCs as JSON objects that you retrieved from external threat intelligence sources.
    - Parameters
      - indicators (List[IoC]) – List of IoC objects.
      - validate (Optional[bool]) – Whether to return an array of errors in the case of an unsuccessful update indicator API request.
    - Return type: IoCResponse
    - Returns: Returns an IoCResponse object if successful.
Scripts API
- class cortex_xdr_client.api.scripts_api.ScriptsAPI(auth, fqdn, timeout)
  Bases: BaseAPI
  - get_script_execution_result_files(action_id, endpoint_id)
    Get the files retrieved from a specific endpoint during a script execution.
    - Parameters
      - action_id (int) – Integer, identifier of the action.
      - endpoint_id (int) – Integer, endpoint ID.
    - Return type: Optional[str]
    - Returns: A signed public link to a zip file containing the retrieved files. Link expires after 10 minutes.
  - get_script_execution_results(action_id)
    Retrieve the results of a script execution action.
    - Parameters
      - action_id (int) – Integer, identifier of the action.
    - Return type: Optional[GetScriptExecutionResults]
    - Returns: The results of a script execution action.
  - get_script_execution_status(action_id)
    Retrieve the status of a script execution action.
    - Parameters
      - action_id (int) – Integer, identifier of the action.
    - Return type: Optional[GetScriptsExecutionStatus]
    - Returns: An object of type GetScriptsExecutionStatus if successful.
  - get_script_metadata(script_uid)
    Get the full definitions of a specific script in the scripts library.
    - Parameters
      - script_uid (str) – Unique identifier of the script, returned by the Get Scripts API per script.
    - Return type: Optional[GetScriptMetadataResponse]
    - Returns: An object of type GetScriptMetadataResponse if successful.
  - get_scripts(name=None, description=None, created_by=None, script_uid=None, modification_time=None, after_modification=False, windows_supported=None, linux_supported=None, macos_supported=None, is_high_risk=None)
    Get a list of scripts available in the scripts library.
    - Parameters
      - name (Optional[List[str]]) – Script names.
      - description (Optional[List[str]]) – Script descriptions.
      - created_by (Optional[List[str]]) – Username(s) of who created the script(s).
      - script_uid (Optional[List[str]]) – GUID, global ID of the script(s), used to identify the script(s) when executing.
      - modification_time (Optional[int]) – Datetime of when the script was last modified.
      - after_modification (bool) – If the modification date will be the upper or lower bound limit.
      - windows_supported (Optional[bool]) – Whether the script can be executed on Windows operating system.
      - linux_supported (Optional[bool]) – Whether the script can be executed on Linux operating system.
      - macos_supported (Optional[bool]) – Whether the script can be executed on Mac operating system.
      - is_high_risk (Optional[bool]) – Whether the script has a high-risk outcome.
    - Return type: Optional[GetScriptsResponse]
    - Returns: An object of type GetScriptsResponse if successful.
  - run_script(script_uid, parameters_values, endpoint_id_list, timeout=600, incident_id=None)
    Initiate a new endpoint script execution action using a script from the script library.
    - Parameters
      - script_uid (str) – GUID, unique identifier of the script, returned by the Get Scripts API per script.
      - parameters_values (dict) – Dictionary mapping each parameter name (key) to its value for this execution. You can locate these names and values by running Get Script Metadata.
      - endpoint_id_list (List[str]) – List of endpoint IDs.
      - timeout (int) – Integer, represents the timeout in seconds for this execution. Default value is 600.
      - incident_id (Optional[str]) – String representing the incident ID. When included in the request, the Run Script action will appear in the Cortex XDR Incident View Timeline tab.
    - Return type: Optional[dict]
    - Returns: A dict containing action_id, status and endpoints_count.
  - run_snippet_code_script(snippet_code, endpoint_id_list, timeout=600, incident_id=None)
    Initiate a new endpoint script execution action using a snippet code.
    - Parameters
      - snippet_code (str) – String, contains the snippet code to be executed.
      - endpoint_id_list (List[str]) – List of endpoint IDs.
      - timeout (int) – Integer, represents the timeout in seconds for this execution. Default value is 600.
      - incident_id (Optional[str]) – String representing the incident ID. When included in the request, the Run Script action will appear in the Cortex XDR Incident View Timeline tab.
    - Return type: Optional[dict]
    - Returns: A dict containing action_id and endpoints_count.
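A script run is asynchronous: run_script returns a dict with an action_id, the action is then polled with get_script_execution_status, and the output is read with get_script_execution_results. The helper below is an added example, not code from cortex_xdr_client, that chains those three calls with a polling deadline derived from the execution timeout. `client` is assumed to be any object exposing those three methods with the signatures documented above; because this page does not name the fields of GetScriptsExecutionStatus, the caller passes `is_finished`, a predicate over that status object. `sleep` and `clock` are injectable so the loop can be exercised without waiting.

```python
import time
from typing import Callable, Dict, List, Optional


def run_script_and_wait(client, script_uid: str, parameters_values: Dict,
                        endpoint_ids: List[str],
                        is_finished: Callable[[object], bool],
                        timeout: int = 600, poll_every: float = 5.0,
                        incident_id: Optional[str] = None,
                        sleep=time.sleep, clock=time.monotonic) -> Dict:
    """Start a library script, poll until it finishes or the deadline
    passes, then fetch its results.

    Returns {"action_id", "status", "results"}; "results" is None when the
    deadline was reached before is_finished(status) became true, and
    "status" is the last status object seen (None if never polled)."""
    started = client.run_script(script_uid=script_uid,
                                parameters_values=parameters_values,
                                endpoint_id_list=endpoint_ids,
                                timeout=timeout, incident_id=incident_id)
    # run_script is documented to return a dict with action_id, status
    # and endpoints_count; anything else means the request failed.
    if not started or "action_id" not in started:
        raise RuntimeError("run_script did not return an action_id")
    action_id = started["action_id"]

    # The server enforces `timeout` seconds for the execution itself;
    # allow two extra poll intervals for status propagation.
    deadline = clock() + timeout + 2 * poll_every
    status = None
    while clock() < deadline:
        status = client.get_script_execution_status(action_id)
        if status is not None and is_finished(status):
            results = client.get_script_execution_results(action_id)
            return {"action_id": action_id, "status": status,
                    "results": results}
        sleep(poll_every)
    return {"action_id": action_id, "status": status, "results": None}
```

get_script_execution_result_files(action_id, endpoint_id) can then be called per endpoint for any collected files; the signed link it returns expires after 10 minutes, so download it promptly rather than storing the URL.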
XQL API
- class cortex_xdr_client.api.xql_api.XQLAPI(auth, fqdn, timeout)
  Bases: BaseAPI
  - get_query_results(query_id, limit=None, params={})
    Returns the results of an XQL Query.
    - Parameters
      - query_id (str) – Integer representing the unique execution ID generated by the response to the Start an XQL Query API.
      - limit (Optional[int]) – Integer representing the maximum number of results to return. Max 1000.
      - params (dict) – Dictionary of parameters to be passed to the request data.
    - Return type: Optional[dict]
    - Returns: Dictionary of results.
  - get_query_results_stream(stream_id)
    Returns the results of an XQL Query.
    - Parameters
      - stream_id (str) – Integer representing the unique ID generated by the response to the Get XQL Query Results API.
    - Return type: Optional[dict]
    - Returns: Dictionary of results.
  - start_xql_query(query, time_period=None, from_date=None, to_date=None, tenants=None, params={})
    Starts an XQL Query.
    - Parameters
      - query (str) – String of the XQL query.
      - time_period (Optional[int]) – Relative Unix timestamp representing the last X hours.
      - from_date (Optional[int]) – Absolute Unix timestamp representing a date.
      - to_date (Optional[int]) – Absolute Unix timestamp representing a date.
      - tenants (Optional[List[str]]) – List of strings used for running APIs on local and Managed Security tenants.
      - params (dict) – Dictionary of parameters to be passed to the request data.
    - Return type: Optional[str]
    - Returns: String representing the unique ID generated by the response to the Start XQL Query API.