CortexXDRClient API Data Models

Alerts

class cortex_xdr_client.api.models.alerts.Alert(**data)
class Config
use_enum_values = True
action: Optional[str]
action_pretty: Optional[str]
agent_data_collection_status: Optional[bool]
agent_device_domain: Optional[str]
agent_fqdn: Optional[str]
agent_is_vdi: Optional[str]
agent_os_sub_type: Optional[str]
agent_os_type: Optional[str]
agent_version: Optional[str]
alert_id: Optional[str]
attempt_counter: Optional[int]
bioc_category_enum_key: Optional[str]
bioc_indicator: Optional[str]
category: Optional[str]
deduplicate_tokens: Optional[str]
description: Union[str, List[AlertDescriptionItem]]
detection_timestamp: Optional[int]
end_match_attempt_ts: Optional[int]
endpoint_id: Optional[str]
events: List[Event]
external_id: Optional[str]
filter_rule_id: Optional[str]
host_ip: Optional[List[str]]
host_name: Optional[str]
is_whitelisted: Optional[bool]
local_insert_ts: Optional[int]
mac: Optional[str]
mac_address: Optional[List[str]]
matching_service_rule_id: Optional[str]
matching_status: Optional[str]
mitre_tactic_id_and_name: Optional[List[str]]
mitre_technique_id_and_name: Optional[List[str]]
name: Optional[str]
severity: Optional[AlertSeverity]
source: Optional[str]
starred: Optional[bool]
class cortex_xdr_client.api.models.alerts.AlertDescriptionItem(**data)
data_type: Optional[Any]
dml_type: Optional[Any]
dml_ui: Optional[bool]
entity_map: Optional[Any]
pretty_name: str
render_type: str
class cortex_xdr_client.api.models.alerts.AlertSeverity(value)

Severity of an alert.

HIGH = 'high'
LOW = 'low'
MEDIUM = 'medium'
UNKNOWN = 'unknown'
class cortex_xdr_client.api.models.alerts.Event(**data)
action_country: Optional[str]
action_external_hostname: Optional[str]
action_file_macro_sha256: Optional[str]
action_file_md5: Optional[str]
action_file_name: Optional[str]
action_file_path: Optional[str]
action_file_sha256: Optional[str]
action_local_ip: Optional[str]
action_local_port: Optional[str]
action_process_causality_id: Optional[str]
action_process_image_command_line: Optional[str]
action_process_image_name: Optional[str]
action_process_image_sha256: Optional[str]
action_process_instance_id: Optional[str]
action_process_signature_status: Optional[str]
action_process_signature_vendor: Optional[str]
action_registry_data: Optional[str]
action_registry_full_key: Optional[str]
action_registry_key_name: Optional[str]
action_registry_value_name: Optional[str]
action_remote_ip: Optional[str]
action_remote_port: Optional[str]
actor_causality_id: Optional[str]
actor_process_causality_id: Optional[str]
actor_process_command_line: Optional[str]
actor_process_image_md5: Optional[str]
actor_process_image_name: Optional[str]
actor_process_image_path: Optional[str]
actor_process_image_sha256: Optional[str]
actor_process_instance_id: Optional[str]
actor_process_os_pid: Optional[str]
actor_process_signature_status: Optional[str]
actor_process_signature_vendor: Optional[str]
actor_thread_thread_id: Optional[str]
agent_host_boot_time: Optional[str]
agent_install_type: Optional[str]
association_strength: Optional[str]
causality_actor_causality_id: Optional[str]
causality_actor_process_command_line: Optional[str]
causality_actor_process_execution_time: Optional[str]
causality_actor_process_image_md5: Optional[str]
causality_actor_process_image_name: Optional[str]
causality_actor_process_image_path: Optional[str]
causality_actor_process_image_sha256: Optional[str]
causality_actor_process_signature_status: Optional[str]
causality_actor_process_signature_vendor: Optional[str]
dns_query_name: Optional[str]
dst_action_country: Optional[str]
dst_action_external_hostname: Optional[str]
dst_action_external_port: Optional[str]
dst_agent_id: Optional[str]
dst_association_strength: Optional[str]
dst_causality_actor_process_execution_time: Optional[str]
event_id: Optional[str]
event_sub_type: Optional[str]
event_timestamp: Optional[int]
event_type: Optional[str]
fw_app_category: Optional[str]
fw_app_id: Optional[str]
fw_app_subcategory: Optional[str]
fw_app_technology: Optional[str]
fw_device_name: Optional[str]
fw_email_recipient: Optional[str]
fw_email_sender: Optional[str]
fw_email_subject: Optional[str]
fw_interface_from: Optional[str]
fw_interface_to: Optional[str]
fw_is_phishing: Optional[str]
fw_misc: Optional[str]
fw_rule: Optional[str]
fw_rule_id: Optional[str]
fw_serial_number: Optional[str]
fw_url_domain: Optional[str]
fw_vsys: Optional[str]
fw_xff: Optional[str]
module_id: Optional[str]
os_actor_causality_id: Optional[str]
os_actor_effective_username: Optional[str]
os_actor_process_causality_id: Optional[str]
os_actor_process_command_line: Optional[str]
os_actor_process_image_name: Optional[str]
os_actor_process_image_path: Optional[str]
os_actor_process_image_sha256: Optional[str]
os_actor_process_instance_id: Optional[str]
os_actor_process_os_pid: Optional[str]
os_actor_process_signature_status: Optional[str]
os_actor_process_signature_vendor: Optional[str]
os_actor_thread_thread_id: Optional[str]
story_id: Optional[str]
user_name: Optional[str]
class cortex_xdr_client.api.models.alerts.GetAlertsResponse(**data)
reply: GetAlertsResponseItem
class cortex_xdr_client.api.models.alerts.GetAlertsResponseItem(**data)
alerts: List[Alert]
result_count: Optional[int]
total_count: Optional[int]

Endpoints

class cortex_xdr_client.api.models.endpoints.Endpoint(**data)
class Config
use_enum_names = True
active_directory: Optional[Union[List[str], str]]
alias: Optional[str]
content_version: Optional[str]
domain: Optional[str]
endpoint_id: Optional[str]
endpoint_name: Optional[str]
endpoint_status: EndpointStatus
endpoint_type: Optional[str]
endpoint_version: Optional[str]
first_seen: Optional[int]
group_name: Optional[List[str]]
install_date: Optional[int]
installation_package: Optional[str]
ip: Optional[List[str]]
is_isolated: IsolateStatus
isolated_date: Optional[str]
last_content_update_time: Optional[int]
last_seen: Optional[int]
mac_address: Optional[List[str]]
operational_status: Optional[str]
operational_status_description: Optional[str]
os_type: Optional[EndpointPlatform]
scan_status: Optional[ScanStatus]
users: Union[List[str], None, str]
class cortex_xdr_client.api.models.endpoints.EndpointPlatform(value)

Enum for endpoint platform

android = 'AGENT_OS_ANDROID'
linux = 'AGENT_OS_LINUX'
mac = 'AGENT_OS_MAC'
macos = 'AGENT_OS_MACOS'
windows = 'AGENT_OS_WINDOWS'
class cortex_xdr_client.api.models.endpoints.EndpointStatus(value)

Enum for endpoint status

connected = 'CONNECTED'
disconnected = 'DISCONNECTED'
lost = 'LOST'
class cortex_xdr_client.api.models.endpoints.GetAllEndpointsResponse(**data)
reply: List[LightEndpoint]
class cortex_xdr_client.api.models.endpoints.GetEndpointResponse(**data)
reply: GetEndpointResponseItem
class cortex_xdr_client.api.models.endpoints.GetEndpointResponseItem(**data)
endpoints: List[Endpoint]
result_count: Optional[int]
total_count: Optional[int]
class cortex_xdr_client.api.models.endpoints.IsolateStatus(value)

Enum for isolate status

isolated = 'AGENT_ISOLATED'
unisolated = 'AGENT_UNISOLATED'
class cortex_xdr_client.api.models.endpoints.LightEndpoint(**data)
agent_id: Optional[str]
agent_status: Optional[str]
agent_type: Optional[str]
host_name: Optional[str]
ip: Optional[List[str]]
class cortex_xdr_client.api.models.endpoints.ResponseActionResponse(**data)
reply: ResponseActionResponseItem
class cortex_xdr_client.api.models.endpoints.ResponseActionResponseItem(**data)
action_id: Optional[str]
endpoints_count: Optional[int]
status: Optional[int]
class cortex_xdr_client.api.models.endpoints.ScanStatus(value)

Enum for scan status

aborted = 'SCAN_STATUS_ABORTED'
cancel = 'SCAN_STATUS_CANCEL'
canceled = 'SCAN_STATUS_CANCELED'
error = 'SCAN_STATUS_ERROR'
in_progress = 'SCAN_STATUS_IN_PROGRESS'
none = 'SCAN_STATUS_NONE'
pending = 'SCAN_STATUS_PENDING'
pending_cancellation = 'SCAN_STATUS_PENDING_CANCELLATION'
success = 'SCAN_STATUS_SUCCESS'

Exceptions

exception cortex_xdr_client.api.models.exceptions.InvalidResponseException(response, missing_items)
exception cortex_xdr_client.api.models.exceptions.UnsuccessfulQueryStatusException(status)

Incidents

class cortex_xdr_client.api.models.incidents.AlertDatums(**data)
data: List[AlertsDatum]
total_count: Optional[int]
class cortex_xdr_client.api.models.incidents.AlertsDatum(**data)
action: Optional[str]
action_country: Optional[str]
action_external_hostname: Optional[str]
action_file_macro_sha256: Optional[str]
action_file_md5: Optional[str]
action_file_name: Optional[str]
action_file_path: Optional[str]
action_file_sha256: Optional[str]
action_local_ip: Optional[str]
action_local_port: Optional[int]
action_pretty: Optional[str]
action_process_causality_id: Optional[str]
action_process_image_command_line: Optional[str]
action_process_image_name: Optional[str]
action_process_image_sha256: Optional[str]
action_process_instance_id: Optional[str]
action_process_signature_status: Optional[str]
action_process_signature_vendor: Optional[str]
action_registry_data: Optional[str]
action_registry_full_key: Optional[str]
action_registry_key_name: Optional[str]
action_registry_value_name: Optional[str]
action_remote_ip: Optional[str]
action_remote_port: Optional[int]
actor_causality_id: Optional[str]
actor_process_causality_id: Optional[str]
actor_process_command_line: Optional[str]
actor_process_image_md5: Optional[str]
actor_process_image_name: Optional[str]
actor_process_image_path: Optional[str]
actor_process_image_sha256: Optional[str]
actor_process_instance_id: Optional[str]
actor_process_os_pid: Optional[str]
actor_process_signature_status: Optional[str]
actor_process_signature_vendor: Optional[str]
actor_thread_thread_id: Optional[str]
agent_data_collection_status: Optional[str]
agent_device_domain: Optional[str]
agent_fqdn: Optional[str]
agent_host_boot_time: Optional[str]
agent_install_type: Optional[str]
agent_is_vdi: Optional[str]
agent_os_sub_type: Optional[str]
agent_os_type: Optional[str]
agent_version: Optional[str]
alert_id: Optional[int]
association_strength: Optional[str]
attempt_counter: Optional[str]
bioc_category_enum_key: Optional[str]
bioc_indicator: Optional[str]
case_id: Optional[int]
category: Optional[str]
causality_actor_causality_id: Optional[str]
causality_actor_process_command_line: Optional[str]
causality_actor_process_execution_time: Optional[str]
causality_actor_process_image_md5: Optional[str]
causality_actor_process_image_name: Optional[str]
causality_actor_process_image_path: Optional[str]
causality_actor_process_image_sha256: Optional[str]
causality_actor_process_signature_status: Optional[str]
causality_actor_process_signature_vendor: Optional[str]
deduplicate_tokens: Optional[str]
description: Optional[str]
detection_timestamp: Optional[int]
dns_query_name: Optional[str]
dst_action_country: Optional[str]
dst_action_external_hostname: Optional[str]
dst_action_external_port: Optional[str]
dst_agent_id: Optional[str]
dst_association_strength: Optional[str]
dst_causality_actor_process_execution_time: Optional[str]
end_match_attempt_ts: Optional[str]
endpoint_id: Optional[str]
event_id: Optional[str]
event_sub_type: Optional[str]
event_timestamp: Optional[str]
event_type: Optional[str]
external_id: Optional[str]
filter_rule_id: Optional[str]
fw_app_category: Optional[str]
fw_app_id: Optional[str]
fw_app_subcategory: Optional[str]
fw_app_technology: Optional[str]
fw_device_name: Optional[str]
fw_email_recipient: Optional[str]
fw_email_sender: Optional[str]
fw_email_subject: Optional[str]
fw_interface_from: Optional[str]
fw_interface_to: Optional[str]
fw_is_phishing: Optional[str]
fw_misc: Optional[str]
fw_rule: Optional[str]
fw_rule_id: Optional[str]
fw_serial_number: Optional[str]
fw_url_domain: Optional[str]
fw_vsys: Optional[str]
fw_xff: Optional[str]
host_ip: Optional[str]
host_name: Optional[str]
is_whitelisted: Optional[bool]
local_insert_ts: Optional[int]
mac: Optional[str]
matching_service_rule_id: Optional[str]
matching_status: Optional[str]
mitre_tactic_id_and_name: Optional[str]
mitre_technique_id_and_name: Optional[str]
module_id: Optional[str]
name: Optional[str]
os_actor_causality_id: Optional[str]
os_actor_effective_username: Optional[str]
os_actor_process_causality_id: Optional[str]
os_actor_process_command_line: Optional[str]
os_actor_process_image_name: Optional[str]
os_actor_process_image_path: Optional[str]
os_actor_process_image_sha256: Optional[str]
os_actor_process_instance_id: Optional[str]
os_actor_process_os_pid: Optional[str]
os_actor_process_signature_status: Optional[str]
os_actor_process_signature_vendor: Optional[str]
os_actor_thread_thread_id: Optional[str]
severity: Optional[str]
source: Optional[str]
starred: Optional[bool]
story_id: Optional[str]
user_name: Optional[str]
class cortex_xdr_client.api.models.incidents.GetExtraIncidentDataResponse(**data)
reply: GetExtraIncidentDataResponseItem
class cortex_xdr_client.api.models.incidents.GetExtraIncidentDataResponseItem(**data)
alerts: AlertDatums
file_artifacts: AlertDatums
incident: Incident
network_artifacts: NetworkArtifacts
class cortex_xdr_client.api.models.incidents.GetIncidentsResponse(**data)
reply: GetIncidentsResponseItem
class cortex_xdr_client.api.models.incidents.GetIncidentsResponseItem(**data)
incidents: List[Incident]
result_count: Optional[int]
total_count: Optional[int]
class cortex_xdr_client.api.models.incidents.Incident(**data)
alert_categories: Optional[List[str]]
alert_count: Optional[int]
alerts_grouping_status: Optional[str]
assigned_user_mail: Optional[str]
assigned_user_pretty_name: Optional[str]
creation_time: Optional[int]
description: Optional[str]
detection_time: Optional[int]
high_severity_alert_count: Optional[int]
host_count: Optional[int]
hosts: Optional[List[str]]
incident_id: Optional[str]
incident_name: Optional[str]
incident_sources: Optional[List[str]]
low_severity_alert_count: Optional[int]
manual_description: Optional[str]
manual_score: Optional[int]
manual_severity: Optional[str]
med_severity_alert_count: Optional[int]
mitre_tactics_ids_and_names: Optional[List[str]]
mitre_techniques_ids_and_names: Optional[List[str]]
modification_time: Optional[int]
notes: Optional[str]
resolve_comment: Optional[str]
rule_based_score: Optional[int]
severity: Optional[str]
starred: Optional[bool]
status: IncidentStatus
user_count: Optional[int]
users: Optional[List[str]]
wildfire_hits: Optional[int]
xdr_url: Optional[str]
class cortex_xdr_client.api.models.incidents.IncidentStatus(value)

Incident status enum. Represents the status of the incident.

NEW = 'new'
RESOLVED_AUTO_RESOLVE = 'resolved_auto_resolve'
RESOLVED_DUPLICATE_INCIDENT = 'resolved_duplicate_incident'
RESOLVED_FALSE_POSITIVE = 'resolved_false_positive'
RESOLVED_KNOWN_ISSUE = 'resolved_known_issue'
RESOLVED_THREAD_HANDLED = 'resolved_threat_handled'
UNDER_INVESTIGATION = 'under_investigation'
class cortex_xdr_client.api.models.incidents.NetworkArtifacts(**data)
data: List[NetworkArtifactsDatum]
total_count: Optional[int]
class cortex_xdr_client.api.models.incidents.NetworkArtifactsDatum(**data)
alert_count: Optional[int]
is_manual: Optional[bool]
network_country: Optional[str]
network_domain: Optional[str]
network_remote_ip: Optional[str]
network_remote_port: Optional[int]
type: Optional[str]

Scripts

class cortex_xdr_client.api.models.scripts.GetScriptExecutionResults(**data)
date_created: Optional[datetime]
error_message: Optional[str]
results: Optional[List[ScriptExecutionResult]]
scope: Optional[str]
script_description: Optional[str]
script_name: Optional[str]
script_parameters: Optional[List[ScriptIO]]
class cortex_xdr_client.api.models.scripts.GetScriptMetadataResponse(**data)
created_by: Optional[str]
description: Optional[str]
entry_point: Optional[str]
is_high_risk: Optional[bool]
linux_supported: Optional[bool]
macos_supported: Optional[bool]
modification_date: Optional[int]
name: Optional[str]
script_id: Optional[int]
script_input: Optional[List[ScriptIO]]
script_output_dictionary_definitions: Optional[List[ScriptIO]]
script_output_type: Optional[str]
script_uid: Optional[str]
windows_supported: Optional[bool]
class cortex_xdr_client.api.models.scripts.GetScriptsExecutionStatus(**data)
endpoints_aborted: Optional[int]
endpoints_canceled: Optional[int]
endpoints_completed_successfully: Optional[int]
endpoints_expired: Optional[int]
endpoints_failed: Optional[int]
endpoints_in_progress: Optional[int]
endpoints_pending: Optional[int]
endpoints_pending_abort: Optional[int]
endpoints_timeout: Optional[int]
general_status: Optional[str]
class cortex_xdr_client.api.models.scripts.GetScriptsResponse(**data)
result_count: Optional[int]
scripts: Optional[List[Script]]
total_count: Optional[int]
class cortex_xdr_client.api.models.scripts.Script(**data)
created_by: Optional[str]
description: Optional[str]
is_high_risk: Optional[bool]
linux_supported: Optional[bool]
macos_supported: Optional[bool]
modification_date: Optional[int]
name: Optional[str]
script_id: Optional[int]
script_uid: Optional[str]
windows_supported: Optional[bool]
class cortex_xdr_client.api.models.scripts.ScriptExecutionResult(**data)
domain: Optional[str]
endpoint_id: Optional[str]
endpoint_ip_address: Optional[List[str]]
endpoint_name: Optional[str]
endpoint_status: Optional[str]
execution_status: Optional[str]
failed_files: Optional[int]
retention_date: Optional[int]
retrieved_files: Optional[int]
standard_output: Optional[str]
class cortex_xdr_client.api.models.scripts.ScriptIO(**data)
name: Optional[str]
type: Optional[str]
value: Optional[str]

Actions

class cortex_xdr_client.api.models.action_status.ActionStatuStr(**data)
class cortex_xdr_client.api.models.action_status.GetActionStatus(**data)
reply: GetActionStatusItem
class cortex_xdr_client.api.models.action_status.GetActionStatusItem(**data)
data: Optional[ActionStatuStr]