TheHive-Project
diff --git a/‎responders/PaloAltoCortexXDR/PaloAltoCortexXDR_allow_list.json‎
Lines changed: 63 additions & 0 deletions b/‎responders/PaloAltoCortexXDR/PaloAltoCortexXDR_allow_list.json‎
Lines changed: 63 additions & 0 deletions
diff --git a/‎responders/PaloAltoCortexXDR/PaloAltoCortexXDR_block_list.json‎
Lines changed: 63 additions & 0 deletions b/‎responders/PaloAltoCortexXDR/PaloAltoCortexXDR_block_list.json‎
Lines changed: 63 additions & 0 deletions
diff --git a/‎responders/PaloAltoCortexXDR/PaloAltoCortexXDR_cancel_scan.json‎
Lines changed: 71 additions & 0 deletions b/‎responders/PaloAltoCortexXDR/PaloAltoCortexXDR_cancel_scan.json‎
Lines changed: 71 additions & 0 deletions
diff --git a/‎responders/PaloAltoCortexXDR/PaloAltoCortexXDR_initiate_forensics.json‎
Lines changed: 62 additions & 0 deletions b/‎responders/PaloAltoCortexXDR/PaloAltoCortexXDR_initiate_forensics.json‎
Lines changed: 62 additions & 0 deletions
diff --git a/‎responders/PaloAltoCortexXDR/PaloAltoCortexXDR_quarantine.json.disabled‎
Lines changed: 85 additions & 0 deletions b/‎responders/PaloAltoCortexXDR/PaloAltoCortexXDR_quarantine.json.disabled‎
Lines changed: 85 additions & 0 deletions
@@ -0,0 +1,63 @@
+{
+    "name": "PaloAltoCortexXDR_allow_list",
+    "version": "1.0",
+    "author": "Joe Lazaro; Fabien Bloume, StrangeBee",
+    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+    "license": "AGPL-V3",
+    "description": "Add a file hash to the Cortex XDR allow list",
+    "dataTypeList": [
+        "thehive:case_artifact"
+    ],
+    "command": "PaloAltoCortexXDR/cortex_xdr.py",
+    "baseConfig": "PaloAltoCortexXDR",
+    "config": {
+        "service": "allow_list"
+    },
+    "registration_required": true,
+    "subscription_required": true,
+    "free_subscription": false,
+    "service_homepage": "https://www.paloaltonetworks.com/cortex/cortex-xdr",
+    "service_logo": {
+        "path": "assets/cortex_logo.png",
+        "caption": "logo"
+    },
+    "screenshots": [],
+    "configurationItems": [
+        {
+            "name": "api_key",
+            "description": "API key",
+            "type": "string",
+            "multi": false,
+            "required": true
+        },
+        {
+            "name": "api_key_id",
+            "description": "API key ID",
+            "type": "string",
+            "multi": false,
+            "required": true
+        },
+        {
+            "name": "advanced_security",
+            "description": "Set True if the API key was generated with Advanced security level. False for a Standard security key.",
+            "type": "boolean",
+            "multi": false,
+            "required": true
+        },
+        {
+            "name": "api_host",
+            "description": "Fully qualified domain name for the API host. Example: api-example.xdr.us.paloaltonetworks.com",
+            "type": "string",
+            "multi": false,
+            "required": true
+        },
+        {
+            "name": "comment",
+            "description": "Optional comment added to the allow list entry for audit purposes.",
+            "type": "string",
+            "multi": false,
+            "required": false,
+            "defaultValue": "Allowed via TheHive"
+        }
+    ]
+}
@@ -0,0 +1,63 @@
+{
+    "name": "PaloAltoCortexXDR_block_list",
+    "version": "1.0",
+    "author": "Joe Lazaro; Fabien Bloume, StrangeBee",
+    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+    "license": "AGPL-V3",
+    "description": "Add a file hash to the Cortex XDR block list",
+    "dataTypeList": [
+        "thehive:case_artifact"
+    ],
+    "command": "PaloAltoCortexXDR/cortex_xdr.py",
+    "baseConfig": "PaloAltoCortexXDR",
+    "config": {
+        "service": "block_list"
+    },
+    "registration_required": true,
+    "subscription_required": true,
+    "free_subscription": false,
+    "service_homepage": "https://www.paloaltonetworks.com/cortex/cortex-xdr",
+    "service_logo": {
+        "path": "assets/cortex_logo.png",
+        "caption": "logo"
+    },
+    "screenshots": [],
+    "configurationItems": [
+        {
+            "name": "api_key",
+            "description": "API key",
+            "type": "string",
+            "multi": false,
+            "required": true
+        },
+        {
+            "name": "api_key_id",
+            "description": "API key ID",
+            "type": "string",
+            "multi": false,
+            "required": true
+        },
+        {
+            "name": "advanced_security",
+            "description": "Set True if the API key was generated with Advanced security level. False for a Standard security key.",
+            "type": "boolean",
+            "multi": false,
+            "required": true
+        },
+        {
+            "name": "api_host",
+            "description": "Fully qualified domain name for the API host. Example: api-example.xdr.us.paloaltonetworks.com",
+            "type": "string",
+            "multi": false,
+            "required": true
+        },
+        {
+            "name": "comment",
+            "description": "Optional comment added to the block list entry for audit purposes.",
+            "type": "string",
+            "multi": false,
+            "required": false,
+            "defaultValue": "Blocked via TheHive"
+        }
+    ]
+}
@@ -0,0 +1,71 @@
+{
+    "name": "PaloAltoCortexXDR_cancel_scan",
+    "version": "1.0",
+    "author": "Joe Lazaro; Fabien Bloume, StrangeBee",
+    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+    "license": "AGPL-V3",
+    "description": "Cancel a running scan on endpoints identified by hostname or IP list",
+    "dataTypeList": [
+        "thehive:case_artifact"
+    ],
+    "command": "PaloAltoCortexXDR/cortex_xdr.py",
+    "baseConfig": "PaloAltoCortexXDR",
+    "config": {
+        "service": "cancel_scan"
+    },
+    "registration_required": true,
+    "subscription_required": true,
+    "free_subscription": false,
+    "service_homepage": "https://www.paloaltonetworks.com/cortex/cortex-xdr",
+    "service_logo": {
+        "path": "assets/cortex_logo.png",
+        "caption": "logo"
+    },
+    "screenshots": [],
+    "configurationItems": [
+        {
+            "name": "api_key",
+            "description": "API key",
+            "type": "string",
+            "multi": false,
+            "required": true
+        },
+        {
+            "name": "api_key_id",
+            "description": "API key ID",
+            "type": "string",
+            "multi": false,
+            "required": true
+        },
+        {
+            "name": "advanced_security",
+            "description": "Set True if the API key was generated with Advanced security level. False for a Standard security key.",
+            "type": "boolean",
+            "multi": false,
+            "required": true
+        },
+        {
+            "name": "api_host",
+            "description": "Fully qualified domain name for the API host. Example: api-example.xdr.us.paloaltonetworks.com",
+            "type": "string",
+            "multi": false,
+            "required": true
+        },
+        {
+            "name": "scan_polling_interval",
+            "description": "Interval, in seconds between requests for scan actions.",
+            "type": "number",
+            "multi": false,
+            "required": false,
+            "defaultValue": 30
+        },
+        {
+            "name": "scan_max_polling_retries",
+            "description": "Maximum number of time to retry action status when a cancel scan action is still in progress.",
+            "type": "number",
+            "multi": false,
+            "required": false,
+            "defaultValue": 30
+        }
+    ]
+}
@@ -0,0 +1,62 @@
+{
+    "name": "PaloAltoCortexXDR_initiate_forensics",
+    "version": "1.0",
+    "author": "Joe Lazaro; Fabien Bloume, StrangeBee",
+    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+    "license": "AGPL-V3",
+    "description": "Initiate forensics triage collection on endpoints identified by hostname or IP list",
+    "dataTypeList": [
+        "thehive:case_artifact"
+    ],
+    "command": "PaloAltoCortexXDR/cortex_xdr.py",
+    "baseConfig": "PaloAltoCortexXDR",
+    "config": {
+        "service": "initiate_forensics"
+    },
+    "registration_required": true,
+    "subscription_required": true,
+    "free_subscription": false,
+    "service_homepage": "https://www.paloaltonetworks.com/cortex/cortex-xdr",
+    "service_logo": {
+        "path": "assets/cortex_logo.png",
+        "caption": "logo"
+    },
+    "screenshots": [],
+    "configurationItems": [
+        {
+            "name": "api_key",
+            "description": "API key",
+            "type": "string",
+            "multi": false,
+            "required": true
+        },
+        {
+            "name": "api_key_id",
+            "description": "API key ID",
+            "type": "string",
+            "multi": false,
+            "required": true
+        },
+        {
+            "name": "advanced_security",
+            "description": "Set True if the API key was generated with Advanced security level. False for a Standard security key.",
+            "type": "boolean",
+            "multi": false,
+            "required": true
+        },
+        {
+            "name": "api_host",
+            "description": "Fully qualified domain name for the API host. Example: api-example.xdr.us.paloaltonetworks.com",
+            "type": "string",
+            "multi": false,
+            "required": true
+        },
+        {
+            "name": "collector_uuid",
+            "description": "Optional UUID of the triage configuration preset to use. If not specified, the XDR default configuration is used.",
+            "type": "string",
+            "multi": false,
+            "required": false
+        }
+    ]
+}
@@ -0,0 +1,85 @@
+{
+    "name": "PaloAltoCortexXDR_quarantine",
+    "version": "1.0",
+    "author": "Joe Lazaro",
+    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+    "license": "AGPL-V3",
+    "description": "Quarantine a file on endpoints identified by hostname or IP list. The file hash (SHA256) must be set in the responder configuration.",
+    "dataTypeList": [
+        "thehive:case_artifact"
+    ],
+    "command": "PaloAltoCortexXDR/cortex_xdr.py",
+    "baseConfig": "PaloAltoCortexXDR",
+    "config": {
+        "service": "quarantine"
+    },
+    "registration_required": true,
+    "subscription_required": true,
+    "free_subscription": false,
+    "service_homepage": "https://www.paloaltonetworks.com/cortex/cortex-xdr",
+    "service_logo": {
+        "path": "assets/cortex_logo.png",
+        "caption": "logo"
+    },
+    "screenshots": [],
+    "configurationItems": [
+        {
+            "name": "api_key",
+            "description": "API key",
+            "type": "string",
+            "multi": false,
+            "required": true
+        },
+        {
+            "name": "api_key_id",
+            "description": "API key ID",
+            "type": "string",
+            "multi": false,
+            "required": true
+        },
+        {
+            "name": "advanced_security",
+            "description": "Set True if the API key was generated with Advanced security level. False for a Standard security key.",
+            "type": "boolean",
+            "multi": false,
+            "required": true
+        },
+        {
+            "name": "api_host",
+            "description": "Fully qualified domain name for the API host. Example: api-example.xdr.us.paloaltonetworks.com",
+            "type": "string",
+            "multi": false,
+            "required": true
+        },
+        {
+            "name": "file_hash",
+            "description": "SHA256 hash of the file to quarantine.",
+            "type": "string",
+            "multi": false,
+            "required": true
+        },
+        {
+            "name": "file_path",
+            "description": "Optional full path of the file to quarantine (e.g. C:\\path\\to\\file.exe). Do not use symbolic links.",
+            "type": "string",
+            "multi": false,
+            "required": false
+        },
+        {
+            "name": "scan_polling_interval",
+            "description": "Interval, in seconds between requests for quarantine actions.",
+            "type": "number",
+            "multi": false,
+            "required": false,
+            "defaultValue": 30
+        },
+        {
+            "name": "scan_max_polling_retries",
+            "description": "Maximum number of time to retry action status when a quarantine action is still in progress.",
+            "type": "number",
+            "multi": false,
+            "required": false,
+            "defaultValue": 30
+        }
+    ]
+}