Palo Alto Networks Cortex XDR Plugin for Threat Exchange

This document will provide the technical documentation required to configure the Palo Alto Networks Cortex XDR integration with the Threat Exchange module of the Netskope Cloud Exchange platform.

Prerequisites

To complete this configuration, you need:

  • A Netskope tenant (or multiple, for example, production and development/test instances) that is already configured in Cloud Exchange.
  • Palo Alto Cortex Platform access for pulling and sharing.
  • A Netskope Cloud Exchange tenant with the Threat Exchange module already configured.
  • Your Palo Alto Networks Cortex XDR API credentials (API ID, Base URL, and Authentication Method).
  • Connectivity to the following host: Palo Alto Networks Cortex XDR login URL.
    Example: https://api-wwt3.xdr.us.paloaltonetworks.com/

CE Version Compatibility

This plugin is compatible with the following Netskope CE versions:

  • Netskope CE: v4.1.0, v4.2.0

Plugin Scope

This plugin supports pulling indicators from, and sharing indicators to, the Palo Alto Networks Cortex XDR platform. The Palo Alto Networks Cortex XDR plugin fetches indicators of type File (MD5 and SHA256) from Palo Alto Networks Cortex XDR and stores them in Netskope CE. The plugin also supports sharing Netskope CE indicators of types SHA256, MD5, and URL (IPv4, Domain) with existing groups on the Palo Alto Networks Cortex XDR platform.

Palo Alto Networks Cortex XDR Support

  • Fetched indicator types: SHA256, MD5
  • Shared indicator types: SHA256, MD5, URL (IPv4, Domain)

Mappings

Mappings for Pull (Netskope CE field – Palo Alto Networks Cortex XDR fields)

  • Value – action_process_image_sha256, action_process_image_md5
  • Severity – severity (informational ⇒ Low; all other levels are kept as they are)
  • Comments – Description: <description>, Host Name: <host_name>, Matching Status: <matching_status>, Source: <source>, Resolution Status: <resolution_status>
  • Firstseen – event_timestamp
  • Lastseen – event_timestamp
  • Tags – tags + original_tags

Mapping for Push (Netskope CE field – Palo Alto Networks Cortex XDR field)

  • value – md5, sha256, URL (IPv4, Domain)
  • type – URL (IPv4, Domain), SHA256, MD5
  • severity – unknown ⇒ Informational, low ⇒ LOW, Medium ⇒ MEDIUM, High ⇒ HIGH, Critical ⇒ CRITICAL
  • comments – comments
  • expiresAt – expiration_date

Permissions

To create an API user, ensure that you have the Organisation Administrator role on the Palo Alto Networks Cortex XDR platform; this role is required to create the API user and obtain the API Key ID, API Key, and Authentication Method.

To pull and push data from/to Palo Alto Networks Cortex XDR, make sure your user has the following rights (Functionality – Permissions):

  • Pull Indicators – Alerts & Incidents (View)
  • Push Indicators – Detections (View/Edit)

API Details

List of APIs used (API Detail – Method – API Endpoint):

  • Pull Indicators – POST – /public_api/v1/alerts/get_alerts_multi_events/
  • Push Indicators – POST – /public_api/v1/indicators/insert_jsons

Pull Indicators

Example:

API Endpoint: POST /public_api/v1/alerts/get_alerts_multi_events/

Method: POST

Parameter: None

API Request Body:

{
    "request_data": {
        "filters": [
            {
                "field": "creation_time",
                "operator": "gte",
                "value": 1664794415000
            },
            {
                "field": "severity",
                "operator": "in",
                "value": [
                    "informational",
                    "low",
                    "medium",
                    "high",
                    "critical"
                ]
            }
        ],
        "search_from": 0,
        "search_to": 1,
        "sort": {
            "field": "creation_time",
            "keyword": "asc"
        }
    }
}

API Response:

{
    "reply": {
        "total_count": 887,
        "result_count": 1,
        "alerts": [
            {
                "external_id": "7904b8db15cc4658b1e617dbafef1cca",
                "severity": "medium",
                "matching_status": "UNMATCHABLE",
                "end_match_attempt_ts": null,
                "local_insert_ts": 1683342672687,
                "last_modified_ts": null,
                "bioc_indicator": null,
                "matching_service_rule_id": null,
                "attempt_counter": 0,
                "bioc_category_enum_key": null,
                "is_whitelisted": false,
                "starred": false,
                "deduplicate_tokens": null,
                "filter_rule_id": null,
                "mitre_technique_id_and_name": null,
                "mitre_tactic_id_and_name": null,
                "agent_version": "8.0.1.44",
                "agent_ip_addresses_v6": null,
                "agent_device_domain": null,
                "agent_fqdn": "Matthewharding's iPhone 14 Pro",
                "agent_os_type": "iOS",
                "agent_os_sub_type": "16.4.1",
                "agent_data_collection_status": null,
                "mac": null,
                "is_pcap": false,
                "alert_type": "Unclassified",
                "resolution_status": "STATUS_010_NEW",
                "resolution_comment": null,
                "dynamic_fields": null,
                "tags": [
                    "DS:PANW/XDR Agent"
                ],
                "malicious_urls": null,
                "events": [
                    {
                        "agent_install_type": "STANDARD",
                        "agent_host_boot_time": null,
                        "event_sub_type": null,
                        "module_id": "Incoming call or message reported as spam",
                        "association_strength": 50,
                        "dst_association_strength": null,
                        "story_id": null,
                        "event_id": null,
                        "event_type": null,
                        "event_timestamp": 1683342667518,
                        "actor_process_instance_id": null,
                        "actor_process_image_path": null,
                        "actor_process_image_name": null,
                        "actor_process_command_line": null,
                        "actor_process_signature_status": "N/A",
                        "actor_process_signature_vendor": null,
                        "actor_process_image_sha256": null,
                        "actor_process_image_md5": null,
                        "actor_process_causality_id": null,
                        "actor_causality_id": null,
                        "actor_process_os_pid": null,
                        "actor_thread_thread_id": null,
                        "causality_actor_process_image_name": null,
                        "causality_actor_process_command_line": null,
                        "causality_actor_process_image_path": null,
                        "causality_actor_process_signature_vendor": null,
                        "causality_actor_process_signature_status": "N/A",
                        "causality_actor_causality_id": null,
                        "causality_actor_process_execution_time": null,
                        "causality_actor_process_image_md5": null,
                        "causality_actor_process_image_sha256": null,
                        "action_file_path": null,
                        "action_file_name": null,
                        "action_file_md5": null,
                        "action_file_sha256": null,
                        "action_file_macro_sha256": null,
                        "action_registry_data": null,
                        "action_registry_key_name": null,
                        "action_registry_value_name": null,
                        "action_registry_full_key": null,
                        "action_local_ip": null,
                        "action_local_ip_v6": null,
                        "action_local_port": null,
                        "action_remote_ip": null,
                        "action_remote_ip_v6": null,
                        "action_remote_port": null,
                        "action_external_hostname": null,
                        "action_country": "UNKNOWN",
                        "action_process_instance_id": null,
                        "action_process_causality_id": null,
                        "action_process_image_name": null,
                        "action_process_image_sha256": null,
                        "action_process_image_command_line": null,
                        "action_process_signature_status": "N/A",
                        "action_process_signature_vendor": null,
                        "os_actor_effective_username": null,
                        "os_actor_process_instance_id": null,
                        "os_actor_process_image_path": null,
                        "os_actor_process_image_name": null,
                        "os_actor_process_command_line": null,
                        "os_actor_process_signature_status": "N/A",
                        "os_actor_process_signature_vendor": null,
                        "os_actor_process_image_sha256": null,
                        "os_actor_process_causality_id": null,
                        "os_actor_causality_id": null,
                        "os_actor_process_os_pid": null,
                        "os_actor_thread_thread_id": null,
                        "fw_app_id": null,
                        "fw_interface_from": null,
                        "fw_interface_to": null,
                        "fw_rule": null,
                        "fw_rule_id": null,
                        "fw_device_name": null,
                        "fw_serial_number": null,
                        "fw_url_domain": null,
                        "fw_email_subject": null,
                        "fw_email_sender": null,
                        "fw_email_recipient": null,
                        "fw_app_subcategory": null,
                        "fw_app_category": null,
                        "fw_app_technology": null,
                        "fw_vsys": null,
                        "fw_xff": null,
                        "fw_misc": null,
                        "fw_is_phishing": "N/A",
                        "dst_agent_id": null,
                        "dst_causality_actor_process_execution_time": null,
                        "dns_query_name": null,
                        "dst_action_external_hostname": null,
                        "dst_action_country": null,
                        "dst_action_external_port": null,
                        "contains_featured_host": "NO",
                        "contains_featured_user": "NO",
                        "contains_featured_ip": "NO",
                        "image_name": null,
                        "container_id": null,
                        "cluster_name": null,
                        "referenced_resource": null,
                        "operation_name": null,
                        "identity_sub_type": null,
                        "identity_type": null,
                        "project": null,
                        "cloud_provider": null,
                        "resource_type": null,
                        "resource_sub_type": null,
                        "user_agent": null,
                        "user_name": "matthewharding"
                    }
                ],
                "alert_id": "179151",
                "detection_timestamp": 1683342667518,
                "name": "Incoming call or message reported as spam",
                "category": "Spam",
                "endpoint_id": "36c16cd205934e2fbf1bc874a1479b03",
                "description": "A number was reported by the user as spam",
                "host_ip": null,
                "host_name": "Matthewharding's iPhone 14 Pro",
                "mac_addresses": null,
                "source": "XDR Agent",
                "action": "REPORTED",
                "action_pretty": "Detected (Reported)",
                "original_tags": [
                    "DS:PANW/XDR Agent"
                ]
            }
        ]
    }
}
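The following is an added example, not the plugin's own code, showing how a reply of the shape above is mapped onto the Netskope CE fields from the Pull mapping table: hashes come from action_process_image_sha256 / action_process_image_md5 in each event, informational severity becomes Low, the comment string is assembled from the alert's description, host name, matching status, source and resolution status, both Firstseen and Lastseen come from event_timestamp, and tags are the union of tags and original_tags. The sample reply is constructed; in the real reply above both hash fields are null, and the example also drops values that are not hex of the expected length so a garbled field never becomes an indicator that CE would later share onward.

```python
"""Added example (not the plugin's own code): map a Cortex XDR
get_alerts_multi_events reply onto the Netskope CE fields from the Pull
mapping table. The sample reply below is constructed for this example."""
import re
from datetime import datetime, timezone

# Severity row of the Pull table: informational => Low, others unchanged
# (case-normalised to CE's spelling).
SEVERITY_MAP = {"informational": "Low", "low": "Low", "medium": "Medium",
                "high": "High", "critical": "Critical"}

# Event fields that become File indicators, per the Value row of the table.
HASH_FIELDS = {"action_process_image_sha256": "sha256",
               "action_process_image_md5": "md5"}
HASH_LENGTHS = {"sha256": 64, "md5": 32}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def is_well_formed(value, hash_type):
    """True only for hex strings of the length the hash type requires."""
    return bool(HEX_RE.match(value)) and len(value) == HASH_LENGTHS[hash_type]


def epoch_ms_to_iso(ms):
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).isoformat()


def build_comment(alert):
    # Comments row of the Pull table.
    keys = [("Description", "description"), ("Host Name", "host_name"),
            ("Matching Status", "matching_status"), ("Source", "source"),
            ("Resolution Status", "resolution_status")]
    return ", ".join(f"{label}: {alert.get(field)}" for label, field in keys)


def alert_to_indicators(alert):
    """Return one CE-style indicator dict per usable hash in the alert."""
    severity_raw = (alert.get("severity") or "").lower()
    severity = SEVERITY_MAP.get(severity_raw, alert.get("severity"))
    tags = list(alert.get("tags") or []) + list(alert.get("original_tags") or [])
    comment = build_comment(alert)
    indicators = []
    for event in alert.get("events") or []:
        ts = event.get("event_timestamp") or alert.get("detection_timestamp")
        seen = epoch_ms_to_iso(ts) if ts else None
        for field, hash_type in HASH_FIELDS.items():
            value = event.get(field)
            if not value or not is_well_formed(value, hash_type):
                continue  # null (as in the reply above) or malformed: skip
            indicators.append({"value": value.lower(), "type": hash_type,
                               "severity": severity, "comments": comment,
                               "firstSeen": seen, "lastSeen": seen,
                               "tags": tags})
    return indicators


def reply_to_indicators(reply):
    out = []
    for alert in reply.get("reply", {}).get("alerts", []):
        out.extend(alert_to_indicators(alert))
    return out


# Constructed sample: one alert with a SHA256 and an MD5 plus an event with a
# malformed MD5 (skipped), and one alert with null hashes (yields nothing).
SAMPLE_REPLY = {"reply": {"total_count": 2, "result_count": 2, "alerts": [
    {"severity": "informational", "description": "Suspicious process",
     "host_name": "host-a", "matching_status": "UNMATCHABLE",
     "source": "XDR Agent", "resolution_status": "STATUS_010_NEW",
     "tags": ["DS:PANW/XDR Agent"], "original_tags": ["example-tag"],
     "events": [
         {"event_timestamp": 1683342667518,
          "action_process_image_sha256": "A" * 64,
          "action_process_image_md5": "b" * 32},
         {"event_timestamp": 1683342667518,
          "action_process_image_sha256": None,
          "action_process_image_md5": "not-a-hash"}]},
    {"severity": "medium", "description": "Spam", "host_name": "phone",
     "matching_status": "UNMATCHABLE", "source": "XDR Agent",
     "resolution_status": "STATUS_010_NEW", "tags": [], "original_tags": [],
     "events": [{"event_timestamp": 1683342667518,
                 "action_process_image_sha256": None,
                 "action_process_image_md5": None}]}]}}

if __name__ == "__main__":
    for ioc in reply_to_indicators(SAMPLE_REPLY):
        print(ioc["type"], ioc["value"][:16], ioc["severity"], ioc["tags"])
```

Because the plugin maps both Firstseen and Lastseen to the same event_timestamp, an indicator seen in several alerts keeps whichever timestamps CE's own de-duplication assigns; the example preserves that one-to-one mapping rather than inventing a merge rule.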

Push Indicators

Example:

API Endpoint: POST /public_api/v1/indicators/insert_jsons

Method: POST

Parameter: None

API Request Body:

{
    "request_data": [
        {
            "severity": "MEDIUM",
            "comment": "\\Device\\HarddiskVolume2\\Windows\\System32\\mavinject.exe",
            "vendors": [
                {
                    "vendor_name": "Netskope Cloud Exchange"
                }
            ],
            "expiration_date": 1704215925000,
            "indicator": "7562cf3c1237df992a6b8885b5ad5eaf1b5c40840bbe0d1ce09c2d61b5a12c44",
            "type": "HASH"
        }
    ],
    "validate": true
}
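As an added example (not the plugin's own code), the block below builds a request body of the shape above from Netskope CE indicators, applying the Push mapping table: CE severity is mapped to the Cortex XDR values (unknown ⇒ INFORMATIONAL, written in the upper case the API expects, as the MEDIUM in the request above shows), comments become comment, expiresAt becomes expiration_date in epoch milliseconds, and every item carries the Netskope Cloud Exchange vendor. The type value HASH appears on this page; the IP and DOMAIN_NAME types used for the URL (IPv4, Domain) row are assumed from Palo Alto's Cortex XDR API reference. The sample indicators are constructed; values the plugin cannot represent (IPv6, free text) are reported as skipped rather than sent.

```python
"""Added example (not the plugin's own code): build the request body for
Cortex XDR's /public_api/v1/indicators/insert_jsons from Netskope CE
indicators, following the Push mapping table. Sample indicators are
constructed for this example."""
import ipaddress
import re
from datetime import datetime, timezone

# Severity row of the Push table (CE value => Cortex XDR value).
SEVERITY_MAP = {"unknown": "INFORMATIONAL", "low": "LOW", "medium": "MEDIUM",
                "high": "HIGH", "critical": "CRITICAL"}

HEX_RE = re.compile(r"^[0-9a-fA-F]{32}$|^[0-9a-fA-F]{64}$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?!-)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")


def classify(value):
    """Map a CE value to a Cortex XDR indicator type. "HASH" is the type
    shown on the page; "IP" and "DOMAIN_NAME" are assumed from the Cortex XDR
    API reference for the URL (IPv4, Domain) row."""
    if HEX_RE.match(value):
        return "HASH"
    try:
        if isinstance(ipaddress.ip_address(value), ipaddress.IPv4Address):
            return "IP"
        return None  # the plugin shares IPv4 only
    except ValueError:
        pass
    if DOMAIN_RE.match(value.lower()):
        return "DOMAIN_NAME"
    return None


def to_request_body(indicators, vendor="Netskope Cloud Exchange", validate=True):
    """Return (body, skipped): body is the insert_jsons payload, skipped lists
    values that have no Cortex XDR representation and were left out."""
    items, skipped = [], []
    for ioc in indicators:
        value = str(ioc["value"]).strip()
        itype = classify(value)
        if itype is None:
            skipped.append(value)
            continue
        item = {
            "indicator": value if itype == "IP" else value.lower(),
            "type": itype,
            "severity": SEVERITY_MAP.get(str(ioc.get("severity", "unknown")).lower(),
                                         "INFORMATIONAL"),
            "vendors": [{"vendor_name": vendor}],
        }
        if ioc.get("comments"):
            item["comment"] = ioc["comments"]          # comments => comment
        if ioc.get("expiresAt"):                       # expiresAt => expiration_date (epoch ms)
            item["expiration_date"] = int(ioc["expiresAt"].timestamp() * 1000)
        items.append(item)
    return {"request_data": items, "validate": validate}, skipped


# Constructed CE indicators: the SHA256 and comment reuse the page's request
# example; the IPv4 is from the TEST-NET-1 documentation range.
SAMPLE_INDICATORS = [
    {"value": "7562cf3c1237df992a6b8885b5ad5eaf1b5c40840bbe0d1ce09c2d61b5a12c44",
     "severity": "medium",
     "comments": "\\Device\\HarddiskVolume2\\Windows\\System32\\mavinject.exe",
     "expiresAt": datetime(2024, 1, 2, 17, 18, 45, tzinfo=timezone.utc)},
    {"value": "192.0.2.10", "severity": "unknown"},
    {"value": "Example.COM", "severity": "Critical"},
    {"value": "2001:db8::1", "severity": "low"},
    {"value": "not a valid ioc", "severity": "high"},
]

if __name__ == "__main__":
    body, skipped = to_request_body(SAMPLE_INDICATORS)
    print(body)
    print("skipped:", skipped)
```

Keeping "validate": true, as in the page's request, makes Cortex XDR reject the whole batch on any malformed item, which is why the client-side classification above filters first: one bad value should not cost the other indicators in the batch.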

Performance Matrix

Below are the performance readings for fetching and sharing 100K IOCs in each plugin lifecycle on a Large CE instance with the following specifications.

  • Stack details: Size Large, RAM 32 GB, CPU 16 cores
  • Indicators fetched from Palo Alto Networks Cortex XDR: ~10K per minute
  • Indicators shared to Palo Alto Networks Cortex XDR: ~16K per minute

User Agent

The user agent added for this plugin is in the following format:

netskope-ce-<CE VERSION>-<MODULE NAME>-<PLUGIN NAME>-v<PLUGIN VERSION>

Example:

netskope-ce-4.2.0-cte-palo-alto-networks-cortex-xdr-v1.0.0

Workflow

  1. Get an API Key from the Palo Alto Networks Cortex XDR platform.
  2. Configure the Palo Alto Networks Cortex XDR plugin.
  3. Add a Business Rule.
  4. Configure Sharing for Netskope and the Palo Alto Networks Cortex XDR.
  5. Validate the Palo Alto Networks Cortex XDR plugin.


Get your Palo Alto Networks Cortex XDR API Key

  1. Go to your Palo Alto Networks Cortex XDR platform and log in with your credentials.
  2. On the Bottom left navigation bar, hover over Settings and select Configurations Settings.
  3. Click API Keys, then click New Key.
  4. Enter the following information:
    • Security Level: Select the Security Level, either Advanced or Standard.
    • Role: Create a Custom Role with Detections (View/Edit) and Alerts & Incidents (View).
    • Enable Expiration Date: Check the box to set an expiration date for the API Key.
  5. Click Save.
  6. Copy the API Key, as it will not be accessible after the window is closed.

Configure the Palo Alto Networks Cortex XDR Plugin

  1. Go to Settings > Plugins, search for and select the CTE Palo Alto Networks Cortex XDR box to configure the plugin.
  2. Enter these values:
    • Configuration Name: Unique name for the configuration.
    • Sync Interval: Leave the default.
    • Aging Criteria: Expiry time of the plugin in days. (Default: 90)
    • Override Reputation: Set a value to override the reputation of indicators received from this configuration.
    • Enable SSL Validation: Enable SSL Certificate validation.
    • Use System Proxy: Enable if a proxy is required for communication.
  3. Click Next.
  4. Enter these values:
    • Base URL: Base URL for Palo Alto Networks Cortex XDR API Endpoints.
    • API ID: API ID of Palo Alto Networks Cortex XDR API.
    • API Key: Secret Key of Palo Alto Networks Cortex XDR API.
    • Authentication Method: Type of Authentication you choose while creating the API Token from Palo Alto Networks Cortex XDR.
    • Enable Polling: Enable if you want to pull indicators from Palo Alto Networks Cortex XDR.
    • Type of Threat data to Pull: SHA256/MD5.
    • Severity: If you want to pull any specific Severity data.
    • Enable Tagging: Enable/Disable tagging functionality.
    • Initial Range: Number of days to pull the data for the initial run.
  5. Click Save.

Add a Business Rule for Palo Alto Networks Cortex XDR

To share indicators from Netskope CE to Palo Alto Networks Cortex XDR, or Palo Alto Networks Cortex XDR's indicators to Netskope or any third-party plugin, you need to have a business rule that filters the indicators you want to share. To configure a business rule, follow these steps:

  1. Go to Threat Exchange > Business Rule and click Create New Rule.
  2. Add your required filter for the IoCs you want to share and click Save.

Configuring Sharing for Netskope and Palo Alto Networks Cortex XDR

The Palo Alto Networks Cortex XDR plugin supports sharing IoCs of types URL (IPv4, Domain), MD5, and SHA256. The plugin has a Create IOCs action that creates the indicators. To share IoCs with Palo Alto Networks Cortex XDR, follow these steps:

  1. Go to Threat Exchange > Sharing and click Add Sharing Configuration.
  2. Select your Source Configuration (Netskope), the Business Rule, and Destination Configuration (Palo Alto Networks Cortex XDR), and for Target, enter Create IOCs.
  3. Click Save.
  4. Create another Sharing Configuration to share Palo Alto Networks Cortex XDR IoCs with Netskope. Select Palo Alto Networks Cortex XDR as the Source, and Netskope as the Destination.
  5. Click Save.

Validate the Palo Alto Networks Cortex XDR Plugin

Validate the Pull

  1. SHA256 and MD5 values are pulled from INCIDENT RESPONSE > Incidents by the Palo Alto Networks Cortex XDR plugin.
  2. Click Alerts & Insights, and then click any alert to expand it to find the SHA256 and MD5 values that will be pulled.
  3. Based on your plugin configuration, Indicators will pull from the Palo Alto Networks Cortex XDR plugin to Netskope CE.
  4. Go to Threat Exchange > Threat IoCs and search for IoCs pulled from the Palo Alto Networks Cortex XDR plugin.

Validate the Push

  1. To verify pushed IoCs in Palo Alto Networks Cortex XDR, go to Palo Alto Networks Cortex XDR Platform > DETECTION RULES > IOC.
  2. IoCs pushed from Netskope have their VENDORS field set to Netskope Cloud Exchange.
  3. To validate the pushed indicators in Threat Exchange, go to Threat IoCs and search for IoCs that are shared with Palo Alto Networks Cortex XDR.

Note: The Palo Alto Networks Cortex XDR platform can accommodate up to 4 million IOCs. Once this limit is reached, any newly ingested indicators will be discarded.

Troubleshooting

Receiving the 400 Client Error in logs while executing the plugin life cycle

While saving the plugin, the plugin is not able to save with valid credentials (401).

If you are receiving either of the above-mentioned errors in the logs while configuring the plugin, check the authentication method in Palo Alto Networks Cortex XDR:

  1. Log in to the Cortex XDR Platform.
  2. Click Settings > Configurations.
  3. Click API Keys.
  4. Check the Security Level of the key and the Authentication Method in the plugin (both should be the same).
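The Security Level chosen when the key was created decides how the plugin must authenticate, which is why a mismatch shows up as a 401. The block below is an added example, not the plugin's own code, of the two header sets as published in Palo Alto's Cortex XDR API key documentation: a Standard key is sent as-is in the Authorization header, while an Advanced key is never sent at all; only SHA-256(key + nonce + timestamp) goes on the wire, and the server checks the timestamp window, so a captured header is not a reusable credential. The API ID and key are constructed placeholders.

```python
"""Added example (not the plugin's own code): build the request headers for
a Cortex XDR API key at the Standard or Advanced security level, following
Palo Alto's published Cortex XDR API key documentation. The API ID and key
used at the bottom are constructed placeholders."""
import hashlib
import secrets
import string
import time

NONCE_ALPHABET = string.ascii_letters + string.digits


def cortex_xdr_headers(api_id, api_key, auth_method, nonce=None, timestamp_ms=None):
    """Return headers for one request. auth_method is "standard" or "advanced"
    and must match the key's Security Level; a mismatch produces the 401
    described above. nonce/timestamp_ms are only passed explicitly for tests."""
    method = auth_method.lower()
    if method == "standard":
        # Standard keys are sent verbatim, so they must only ever travel over TLS.
        return {"x-xdr-auth-id": str(api_id),
                "Authorization": api_key,
                "Content-Type": "application/json"}
    if method != "advanced":
        raise ValueError(f"unknown authentication method: {auth_method!r}")
    # Advanced keys: a fresh 64-character nonce and a millisecond timestamp are
    # hashed together with the key; only the digest is sent.
    nonce = nonce or "".join(secrets.choice(NONCE_ALPHABET) for _ in range(64))
    timestamp_ms = timestamp_ms or int(time.time() * 1000)
    auth_key = f"{api_key}{nonce}{timestamp_ms}".encode("utf-8")
    return {"x-xdr-auth-id": str(api_id),
            "x-xdr-nonce": nonce,
            "x-xdr-timestamp": str(timestamp_ms),
            "Authorization": hashlib.sha256(auth_key).hexdigest(),
            "Content-Type": "application/json"}


def expected_advanced_authorization(api_key, nonce, timestamp_ms):
    """Recompute the Advanced digest independently, e.g. when checking a 401 by hand."""
    return hashlib.sha256(f"{api_key}{nonce}{timestamp_ms}".encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Constructed placeholder credentials, not real ones.
    print(cortex_xdr_headers(12, "PLACEHOLDER_API_KEY", "advanced"))
    print(cortex_xdr_headers(12, "PLACEHOLDER_API_KEY", "standard"))
```

If the plugin is configured for Standard while the key was created as Advanced, Cortex XDR receives the raw key where it expects a digest and rejects the request; the reverse mismatch fails the same way. The clock on the CE host also matters for Advanced keys, since the server validates the x-xdr-timestamp, so a persistent 401 with matching settings is worth checking against NTP drift.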

When receiving a 403 permission error while pulling or pushing IoCs

If you receive a 403 permission error while pulling or pushing IoCs, check the roles on Palo Alto Networks Cortex XDR:

  1. Log in to Cortex XDR Platform.
  2. Go to Setting > Configurations > Roles.
  3. Check the roles.
  4. Expand INCIDENT RESPONSE.
    Alerts & Incidents should have View Permission.
  5. Expand DETECTION & Threat INTEL.
    Rules should have View/Edit Permission.

When not able to fetch IoCs from Palo Alto Networks Cortex XDR

If you are not able to fetch IoCs from Palo Alto Networks Cortex XDR into Netskope Threat Exchange, check that the incidents contain alerts:

  1. Log in to Palo Alto Networks Cortex XDR.
  2. Click Incident Response > Incidents.
  3. Click any Incident > Alerts & Insights and check that alerts are present.