Summary
Step by Step Instructions
· Authorization type : Custom Token Auth
· How to get API Credentials : https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR-REST-API/Cortex-XDR-API-Overview
· API doc reference : https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR-REST-API/Get-all-Incidents
· API Endpoint : https://<put_your_account_reference_here>.paloaltonetworks.com/public_api/v1/incidents/get_incidents
1. App Info
App Info:
App Name: Custom Cortex XDR Incidents App
App Description (Optional) : NA
AlienApp Category : Application
Vendor (Optional) : Cortex XDR by Palo Alto Networks
Device Type (Optional) : Alarm
Complete the dialogues as shown above. These details don’t impact the function of the app and can be set up as you see fit.
2. API Credentials
API Credentials:
Auth Type : API Key Auth
Event URL : https://<put_your_account_reference_here>.paloaltonetworks.com/public_api/v1/incidents/get_incidents
Header Name: Authorization
Header Value: <type_your_api_key_here>
Request Method : POST
· In the headers you have to enter the below values
Accept: application/json
Content-Type: application/json
x-xdr-auth-id: 62
· In the body you have to enter the below value
{
"request_data": {
"sort": {
"field": "creation_time",
"keyword": "asc"
},
"filters": [
{
"field": "creation_time",
"operator": "gte",
"value": 1744675200000
}
]
}
}
(Start Time example is 1704047400)
Use the details above to populate the dialogues. Include the Header Name and Header Value from your Cortex XDR API key configuration (see the API Credentials link above).
3. API Config
API Config:
Pagination Type : Next URL
Next URL Response Path : dummy_value
Next Cursor Param Name : page_token
Events Response Path(Optional) : reply.incidents
Timestamp Filter Param Name : creation_time
Timestamp Filter Param Value : 174813431000
Timestamp Filter Param Format : Timestamp (UNIX Epoch Time)
Latest Event Timestamp Response Path : creation_time
Latest Event Timestamp Response Format : Timestamp (UNIX Epoch Time)
· In the Params you have to enter the below values
Accept: application/json
Content-Type: application/json
x-xdr-auth-id: 62
· Body payload to set in the body
{
"request_data": {
"sort": {
"field": "creation_time",
"keyword": "asc"
},
"filters": [
{
"field": "$TIMESTAMPFILTERPARAMNAME",
"operator": "gte",
"value": $TIMESTAMPFILTERPARAMVALUE
}
]
}
}
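The API Credentials and API Config steps above together describe one collection cycle: render the body template with the USM placeholders, POST it with the Authorization and x-xdr-auth-id headers, read reply.incidents, and store the latest creation_time as the next filter value. The script below is an added example (not USM Anywhere's or Palo Alto Networks' own code) that walks through that cycle offline against a constructed stand-in for the API. The incident list, fake_fetch, and the base URL, API key and auth ID arguments are assumptions; the placeholder names and header names come from the steps above. It also shows a caveat the steps do not mention: because the filter operator is "gte" and the stored timestamp is taken from the newest incident, that incident is returned again on the next poll, so the collector should deduplicate by incident_id.

```python
import json
import string
import urllib.request
from typing import Any, Callable, Dict, List, Optional, Set, Tuple

# Body template from the API Config step. $TIMESTAMPFILTERPARAMNAME and
# $TIMESTAMPFILTERPARAMVALUE are the USM Anywhere placeholders substituted before each poll.
BODY_TEMPLATE = """{
  "request_data": {
    "sort": {"field": "creation_time", "keyword": "asc"},
    "filters": [
      {"field": "$TIMESTAMPFILTERPARAMNAME", "operator": "gte", "value": $TIMESTAMPFILTERPARAMVALUE}
    ]
  }
}"""


def build_request_body(param_name: str, param_value: int) -> Dict[str, Any]:
    """Render the template the way the collector does, then parse it so a bad
    substitution (e.g. a non-numeric timestamp) fails here rather than at the API."""
    rendered = string.Template(BODY_TEMPLATE).substitute(
        TIMESTAMPFILTERPARAMNAME=param_name,
        TIMESTAMPFILTERPARAMVALUE=str(int(param_value)),
    )
    return json.loads(rendered)


def build_request(base_url: str, api_key: str, auth_id: str, body: Dict[str, Any]) -> urllib.request.Request:
    """Headers from the API Credentials step: Authorization carries the API key,
    x-xdr-auth-id the key's ID. All three arguments are caller-supplied assumptions."""
    return urllib.request.Request(
        f"{base_url}/public_api/v1/incidents/get_incidents",
        data=json.dumps(body).encode("utf-8"),
        headers={
            "Accept": "application/json",
            "Content-Type": "application/json",
            "Authorization": api_key,
            "x-xdr-auth-id": auth_id,
        },
        method="POST",
    )


def latest_timestamp(incidents: List[Dict[str, Any]], field: str = "creation_time") -> Optional[int]:
    """'Latest Event Timestamp Response Path': the value the collector stores and
    feeds back as $TIMESTAMPFILTERPARAMVALUE on the next cycle (epoch milliseconds)."""
    values = [int(i[field]) for i in incidents if i.get(field) is not None]
    return max(values) if values else None


# Constructed sample incidents, modelled on the raw incident shown in the Mapping step.
SAMPLE_INCIDENTS = [
    {"incident_id": "542", "creation_time": 1744700000000, "severity": "low"},
    {"incident_id": "543", "creation_time": 1745000000000, "severity": "high"},
    {"incident_id": "544", "creation_time": 1745055785000, "severity": "medium"},
]


def fake_fetch(body: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Stand-in for the HTTP call: applies the gte filter and ascending sort the way
    get_incidents would, and returns what the collector reads from reply.incidents."""
    flt = body["request_data"]["filters"][0]
    if flt["operator"] != "gte":
        raise ValueError("example only models the gte operator used in the template")
    rows = [i for i in SAMPLE_INCIDENTS if i[flt["field"]] >= flt["value"]]
    return sorted(rows, key=lambda i: i["creation_time"])


def poll(fetch: Callable[[Dict[str, Any]], List[Dict[str, Any]]],
         since_ms: int, seen: Set[str], field: str = "creation_time") -> Tuple[List[Dict[str, Any]], int]:
    """One collection cycle. Returns (new incidents, timestamp to store for the next cycle).
    With 'gte', the incident whose creation_time equals the stored timestamp comes back
    again next time, so incidents already seen (by incident_id) are dropped."""
    reply = fetch(build_request_body(field, since_ms))
    new = [i for i in reply if i["incident_id"] not in seen]
    seen.update(i["incident_id"] for i in new)
    latest = latest_timestamp(reply, field)
    return new, (latest if latest is not None else since_ms)


if __name__ == "__main__":
    seen_ids: Set[str] = set()
    batch, next_ts = poll(fake_fetch, 1744675200000, seen_ids)   # start value from the template
    print(f"first cycle: {[i['incident_id'] for i in batch]}, store {next_ts}")
    batch, next_ts = poll(fake_fetch, next_ts, seen_ids)
    print(f"second cycle: {[i['incident_id'] for i in batch]} new (544 re-returned, deduplicated)")
```

Note that both the filter value and the stored timestamp are in epoch milliseconds, matching the 13-digit creation_time values in the raw incident; a 10-digit seconds value would filter from 1970 and re-pull every incident on each cycle.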
4. Mapping
Raw Log Data
{
"incident_id": "544",
"incident_name": null,
"creation_time": 1745055785000,
"modification_time": 1745080427000,
"detection_time": null,
"status": "new",
"severity": "medium",
"description": "3 'TBW-Windows Events (query based)' alerts detected by XDR BIOC on host scada-dc-3 involving user nt authority\\system",
"assigned_user_mail": null,
"assigned_user_pretty_name": null,
"alert_count": 3,
"low_severity_alert_count": 0,
"med_severity_alert_count": 3,
"high_severity_alert_count": 0,
"critical_severity_alert_count": 0,
"user_count": 1,
"host_count": 1,
"notes": null,
"resolve_comment": null,
"resolved_timestamp": null,
"manual_severity": null,
"manual_description": null,
"xdr_url": "https://tampabaywater.xdr.us.paloaltonetworks.com/incident-view?caseId=544",
"starred": false,
"starred_manually": false,
"hosts": [
"scada-dc-3:a1e49e978482426aa78b6a76facc7fba"
],
"users": [
"nt authority\\system"
],
"incident_sources": [
"XDR BIOC"
],
"rule_based_score": null,
"predicted_score": 80,
"manual_score": null,
"aggregated_score": 80,
"wildfire_hits": 0,
"alerts_grouping_status": "Enabled",
"mitre_tactics_ids_and_names": null,
"mitre_techniques_ids_and_names": null,
"alert_categories": [
"Credential Access"
],
"original_tags": [
"EG:PROD-Environment",
"DS:PANW/XDR Agent"
],
"tags": [
"DS:PANW/XDR Agent",
"EG:PROD-Environment"
]
}
Fields Mapping
{
"name": "Cortex XDR by Palo Alto Networks",
"device": "Cortex XDR by Palo Alto Networks",
"type": "JSON",
"appFormat": "JSON",
"vendor": "Palo Alto Networks",
"deviceType": "Alarm",
"version": "0.4",
"highlight_fields": "event_name,event_description,status,event_severity,tag",
"hints": [],
"tags": {
"reputation_score": {
"matches": [
"map('$.predicted_score')"
]
},
"user_resource": {
"matches": [
"map('$.users[0]')"
]
},
"status": {
"matches": [
"map('$.status')"
]
},
"event_description": {
"matches": [
"map('$.description')"
]
},
"event_description_url": {
"matches": [
"map('$.xdr_url')"
]
},
"event_severity": {
"matches": [
"map('$.severity')"
]
},
"tag": {
"matches": [
"map('$.tags[0]')",
"map('$.tags[1]')"
]
},
"destination_asset_id": {
"matches": [
"map('$.hosts[0]')"
]
},
"source_asset_id": {
"matches": [
"map('$.incident_sources[0]')"
]
},
"event_name": {
"matches": [
"map('$.alert_categories[0]')"
]
}
}
}
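The Fields Mapping above pairs each USM key with one or more map('$.path') expressions evaluated against the raw incident. The script below is an added example (not USM Anywhere's own mapping engine) that resolves those expressions over a trimmed copy of the raw incident shown above, so you can check what lands in each USM field before saving the app. The path resolver supports only the dotted keys and numeric indexes used in this mapping; how USM combines several matches for one key (here: a list of the values that resolved) and how it treats null or absent values (here: the key is omitted) are assumptions of the example, and the tenant in xdr_url is replaced by a placeholder.

```python
import json
import re
from typing import Any, Dict, List, Optional

# "tags" section of the Fields Mapping shown above: USM key -> map() expressions.
FIELD_MAPPING: Dict[str, List[str]] = {
    "reputation_score": ["map('$.predicted_score')"],
    "user_resource": ["map('$.users[0]')"],
    "status": ["map('$.status')"],
    "event_description": ["map('$.description')"],
    "event_description_url": ["map('$.xdr_url')"],
    "event_severity": ["map('$.severity')"],
    "tag": ["map('$.tags[0]')", "map('$.tags[1]')"],
    "destination_asset_id": ["map('$.hosts[0]')"],
    "source_asset_id": ["map('$.incident_sources[0]')"],
    "event_name": ["map('$.alert_categories[0]')"],
}

# Trimmed copy of the raw incident shown above (tenant in xdr_url replaced by a placeholder).
RAW_INCIDENT: Dict[str, Any] = json.loads(r'''{
  "incident_id": "544", "incident_name": null, "creation_time": 1745055785000,
  "status": "new", "severity": "medium",
  "description": "3 'TBW-Windows Events (query based)' alerts detected by XDR BIOC on host scada-dc-3 involving user nt authority\\system",
  "xdr_url": "https://<tenant>.xdr.us.paloaltonetworks.com/incident-view?caseId=544",
  "hosts": ["scada-dc-3:a1e49e978482426aa78b6a76facc7fba"],
  "users": ["nt authority\\system"],
  "incident_sources": ["XDR BIOC"],
  "predicted_score": 80,
  "alert_categories": ["Credential Access"],
  "tags": ["DS:PANW/XDR Agent", "EG:PROD-Environment"]
}''')

# map('$.key[0].key') -- only the dotted-key / numeric-index subset used in the mapping.
MAP_EXPR = re.compile(r"map\('(\$(?:\.[A-Za-z_][A-Za-z0-9_]*|\[\d+\])*)'\)")
STEP = re.compile(r"\.([A-Za-z_][A-Za-z0-9_]*)|\[(\d+)\]")


def resolve(doc: Any, path: str) -> Optional[Any]:
    """Walk a '$.key[idx]' path over the parsed incident; None if any step is absent,
    so map('$.tags[1]') on a one-tag incident resolves to None rather than raising."""
    cur = doc
    for key, idx in STEP.findall(path[1:]):   # strip the leading '$'
        if key:
            if not isinstance(cur, dict) or key not in cur:
                return None
            cur = cur[key]
        else:
            i = int(idx)
            if not isinstance(cur, list) or i >= len(cur):
                return None
            cur = cur[i]
    return cur


def apply_mapping(raw: Dict[str, Any], mapping: Dict[str, List[str]]) -> Dict[str, Any]:
    """Build the USM event. A key with one expression becomes a scalar; a key with
    several (tag) becomes the list of values that resolved; keys whose expressions
    all yield null/absent values are left out of the event."""
    event: Dict[str, Any] = {}
    for usm_key, exprs in mapping.items():
        values = []
        for expr in exprs:
            m = MAP_EXPR.fullmatch(expr)
            if not m:
                raise ValueError(f"unsupported mapping expression: {expr}")
            value = resolve(raw, m.group(1))
            if value is not None:
                values.append(value)
        if not values:
            continue
        event[usm_key] = values[0] if len(exprs) == 1 else values
    return event


if __name__ == "__main__":
    print(json.dumps(apply_mapping(RAW_INCIDENT, FIELD_MAPPING), indent=2))
```

Running it prints the event as USM would see it, with event_name taken from alert_categories[0] and both tags collected under tag; feeding it an incident with fewer tags or no hosts shows which highlight fields would come up empty.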
Use the table above as a guide: the left-hand side is the new log data, and the right-hand side represents which USM key to drag it onto. Use the search bars above both sides to find the exact matches. Once finished, click “Next”.
5. Summary Fields
Select which fields you would like in the summary. See above as an example. This step is completely at your discretion and doesn’t impact app operations. All log details will be available in “Event Details”.
6. Preview
Click “Save and Close” to finalize the app.