Create a template to facilitate the seamless setup of CSP data in Cortex. Define the scope and specify the scan mode. For full control of the setup, you can use the advanced settings. Based on the onboarding settings, Cortex generates an authentication template to establish trust to the CSP and grant permissions to Cortex. Cortex XSIAM creates an instance in pending state. The API returns a link to download the template from the Cortex tenant.
Note: If the template execution in the CSP fails, there is currently no manual execution of the template by API. You must perform manual execution in the UI.
For scope modifications, the parameters are CSP-specific. For AWS, use accounts, for GCP, use projects, and for Azure, use subscriptions.
Required license: In Cortex XSIAM Premium, Cortex XSIAM Enterprise, or Cortex XSIAM NG SIEM, requires the Cortex Cloud Posture Management add-on. In Cortex XSIAM Enterprise Plus, requires the Data Collection add-on.
Authorization
String
required
{api_key}
{api_key}
UCoWpG4rkNzgCp2dsh8m02iVpZsskwKHz7N1tErPcUV3Wmf59Gc9kytmgOv0pDWoem3PBlORyRIPiir4OcYdWUOWAM3JyTgoCxQf4nQoTlKmFRKz9Bj5vIjluw66p9WP
x-xdr-auth-id
String
required
{api_key_id}
{api_key_id}
241
curl -X 'POST'
-H
'Accept: application/json'
-H
'Content-Type: application/json'
-H
'Authorization: UCoWpG4rkNzgCp2dsh8m02iVpZsskwKHz7N1tErPcUV3Wmf59Gc9kytmgOv0pDWoem3PBlORyRIPiir4OcYdWUOWAM3JyTgoCxQf4nQoTlKmFRKz9Bj5vIjluw66p9WP '
-H
'x-xdr-auth-id: 241'
'https://api-yourfqdn/public_api/v1/cloud_onboarding/create_instance_template'
-d
'{
"request_data" : {
"scope" : "ORGANIZATION",
"scan_mode" : "MANAGED",
"cloud_provider" : "AWS",
"instance_name" : "My AWS Instance",
"custom_resources_tags" : [ {
"key" : "environment",
"value" : "production"
} ],
"collection_configuration" : {
"audit_logs" : {
"enabled" : true
}
},
"scope_modifications" : {
"accounts" : {
"enabled" : true,
"type" : "INCLUDE",
"account_ids" : [ "123456789012" ]
},
"regions" : {
"enabled" : true,
"type" : "INCLUDE",
"regions" : [ "us-east-1", "us-west-2" ]
}
},
"additional_capabilities" : {
"xsiam_analytics" : true,
"data_security_posture_management" : true,
"registry_scanning" : true,
"registry_scanning_options" : {
"type" : "ECR"
},
"serverless_scanning" : true,
"agentless_disk_scanning" : true
}
}
}'
import http.client
conn = http.client.HTTPSConnection("api-yourfqdn")
payload = "{\"request_data\":{\"scope\":\"ORGANIZATION\",\"scan_mode\":\"MANAGED\",\"cloud_provider\":\"AWS\",\"instance_name\":\"My AWS Instance\",\"custom_resources_tags\":[{\"key\":\"environment\",\"value\":\"production\"}],\"collection_configuration\":{\"audit_logs\":{\"enabled\":true}},\"scope_modifications\":{\"accounts\":{\"enabled\":true,\"type\":\"INCLUDE\",\"account_ids\":[\"123456789012\"]},\"regions\":{\"enabled\":true,\"type\":\"INCLUDE\",\"regions\":[\"us-east-1\",\"us-west-2\"]}},\"additional_capabilities\":{\"xsiam_analytics\":true,\"data_security_posture_management\":true,\"registry_scanning\":true,\"registry_scanning_options\":{\"type\":\"ECR\"},\"serverless_scanning\":true,\"agentless_disk_scanning\":true}}}"
headers = {
'Authorization': "UCoWpG4rkNzgCp2dsh8m02iVpZsskwKHz7N1tErPcUV3Wmf59Gc9kytmgOv0pDWoem3PBlORyRIPiir4OcYdWUOWAM3JyTgoCxQf4nQoTlKmFRKz9Bj5vIjluw66p9WP ",
'x-xdr-auth-id': "241",
'content-type': "application/json"
}
conn.request("POST", "/public_api/v1/cloud_onboarding/create_instance_template", payload, headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))require 'uri'
require 'net/http'
require 'openssl'
url = URI("https://api-yourfqdn/public_api/v1/cloud_onboarding/create_instance_template")
http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
request = Net::HTTP::Post.new(url)
request["Authorization"] = 'UCoWpG4rkNzgCp2dsh8m02iVpZsskwKHz7N1tErPcUV3Wmf59Gc9kytmgOv0pDWoem3PBlORyRIPiir4OcYdWUOWAM3JyTgoCxQf4nQoTlKmFRKz9Bj5vIjluw66p9WP '
request["x-xdr-auth-id"] = '241'
request["content-type"] = 'application/json'
request.body = "{\"request_data\":{\"scope\":\"ORGANIZATION\",\"scan_mode\":\"MANAGED\",\"cloud_provider\":\"AWS\",\"instance_name\":\"My AWS Instance\",\"custom_resources_tags\":[{\"key\":\"environment\",\"value\":\"production\"}],\"collection_configuration\":{\"audit_logs\":{\"enabled\":true}},\"scope_modifications\":{\"accounts\":{\"enabled\":true,\"type\":\"INCLUDE\",\"account_ids\":[\"123456789012\"]},\"regions\":{\"enabled\":true,\"type\":\"INCLUDE\",\"regions\":[\"us-east-1\",\"us-west-2\"]}},\"additional_capabilities\":{\"xsiam_analytics\":true,\"data_security_posture_management\":true,\"registry_scanning\":true,\"registry_scanning_options\":{\"type\":\"ECR\"},\"serverless_scanning\":true,\"agentless_disk_scanning\":true}}}"
response = http.request(request)
puts response.read_bodyconst data = JSON.stringify({
"request_data": {
"scope": "ORGANIZATION",
"scan_mode": "MANAGED",
"cloud_provider": "AWS",
"instance_name": "My AWS Instance",
"custom_resources_tags": [
{
"key": "environment",
"value": "production"
}
],
"collection_configuration": {
"audit_logs": {
"enabled": true
}
},
"scope_modifications": {
"accounts": {
"enabled": true,
"type": "INCLUDE",
"account_ids": [
"123456789012"
]
},
"regions": {
"enabled": true,
"type": "INCLUDE",
"regions": [
"us-east-1",
"us-west-2"
]
}
},
"additional_capabilities": {
"xsiam_analytics": true,
"data_security_posture_management": true,
"registry_scanning": true,
"registry_scanning_options": {
"type": "ECR"
},
"serverless_scanning": true,
"agentless_disk_scanning": true
}
}
});
const xhr = new XMLHttpRequest();
xhr.withCredentials = true;
xhr.addEventListener("readystatechange", function () {
if (this.readyState === this.DONE) {
console.log(this.responseText);
}
});
xhr.open("POST", "https://api-yourfqdn/public_api/v1/cloud_onboarding/create_instance_template");
xhr.setRequestHeader("Authorization", "UCoWpG4rkNzgCp2dsh8m02iVpZsskwKHz7N1tErPcUV3Wmf59Gc9kytmgOv0pDWoem3PBlORyRIPiir4OcYdWUOWAM3JyTgoCxQf4nQoTlKmFRKz9Bj5vIjluw66p9WP ");
xhr.setRequestHeader("x-xdr-auth-id", "241");
xhr.setRequestHeader("content-type", "application/json");
xhr.send(data);HttpResponse<String> response = Unirest.post("https://api-yourfqdn/public_api/v1/cloud_onboarding/create_instance_template")
.header("Authorization", "UCoWpG4rkNzgCp2dsh8m02iVpZsskwKHz7N1tErPcUV3Wmf59Gc9kytmgOv0pDWoem3PBlORyRIPiir4OcYdWUOWAM3JyTgoCxQf4nQoTlKmFRKz9Bj5vIjluw66p9WP ")
.header("x-xdr-auth-id", "241")
.header("content-type", "application/json")
.body("{\"request_data\":{\"scope\":\"ORGANIZATION\",\"scan_mode\":\"MANAGED\",\"cloud_provider\":\"AWS\",\"instance_name\":\"My AWS Instance\",\"custom_resources_tags\":[{\"key\":\"environment\",\"value\":\"production\"}],\"collection_configuration\":{\"audit_logs\":{\"enabled\":true}},\"scope_modifications\":{\"accounts\":{\"enabled\":true,\"type\":\"INCLUDE\",\"account_ids\":[\"123456789012\"]},\"regions\":{\"enabled\":true,\"type\":\"INCLUDE\",\"regions\":[\"us-east-1\",\"us-west-2\"]}},\"additional_capabilities\":{\"xsiam_analytics\":true,\"data_security_posture_management\":true,\"registry_scanning\":true,\"registry_scanning_options\":{\"type\":\"ECR\"},\"serverless_scanning\":true,\"agentless_disk_scanning\":true}}}")
.asString();import Foundation
let headers = [
"Authorization": "UCoWpG4rkNzgCp2dsh8m02iVpZsskwKHz7N1tErPcUV3Wmf59Gc9kytmgOv0pDWoem3PBlORyRIPiir4OcYdWUOWAM3JyTgoCxQf4nQoTlKmFRKz9Bj5vIjluw66p9WP ",
"x-xdr-auth-id": "241",
"content-type": "application/json"
]
let parameters = ["request_data": [
"scope": "ORGANIZATION",
"scan_mode": "MANAGED",
"cloud_provider": "AWS",
"instance_name": "My AWS Instance",
"custom_resources_tags": [
[
"key": "environment",
"value": "production"
]
],
"collection_configuration": ["audit_logs": ["enabled": true]],
"scope_modifications": [
"accounts": [
"enabled": true,
"type": "INCLUDE",
"account_ids": ["123456789012"]
],
"regions": [
"enabled": true,
"type": "INCLUDE",
"regions": ["us-east-1", "us-west-2"]
]
],
"additional_capabilities": [
"xsiam_analytics": true,
"data_security_posture_management": true,
"registry_scanning": true,
"registry_scanning_options": ["type": "ECR"],
"serverless_scanning": true,
"agentless_disk_scanning": true
]
]] as [String : Any]
let postData = JSONSerialization.data(withJSONObject: parameters, options: [])
let request = NSMutableURLRequest(url: NSURL(string: "https://api-yourfqdn/public_api/v1/cloud_onboarding/create_instance_template")! as URL,
cachePolicy: .useProtocolCachePolicy,
timeoutInterval: 10.0)
request.httpMethod = "POST"
request.allHTTPHeaderFields = headers
request.httpBody = postData as Data
let session = URLSession.shared
let dataTask = session.dataTask(with: request as URLRequest, completionHandler: { (data, response, error) -> Void in
if (error != nil) {
print(error)
} else {
let httpResponse = response as? HTTPURLResponse
print(httpResponse)
}
})
dataTask.resume()<?php
$curl = curl_init();
curl_setopt_array($curl, [
CURLOPT_URL => "https://api-yourfqdn/public_api/v1/cloud_onboarding/create_instance_template",
CURLOPT_RETURNTRANSFER => true,
CURLOPT_ENCODING => "",
CURLOPT_MAXREDIRS => 10,
CURLOPT_TIMEOUT => 30,
CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
CURLOPT_CUSTOMREQUEST => "POST",
CURLOPT_POSTFIELDS => "{\"request_data\":{\"scope\":\"ORGANIZATION\",\"scan_mode\":\"MANAGED\",\"cloud_provider\":\"AWS\",\"instance_name\":\"My AWS Instance\",\"custom_resources_tags\":[{\"key\":\"environment\",\"value\":\"production\"}],\"collection_configuration\":{\"audit_logs\":{\"enabled\":true}},\"scope_modifications\":{\"accounts\":{\"enabled\":true,\"type\":\"INCLUDE\",\"account_ids\":[\"123456789012\"]},\"regions\":{\"enabled\":true,\"type\":\"INCLUDE\",\"regions\":[\"us-east-1\",\"us-west-2\"]}},\"additional_capabilities\":{\"xsiam_analytics\":true,\"data_security_posture_management\":true,\"registry_scanning\":true,\"registry_scanning_options\":{\"type\":\"ECR\"},\"serverless_scanning\":true,\"agentless_disk_scanning\":true}}}",
CURLOPT_HTTPHEADER => [
"Authorization: UCoWpG4rkNzgCp2dsh8m02iVpZsskwKHz7N1tErPcUV3Wmf59Gc9kytmgOv0pDWoem3PBlORyRIPiir4OcYdWUOWAM3JyTgoCxQf4nQoTlKmFRKz9Bj5vIjluw66p9WP ",
"content-type: application/json",
"x-xdr-auth-id: 241"
],
]);
$response = curl_exec($curl);
$err = curl_error($curl);
curl_close($curl);
if ($err) {
echo "cURL Error #:" . $err;
} else {
echo $response;
}CURL *hnd = curl_easy_init();
curl_easy_setopt(hnd, CURLOPT_CUSTOMREQUEST, "POST");
curl_easy_setopt(hnd, CURLOPT_URL, "https://api-yourfqdn/public_api/v1/cloud_onboarding/create_instance_template");
struct curl_slist *headers = NULL;
headers = curl_slist_append(headers, "Authorization: UCoWpG4rkNzgCp2dsh8m02iVpZsskwKHz7N1tErPcUV3Wmf59Gc9kytmgOv0pDWoem3PBlORyRIPiir4OcYdWUOWAM3JyTgoCxQf4nQoTlKmFRKz9Bj5vIjluw66p9WP ");
headers = curl_slist_append(headers, "x-xdr-auth-id: 241");
headers = curl_slist_append(headers, "content-type: application/json");
curl_easy_setopt(hnd, CURLOPT_HTTPHEADER, headers);
curl_easy_setopt(hnd, CURLOPT_POSTFIELDS, "{\"request_data\":{\"scope\":\"ORGANIZATION\",\"scan_mode\":\"MANAGED\",\"cloud_provider\":\"AWS\",\"instance_name\":\"My AWS Instance\",\"custom_resources_tags\":[{\"key\":\"environment\",\"value\":\"production\"}],\"collection_configuration\":{\"audit_logs\":{\"enabled\":true}},\"scope_modifications\":{\"accounts\":{\"enabled\":true,\"type\":\"INCLUDE\",\"account_ids\":[\"123456789012\"]},\"regions\":{\"enabled\":true,\"type\":\"INCLUDE\",\"regions\":[\"us-east-1\",\"us-west-2\"]}},\"additional_capabilities\":{\"xsiam_analytics\":true,\"data_security_posture_management\":true,\"registry_scanning\":true,\"registry_scanning_options\":{\"type\":\"ECR\"},\"serverless_scanning\":true,\"agentless_disk_scanning\":true}}}");
CURLcode ret = curl_easy_perform(hnd);var client = new RestClient("https://api-yourfqdn/public_api/v1/cloud_onboarding/create_instance_template");
var request = new RestRequest(Method.POST);
request.AddHeader("Authorization", "UCoWpG4rkNzgCp2dsh8m02iVpZsskwKHz7N1tErPcUV3Wmf59Gc9kytmgOv0pDWoem3PBlORyRIPiir4OcYdWUOWAM3JyTgoCxQf4nQoTlKmFRKz9Bj5vIjluw66p9WP ");
request.AddHeader("x-xdr-auth-id", "241");
request.AddHeader("content-type", "application/json");
request.AddParameter("application/json", "{\"request_data\":{\"scope\":\"ORGANIZATION\",\"scan_mode\":\"MANAGED\",\"cloud_provider\":\"AWS\",\"instance_name\":\"My AWS Instance\",\"custom_resources_tags\":[{\"key\":\"environment\",\"value\":\"production\"}],\"collection_configuration\":{\"audit_logs\":{\"enabled\":true}},\"scope_modifications\":{\"accounts\":{\"enabled\":true,\"type\":\"INCLUDE\",\"account_ids\":[\"123456789012\"]},\"regions\":{\"enabled\":true,\"type\":\"INCLUDE\",\"regions\":[\"us-east-1\",\"us-west-2\"]}},\"additional_capabilities\":{\"xsiam_analytics\":true,\"data_security_posture_management\":true,\"registry_scanning\":true,\"registry_scanning_options\":{\"type\":\"ECR\"},\"serverless_scanning\":true,\"agentless_disk_scanning\":true}}}", ParameterType.RequestBody);
IRestResponse response = client.Execute(request);request_dataobject
scopestring (Enum)requiredDefine the scope for this cloud instance. Valid values include:
ORGANIZATION: Use this to indicate an AWS organization, GCP organization, or Azure tenant.ACCOUNT_GROUP: Use this to indicate an AWS account group, GCP folder, or Azure management group.ACCOUNT: Use this to indicate an AWS account, GCP project, or Azure subscription.
Define the scope for this cloud instance. Valid values include:
ORGANIZATION: Use this to indicate an AWS organization, GCP organization, or Azure tenant.ACCOUNT_GROUP: Use this to indicate an AWS account group, GCP folder, or Azure management group.ACCOUNT: Use this to indicate an AWS account, GCP project, or Azure subscription.
scan_modestring (Enum)requiredDefine the scan mode. Valid values include:
MANAGED: (Recommended) Security scanning is performed in the Cortex cloud environment.OUTPOST: Security scanning is performed on infrastructure deployed to a cloud account owned by you.
**Note: ** Scanning with an outpost may require additional CSP permissions and may incur additional CSP costs.
Define the scan mode. Valid values include:
MANAGED: (Recommended) Security scanning is performed in the Cortex cloud environment.OUTPOST: Security scanning is performed on infrastructure deployed to a cloud account owned by you.
**Note: ** Scanning with an outpost may require additional CSP permissions and may incur additional CSP costs.
scan_env_idstringWhen the scan mode is OUTPOST, you must include the scan_env_id field with the outpost ID as the value.
To obtain the outpost ID, call /public_api/v1/cloud_onboarding/get_outposts. The value of outpost_id in the response is the outpost ID.
When the scan mode is OUTPOST, you must include the scan_env_id field with the outpost ID as the value.
To obtain the outpost ID, call /public_api/v1/cloud_onboarding/get_outposts. The value of outpost_id in the response is the outpost ID.
account_detailsobjectaccount_details is required for onboarding Azure and is not used for onboarding AWS or GCP.
account_details is required for onboarding Azure and is not used for onboarding AWS or GCP.
organization_idstringAzure tenant ID
Azure tenant ID
instance_namestringrequired
cloud_providerstring (Enum)requiredThe cloud service provider. Valid values include:
AWSAZUREGCPOCIALIBABA_CLOUD
The cloud service provider. Valid values include:
AWSAZUREGCPOCIALIBABA_CLOUD
custom_resources_tagsarrayrequired
keystringThe key of the custom resource tag.
The key of the custom resource tag.
valuestringThe value of the custom resource tag.
The value of the custom resource tag.
collection_configurationobjectrequired
audit_logsobjectTo maximize security coverage, include collection of logs. This may require additional cloud service provider permissions.
For detailed information on the permissions required, see Cloud service provider permissions.
To maximize security coverage, include collection of logs. This may require additional cloud service provider permissions. For detailed information on the permissions required, see Cloud service provider permissions.
enabledbooleanrequiredWhether to enable audit log collection. If this is false, then the other fields in this object should not be used.
Whether to enable audit log collection. If this is false, then the other fields in this object should not be used.
collection_methodobject (Enum)Indicates whether to use automated or custom log collection.
Note: collection_method is only relevant for AWS or OCI. For OCI, the value of collection_method must be CUSTOM and you must include custom_collectors with the details of the existing buckets. In AWS, if collection_method is CUSTOM, you need to update the bucket information when you manually upload the template to AWS CloudFormation.
Indicates whether to use automated or custom log collection.
Note: collection_method is only relevant for AWS or OCI. For OCI, the value of collection_method must be CUSTOM and you must include custom_collectors with the details of the existing buckets. In AWS, if collection_method is CUSTOM, you need to update the bucket information when you manually upload the template to AWS CloudFormation.
data_eventsbooleanThe data_events field is only relevant when cloud_provider is AWS and collection_method is AUTOMATED. Currently supports AWS Lambda and Amazon S3.
The data_events field is only relevant when cloud_provider is AWS and collection_method is AUTOMATED. Currently supports AWS Lambda and Amazon S3.
custom_collectorsarrayA list of OCI bucket configurations for collecting logs.
Note: This is only relevant for OCI when collection_method is CUSTOM.
A list of OCI bucket configurations for collecting logs.
Note: This is only relevant for OCI when collection_method is CUSTOM.
regionstringThe geographic region where the collection bucket is located.
The geographic region where the collection bucket is located.
bucket_namestringThe name of the storage bucket where the log collection data will be collected and stored.
The name of the storage bucket where the log collection data will be collected and stored.
compartment_ocidstringThe unique OCID (Oracle Cloud Identifier) of the compartment that owns the specified bucket.
The unique OCID (Oracle Cloud Identifier) of the compartment that owns the specified bucket.
scope_modificationsobjectrequired
accountsobject
enabledbooleanWhether to enable (true) or disable (false) this scope modification.
Whether to enable (true) or disable (false) this scope modification.
typestringDefine whether the account IDs/project IDs/subscription IDs specified should be included in the scope or excluded from the scope. Valid values include:
INCLUDEEXCLUDE
Define whether the account IDs/project IDs/subscription IDs specified should be included in the scope or excluded from the scope. Valid values include:
INCLUDEEXCLUDE
account_idsarray[string]The list of account IDs to include or exclude (for AWS).
The list of account IDs to include or exclude (for AWS).
project_idsarray[string]The list of account IDs to include or exclude (for GCP).
The list of account IDs to include or exclude (for GCP).
subscription_idsarray[string]The list of account IDs to include or exclude (for Azure).
The list of account IDs to include or exclude (for Azure).
compartment_idsarray[string]The list of compartment IDs to include or exclude (for OCI).
The list of compartment IDs to include or exclude (for OCI).
projectsobject
enabledbooleanWhether to enable (true) or disable (false) this scope modification.
Whether to enable (true) or disable (false) this scope modification.
typestringDefine whether the account IDs/project IDs/subscription IDs specified should be included in the scope or excluded from the scope. Valid values include:
INCLUDEEXCLUDE
Define whether the account IDs/project IDs/subscription IDs specified should be included in the scope or excluded from the scope. Valid values include:
INCLUDEEXCLUDE
account_idsarray[string]The list of account IDs to include or exclude (for AWS).
The list of account IDs to include or exclude (for AWS).
project_idsarray[string]The list of account IDs to include or exclude (for GCP).
The list of account IDs to include or exclude (for GCP).
subscription_idsarray[string]The list of account IDs to include or exclude (for Azure).
The list of account IDs to include or exclude (for Azure).
compartment_idsarray[string]The list of compartment IDs to include or exclude (for OCI).
The list of compartment IDs to include or exclude (for OCI).
subscriptionsobject
enabledbooleanWhether to enable (true) or disable (false) this scope modification.
Whether to enable (true) or disable (false) this scope modification.
typestringDefine whether the account IDs/project IDs/subscription IDs specified should be included in the scope or excluded from the scope. Valid values include:
INCLUDEEXCLUDE
Define whether the account IDs/project IDs/subscription IDs specified should be included in the scope or excluded from the scope. Valid values include:
INCLUDEEXCLUDE
account_idsarray[string]The list of account IDs to include or exclude (for AWS).
The list of account IDs to include or exclude (for AWS).
project_idsarray[string]The list of account IDs to include or exclude (for GCP).
The list of account IDs to include or exclude (for GCP).
subscription_idsarray[string]The list of account IDs to include or exclude (for Azure).
The list of account IDs to include or exclude (for Azure).
compartment_idsarray[string]The list of compartment IDs to include or exclude (for OCI).
The list of compartment IDs to include or exclude (for OCI).
regionsobject
enabledbooleanFlag to enable or disable region configuration
Flag to enable or disable region configuration
typestringType of region configuration (e.g., INCLUDE, EXCLUDE)
Type of region configuration (e.g., INCLUDE, EXCLUDE)
regionsarray[string]List of regions to include or exclude
List of regions to include or exclude
compartmentsobject
enabledbooleanWhether to enable (true) or disable (false) this scope modification.
Whether to enable (true) or disable (false) this scope modification.
typestringDefine whether the account IDs/project IDs/subscription IDs specified should be included in the scope or excluded from the scope. Valid values include:
INCLUDEEXCLUDE
Define whether the account IDs/project IDs/subscription IDs specified should be included in the scope or excluded from the scope. Valid values include:
INCLUDEEXCLUDE
account_idsarray[string]The list of account IDs to include or exclude (for AWS).
The list of account IDs to include or exclude (for AWS).
project_idsarray[string]The list of account IDs to include or exclude (for GCP).
The list of account IDs to include or exclude (for GCP).
subscription_idsarray[string]The list of account IDs to include or exclude (for Azure).
The list of account IDs to include or exclude (for Azure).
compartment_idsarray[string]The list of compartment IDs to include or exclude (for OCI).
The list of compartment IDs to include or exclude (for OCI).
additional_capabilitiesobjectDefine which security capabilities you want to benefit from.
Note: Adding security capability typically requires additional cloud provider permissions. For detailed information on the permissions required, see Cloud service provider permissions.
Define which security capabilities you want to benefit from.
Note: Adding security capability typically requires additional cloud provider permissions. For detailed information on the permissions required, see Cloud service provider permissions.
xsiam_analyticsbooleanrequiredWhether to enable XSIAM analytics to analyze your endpoint data to develop a baseline and raise Analytics and Analytics BIOC alerts when anomalies and malicious behaviors are detected.
Whether to enable XSIAM analytics to analyze your endpoint data to develop a baseline and raise Analytics and Analytics BIOC alerts when anomalies and malicious behaviors are detected.
data_security_posture_managementbooleanrequiredWhether to enable data security posture management, an agentless data security scanner that discovers, classifies, protects, and governs sensitive data.
Whether to enable data security posture management, an agentless data security scanner that discovers, classifies, protects, and governs sensitive data.
registry_scanningbooleanrequiredWhether to enable registry scanning, a container registry scanner that scans registry images for vulnerabilities, malware, and secrets.
Whether to enable registry scanning, a container registry scanner that scans registry images for vulnerabilities, malware, and secrets.
registry_scanning_optionsobject
typestringType of registry scanning.
Type of registry scanning.
last_daysintegerNumber of days to scan back.
Number of days to scan back.
serverless_scanningbooleanrequiredWhether to enable serverless scanning to detect and remediate vulnerabilities within serverless functions during the development lifecycle. Seamless integration into CI/CD pipelines enables automated security scans for a continuously secure pre-production environment.
Whether to enable serverless scanning to detect and remediate vulnerabilities within serverless functions during the development lifecycle. Seamless integration into CI/CD pipelines enables automated security scans for a continuously secure pre-production environment.
agentless_disk_scanningbooleanrequiredWhether to enable agentless disk scanning to remotely detect and remediate vulnerabilities during the development lifecycle.
Whether to enable agentless disk scanning to remotely detect and remediate vulnerabilities during the development lifecycle.
kubernetes_securitybooleanWhether to enable Kubernetes security.
Whether to enable Kubernetes security.
automationbooleanWhether to enable automation.
Whether to enable automation.
automation_log_levelobject (Enum)Automation log level
Automation log level
cloud_partitionobject (Enum)Whether the CSP environment is COMMERCIAL or GOV:
COMMERCIAL: (Default) Standard cloud deployment typically used for private and public sector organizations that do not require isolated government-specific infrastructure.GOV: Government cloud environments for compatibility with FedRAMP-certified tenants.
Whether the CSP environment is COMMERCIAL or GOV:
COMMERCIAL: (Default) Standard cloud deployment typically used for private and public sector organizations that do not require isolated government-specific infrastructure.GOV: Government cloud environments for compatibility with FedRAMP-certified tenants.
gcp_workspaceobjectGCP Workspace configuration (GCP only).
GCP Workspace configuration (GCP only).
customer_idsarray[string]
enabledboolean
{
"request_data": {
"scope": "ACCOUNT",
"scan_mode": "MANAGED",
"instance_name": "AWS 1 Instance",
"scope_modifications": {
"regions": {
"enabled": true,
"type": "EXCLUDE",
"regions": [
"us-east-1"
]
}
},
"additional_capabilities": {
"xsiam_analytics": false,
"data_security_posture_management": true,
"registry_scanning": false,
"serverless_scanning": true,
"agentless_disk_scanning": true
},
"custom_resources_tags": [
{
"key": "managed_by",
"value": "paloaltonetworks"
}
],
"collection_configuration": {
"audit_logs": {
"enabled": true,
"collection_method": "AUTOMATED"
}
},
"cloud_provider": "AWS",
"cloud_partition": "COMMERCIAL"
}
}{
"request_data": {
"scope": "ACCOUNT",
"instance_name": "test-oci-instance-01",
"scan_mode": "OUTPOST",
"scan_env_id": "acafb912391c44f59a01b6512317abf9",
"cloud_provider": "OCI",
"scope_modifications": {
"regions": {
"enabled": true,
"type": "INCLUDE",
"regions": [
"us-phoenix-1",
"us-ashburn-1"
]
}
},
"additional_capabilities": {
"xsiam_analytics": false,
"data_security_posture_management": true,
"registry_scanning": false,
"serverless_scanning": false,
"agentless_disk_scanning": true
},
"custom_resources_tags": [
{
"key": "managed_by",
"value": "paloaltonetworks"
}
],
"collection_configuration": {
"audit_logs": {
"enabled": true,
"collection_method": "CUSTOM",
"custom_collectors": [
{
"region": "us-phoenix-1",
"bucket_name": "prod-audit-logs-bucket",
"compartment_ocid": "ocid1.compartment.oc1..xxxxxxxxxxxxxx"
},
{
"region": "us-ashburn-1",
"bucket_name": "dr-audit-logs-bucket",
"compartment_ocid": "ocid1.compartment.oc1..yyyyyyyyyyyyyy"
}
]
}
}
}
}Successful Response
replyobjectThe main payload of the response, containing instance information data. It includes a link to download the template file from your tenant.
If you use automated upload (only for AWS), the link will take you directly to AWS CloudFormation to create the stack.
Otherwise, download the template and upload it in your CSP and follow the instructions to manually upload the template:
The main payload of the response, containing instance information data. It includes a link to download the template file from your tenant. If you use automated upload (only for AWS), the link will take you directly to AWS CloudFormation to create the stack. Otherwise, download the template and upload it in your CSP and follow the instructions to manually upload the template:
{
"reply": {
"automated": {
"link": "string",
"tracking_guid": "string"
},
"manual": {
"TF/ARM": "string"
}
}
}Invalid Client Request Error
replyobject
err_codestringError code
Error code
err_msgstringError message
Error message
err_extrastringExtra information about the error
Extra information about the error
{
"reply": {
"err_code": "example",
"err_msg": "example",
"err_extra": "example"
}
}Internal Server Error
replyobject
err_codestringError code
Error code
err_msgstringError message
Error message
err_extrastringExtra information about the error
Extra information about the error
{
"reply": {
"err_code": "example",
"err_msg": "example",
"err_extra": "example"
}
}