Integration commands in the CLI

Cortex XSOAR On-prem Documentation

Product: Cortex XSOAR
Version: 8.7
Creation date: 2024-07-16
Last date published: 2025-05-22
Category: Administrator Guide
Solution: On-prem
Abstract: Run integration commands in the CLI.

The command line interface (CLI) enables you to run system commands, integration commands, scripts, and more. The CLI auto-complete feature helps you find relevant commands, scripts, and arguments.

Cortex XSOAR uses the following commands:

  • System commands: These commands are not specific to an integration. System commands are entered in the CLI using a "/". For example, /clear_playground.

  • External commands: These commands are specific to an integration and perform actions relating to a specific integration, using "!". For example, !xdr-get-alerts.

Go to Settings & Info → Settings → Integrations → Instances. Under each integration, you can view a list of its commands.

Note

Integration commands are only available when the integration instance is enabled. Some commands depend on a successful connection between Cortex XSOAR and third-party integrations.

You can run the CLI commands on any page where the CLI appears or in an incident. If run on a page not in an incident, the results are returned to the Playground. The Playground is a non-production environment where you can safely develop and test automation scripts, APIs, commands, and more. It is an investigation area that is not connected to a live (active) investigation.

In the following example, first set up the Palo Alto Networks Cortex XDR - Investigation and Response integration instance. To retrieve Cortex XDR incidents from the last year, sorted by creation time in ascending order and limited to 5 incidents, type the following in the CLI:

!xdr-get-incidents limit=5 since_creation_time="1 year" sort_by_creation_time=asc

In the Playground, you can see the list of incidents in a markdown table.

To see the incidents in JSON format, select Side Panels → Context Data. Each incident contains information obtained from the Cortex XDR endpoint that can be used in subsequent commands. You can search for a field such as incident_id. To get more information about incident_id:1, copy the data by clicking the incident_id in the context data.

To retrieve additional data for the incident_id:

!xdr-get-incident-extra-data incident_id=${value copied from context data}

For example: !xdr-get-incident-extra-data incident_id=${PaloAltoNetworksXDR.Incident.[0].incident.id}

You can then see additional information.
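The following Python sketch is an added illustration, not Cortex XSOAR code: it shows how a ${...} reference in a CLI command maps onto the JSON shown under Context Data. It is a simplified model that handles only dotted keys and [n] list indexes. The sample context, the severity field, and the function names are constructed for this example, and raising an error on a missing path is a choice made here.

```python
import re

# Constructed sample of Playground context data (not real Cortex XDR output).
SAMPLE_CONTEXT = {
    "PaloAltoNetworksXDR": {
        "Incident": [
            {"incident_id": "1", "severity": "high"},
            {"incident_id": "2", "severity": "low"},
        ]
    }
}

_PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")  # matches ${some.path}
_INDEX = re.compile(r"\[(\d+)\]")            # matches a list index segment like [0]


def resolve_path(context, path):
    """Walk a dotted path such as A.B.[0].c through nested dicts and lists."""
    node = context
    for part in path.split("."):
        index = _INDEX.fullmatch(part)
        try:
            node = node[int(index.group(1))] if index else node[part]
        except (KeyError, IndexError, TypeError):
            # Fail loudly rather than send an empty or wrong argument to a command.
            raise KeyError(f"context path not found: {path!r} (at {part!r})") from None
    return node


def expand_command(command, context):
    """Replace every ${path} in a CLI command line with its context value."""
    return _PLACEHOLDER.sub(
        lambda match: str(resolve_path(context, match.group(1))), command
    )


if __name__ == "__main__":
    cmd = ("!xdr-get-incident-extra-data "
           "incident_id=${PaloAltoNetworksXDR.Incident.[0].incident_id}")
    print(expand_command(cmd, SAMPLE_CONTEXT))
```

Checking that a path resolves before a command is run avoids querying the wrong incident when the context has been cleared or the list index is out of range.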

Tip

If you want to delete context in the Playground, type !DeleteContext all=yes. To clear the playground, at the top of the page, click Clear playground.

To erase a playground and create a new one, run the /playground_create command.