Integration commands in the CLI - Administrator Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Cloud Documentation

Product
Cortex XSOAR
Version
8
Creation date
2024-03-07
Last date published
2024-11-28
Category
Administrator Guide
Solution
Cloud
Abstract

Run integration commands in the CLI.

The command line interface (CLI) enables you to run system commands, integration commands, scripts, and more from the CLI. The CLI auto-complete feature allows you to find relevant commands, scripts, and arguments.

Cortex XSOAR uses the following commands:

  • System commands: These commands are not specific to an integration. System commands are entered in the CLI using a "/". For example, /clear_playground.

  • External commands: These commands are specific to an integration and perform actions relating to a specific integration, using "!". For example, !xdr-get-alerts.

Go to Settings & InfoSettings+IntegrationsInstances, under each integration, you can view a list of commands.

Note

Integration commands are only available when the integration instance is enabled. Some commands depend on a successful connection between Cortex XSOAR and third-party integrations.

You can run the CLI commands on any page where the CLI appears or in an incident. If run on a page not in an incident, the results are returned to the Playground. The Playground is a non-production environment where you can safely develop and test automation scripts, APIs, commands, and more. It is an investigation area that is not connected to a live (active) investigation.

In the following example, set up the Palo Alto Networks Cortex XDR - Investigation and Response integration instance. To retrieve Cortex XDR incidents, for the last year, sort by time in ascending order and limit to 5 incidents type the following in the CLI:

!xdr-get-incidents limit = 5 since_creation_time="1 year" sort_by_creation_time=asc

In the Playground, you can see the list of incidents in a markdown table.

To see the incidents in a JSON format, select Side PanelsContext Data. Each incident contains information obtained from the Cortex XDR endpoint that can be used in subsequent commands. You can search for a field such as incident_id. To get more information about the incident_id:1, copy the data, by clicking the incident_id in the context sata.

cli-contextdata.png

To retrieve additional data from incident _id:

!xdr-get-incident-extra-data incident_id ${value copied from context data}

For example !xdr-get-incident-extra-data incident_id ${PaloAltoNetworksXDR.Incident.[0].incident.id}

You can then see additional information.

cli-contextdata2.png

Tip

If you want to delete context in the Playground, type !DeleteContext all=yes. To clear the playground, at the top of the page, click Clear playground.

To erase a playground and create a new one, run the /playground_create command.