Run integration commands in the CLI.
The command line interface (CLI) enables you to run system commands, integration commands, scripts, and more. The CLI auto-complete feature helps you find relevant commands, scripts, and arguments.
Cortex XSOAR uses the following commands:
System commands: These commands are not specific to an integration. System commands are entered in the CLI using "/". For example, /clear_playground.
External commands: These commands are specific to an integration and perform actions relating to a specific integration, using "!". For example, !xdr-get-alerts.
Go to → + → , under each integration, you can view a list of commands.
Note
Integration commands are only available when the integration instance is enabled. Some commands depend on a successful connection between Cortex XSOAR and third-party integrations.
You can run the CLI commands on any page where the CLI appears or in an incident. If run on a page not in an incident, the results are returned to the Playground. The Playground is a non-production environment where you can safely develop and test automation scripts, APIs, commands, and more. It is an investigation area that is not connected to a live (active) investigation.
For the following example, set up the Palo Alto Networks Cortex XDR - Investigation and Response integration instance. To retrieve Cortex XDR incidents from the last year, sorted by creation time in ascending order and limited to 5 incidents, type the following in the CLI:
!xdr-get-incidents limit=5 since_creation_time="1 year" sort_by_creation_time=asc
In the Playground, you can see the list of incidents in a markdown table.
To see the incidents in JSON format, select incident_id. To get more information about incident_id:1, copy the data by clicking the incident_id in the context data.
To retrieve additional data from incident_id:
!xdr-get-incident-extra-data incident_id=${value copied from context data}
For example:
!xdr-get-incident-extra-data incident_id=${PaloAltoNetworksXDR.Incident.[0].incident.id}
You can then see additional information.
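As an added illustration (not Cortex XSOAR code and not its actual parser), the following Python models how a CLI line like the ones above breaks down: the prefix selects a system or external command, arguments are name=value pairs, and ${...} is replaced with the value found at that path in the context data. The function names and the sample context data are constructed for this example, and only the name=value argument form is handled.

```python
import re
import shlex

# Constructed context data, shaped to match the path used on this page.
SAMPLE_CONTEXT = {
    "PaloAltoNetworksXDR": {
        "Incident": [
            {"incident": {"id": "1"}},
            {"incident": {"id": "2"}},
        ]
    }
}


def resolve_path(context, path):
    """Walk a dotted context path; a '[n]' segment indexes into a list."""
    node = context
    for segment in path.split("."):
        index = re.fullmatch(r"\[(\d+)\]", segment)
        node = node[int(index.group(1))] if index else node[segment]
    return node


def parse_cli(line, context):
    """Split a CLI line into (kind, command, args), resolving ${...} values."""
    kinds = {"/": "system", "!": "external"}
    line = line.strip()
    if line[:1] not in kinds:
        raise ValueError("command must start with '/' or '!'")
    # shlex keeps a quoted value such as "1 year" together as one token.
    command, *tokens = shlex.split(line[1:])
    args = {}
    for token in tokens:
        name, sep, value = token.partition("=")
        if not sep or not name:
            raise ValueError(f"expected name=value, got {token!r}")
        # Substitute each ${path} with the value stored in the context data.
        args[name] = re.sub(
            r"\$\{([^}]+)\}",
            lambda m: str(resolve_path(context, m.group(1))),
            value,
        )
    return kinds[line[0]], command, args
```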
Tip
If you want to delete context in the Playground, type !DeleteContext all=yes. To clear the playground, at the top of the page, click Clear playground.
To erase a playground and create a new one, run the /playground_create command.