Palo Alto Networks · Capability

Palo Alto Networks Incident Response

Unified incident response capability for SOC analysts — investigate incidents, triage alerts, manage endpoints, execute response playbooks, and assess attack surface exposure across Cortex XDR, XSIAM, XSOAR, and Xpanse.

Tags: Palo Alto Networks, Incident Response, SOC, Security Operations, Detection And Response

What You Can Do

GET /v1/incidents
List incidents — List XDR incidents.

POST /v1/incidents
Create incident — Create an incident in XSOAR.

POST /v1/incidents/search
Search incidents — Search XDR incidents with filters.

GET /v1/incidents/{incident_id}
Get incident details — Get incident details from XDR.

PUT /v1/incidents/{incident_id}
Update incident — Update an XDR incident.

POST /v1/xsiam-incidents/search
Search xsiam incidents — Search XSIAM incidents with filters.

POST /v1/alerts/search
Search xdr alerts — Search XDR alerts with filters.

POST /v1/xsiam-alerts/search
Search xsiam alerts — Search XSIAM alerts with filters.

POST /v1/endpoints/search
Search endpoints — List XDR endpoints with filters.

POST /v1/endpoints/isolate
Isolate endpoints — Isolate endpoints.

POST /v1/endpoints/unisolate
Unisolate endpoints — Unisolate endpoints.

POST /v1/endpoints/scan
Scan endpoints — Initiate a scan on endpoints.

POST /v1/xsiam-endpoints/search
Search xsiam endpoints — List XSIAM endpoints with filters.

POST /v1/scripts/run
Run script — Run a script on endpoints.

POST /v1/scripts/results
Get script results — Get script execution results.

POST /v1/queries
Start xql query — Start an XQL query on XDR.

POST /v1/queries/results
Get xql query results — Get XQL query results from XDR.

POST /v1/xsiam-queries
Start xsiam xql query — Start an XQL query on XSIAM.

POST /v1/xsiam-queries/results
Get xsiam xql query results — Get XQL query results from XSIAM.

POST /v1/attack-surface/assets/search
Search exposed assets — Get internet-exposed assets from Xpanse.

POST /v1/attack-surface/assets/{asset_id}
Get asset details — Get internet exposure details for specific assets from Xpanse.

POST /v1/attack-surface/incidents/search
Search xpanse incidents — Search Xpanse incidents with filters.

PUT /v1/attack-surface/incidents/{incident_id}
Update xpanse incident — Update an Xpanse incident.

POST /v1/attack-surface/rules/search
Search attack surface rules — Get attack surface rules from Xpanse.

PUT /v1/attack-surface/rules/{rule_id}
Update attack surface rule — Update an attack surface rule in Xpanse.

POST /v1/attack-surface/services/search
Search services — Get exposed services from Xpanse.

POST /v1/attack-surface/ip-ranges/search
Search ip ranges — Get owned IP ranges from Xpanse.

POST /v1/investigations
Create investigation — Create a new investigation in XSOAR.

GET /v1/investigations/{investigation_id}
Get investigation — Retrieve a specific investigation by ID from XSOAR.

POST /v1/investigations/entries
Add entry — Add an entry to an investigation in XSOAR.

GET /v1/playbooks
List playbooks — List available playbooks in XSOAR.

POST /v1/playbooks/run
Run playbook — Run a playbook on an investigation in XSOAR.

GET /v1/integrations
Search integrations — Search for available integrations in XSOAR.

POST /v1/integrations/instances/search
Search integration instances — Search for integration instances in XSOAR.

POST /v1/xsiam-assets/search
Search xsiam assets — List XSIAM assets with filters.

POST /v1/xsiam-datasources
Configure datasource — Configure a datasource for XSIAM ingestion.

POST /v1/audit-logs/xdr
Get xdr audit logs — Get audit management logs from XDR.

POST /v1/audit-logs/xpanse
Get xpanse audit logs — Get audit management logs from Xpanse.

POST /v1/audit-logs/xsiam
Get xsiam management logs — Get management logs from XSIAM.

MCP Tools

xdr-list-incidents (read-only, idempotent)
List XDR incidents with optional filters, pagination, and sorting.

xdr-get-incident-details (read-only, idempotent)
Get extra data for a specific XDR incident.

xdr-update-incident (idempotent)
Update an XDR incident.

xsiam-list-incidents (read-only, idempotent)
List XSIAM incidents with optional filters and pagination.

xsoar-create-incident
Create a new incident in Cortex XSOAR.

xsoar-search-incidents (read-only, idempotent)
Search incidents with filters in Cortex XSOAR.

xsoar-get-incident (read-only, idempotent)
Retrieve a specific incident by ID from Cortex XSOAR.

xsoar-update-incident
Update an existing incident in Cortex XSOAR.

xdr-list-alerts (read-only, idempotent)
List XDR alerts with optional filters, pagination, and sorting.

xsiam-list-alerts (read-only, idempotent)
List XSIAM alerts with optional filters and pagination.

xdr-list-endpoints (read-only, idempotent)
List XDR endpoints with optional filters, pagination, and sorting.

xdr-isolate-endpoints
Isolate endpoints from the network via XDR.

xdr-unisolate-endpoints
Unisolate endpoints and restore network connectivity via XDR.

xdr-scan-endpoints
Initiate a scan on endpoints via XDR.

xsiam-list-endpoints (read-only, idempotent)
List XSIAM endpoints with optional filters.

xdr-run-script
Run a script on endpoints via XDR.

xdr-get-script-results (read-only, idempotent)
Get script execution results from XDR.

xdr-start-xql-query
Start an XQL query on XDR.

xdr-get-xql-results (read-only, idempotent)
Get XQL query results from XDR.

xsiam-start-xql-query
Start an XQL query on XSIAM.

xsiam-get-xql-results (read-only, idempotent)
Get XQL query results from XSIAM.

xpanse-list-exposed-assets (read-only, idempotent)
Get internet-exposed assets from Xpanse.

xpanse-get-asset-details (read-only, idempotent)
Get internet exposure details for specific assets from Xpanse.

xpanse-list-incidents (read-only, idempotent)
Get Xpanse incidents.

xpanse-update-incident (idempotent)
Update an Xpanse incident.

xpanse-list-attack-surface-rules (read-only, idempotent)
Get attack surface rules from Xpanse.

xpanse-update-attack-surface-rule (idempotent)
Update an attack surface rule in Xpanse.

xpanse-list-services (read-only, idempotent)
Get exposed services from Xpanse.

xpanse-list-ip-ranges (read-only, idempotent)
Get owned IP ranges from Xpanse.

xsoar-create-investigation
Create a new investigation in Cortex XSOAR.

xsoar-get-investigation (read-only, idempotent)
Retrieve a specific investigation by ID from Cortex XSOAR.

xsoar-add-entry
Add an entry to an investigation in Cortex XSOAR.

xsoar-list-playbooks (read-only, idempotent)
List available playbooks in Cortex XSOAR.

xsoar-run-playbook
Run a playbook on an investigation in Cortex XSOAR.

xsoar-search-integrations (read-only, idempotent)
Search for available integrations in Cortex XSOAR.

xsoar-search-integration-instances (read-only, idempotent)
Search for integration instances in Cortex XSOAR.

xsiam-list-assets (read-only, idempotent)
List XSIAM assets with optional filters.

xsiam-configure-datasource
Configure a datasource for XSIAM ingestion.

xdr-get-audit-logs (read-only, idempotent)
Get audit management logs from XDR.

xpanse-get-audit-logs (read-only, idempotent)
Get audit management logs from Xpanse.

xsiam-get-management-logs (read-only, idempotent)
Get management logs from XSIAM.

Who This Is For

SOC Analyst
Investigates security incidents, triages alerts, and coordinates response actions.

Incident Responder
Executes containment, eradication, and recovery actions during security incidents.

Threat Hunter
Proactively searches for threats and IOCs across telemetry data.

APIs Used

cortex-xdr, cortex-xsiam, cortex-xsoar, cortex-xpanse