Open joeslazaro-cdw opened 2 years ago
I was just getting ready to do the same thing. Have you seen the Cortex XDR Python Client?
@SecGIA I did see it after I had already figured out how to use the few API endpoints that I needed for scanning and isolating endpoints. Also, the cortex-xdr-client doesn't currently support advanced security API keys, which require "x-xdr-timestamp" and "x-xdr-nonce" headers to be generated dynamically for each request.
The ideal thing to do would probably be to submit a PR to the cortex-xdr-client project to add support for advanced API keys, but I was in a hurry to get something working. The code should be mostly done except for a bug when running unisolate, but I have put this aside for now.
You can see my latest code here: https://github.com/joeslazaro-cdw/Cortex-Analyzers/tree/jl/pa-cortex-xdr-responder/responders/PaloAltoCortexXDR
If you need more of the functionality from the Python lib than I would be using, then you're welcome to build your own version of the responder and submit it on this issue.
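The comment above notes that advanced API keys need `x-xdr-timestamp` and `x-xdr-nonce` headers regenerated for every request. As an added example (not code from the linked responder or from cortex-xdr-client), here is the per-request header construction following the scheme Palo Alto documents for advanced keys: a random 64-character nonce, a UTC epoch-millisecond timestamp, the key ID in `x-xdr-auth-id`, and an `Authorization` value that is the SHA-256 hex digest of `api_key + nonce + timestamp`, so the secret itself never leaves the client. The `check_advanced_headers` function is an illustrative verifier written for this example to show what the nonce and timestamp buy (tamper detection and a replay window); it is not Cortex's server-side logic, and its five-minute skew window and nonce cache are assumptions. The key ID and key value are constructed.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Set


def make_advanced_headers(api_key_id: int, api_key: str,
                          nonce: Optional[str] = None,
                          timestamp_ms: Optional[int] = None) -> Dict[str, str]:
    """Build the headers for ONE request with a Cortex XDR advanced API key.

    Scheme as documented by Palo Alto: sha256(api_key + nonce + timestamp)
    goes in Authorization; nonce and timestamp travel alongside it so the
    server can recompute the digest. nonce/timestamp_ms are normally left
    None and generated fresh per call; they are parameters only so the
    result can be checked deterministically.
    """
    if nonce is None:
        nonce = secrets.token_hex(32)           # 32 random bytes -> 64 hex chars
    if timestamp_ms is None:
        timestamp_ms = int(time.time() * 1000)  # UTC epoch milliseconds
    auth_key = f"{api_key}{nonce}{timestamp_ms}"
    api_key_hash = hashlib.sha256(auth_key.encode("utf-8")).hexdigest()
    return {
        "x-xdr-timestamp": str(timestamp_ms),
        "x-xdr-nonce": nonce,
        "x-xdr-auth-id": str(api_key_id),
        "Authorization": api_key_hash,
        "Content-Type": "application/json",
    }


def check_advanced_headers(api_key: str, headers: Dict[str, str],
                           now_ms: Optional[int] = None,
                           max_skew_ms: int = 5 * 60 * 1000,
                           seen_nonces: Optional[Set[str]] = None) -> bool:
    """Illustrative verifier (assumption: not Cortex's real server logic).

    Recomputes the digest from the presented nonce/timestamp and the stored
    key, then rejects requests outside the skew window or reusing a nonce.
    """
    try:
        ts = int(headers["x-xdr-timestamp"])
        nonce = headers["x-xdr-nonce"]
        presented = headers["Authorization"]
    except (KeyError, ValueError):
        return False
    if len(nonce) != 64:
        return False
    # Digest first: a bad signature must not be able to burn nonces.
    expected = hashlib.sha256(f"{api_key}{nonce}{ts}".encode("utf-8")).hexdigest()
    if not hmac.compare_digest(expected, presented):
        return False
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    if abs(now_ms - ts) > max_skew_ms:          # stale or future-dated request
        return False
    if seen_nonces is not None:
        if nonce in seen_nonces:                 # replay of a captured request
            return False
        seen_nonces.add(nonce)
    return True


if __name__ == "__main__":
    # Constructed credentials for demonstration only.
    demo = make_advanced_headers(api_key_id=7, api_key="k3y-constructed")
    for name, value in demo.items():
        print(f"{name}: {value}")
```

These headers are attached to every POST against the tenant's API FQDN (for example the endpoint isolate/unisolate/scan calls under `/public_api/v1/`), and because the timestamp changes the digest has to be rebuilt for each call rather than cached. A standard API key, by contrast, is sent verbatim in `Authorization`, which is why a leaked request log exposes a standard key but only a one-shot digest of an advanced one.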
Feature description
Add a responder to isolate, unisolate, and scan endpoints by their endpoint name or IP address.

Describe the solution you'd like
I am writing the responder and will submit a pull request.

Additional context
Related API documents