Build
security

using the most advanced cybersecurity data platform


What is Cortex?
An open, continuous security platform that integrates rich context from cloud, endpoint and network data, together with global threat intelligence, into every enterprise product so that those products work better together.
Why Develop on Cortex?
Increase your speed to market by avoiding the deployment of your own cloud, endpoint and network agents at your customers' sites. Expand your value proposition with threat intelligence in your product. Reach 60,000+ customers worldwide.
Cortex Use Cases
Learn about the use cases our customers are asking for, or create new scenarios that change how enterprises see your product.
Start Developing on Cortex

Quickly get started developing your own applications on Cortex.

Why Develop on Cortex?

Build on what’s happening in your cloud, endpoint & network.

Sample Queries and Responses

Rule Usage

Find firewall policy rule usage by apps, threats, sessions, URLs, and bytes. This is a practical starting point for a policy review: rules that never appear in the result produced no summarized traffic in the window (assuming logging is enabled on them) and are clean-up candidates, while high-volume inbound rules such as `allow-inbound-rdp` and `RDP 3389 Inbound` in the sample below deserve a look at how broadly they are scoped. Note that `nunique-of-apps` comes from `PAN_CARDINALITY(app,128)`, which appears to be an approximate distinct count (the response carries sketch `registers` and a `precision_threshold` of 128), so treat small differences between rules as noise.

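# Rule-usage query against the traffic summary table (panw.trsum), grouped by
# firewall policy rule and sorted by total bytes.
#
# The SQL-like text is assembled with " ".join() so that every fragment is
# separated by a space. The original relied on adjacent string literals, which
# Python concatenates with no separator: "GROUP BY" followed by "_rule" became
# "GROUP BY_rule", and "SUM(nthreats)" ran straight into "AS 'nthreats'".
query = {
    "query": " ".join([
        "SELECT SUM(bytes) AS 'bytes', SUM(sessions) AS 'sessions', SUM(nthreats)",
        "AS 'nthreats', SUM(ncontent) AS 'ncontent', SUM(nurlcount) AS 'nurlcount',",
        # PAN_CARDINALITY(app,128): distinct-app count per rule with a precision
        # threshold of 128 (surfaces as a 'pancardinality' aggregation in esQuery).
        "PAN_CARDINALITY(app,128) AS 'nunique-of-apps', _rule AS '1' FROM panw.trsum GROUP BY",
        # LIMIT 100 bounds the number of rule buckets; the trailing LIMIT 0 suppresses
        # raw hits so only the aggregations come back (esQuery shows size "100" / size 0).
        "_rule AS 'rule' WITH MISSING AS 'default' AND LIMIT 100 ORDER BY SUM(bytes) AS",
        "'sortby' DESC LIMIT 0",
    ]),
    # Time window as Unix epoch seconds; the sample values are exactly 6 days apart
    # (April 2019). Adjust these for your own tenant's data.
    "startTime": 1554390184,
    "endTime": 1554908584,
    # 0 presumably means "return without waiting"; callers should check queryStatus
    # and poll if the job has not reached JOB_FINISHED -- TODO confirm against the
    # Logging Service API reference.
    "maxWaitTime": 0,
}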
# Submit the query. `ls` is assumed to be an already-authenticated Logging
# Service client created earlier on this page (not shown) -- TODO confirm.
# The request body is passed by keyword (json=...); with maxWaitTime 0 the
# returned queryStatus may not yet be JOB_FINISHED, so poll before reading results.
q = ls.query(json=query)
[
    {
      "queryId": "ddc3e88b-6195-4622-94a5-c769401f743d",
      "sequenceNo": 0,
      "queryStatus": "JOB_FINISHED",
      "clientParameters": {},
      "result": {
        "esResult": {
          "took": 0,
          "hits": {
            "total": 0,
            "maxScore": 0,
            "hits": []
          },
          "from": 0,
          "size": 0,
          "completed": true,
          "response": {
            "resultType": "elasticsearch",
            "result": {
              "took": 7340,
              "timed_out": false,
              "_shards": {
                "total": 1,
                "successful": 1,
                "skipped": 0,
                "failed": 0
              },
              "hits": {
                "total": 5113300,
                "max_score": 0,
                "hits": []
              },
              "aggregations": {
                "1": {
                  "doc_count_error_upper_bound": 0,
                  "sum_other_doc_count": 0,
                  "buckets": [
                    {
                      "key": "taplog",
                      "doc_count": 5084386,
                      "sessions": {
                        "value": 3257777
                      },
                      "ncontent": {
                        "value": 0
                      },
                      "nurlcount": {
                        "value": 1681086
                      },
                      "bytes": {
                        "value": 212740773402
                      },
                      "nunique-of-apps": {
                        "value": 90,
                        "internal_value": {
                          "registers": "50000000A600010000040001841690008009803F8C0A800E8001800C801484058C0480088013800680039C0B840780008004800980118809840480008088028001840580018405840A8815841C800090028C1590128011800D808400880F800C842780008409940E880484048C028022840780840D80019412800281008008840388108402800080118000800490028403800C84802680078012800080038404841C8840488C08811D8400840480038000"
                        }
                      },
                      "nthreats": {
                        "value": 1770866
                      }
                    },
                    {
                      "key": "allow-inbound-rdp",
                      "doc_count": 10379,
                      "sessions": {
                        "value": 124265
                      },
                      "ncontent": {
                        "value": 0
                      },
                      "nurlcount": {
                        "value": 0
                      },
                      "bytes": {
                        "value": 477394867
                      },
                      "nunique-of-apps": {
                        "value": 2,
                        "internal_value": {
                          "registers": "5000000008000100000400415080406B804240"
                        }
                      },
                      "nthreats": {
                        "value": 0
                      }
                    },
                    {
                      "key": "allow-outgoing",
                      "doc_count": 7342,
                      "sessions": {
                        "value": 105808
                      },
                      "ncontent": {
                        "value": 598
                      },
                      "nurlcount": {
                        "value": 76447
                      },
                      "bytes": {
                        "value": 150421960
                      },
                      "nunique-of-apps": {
                        "value": 11,
                        "internal_value": {
                          "registers": "500000001C000100000400409780188C40738019841E84168440DC8035801B80268440B0904078"
                        }
                      },
                      "nthreats": {
                        "value": 128624
                      }
                    },
                    {
                      "key": "RDP 3389 Inbound",
                      "doc_count": 8094,
                      "sessions": {
                        "value": 41889
                      },
                      "ncontent": {
                        "value": 0
                      },
                      "nurlcount": {
                        "value": 0
                      },
                      "bytes": {
                        "value": 141296503
                      },
                      "nunique-of-apps": {
                        "value": 1,
                        "internal_value": {
                          "registers": "500000000500010000040041508042AD"
                        }
                      },
                      "nthreats": {
                        "value": 0
                      }
                    },
                    {
                      "key": "Allow all outbound",
                      "doc_count": 348,
                      "sessions": {
                        "value": 1936
                      },
                      "ncontent": {
                        "value": 0
                      },
                      "nurlcount": {
                        "value": 25
                      },
                      "bytes": {
                        "value": 14006234
                      },
                      "nunique-of-apps": {
                        "value": 4,
                        "internal_value": {
                          "registers": "500000000E00010000040040B780406D804051844130804152"
                        }
                      },
                      "nthreats": {
                        "value": 0
                      }
                    },
                    {
                      "key": "allow-dva-ssh-http",
                      "doc_count": 1597,
                      "sessions": {
                        "value": 1610
                      },
                      "ncontent": {
                        "value": 0
                      },
                      "nurlcount": {
                        "value": 944
                      },
                      "bytes": {
                        "value": 7531721
                      },
                      "nunique-of-apps": {
                        "value": 3,
                        "internal_value": {
                          "registers": "500000000A00010000040041BD80118040858041A6"
                        }
                      },
                      "nthreats": {
                        "value": 17
                      }
                    },
                    {
                      "key": "intrazone-default",
                      "doc_count": 930,
                      "sessions": {
                        "value": 3773
                      },
                      "ncontent": {
                        "value": 0
                      },
                      "nurlcount": {
                        "value": 64
                      },
                      "bytes": {
                        "value": 2997190
                      },
                      "nunique-of-apps": {
                        "value": 28,
                        "internal_value": {
                          "registers": "500000003E00010000040001840684298025802E80078021800690229C2080188816804053802D8C0080404088319023801CA40D800E801580228002840280404284405F884074840B"
                        }
                      },
                      "nthreats": {
                        "value": 0
                      }
                    },
                    {
                      "key": "SSH 221 inbound",
                      "doc_count": 53,
                      "sessions": {
                        "value": 541
                      },
                      "ncontent": {
                        "value": 0
                      },
                      "nurlcount": {
                        "value": 0
                      },
                      "bytes": {
                        "value": 2736104
                      },
                      "nunique-of-apps": {
                        "value": 1,
                        "internal_value": {
                          "registers": "500000000500010000040041D080422D"
                        }
                      },
                      "nthreats": {
                        "value": 0
                      }
                    },
                    {
                      "key": "Allow Inbound Web",
                      "doc_count": 150,
                      "sessions": {
                        "value": 76
                      },
                      "ncontent": {
                        "value": 0
                      },
                      "nurlcount": {
                        "value": 511
                      },
                      "bytes": {
                        "value": 1031478
                      },
                      "nunique-of-apps": {
                        "value": 2,
                        "internal_value": {
                          "registers": "500000000800010000040041BD8040988041A6"
                        }
                      },
                      "nthreats": {
                        "value": 514
                      }
                    },
                    {
                      "key": "Allow all ping",
                      "doc_count": 21,
                      "sessions": {
                        "value": 28
                      },
                      "ncontent": {
                        "value": 0
                      },
                      "nurlcount": {
                        "value": 0
                      },
                      "bytes": {
                        "value": 1734
                      },
                      "nunique-of-apps": {
                        "value": 1,
                        "internal_value": {
                          "registers": "500000000500010000040042329041CB"
                        }
                      },
                      "nthreats": {
                        "value": 0
                      }
                    }
                  ]
                },
                "sessions": {
                  "value": 3537703
                },
                "ncontent": {
                  "value": 598
                },
                "nurlcount": {
                  "value": 1759077
                },
                "bytes": {
                  "value": 213538191193
                },
                "nunique-of-apps": {
                  "value": 110,
                  "internal_value": {
                    "registers": "50000000CB000100000400018406840E90008009800C8025800A8C0A800E8001800380078001801184058C04800690008013800680039C0B84078000800480028005801188058002840480008088028001840584018405840380058808840B84098411800090028C1590108C008011800D808400880F800A88008427800084049003940E880484048C02801CA40484078084078004800194128002810080088403880C80028402800080118000800490028403800C84800D841780078012800080038404841C8807903F8C08811D8400840480038000"
                  }
                },
                "nthreats": {
                  "value": 1900021
                }
              }
            },
            "progressInfo": {
              "byTime": {
                "actualStart": 1554908605621,
                "timeRange": 0,
                "totalCompleted": 0,
                "totalRealTime": 0,
                "totalRunTime": 0,
                "lastInterval": 0,
                "lastRealTime": 0,
                "lastRunTime": 0
              }
            }
          },
          "timed_out": false
        },
        "esQuery": {
          "table": [
            "panw.trsum"
          ],
          "query": {
            "aggregations": {
              "1": {
                "terms": {
                  "field": "rule",
                  "order": {
                    "bytes": "desc"
                  },
                  "missing": "default",
                  "size": "100"
                },
                "aggregations": {
                  "bytes": {
                    "sum": {
                      "field": "bytes"
                    }
                  },
                  "sessions": {
                    "sum": {
                      "field": "sessions"
                    }
                  },
                  "nthreats": {
                    "sum": {
                      "field": "nthreats"
                    }
                  },
                  "ncontent": {
                    "sum": {
                      "field": "ncontent"
                    }
                  },
                  "nurlcount": {
                    "sum": {
                      "field": "nurlcount"
                    }
                  },
                  "nunique-of-apps": {
                    "pancardinality": {
                      "field": "app",
                      "precision_threshold": 128
                    }
                  }
                }
              },
              "bytes": {
                "sum": {
                  "field": "bytes"
                }
              },
              "sessions": {
                "sum": {
                  "field": "sessions"
                }
              },
              "nthreats": {
                "sum": {
                  "field": "nthreats"
                }
              },
              "ncontent": {
                "sum": {
                  "field": "ncontent"
                }
              },
              "nurlcount": {
                "sum": {
                  "field": "nurlcount"
                }
              },
              "nunique-of-apps": {
                "pancardinality": {
                  "field": "app",
                  "precision_threshold": 128
                }
              }
            },
            "_source": [
              "rule"
            ],
            "size": 0
          },
          "selections": [
            {
              "column": "bytes",
              "alias": "bytes",
              "function": "SUM",
              "params": [
                "bytes"
              ],
              "isESFunction": true
            },
            {
              "column": "sessions",
              "alias": "sessions",
              "function": "SUM",
              "params": [
                "sessions"
              ],
              "isESFunction": true
            },
            {
              "column": "nthreats",
              "alias": "nthreats",
              "function": "SUM",
              "params": [
                "nthreats"
              ],
              "isESFunction": true
            },
            {
              "column": "ncontent",
              "alias": "ncontent",
              "function": "SUM",
              "params": [
                "ncontent"
              ],
              "isESFunction": true
            },
            {
              "column": "nurlcount",
              "alias": "nurlcount",
              "function": "SUM",
              "params": [
                "nurlcount"
              ],
              "isESFunction": true
            },
            {
              "column": "app",
              "alias": "nunique-of-apps",
              "function": "pancardinality",
              "params": [
                "app",
                128
              ],
              "isESFunction": true
            },
            {
              "column": "rule",
              "alias": "1"
            }
          ],
          "params": {}
        }
      }
    }
  ]

Destination Regions

Sort unique destination regions by bytes transferred. This query puts no LIMIT on the GROUP BY, so the response below contains only the top 10 regions: `sum_other_doc_count` (1,838,050 in the sample) is the number of summarized records that fell outside those buckets, and `doc_count_error_upper_bound: -1` is the Elasticsearch-style signal that bucket counts cannot be bounded when ordering by a sub-aggregation. Add an explicit LIMIT if you need a complete or exact per-region breakdown, and note that a few regions with small `doc_count` but large `bytes` (e.g. `AE`, `LA`) are exactly the kind of outlier worth investigating.

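# Destination-region query: total bytes per destination location (_dstloc) in
# panw.trsum, largest first.
#
# Fragments are joined with " ".join() so each is space-separated. The original
# used adjacent string literals, which Python concatenates with no separator,
# yielding "GROUP BY_dstloc" and "ORDERBY" in the submitted query text.
query = {
    "query": " ".join([
        "SELECT SUM(bytes) AS 'bytes' FROM panw.trsum GROUP BY",
        # No LIMIT on the GROUP BY: the service returns only its default number
        # of buckets (10 in the sample response). Add a LIMIT for a fuller list.
        "_dstloc AS 'dstloc' WITH MISSING AS 'default' ORDER",
        # Trailing LIMIT 0 suppresses raw hits so only aggregations are returned.
        "BY SUM(bytes) AS 'sortby' DESC LIMIT 0",
    ]),
    # Time window as Unix epoch seconds; the sample values are exactly 6 days apart.
    "startTime": 1554404895,
    "endTime": 1554923295,
    # 0 presumably means "return without waiting"; check queryStatus and poll
    # if the job is not JOB_FINISHED -- TODO confirm against the API reference.
    "maxWaitTime": 0,
}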

# Submit the query. Here the body is passed positionally, whereas the first
# example passes it as json=...; both presumably reach the same parameter, but
# using the keyword form consistently is clearer -- TODO confirm the client's
# query() signature. `ls` is the client created earlier on this page (not shown).
q = ls.query(query)
[
    {
      "queryId": "6cdd2f0f-3f3e-4af7-aca3-1302e90a527f",
      "sequenceNo": 0,
      "queryStatus": "JOB_FINISHED",
      "clientParameters": {},
      "result": {
        "esResult": {
          "took": 0,
          "hits": {
            "total": 0,
            "maxScore": 0,
            "hits": []
          },
          "from": 0,
          "size": 0,
          "completed": true,
          "response": {
            "resultType": "elasticsearch",
            "result": {
              "took": 863,
              "timed_out": false,
              "_shards": {
                "total": 1,
                "successful": 1,
                "skipped": 0,
                "failed": 0
              },
              "hits": {
                "total": 4704330,
                "max_score": 0,
                "hits": []
              },
              "aggregations": {
                "dstloc": {
                  "doc_count_error_upper_bound": -1,
                  "sum_other_doc_count": 1838050,
                  "buckets": [
                    {
                      "key": "US",
                      "doc_count": 1963591,
                      "bytes": {
                        "value": 55908580585
                      }
                    },
                    {
                      "key": "CN",
                      "doc_count": 255667,
                      "bytes": {
                        "value": 24053263831
                      }
                    },
                    {
                      "key": "AE",
                      "doc_count": 8624,
                      "bytes": {
                        "value": 19112613351
                      }
                    },
                    {
                      "key": "CA",
                      "doc_count": 148916,
                      "bytes": {
                        "value": 14749243304
                      }
                    },
                    {
                      "key": "BG",
                      "doc_count": 27753,
                      "bytes": {
                        "value": 10723975397
                      }
                    },
                    {
                      "key": "LA",
                      "doc_count": 7009,
                      "bytes": {
                        "value": 7272086218
                      }
                    },
                    {
                      "key": "TW",
                      "doc_count": 61809,
                      "bytes": {
                        "value": 5780123131
                      }
                    },
                    {
                      "key": "BR",
                      "doc_count": 70900,
                      "bytes": {
                        "value": 5258387401
                      }
                    },
                    {
                      "key": "GB",
                      "doc_count": 198000,
                      "bytes": {
                        "value": 4230341094
                      }
                    },
                    {
                      "key": "JP",
                      "doc_count": 124011,
                      "bytes": {
                        "value": 3192344602
                      }
                    }
                  ]
                },
                "bytes": {
                  "value": 196224368306
                }
              }
            },
            "progressInfo": {
              "byTime": {
                "actualStart": 1554923298892,
                "timeRange": 0,
                "totalCompleted": 0,
                "totalRealTime": 0,
                "totalRunTime": 0,
                "lastInterval": 0,
                "lastRealTime": 0,
                "lastRunTime": 0
              }
            }
          },
          "timed_out": false
        },
        "esQuery": {
          "table": [
            "panw.trsum"
          ],
          "query": {
            "aggregations": {
              "dstloc": {
                "terms": {
                  "field": "dstloc",
                  "order": {
                    "bytes": "desc"
                  },
                  "missing": "default"
                },
                "aggregations": {
                  "bytes": {
                    "sum": {
                      "field": "bytes"
                    }
                  }
                }
              },
              "bytes": {
                "sum": {
                  "field": "bytes"
                }
              }
            },
            "size": 0
          },
          "selections": [
            {
              "column": "bytes",
              "alias": "bytes",
              "function": "SUM",
              "params": [
                "bytes"
              ],
              "isESFunction": true
            }
          ],
          "params": {}
        }
      }
    }
  ]

