API Reference

CortexSim

Detection simulation engine for Palo Alto Networks Cortex

Scenarios Planes Detections MITRE techniques Tactics

HTTP API surface — every endpoint SimCore exposes.

Conventions

Base URL: http://localhost:8888
Content type: application/json on every request and response
Errors: {"error": "...", "code": "...", "detail": "..."} — never plain-text
Auth: not required in development; X-API-Key header in production builds

Browse the live OpenAPI docs at /docs.

Scenarios

Method	Path	Purpose
`GET`	`/api/scenarios`	List all loaded scenarios. Filter by `?plane=EDR&status=active`.
`GET`	`/api/scenarios/{id}`	Single scenario, full body.
`POST`	`/api/scenarios/reload`	Re-read `scenarios/` from disk. Validates Pydantic.

Runs

Method	Path	Purpose
`POST`	`/api/runs`	Create a run. Body: `{scenario_id, mode: "pull"\|"push", agent_id?}`
`GET`	`/api/runs`	List runs. Filter by `?status=&scenario_id=&since=`.
`GET`	`/api/runs/{id}`	Single run + nested results.
`GET`	`/api/runs/{id}/report`	POV report. `?format=markdown` (default), `navigator`, `csv`.
`GET`	`/api/runs/{id}/bundle`	Download push bundle. Only valid for `mode: push`.

Results

Method	Path	Purpose
`GET`	`/api/results/{id}`	Single Result row.
`PUT`	`/api/results/{id}/validate`	Mark as observed. Body: `{observed_at: ISO8601}`. Computes MTTD.
`PUT`	`/api/results/{id}/reject`	Mark as miss (explicit, with reason).

MITRE coverage

Method	Path	Purpose
`GET`	`/api/mitre/coverage`	Aggregate technique coverage across scenarios. `?days=30&format=navigator\|json`.
`GET`	`/api/mitre/heatmap`	UI heatmap data (tactic × technique → scenario count).

Agents (pull mode)

Method	Path	Purpose
`POST`	`/api/agents/register`	Agent registers on boot.
`GET`	`/api/agent/tasks?agent_id=X`	Agent polls for tasks. Returns a task envelope or `204`.
`POST`	`/api/agent/results`	Agent reports step output.

IaC generator

Method	Path	Purpose
`GET`	`/api/infra/modules`	List available IaC modules. Filter by `?provider=aws`.
`POST`	`/api/infra/generate`	Generate a Terraform bundle. Body: `{provider, modules: [], parameters: {}}`.
`GET`	`/api/infra/bundles`	List previously generated bundles.
`GET`	`/api/infra/bundles/{id}/download`	Download bundle as `.tar.gz`.

EAL simulator

Method	Path	Purpose
`POST`	`/api/eal/launch`	Launch an EAL campaign (LLM egress / browser / agentic / network).
`GET`	`/api/eal/campaigns/{id}`	Campaign status + step results.
`GET`	`/api/eal/plugins`	List available EAL plugins.

Phase 9 will add /api/xsiam/* for tenant integration. See XSIAM-Integration.

_{CortexSim — Detection simulation engine for Palo Alto Networks Cortex · regenerated from scenarios/}

CortexSim

Detection planes

Plane-EDR — Cortex XDR Agent
Plane-CDR — Cortex Cloud
Plane-NDR — Network Analytics
Plane-AI_ACCESS — AI Access Security
Plane-AIRS — AI Runtime Security
Plane-BROWSER — Prisma Browser
Plane-KOI — Agentic Endpoint
Plane-ANALYTICS — Multi-plane Stitching

Coverage

Roadmap

XSIAM-Integration (Phase 9)

API Reference

CortexSim

Conventions

Scenarios

Runs

Results

MITRE coverage

Agents (pull mode)

IaC generator

EAL simulator

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

CortexSim

Detection planes

Coverage

Roadmap

Clone this wiki locally