
feat: add cortex_xdr adapter for Palo Alto Cortex XDR REST API#274

Draft
maximelb wants to merge 1 commit into master from feature/cortex-xdr-adapter

Conversation

@maximelb
Contributor

Summary

  • Adds a new cortex_xdr adapter that pulls incidents and alerts from the Palo Alto Cortex XDR REST API.
  • Supports both standard and advanced API key authentication (the advanced mode hashes api_key + nonce + timestamp_ms with SHA-256 and adds x-xdr-nonce / x-xdr-timestamp headers, per Palo Alto's spec).
  • One fetch goroutine per data type, paginated via search_from / search_to (100/page), sorted ascending on creation_time so a per-stream high-water mark advances monotonically and avoids re-shipping. 429s retry once after 60s; 10 consecutive failures stop the adapter.

Configuration

| key | required | default | notes |
| --- | --- | --- | --- |
| api_key_id | yes | | numeric key id from the Cortex XDR console |
| api_key | yes | | the API key value |
| api_url | yes | | full base URL, e.g. https://api-<tenant>.xdr.us.paloaltonetworks.com |
| auth_type | no | advanced | advanced or standard |
| data_types | no | incidents,alerts | comma-separated subset of incidents, alerts |
| start_time | no | now-1h | RFC3339 |
| time_between_requests | no | 1m | duration between poll cycles |

Endpoints called:

  • POST /public_api/v1/incidents/get_incidents/
  • POST /public_api/v1/alerts/get_alerts_multi_events/

Test plan

  • go build ./containers/general succeeds locally (verified)
  • Configure with a real Cortex XDR tenant + advanced API key and confirm incidents/alerts flow into LimaCharlie
  • Confirm standard API key works
  • Confirm data_types=incidents and data_types=alerts each work in isolation
  • Confirm pagination by seeding >100 events in the time window
  • Confirm 429 backoff against a rate-limited tenant

🤖 Generated with Claude Code

Pulls incidents and alerts from the Cortex XDR public_api. Supports
both standard and advanced (nonce + sha256) API key authentication,
per-data-type fetch goroutines with creation_time high-water marking,
search_from/search_to paging, and 429 retry handling.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
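
The two mechanisms the PR summary describes, the advanced API key header computation and the paginated fetch with a creation_time high-water mark, as an added Go example. This is not the PR's code and not LimaCharlie's adapter: the `event`, `pageRequest` and `fakeTenant` types are constructed stand-ins for the adapter's request/response handling, the sample incidents are constructed, and the `x-xdr-auth-id` / `Authorization` header names follow Palo Alto's published advanced-key scheme rather than anything stated in the PR (the PR only names `x-xdr-nonce` and `x-xdr-timestamp`). The 429 retry and the 10-failure stop are left out.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"time"
)

// advancedAuthHeaders builds the headers for an "advanced" API key: Authorization is
// hex(SHA-256(api_key + nonce + timestamp_ms)); nonce and timestamp travel in clear so the
// server can recompute the hash, and the key itself never leaves the client.
// x-xdr-auth-id / Authorization names follow Palo Alto's published scheme (assumed, not from the PR).
func advancedAuthHeaders(apiKeyID, apiKey, nonce string, tsMillis int64) map[string]string {
	ts := fmt.Sprintf("%d", tsMillis)
	sum := sha256.Sum256([]byte(apiKey + nonce + ts))
	return map[string]string{
		"x-xdr-auth-id":   apiKeyID,
		"x-xdr-nonce":     nonce,
		"x-xdr-timestamp": ts,
		"Authorization":   hex.EncodeToString(sum[:]),
	}
}

const pageSize = 100 // the PR pages 100 results per request

// event and pageRequest are constructed stand-ins for the adapter's own types: an item with
// creation_time in epoch ms, and a request for creation_time >= SinceMillis, sorted
// ascending and windowed by search_from/search_to.
type event struct {
	ID           string
	CreationTime int64
}
type pageRequest struct {
	SinceMillis int64
	SearchFrom  int
	SearchTo    int
}
type fetchPage func(pageRequest) ([]event, error)

// drainSince pages through everything since hwm and returns the events not yet shipped plus
// the advanced mark. The filter value is frozen for the whole pass (moving it between pages
// shifts the offsets and skips rows), and because a gte filter re-returns the event sitting
// exactly at the mark, anything with creation_time <= hwm is dropped client-side.
func drainSince(hwm int64, fetch fetchPage) ([]event, int64, error) {
	since := hwm
	var out []event
	for from := 0; ; from += pageSize {
		page, err := fetch(pageRequest{SinceMillis: since, SearchFrom: from, SearchTo: from + pageSize})
		if err != nil {
			return out, hwm, err
		}
		for _, e := range page {
			if e.CreationTime <= hwm {
				continue
			}
			out = append(out, e)
			hwm = e.CreationTime // ascending sort: the mark only moves forward
		}
		if len(page) < pageSize {
			return out, hwm, nil // a short page means the window is exhausted
		}
	}
}

// fakeTenant is a constructed in-memory stand-in for the get_incidents / get_alerts
// endpoints: apply the time filter, sort ascending, return the requested window.
func fakeTenant(all []event) fetchPage {
	return func(r pageRequest) ([]event, error) {
		var hits []event
		for _, e := range all {
			if e.CreationTime >= r.SinceMillis {
				hits = append(hits, e)
			}
		}
		sort.Slice(hits, func(i, j int) bool { return hits[i].CreationTime < hits[j].CreationTime })
		hi := r.SearchTo
		if hi > len(hits) {
			hi = len(hits)
		}
		if r.SearchFrom >= hi {
			return nil, nil
		}
		return hits[r.SearchFrom:hi], nil
	}
}

func main() {
	nonce := make([]byte, 32) // 32 random bytes, hex-encoded to a 64-character nonce
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	fmt.Println(advancedAuthHeaders("12", "example-key", hex.EncodeToString(nonce), time.Now().UnixMilli()))
	start := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC).UnixMilli()
	var all []event // 250 constructed incidents one second apart: pages of 100, 100 and 50
	for i := 0; i < 250; i++ {
		all = append(all, event{ID: fmt.Sprintf("inc-%03d", i), CreationTime: start + int64(i)*1000})
	}
	shipped, hwm, _ := drainSince(start-1, fakeTenant(all)) // start-1 so an event at start_time itself ships
	fmt.Printf("shipped %d events, mark now %d\n", len(shipped), hwm)
}
```

Two review points the example makes concrete: the filter timestamp must be captured once per poll cycle, not re-read from the advancing mark between pages, or offsets drift and rows are silently skipped; and a millisecond-granularity mark with a gte filter means two events sharing the mark's millisecond, one already shipped and one arriving later, would lose the second. Tracking the ids seen at the mark closes that gap if the tenant can produce same-millisecond records.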