Alert Investigation - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Cortex XSIAM
Creation date
Last date published
Administrator Guide

Investigate an alert to view more detailed information and take any action as required.

Alerts can be generated from the following:

  • Rules that you set up, such as BIOC, IOC, Correlation rules, etc.

  • Agents

  • Firewalls

  • Analytics

  • Integrations

Integrations enable you to ingest events, such as phishing emails, SIEM events, from third party security and management vendors, etc. You may need to configure the integrations to determine how events are classified as events. For example, for email integrations, you might want to classify items based on the subject field, but for SIEM events, you want to  classify by event type.

Investigate the alert to view more detailed information, such as the  playbook information and take any action as required.  When selecting Investigate, you see the following tabs:

  • Investigation

    The Investigation tab displays an overview of the information collected about the investigation, such as indicators, email information, URL screenshots, etc. When you run a playbook, the sections are automatically completed. If a field does not appear you need to ensure that that integration is correctly mapped to the field. For more information, see Classification and Mapping.

  • Work Plan

    The Work Plan is a visual representation of the running playbook that is assigned to the alert. Playbooks enable you to automate many of your security processes, including handling your investigations and managing your tickets. Work Plans enable you to monitor and manage a Playbook workflow, and add new tasks to tailor the playbook to a specific investigation.

    When running a playbook, select Follow to see in real-time. In the Work Plan, you can do the following:

    • View Playbook inputs and outputs.

    • View, create, and edit a playbook task for each required step. For more information about adding tasks to a Work Plan, see Add ad-hoc tasks to a Work Plan.

      Tasks are tasks for users to complete as part of an investigation, which are split according to the following:

      • Playbook tasks: View, assign an owner, complete, and set a due date for playbook tasks that require attention.

      • To Do Tasks: Create tasks for users to complete as part of an investigation.  A playbook can finish running and an alert can be closed even if the incident contains open To-Do tasks. Alternatively, you can create To Do tasks in the War Room.

      When you create a task, add a name, automation, and description. The name and description should be meaningful so that the task corresponds to the data that you are collecting. For each task you can do the following:

      • Designate tasks as complete either manually, or by running a script.

      • Assign an owner for a task.

      • Set a due date for the task.

      • Add comments and completed notes, as required.

    • Set up a playbook to run automatically or manually. For more information, seePlaybook development.

    • Rerun the playbook, zoom in and out, and export to a PNG format.

    The color coding and symbols in the Work Plan, help you to troubleshoot errors or respond to manual steps.

  • War Room

    Within Cortex XSIAM, real-time investigation is facilitated through the War Room, which is powered by ChatOps and helps analysts to do the following:

    • Run real-time security actions through the CLI, without switching consoles.

    • Run security playbooks, scripts, and commands.

    • Collaborate and execute remote actions across integrated products.

    • Capture incident context from different sources.

    • Document all actions in one source.

    • Converse with others for joint investigations.

    When you open the War Room, you can see a number of entries such as commands, notes, evidence, tasks, etc, in several formats such as Markdown, HTML and so on. When Markdown, HTML or geographical information is received the content is displayed in the relevant format. You can take the following actions:

    • Mark as note: Marks the information as note. Notes can help the analyst understand why certain action was taken, and assists future decisions.

    • View artifact in a new tab: Opens a new tab for the artifact.

    • Detach from task: Removes a task for the artifact.

    • Download artifact: Downloads an artifact according to the entry type, such .txt files for text, json for a JSON entry, etc.

    • Add tags: Add any relevant tags to use, which helps you find relevant information.

    • Run various commands in the CLI by typing ! for integration commands, running automations and built-in commands. Add @ to send a notification to administrators, teams, analysts, etc. For example, you can Run Indicator Extraction in the CLI.

    Filter Entities

    You can add any filter by selecting the checkbox. The following are the types of War Room entities by which you can filter:

    • Chats

    • Notes

    • Files

    • Alert History

    • Commands and playbook tasks

    • Tags


    • Cortex XSIAM does not index notes, chats, and pinned as evidence entries.

    • The incident War Room is usually used for communication capabilities, but unlike the Alert War Room, it does not include playbook specific entries. The incident War Room enables you to investigate an entire incident, not just an alert.