Use the Interface - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Product
Cortex XSIAM
Creation date
2024-07-16
Last date published
2024-10-15
Category
Administrator Guide
Abstract

Learn more about monitoring and managing your network security in the management console interface.

Cortex XSIAM provides an easy-to-use interface that you can access from the hub. By default, Cortex XSIAM displays the Predefined Dashboards when you log in. If desired, you can change the default dashboard or Build a Custom Dashboard that displays when you log in.

Note

Each SAML login session is valid for 8 hours.

Depending on your license and assigned role, you can explore the following areas in the app.

Interface

Description

Dashboard & Reports

From the Dashboard & Reports menu, you can view and manage your dashboards and reports from the dashboard and incidents table, and view alert exclusions.

  • Dashboard—Provides dashboards that you can use to view high-level statistics about your agents and incidents.

  • Reports—View all the reports that Cortex XSIAM administrators have run.

  • Customize—Create and manage a new dashboard and reports.

    • Dashboards Manager—Add new dashboards with customized widgets to surface the statistics that matter to you most.

    • Reports Templates—Build reports using pre-defined templates, or customize a report. Reports can be generated on-demand scheduled.

    • Widget Library—Search, view, edit, and create widgets based on predefined widgets and user-created custom widgets.

Incident Response

From the Incident Response menu, you can view, manage, investigate and take action on all incidents.

  • Incidents—Investigate and manage your incidents.

  • Investigation

    • Query Builder—Build complex queries to investigate, identify connections, and expose the root cause of alerts from your data sources.

    • Query Center—View and manage the results of all simple and complex queries created from the Query Builder.

    • Scheduled Queries—View and manage all scheduled and reoccurring queries created from the Query Builder.

    • Forensics—Streamline your incident response, data collection, threat hunting, and analyses of your endpoint data to find the source and scope of an attack.

    • Host Inventory

  • Response

    • Action Center—Provides a central location from which you can track the progress of all investigation, response, and maintenance actions performed on your endpoints.

    • Live Terminal—Initiate a remote connection to an endpoint enabling you to remotely manage, investigate, and perform response actions on the endpoint.

    • EDL—Add malicious domains and IP addresses to an external dynamic list enforceable on your Palo Alto Networks firewall.

  • Incident Configuration—Create a starring configuration that automatically categorizes and starts incidents when a related alert contains specific attributes that you define as important.

Detection

From the Detection menu, you can define specific rules for which you want Cortex XSIAM to raise alerts.

  • Detection Rules

    • IOC—Identify specific hashes, IP addresses, domains, file names, and paths that indicate a threat.

    • BIOC—Identify a specific network, process, file, or registry activity that indicates a threat.

    • Correlations—Analyze correlations of multi-events from multiple sources.

    • Exceptions—Define exception criteria for an IOC or BIOC rule.

Assets

From the Assets menu, you can define your network parameters and view a list of all the assets in your network.

  • Network Configuration—Define your internal IP address ranges and domain names to identify and track your network assets.

  • Vulnerability Assessment—Identify and quantify the security vulnerabilities on an endpoint.

  • Asset Scores—Investigate user and host activities, and detect compromised accounts and malicious devices using the Cortex XSIAM calculated User and Host Scores.

  • Asset Inventory—Provides a central location from which you can view and investigate information relating to assets in your network.

  • Cloud Inventory—Provides a unified, normalized asset inventory for cloud assets in Google Cloud Platform, Microsoft Azure, and Amazon Web Services.

Endpoints

From the Endpoints menu, you can manage your registered endpoints and configure the policy.

  • All Endpoints—View and manage endpoints that have registered with your Cortex XSIAM instance.

  • Endpoint Groups—Create endpoint groups to which you can perform actions and assign the policy.

  • Agent Installations—Create packages of the Cortex XSIAM agent software for deployment to your endpoints.

  • Policy Management—Configure your endpoint security profiles and assign them to your endpoints.

  • Host Firewall—Control communications on your endpoints by applying sets of rules that allow or block internal and external traffic.

  • Device Control Violations—Monitor all instances where end users attempted to connect restricted USB-connected devices and Cortex XDR blocked them on the endpoint.

  • Disk Encryption Visibility—View and manage endpoints that were encrypted using BitLocker.

Managed Services

The Managed Threat Hunting service augments your security by providing 24/7, year-round monitoring by Palo Alto Networks threat researchers and Unit 42 experts.

Quick Launcher

Open an in-context shortcut that you can use to search for information, perform common investigation tasks, or initiate response actions from any place in the Cortex XSIAM console.

Settings

From the Settings menu, you can view information about your Cortex XSIAM license, review logs of actions initiated by Cortex XSIAM analysts, and configure Cortex XSIAM settings, integrations with other apps and services, and access management.

Tenant Navigator

View and switch to tenants to which you have access divided per CSP account. You can also navigate directly to the Cortex Gateway.

Notifications

View Cortex XSIAM notifications.

User

From the User, see who is logged into Cortex XSIAM . Right-click and select:

  • About to view additional version and tenant ID information.

  • What’s New to view selected new features available for your license type.

  • Log Out to terminate the connection with your Cortex XSIAM Management Console.