Investigate an alert to view more detailed information and take any action as required.
You can investigate an alert to gain more information about the cause of the alert, and take any actions required. Hover over an alert and select Investigate to open the alert investigation panel. On the panel you can see the following tabs:
Displays the main alert information and lists outstanding tasks in the Work Plan.
Displays an overview of the information collected about the investigation, such as indicators, email information, URL screenshots, etc. When you run a playbook, the sections are automatically completed. If a field does not appear, ensure that the integration is correctly mapped to that field. For more information, see Classification and mapping.
Provides links to take actions on the alert.
Within Cortex XSIAM, real-time investigation is facilitated through the War Room, which is powered by ChatOps. In the War Room you can take the following actions:
Run real-time security actions through the CLI, without switching consoles.
Run security playbooks, scripts, and commands.
Collaborate and execute remote actions across integrated products.
Capture incident context from different sources.
Document all actions in one source.
Converse with others for joint investigations.
The War Room logs entries such as commands, notes, evidence, and tasks. When Markdown, HTML, or geographical information is received, the content is displayed in the relevant format. Click the more options icon next to an entry to see the available actions.
You can also run commands in the CLI: type ! to run integration commands, automations, and built-in commands. Add @ to send a notification to administrators, teams, analysts, etc.
Note
Cortex XSIAM does not index notes, chats, or entries pinned as evidence.
Displays a visual representation of the running playbook that is assigned to the alert. Playbooks enable you to automate many of your security processes, including handling your investigations and managing your tickets. Work Plans enable you to monitor and manage a Playbook workflow, and add new tasks to tailor the playbook to a specific investigation.
When running a playbook, select Follow to see progress in real-time. In the Work Plan, you can do the following:
View playbook inputs and outputs.
Set up a playbook to run automatically or manually.
Rerun the playbook, zoom in and out, and export to a PNG format.
View, create, and edit playbook tasks for each required step.
Tasks are items for users to complete as part of an investigation. They are split into the following types:
Playbook tasks: View, assign an owner, complete, and set a due date for playbook tasks that require attention.
To Do tasks: Create tasks for users to complete as part of an investigation. A playbook can finish running and an alert can be closed even if the incident contains open To Do tasks. Alternatively, you can create To Do tasks in the War Room.
For more information about adding tasks to a Work Plan, see Add ad-hoc tasks to a Work Plan as part of your investigation.
When you create a task, add a name, automation, and description. The name and description should be meaningful so that the task corresponds to the data that you are collecting. For each task you can do the following:
Designate tasks as complete, either manually or by running a script.
Assign an owner for a task.
Set a due date for the task.
Add comments and completed notes, as required.