Alert investigation view - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Product: Cortex XSIAM
Creation date: 2024-03-06
Last date published: 2025-02-13
Category: Administrator Guide

Abstract

Investigate an alert to view more detailed information and take any action as required.

You can investigate an alert to gain more information about the cause of the alert, and take any actions required. Hover over an alert and select Investigate to open the alert investigation panel. The following tabs are common to most alerts:

Tab

Description

Alert Overview

A summary of the alert, such as alert details, outstanding tasks, and indicators. Some fields are informational and some are editable. Includes the following sections (depending on the layout):

  • ALERT DETAILS: A summary of the alert, such as type, severity, and when the alert occurred. Update these fields as required.

  • COMMAND AND TASK RESULTS: Lists any manual commands and playbook task results.

  • WORK PLAN: When you click on the section, you can view or take action on the following:

    • Playbook tasks: When a playbook runs, any outstanding tasks appear. You can take various actions here or in the Work Plan tab.

    • To-Do Tasks: Ad-hoc items that are not attached to the Work Plan. Create tasks for users to complete as part of an investigation. These work like a To-Do list that you keep in an investigation on an ad-hoc basis, whereas the Work Plan follows a pre-defined process. You can view or create To-Do tasks.

  • NOTES: Helps you understand specific actions taken, and allows you to view conversations between analysts to see how they arrived at a certain decision. You can see the thought process behind identifying key evidence and identifying similar incidents.

  • MALICIOUS OR SUSPICIOUS INDICATORS: A list of any malicious or suspicious indicators. If you have the Threat Intel add-on, you can pivot to the Indicators page, where you can take further action on the indicator.

Technical Information

Displays an overview of the information collected about the investigation, such as indicators, email information, URL screenshots, etc. When you run a playbook, the sections are automatically completed.

Investigation Tools

Enables you to take action on the alert, such as converting a JSON file to CSV or checking whether an IP address falls within a CIDR range.

War Room

A comprehensive collection of all investigation actions, artifacts, and collaboration. It is a chronological journal of the alert investigation. Each incident has a unique War Room. For information, see Use the War Room in an investigation.

Work Plan

A visual representation of the running playbook that is assigned to the incident. For more information, see Use the Work Plan in an investigation.