Notebooks - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2024-09-12
Category
Administrator Guide
Abstract

Leverage the data collected by Cortex XSIAM using Jupyter Notebooks' data analysis and visualization capabilities within your existing security infrastructure.

Cortex XSIAM Notebooks enable you to analyze and visualize the extensive data collected by Cortex XSIAM. Using Jupyter tools, you can build machine learning models to visualize clusters, identify anomalies, and then feed your findings back into the Cortex XSIAM environment to generate security insights.

You can write Python code, run all or parts of it, and create visualizations of the data that show the results of the algorithms you ran.

  • Create customized analytics and bring your own machine learning models into Cortex XSIAM.

  • Utilize existing public resources.

  • Visualize analytics using existing libraries and applications.

  • Document, automate, and reuse hunting processes.

  • Use the existing data manipulation and visualization tools to identify patterns, anomalies, and trends in the data.

  • Automate the custom investigation process and make it available as part of an incident with actions like creating alerts and adding a comment to an incident.

Danger

Using Cortex XSIAM Notebooks requires the following:

  • Cortex XSIAM Enterprise or Cortex XSIAM Enterprise Plus.

  • Apps and XQL RBAC permissions.

    • To use Notebooks, you must have the View/Edit permissions in Settings > Configurations > Access Management > Roles > Apps > Jupyter.

    • To configure Notebooks, you must have the View/Edit permissions in Settings > Configurations > Access Management > Roles > Configurations > Apps.

    • To work in Notebooks, you must have the Application Service Account role.

      When you create a Notebooks instance, the API key is assigned the App Service Account role by default. You can change the API key or the role to match your activities.

  • A daily minimum of 1000 compute units. After activation, 1000 units are deducted every day at 00:00 UTC.

    XQL and BQ queries performed in Cortex XSIAM Notebooks are calculated similarly to Compute Unit usage of XQL queries originating from public APIs.

Every notebook you create is preconfigured with Cortex SDK access that enables you to query the data using Cortex Query Language.

Note

  • You can only add one instance of Notebooks.

  • Cortex XSIAM Notebooks has access to approved sites on the internet when embedded in Cortex XSIAM.

  • The Notebooks instance includes restart options.

To create a Notebooks instance inside Cortex XSIAM:

  1. Select Settings > Configurations > Integrations > Apps.

  2. Click the menu to the right of Notebooks and select +Create Instance.

  3. Specify an Instance Name and click Add Instance.

    Cortex XSIAM displays a notification that the instance is being prepared, which may take time. When completed, the instance is available in the navigation menu under Apps.

To edit the Notebooks instance, from Settings > Configurations > Integrations > Apps, hover over the instance and select the edit icon. You can change the name of the instance, create a new API key, or select an API key from the list.

Installing or uninstalling some plug-ins and packages requires the Notebooks server to refresh the web page. For these actions, go to File > Shut Down and then refresh the page.

To start working in your Notebooks instance, select it in the navigation menu under Apps.