Quick Launcher - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2024-10-10
Category
Administrator Guide
Abstract

The Quick Launcher provides a quick, in-context shortcut that you can use to search for information, perform common investigation tasks, or initiate actions.

The Quick Launcher provides a quick, in-context shortcut that you can use to search for information, perform common investigation tasks, or initiate response actions from any place in Cortex XSIAM. The tasks that you can perform with the Quick Launcher include:

  • Search for a host, username, IP address, domain, filename, filepath, or timestamp to easily launch the artifact and assets views.

    Note

    For hosts, Cortex XSIAM displays results for exact matches but supports the wildcard (*), which changes the search to return matches that contain the specified text. For example, a search of compy-7* will return any hosts beginning with compy-7, such as compy-7000, compy-7abc, and so forth.

  • Search the Asset Inventory for a specific asset name or IP address. In addition, the following actions are available when searching for Asset Inventory data.

    • Change search to <host name of asset> to display additional actions related to that host. This option is only relevant when searching for an IP address that is connected to an asset.

    • Open in Asset Inventory is a pivot available when the host name of an asset is selected.

  • Begin Go To mode. Enter forward slash (/) followed by your search string to filter and navigate to Cortex XSIAM pages. For example, / rules searches for all pages that include rules and allows you to navigate to those pages. Select Esc to exit Go To mode.

  • Add a process by SHA256 hash to the allow list or block list

  • Add domains or IP addresses to the EDL block list

  • Create a new IOC for an IP address, domain, hash, filename, or filepath

  • Isolate an endpoint

  • Open a terminal to a given endpoint

  • Initiate a malware scan on an endpoint

You can open the Quick Launcher by clicking the Quick Launcher icon in the top navigation bar, from the application menus, or by using the default keyboard shortcut: Ctrl+Shift+X on Windows or CMD+Shift+X on macOS. To change the default keyboard shortcut, select Settings → Configurations → General → Server Settings → Keyboard Shortcuts. The shortcut value must be a keyboard letter, A through Z, and cannot be the same as the shortcut defined for the Artifact and Asset Views.

You can also prepopulate searches in Quick Launcher by selecting text in the app or selecting a node in the Causality or Timeline Views.