Use the War Room in an investigation

Cortex XSIAM Documentation

Product: Cortex XSIAM
Creation date: 2024-03-06
Last date published: 2025-01-26
Category: Administrator Guide

Abstract

Use the War Room for real-time investigation into an incident, to filter war room entries, and to disable indicator notifications.

The War Room contains an audit trail of all automatic or manual actions that take place in an incident/alert. A War Room is where you can review and interact with your incident/alert. Cortex XSIAM provides machine learning insights to suggest the most effective analysts and command-sets. Each incident/alert has a unique War Room.

(Figure: War Room overview)

Within Cortex XSIAM, real-time investigation is facilitated through the War Room, which is powered by ChatOps. In the War Room you can take the following actions:

  • Run real-time security actions through the CLI, without switching consoles.

  • Run security playbooks, scripts, and commands.

  • Collaborate and execute remote actions across integrated products.

  • Capture incident context from different sources.

  • Document all actions in one source.

  • Converse with others for joint investigations.

Note

The incident War Room is usually used for its communication capabilities, but unlike the alert War Room, it does not include playbook-specific entries. The incident War Room enables you to investigate an entire incident, not just a single alert.

Every incident has a War Room. In addition, every user has access, subject to permissions, to a private War Room called the Playground.

The Playground

The Playground is a non-production environment where you can safely develop and test content, such as scripts, API calls, and commands. It is an investigation area that is not connected to a live (active) investigation.

To access the Playground, do one of the following:

  • Go to Incident Response > Automation > Playground.

  • In any browser, type https://<tenant>.<region>.paloaltonetworks.com/playground.

The War Room

When you open the War Room, you can see all the actions taken on an incident, such as commands and notes, in several formats such as Markdown and HTML. When Markdown, HTML, or geographical information is received, the content is displayed in the relevant format.

To view specific data entries, you can filter entries by selecting the relevant checkbox, such as:

  • Chats: Communication between team members.

  • Notes: Any entries marked as notes.

  • Files: Anything uploaded to the War Room by a playbook, a script, or the analyst.

  • Alert History: Any alert field or SLA Timer field that was modified.

  • Commands and playbook tasks: Any actions taken by playbook tasks or run manually by the analyst.

  • Tags: Any tags added to the investigation.

Note

Cortex XSIAM does not index notes and chats.

In each War Room entry, you can take the following actions:

  • Mark as note: Marks the entry as a note, which can help you understand why a certain action was taken and assist future decisions.

    You can also add a note by doing the following:

    • Upload a file to the War Room by selecting Mark as Note.

    • If the Alert Overview tab includes a NOTES section, add the note to that section.

    • In a playbook task (Advanced tab). Task outputs from scripts can be added automatically as notes.

    • In the CLI, by running the !markAsNote entryIDs=<ID of the war room entry> command. In the relevant War Room entry, click Copy to CLI to retrieve the ID of the War Room entry.

    An entry marked as a note is highlighted, so you can easily find it in the War Room or the Alert Overview tab.

  • View artifact in new tab: Opens a new tab for the artifact.

  • Detach from task: Removes a task from the artifact.

  • Attach to a task: Adds a task to the artifact.

  • Add tags: Adds any relevant tags that help you find relevant information.

  • Copy to CLI: Copies one of the following values:

    • ID: Entry IDs uniquely identify War Room entries and take the format <ENTRY_IDENTIFIER>@<INCIDENT_ID>, for example, 54925dc3-a972-4489-8bef-793331fa6c77@1. Many out-of-the-box commands and scripts take entry ID arguments to pass in files as inputs.

    • URL: Copies the URL, which is a direct link to the War Room entry.

To find the entry ID or URL of an entry in the War Room, click the vertical ellipsis icon at the upper right of the entry, then copy the value.
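Because entry IDs are passed as script arguments (often to select a file as input), a script that receives one should check its shape and its incident part before using it. The following Python is an added example, not Cortex XSIAM product code: it parses an entry ID into its two parts and builds a !markAsNote line only for entries that belong to the expected incident. Treating the identifier part as a UUID, and passing several IDs as a comma-separated list, are assumptions made here; the page shows a single ID.

```python
import re
from dataclasses import dataclass

# Entry ID format from the page: <ENTRY_IDENTIFIER>@<INCIDENT_ID>,
# e.g. 54925dc3-a972-4489-8bef-793331fa6c77@1. Assumption for this example:
# the identifier part is a UUID and the incident part is a positive integer.
ENTRY_ID_RE = re.compile(
    r"^(?P<entry>[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}"
    r"-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})@(?P<incident>[1-9][0-9]*)$"
)


@dataclass(frozen=True)
class EntryId:
    entry: str
    incident: int

    def __str__(self) -> str:
        return f"{self.entry}@{self.incident}"


def parse_entry_id(raw: str) -> EntryId:
    """Validate and split a War Room entry ID; raise ValueError if malformed."""
    m = ENTRY_ID_RE.match(raw.strip())
    if m is None:
        raise ValueError(f"not a War Room entry ID: {raw!r}")
    return EntryId(m.group("entry").lower(), int(m.group("incident")))


def mark_as_note_command(raw_ids: list[str], expected_incident: int) -> str:
    """Build the !markAsNote CLI line for IDs that all belong to one incident.

    Checking the incident part first catches an entry ID that was copied from
    another incident's War Room. Joining several IDs with commas is an
    assumption; the page shows the argument with a single ID.
    """
    parsed = [parse_entry_id(r) for r in raw_ids]
    foreign = [str(p) for p in parsed if p.incident != expected_incident]
    if foreign:
        raise ValueError(f"entry IDs from another incident: {foreign}")
    return "!markAsNote entryIDs=" + ",".join(str(p) for p in parsed)
```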

Run Commands in the War Room CLI

Cortex XSIAM enables you to run system commands, integration commands, and automation scripts from an integrated command line interface (CLI). The same CLI lets you add comments to your incident, in plain text or Markdown. This gives SOC teams the power to execute automations ad hoc to support their investigations, or to make notes as they investigate incidents.

In the CLI, type an exclamation mark (!) to run integration commands, scripts, and built-in commands, such as adding evidence and assigning an analyst.

You can find relevant commands, scripts, and arguments with the CLI’s auto-complete feature. This also includes fuzzy searching to help you find relevant commands based on keywords. If you type the exclamation mark (!) and start typing, autocomplete populates with options that might suit your needs. For example, if you want to work with tasks, type !task, and all commands and scripts that include "task" in their name are displayed.

Tip

You can use the up/down arrow buttons in the CLI to do a reverse history search for previous commands with the same prefix.