Use the War Room for real-time investigation into an incident, to filter war room entries, and to disable indicator notifications.
The War Room contains an audit trail of all automatic or manual actions that take place in an incident/alert. A War Room is where you can review and interact with your incident/alert. Cortex XSIAM provides machine learning insights to suggest the most effective analysts and command-sets. Each incident/alert has a unique War Room.
Within Cortex XSIAM, real-time investigation is facilitated through the War Room, which is powered by ChatOps. In the War Room you can take the following actions:
- Run real-time security actions through the CLI, without switching consoles.
- Run security playbooks, scripts, and commands.
- Collaborate and execute remote actions across integrated products.
- Capture incident context from different sources.
- Document all actions in one source.
- Converse with others for joint investigations.
Note
The incident War Room is usually used for communication, but unlike the alert War Room it does not include playbook-specific entries. The incident War Room enables you to investigate an entire incident, not just a single alert.
Every incident has a War Room. In addition, every user has access, subject to permissions, to a private War Room called the Playground.
The Playground is a non-production environment where you can safely develop and test data, such as scripts, APIs, and commands. It is an investigation area that is not connected to a live (active) investigation.
To access the Playground, do one of the following:
- Go to → →
- In any browser, type https://<tenant>.<region>.paloaltonetworks.com/playground
When you open the War Room, you can see all the actions taken on an incident, such as commands and notes, in several formats, including Markdown and HTML. When Markdown, HTML, or geographical information is received, the content is displayed in the relevant format.
To view specific types of entries, filter them by selecting the relevant checkbox:
- Chats: Communication between team members.
- Notes: Any entries marked as notes.
- Files: Anything uploaded to the War Room by a playbook, a script, or the analyst.
- Alert History: Any alert field or SLA Timer field that was modified.
- Commands and playbook tasks: Any actions taken by playbook tasks or run manually by the analyst.
- Tags: Any tags added to the investigation.
Note
Cortex XSIAM does not index notes and chats.
In each War Room entry, you can take the following actions:

| Action | Description |
|---|---|
| Mark as note | Marks the entry as a note, which can help you understand why a certain action was taken and assist future decisions. You can also add a note by doing the following: When an entry is marked as a note, it is highlighted so you can easily find it in the War Room or the Alert Overview tab. |
| View artifact in new tab | Opens the artifact in a new tab. |
| Detach from task | Removes a task from the artifact. |
| Attach to a task | Adds a task to the artifact. |
| Add tags | Adds any relevant tags that help you find the information later. |
| Copy to CLI | |
| | To find the entry ID or URL of an entry in the War Room, click the vertical ellipsis icon at the upper right of the entry, then copy the value. |
Run Commands in the War Room CLI
Cortex XSIAM enables you to run system commands, integration commands, and scripts from an integrated command line interface (CLI), which enables you to make comments in your incident (in plain text or Markdown) and to execute automation scripts, system commands, and integration commands. This gives SOC teams the power to execute automations ad-hoc to support their investigations or make notes as they investigate incidents.
In the CLI, you can run various commands by typing the following:
| Action | Description |
|---|---|
| | Runs integration commands, scripts, and built-in commands, such as adding evidence and assigning an analyst. |
You can find relevant commands, scripts, and arguments with the CLI's auto-complete feature. This also includes fuzzy searching to help you find relevant commands based on keywords. If you type the exclamation mark (!) and start typing, autocomplete populates with options that might suit your needs. For example, if you want to work with tasks, type `!task`, and all commands and scripts that include "task" in their name are displayed.
Tip
You can use the up/down arrow buttons in the CLI to do a reverse history search for previous commands with the same prefix.