XSIAM Command Center - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2025-02-06
Category
Administrator Guide
Abstract

See a dynamic overview of the current status of your tenant and your security operations processes on the XSIAM Command Center.

The XSIAM Command Center dashboard provides a dynamic overview of your security operations processes, and supports drilldowns to additional dashboards and dedicated pages. The dashboard gives a visualization of the current status of your tenant and its activity during the selected time frame. Click on any element to drill down to dashboards or pages displaying data that is filtered by your selection. Unless you have specified an alternative dashboard, this is the default dashboard in Cortex XSIAM.

The XSIAM Command Center includes incoming data, incidents and alerts, and key performance indicators. The following table describes each of these sections:

Section

Details

Incoming data

  • Number of connected Cortex XDR agent endpoints providing EDR data.

  • Data source instances grouped by integration and ordered by ingestion volume. Integrations shown in red currently have an error.

Click on any of these items to explore your Data Inventory, which displays breakdowns of data ingestion by data source, including ingestion rates, trends, and prevented events.

Incidents and alerts

  • The number of alerts opened during the time frame.

  • The number of incidents that were created in response to the alerts.

    Incidents are split into manual incidents and automated incidents, where an automated incident contains at least one playbook. You can also see the number of resolved incidents and the number of open incidents broken down by severity.

Click on any of the incident metrics to open the Incidents Overview, which shows a breakdown of your incidents. You can also click on the concentric circle to see a live feed of XSIAM activity on the Dynamic View.

Key performance indicators

  • The amount of data and events ingested during the time frame and the ingestion rate.

  • The number of currently open incidents broken down by severity. This number represents all open incidents on the system, and is not time frame specific.

  • The number of attacks prevented by Cortex XSIAM during the time frame.

Click on the key performance indicators to drill down to dedicated pages for further investigation.

The trend percentages for the key performance indicators are calculated by comparing the totals from the current time frame with the totals of the previous time frame. An arrow indicates whether the rates are rising or falling in comparison to the previous time frame's total.

From the XSIAM Command Center, you can drill down to the following dashboards: the Data Inventory, the Dynamic View, and the Incidents Overview.

The Data Inventory provides a dynamic view of the data sources that are ingesting data into Cortex XSIAM. You can see breakdowns of data ingestion by data source, ingestion rates, trends, and prevented events.

You can access the dashboard from the XSIAM Command Center by clicking a data source, or the number of Endpoints or VM Brokers/XDRCs. The Data Inventory includes incoming data sources and key performance indicators. The following table describes each of these sections:

Section

Details

Data sources

Data sources are broken down into categories. Depending on the selected data source, the dashboard opens the relevant category. You can expand a category to see details of individual data sources, and hover over a data source to see more details. You can also click on a data source to open a drill-down view filtered by your selection:

  • Connected endpoints

  • PANW integrations

  • 3rd party data sources

Key performance indicators

  • Event Ingestion and Data Ingestion display the amount of data and events ingested during the time frame and the ingestion rate.

    The trend percentages for the key performance indicators are calculated by comparing the totals from the current time frame with the totals of the previous time frame. An arrow indicates whether the rates are rising or falling in comparison to the previous time frame's total.

  • Health Alerts displays the number of collection errors that occurred in the time frame. Collection errors occur when integration instances that fetch data have an error status.

Click on the key performance indicators to drill down to dedicated pages for further investigation.

The Dynamic View provides an overview of Cortex XSIAM activity in real time. You can see the data sources that are sending data to Cortex XSIAM, data sources with connection errors, playbooks being triggered, and the alerts and incidents being created.

To access the Dynamic View, click on the concentric circle in the XSIAM Command Center. The Dynamic View includes the concentric circle, the live feed, and the key performance indicators. The following table describes each of these sections:

Section

Details

Concentric circle

Shows an animation of Cortex XSIAM activity in real time. Icons represent alerts and incidents. Data sources are displayed on the outside of the circle and are color-coded to represent their connection status. The center of the circle displays statistics about open incidents, automatically resolved incidents, and manually resolved incidents.

Click on any of the elements to drill down to dedicated pages for further investigation.

Live feed

Reports the following types of activity on the tenant:

  • An alert is added to an incident.

  • An incident is created, resolved, or reopened.

  • A playbook is triggered.

  • A data source has ingested data.

  • A data source is in error status.

Click on any of the live feed elements to link to dedicated pages that can assist you with your investigation.

Key performance indicators

Displays information about data ingested during the time frame, and the number of open incidents. The ingestion rate trend percentage is calculated by comparing the ingestion total of the current time frame with the ingestion total of the previous time frame. An arrow indicates whether the rates are rising or falling in comparison to the previous time frame's total.

Click on the key performance indicators to drill down to dedicated pages for further investigation.

The Incidents Overview provides a breakdown of your incidents, including MITRE ATT&CK tactic details, automation suggestions, and top resolving assignees. You can click different elements on the dashboard to link to dedicated pages for further investigation.

You can access the Incidents Overview from the XSIAM Command Center by clicking on any of the incidents metrics. The Incidents Overview displays the following information:

Section

Details

Automation suggestions

Displays the number of incidents that could have been automated, and the number of playbook recommendations.

Resolved incidents

Displays the number of resolved incidents in the time frame, and provides a breakdown of top resolving assignees.

Open incidents

Displays a breakdown of open incidents by severity, and details of the MITRE ATT&CK tactics identified in the incidents.

Key performance indicators

Displays information about data ingested during the time frame, and the number of assets affected by the incidents. The ingestion rate trend percentage is calculated by comparing the ingestion total of the current time frame with the ingestion total of the previous time frame. An arrow indicates whether the rates are rising or falling in comparison to the previous time frame's total.