New to Cortex XSOAR? Whether you are an analyst, engineer, or administrator, this guide will familiarize you with commonly used features. This guide provides an overview, with links to more detailed documentation and resources.
Cortex XSOAR UI Components
The main menu for Cortex XSOAR includes (in order of importance to a new user):
Dashboards and reports
We recommend familiarizing yourself with the settings options. You may not see all of the tabs in the screenshot, as some may not apply to your deployment. Also, the screenshot omits some specialized and legacy features, so your instance may have tabs that do not appear in the screenshot.
What You Can Do
Integrations - Instances
Set up your Cortex XSOAR instance to communicate with third-party tools.
Integrations are key to unlocking the power of Cortex XSOAR. Set up the tools in your environment to communicate with each other, correlate data, and orchestrate your response actions.
Integrations - Pre-Process Rules
Create rules to take actions, such as automatically dropping or closing new incidents matching certain conditions as they are ingested by Cortex XSOAR.
Drop or close low value or unactionable incidents to save Cortex XSOAR’s resources for incidents of interest and reduce noise.
Integrations - Engines
Create, view, and manage Cortex XSOAR engines, which are servers used for proxying and load balancing.
Use engines as a proxy to allow communication between a remote network and your Cortex XSOAR server. For example, communication between an internal network segment that cannot connect to the Internet and your hosted Cortex XSOAR instance. You can also use engines to distribute processing load across servers.
Integrations - API Keys
Generate Demisto REST API keys. You can also access the API documentation from this page.
To directly access the API documentation, go to: https://<SERVER>/api
The Demisto REST API enables you to automate activities for Cortex XSOAR, including batch creating, deleting, and closing incidents, batch editing indicators, managing users, and much more.
Integrations - Credentials
Securely store credentials for use with integration instances.
Store credentials that may be used with multiple integration instances. If the credential changes, you only need to edit the credential in one place in Cortex XSOAR and the change will carry over to all instances using the credential.
Manage Cortex XSOAR objects including:
Configure the properties of Cortex XSOAR objects:
Users and Roles - Users
View, manage, and invite new Cortex XSOAR users.
Share the power of Cortex XSOAR with additional members of your team.
Users and Roles - Invites
View current and expired Cortex XSOAR invites.
Check whether users have accepted their invites and get invite URLs to copy and send to users, if Cortex XSOAR has not yet been configured to send emails.
Users and Roles - Roles
View, create, edit, and delete Cortex XSOAR roles.
Control access and permission levels (none, read only, or read/write) to different sections of the Cortex XSOAR platform based on roles, one or more of which can be assigned to each user.
Users and Roles - Integration Permissions
Manage permissions to use integrations.
Restrict integration usage (on an integration, instance, or command level) to certain roles. For example, only allow administrators to run
Users and Roles - Audit Trail
View and export a historical audit trail of user actions taken in Cortex XSOAR.
Audit user activities. For example, check which IP a user logged in from or which user last edited an integration instance.
Users and Roles - Password Policy
Set a password policy and account lockout behavior.
Enforce a minimum password strength requirement and determine what to do if there are repeated failed login attempts.
Advanced - Exclusion List
Set indicators to be ignored by Cortex XSOAR. Excluded indicators are not created in the indicators database and are not enriched.
Conserve API queries and reduce load on the system by excluding your organization’s own indicators including URLs, domains, IPs, and email addresses. This also reduces clutter, as indicators that commonly appear in incidents and are not meaningful will not be displayed.
Advanced - Lists
Save freeform text data that can be read and updated by playbooks and automations.
Lists function as global variables in Cortex XSOAR, and are useful when data needs to be accessed or updated across multiple incidents. For example, a list can be used to store a mapping of usernames to email addresses to perform lookups.
Advanced - Content Repository
Configure Cortex XSOAR remote repository.
Manage Cortex XSOAR content between development system(s) and a production system using a centralized remote content repository. Push content from dev to the repository, and then install content from the repository to prod.
Advanced - ML Models
View and manage Cortex XSOAR machine learning models.
Use machine learning to predict results in Cortex XSOAR. For example, you can train a model on your phishing incident data and use it to predict the classification (for example, Spam, Legitimate, or Malicious) of new phishing incidents.
Advanced - Backups
Back up your Cortex XSOAR data. Note that when using Cortex XSOAR with Elasticsearch, automated backups and Live Backup are not available through the UI. See disaster recovery for Elasticsearch.
Local Changes - Items
Relevant if using the remote repository feature. Review content item changes on dev and push to remote repository.
Push content items to the remote repository so they are available for installation on prod.
Local Changes - Packs
Relevant if using the remote repository feature. Review content pack (installed from the Marketplace) changes on dev and push to remote repository.
Push content packs to the remote repository so they are available for installation on prod.
About - Version
View your Cortex XSOAR version.
You may need to know your Cortex XSOAR version when contacting support, determining which version of the documentation to consult, etc.
About - License
Upload your license and view license details.
Upload the correct license (dev or prod) provided by Cortex XSOAR to ensure you have full access to the Cortex XSOAR feature set.
About - Troubleshooting
Download a log bundle, set server configurations, configure the display timestamp format and timezone, enable/disable telemetry, download your server certificate, configure a server login message, add a logo, and import/export custom content.
The troubleshooting page includes important Cortex XSOAR components. You can download logs or modify server configurations as needed when working with support. The custom content import and export feature enables you to transfer data between Cortex XSOAR servers.
About - System Diagnostics
Review health warnings for your instance and learn how to remediate them.
Address warnings to align with best practices and optimize the performance of your Cortex XSOAR instance.
User settings can be accessed by clicking the pencil icon next to your user name at the bottom of the side menu.
What You Can Do
Change account details including name, email, phone number, password, and profile picture.
Manage your account. Share your contact details with your team. Set yourself as active or away.
Change account preferences including default landing page, light/dark mode, timestamp format, and display timezone.
Customize your display to suit your preferences.
Configure Cortex XSOAR to send you notifications via your preferred communication method(s), including email, mobile, and Slack.
Get notified of Cortex XSOAR events of interest to you, such as being assigned an incident. Disable unwanted notifications.
The Cortex XSOAR Marketplace provides access to hundreds of integrations that extend the functionality of Cortex XSOAR and allow communication with third-party services.
What You Can Do
The central location for searching and installing Cortex XSOAR content, including playbooks, integrations, automations, and more.
Install out-of-the-box automation solutions released by Cortex XSOAR or contributed by other Cortex XSOAR users. Find third-party products to integrate with and get new use case ideas.
Installed Content Packs
View and manage your installed Cortex XSOAR content packs.
Stay up to date with the latest content packs. Update, downgrade, or uninstall content packs.
Contribute Cortex XSOAR content that you have created, including playbooks, integrations, automations, and more.
You can contribute your content back to the community.
The Deployment Wizard significantly reduces the time required to set up your use case. It guides you through the process of setting up your content pack for your specific use case,
You can set up your content pack for your specific use case, including configuring:
On the Incidents page, you can search for and interact with incidents that have been ingested from third-party integrations or manually created in Cortex XSOAR.
Incidents enable you to organize your investigation and response work. Each incident is a self documenting IR workbench where you can view incident details in a custom layout, run automations and playbooks on the incident, create notes, tag evidence items, and more.
The playground functions as a test environment that is not associated with any specific incident. Within the playground, you can run automations, commands, and playbooks, as well as debug custom content.
On the Playbooks page, you can browse, create, and customize Cortex XSOAR playbooks, which are workflows that link together ordered response steps including automations, manual tasks, and communication tasks.
Playbooks enable you to standardize and orchestrate your IR processes. A playbook helps ensure users follow a consistent response process, automates mundane response tasks, ties together your different IR tools, and gathers all relevant incident context and enrichment data in one centralized place.
You can copy/paste tasks from one playbook to another by using keyboard shortcuts.
Dashboards & Reports
Dashboards include visualized data, including Cortex XSOAR incident, indicator, and system data, displayed for a rolling, relative timeframe. Dashboards enable you to track metrics, analyze trends that appear in your Cortex XSOAR data, and identify areas of concern. Dashboards can be customized with widgets that focus on the data points most relevant to your organization.
Reports also contain visualized data, but can be run for a specific time frame and automatically sent via email to internal or external stakeholders.
Jobs allow you to schedule playbooks to run on a recurring basis, either at a specific time or triggered by new indicators ingested from a feed integration. With jobs, you can automate actions you would normally take on a recurring basis, such as compiling malicious indicators and sending them to the SOC for verification before they are blocked.
The Threat Intel page displays a table or summary view of all indicators. If you do not have a TIM license, the page is called Indicators.
Most Threat Intel features are available only with a Cortex XSOAR Threat Intel Management (TIM) license.
* = Features available only with a TIM license.
What You Can Do
Indicators database. Search for, review, and interact with indicators including IPs, domains, URLs, hashes, and more.
Research threats and correlate indicators of compromise across multiple incidents. Track indicator properties such as their verdict and add tags to apply your own indicator classification and grouping logic.
Sample Analysis *
View detailed file sample analysis results from PANW WildFire.
Conduct in-depth research and analysis of file sample behaviors and characteristics based on WildFire’s sandboxed detonation of the file.
Sessions & Submissions *
For users of PANW firewalls, WildFire, Cortex XDR, Prisma SaaS, and/or Prisma Access, search and view firewall session and file sample submission data from these products.
Correlate file hashes observed in firewall sessions or submitted through other PANW products with hashes in Cortex XSOAR.
Threat Intel Reports *
Build and share rich threat intelligence reports.
Share threat intelligence reports with stakeholders either within or outside of Cortex XSOAR.