War Room Overview - Administrator Guide - 6.10 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product
Cortex XSOAR
Version
6.10
Creation date
2022-10-13
Last date published
2024-03-28
End of Life
EoL
Category
Administrator Guide
Abstract

Use the Cortex XSOAR War Room for real-time investigation of an incident, to filter War Room entries, and to disable indicator notifications.

Within Cortex XSOAR, real-time investigation is facilitated through the War Room, which is powered by ChatOps and helps analysts to do the following:

  • Run real-time security actions through the CLI, without switching consoles.

  • Run security playbooks, scripts and commands.

  • Collaborate and execute remote actions across integrated products.

  • Capture incident context from different sources.

  • Document all actions in one source.

  • Converse with others for joint investigations.

Cortex XSOAR also provides machine learning insights to suggest the most effective analysts and command-sets. Each incident has a unique War Room.

Note

To access the War Room: If you have an Admin role, clicking Playground on the sidebar opens the Playground - War Room tab. If you have another role, typing any command in the CLI at the bottom of the page opens this tab.

When you open the War Room, you see entries such as commands, notes, evidence and tasks, in formats such as Markdown and HTML. When Markdown, HTML or geographical information is received, the content is displayed in the relevant format.


You can do the following actions for each artifact entry.

  • Edit: You can edit, format or delete your own entries. If an entry has been changed, a History link appears where you can view all changes to the entry.

  • Mark as Evidence: Opens the Mark as evidence window, where you specify the evidence details to be saved in the Evidence Board. The Evidence Board stores key artifacts for current and future analysis. You can add evidence in the Case Info tab, the Evidence Board, or the War Room.

  • Mark as note: Marks the entry as a note. Notes help the analyst understand why a certain action was taken and assist future decisions. You can also add notes in the Case Info tab.

  • View artifact in new tab: Opens a new tab for the artifact.

  • Detach from task: Detaches the artifact from the task it is attached to.

  • Attach to a task: Attaches the artifact to a task.

  • Download artifact: Downloads the artifact according to the entry type, such as a txt file for text, a json file for a JSON entry, etc.

  • Add tags: Adds any relevant tags to the entry, which helps you find relevant information later.

You can run various commands in the CLI, by typing the following:

  • !: Integration commands, automations, and built-in commands. For example, add evidence, assign an analyst, etc.

  • /: System commands/operations. For example, add notes, close an investigation, etc.

  • @: User tagging. Send notifications to administrators, teams, analysts, etc.

You can edit incidents, create a report, add child incidents, and so on, as described in Incident Actions.

Filter Entities

You can filter entries by clicking the filter icon. Add a filter by selecting its checkbox, or click the remove icon to clear that filter. The filter menu contains three types of War Room entities by which you can filter:

  • Actions

  • Tags

  • From

Use the And/Or toggles between the Actions, Tags and From sections.

  • And: Shows only entries that match all of the selected filters.

  • Or: Shows entries that match any one of the selected filters.

You can save the filter by clicking Add, and retrieve it later from Saved filters. To share a saved filter, click the share icon for that filter in the dropdown. You can share the filter with all roles or with specific roles.

Entry IDs

Entry IDs uniquely identify War Room entries in Cortex XSOAR. Entry IDs take the format <ENTRY_IDENTIFIER>@<INCIDENT_ID>, for example, 54925dc3-a972-4489-8bef-793331fa6c77@1. Many out-of-the-box commands and scripts take entry ID arguments to pass in files as inputs. To find the entry ID of an entry in the War Room, click the vertical ellipsis icon at the upper right of the entry, then copy the ID value.
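Scripts that accept entry IDs as arguments should check that the value has this format before using it. The following is an added example, not code from Cortex XSOAR or its documentation; it assumes the entry identifier is a UUID (as in the example above) and that the incident ID contains no "@" or whitespace, and the function names are hypothetical.

```python
"""Parse and validate Cortex XSOAR War Room entry IDs of the form
<ENTRY_IDENTIFIER>@<INCIDENT_ID>, e.g. 54925dc3-a972-4489-8bef-793331fa6c77@1.

Added example, not product code. Assumptions: the entry identifier is a UUID
and the incident ID is a token without '@' or whitespace.
"""
import re
from typing import Iterable, List, NamedTuple

# Assumed shapes of the two parts (see module docstring).
_ENTRY_ID_RE = re.compile(
    r"^(?P<entry>[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-"
    r"[0-9a-fA-F]{4}-[0-9a-fA-F]{12})@(?P<incident>[\w-]+)$"
)


class EntryId(NamedTuple):
    entry: str      # entry identifier part, normalised to lower case
    incident: str   # incident ID part, as given


def parse_entry_id(value: str) -> EntryId:
    """Split an entry ID into its parts; raise ValueError if it is malformed."""
    match = _ENTRY_ID_RE.match(value.strip())
    if match is None:
        raise ValueError(f"not a War Room entry ID: {value!r}")
    return EntryId(match.group("entry").lower(), match.group("incident"))


def is_entry_id(value: str) -> bool:
    """True if the value is a well-formed entry ID."""
    try:
        parse_entry_id(value)
    except ValueError:
        return False
    return True


def entry_ids_for_incident(values: Iterable[str], incident_id: str) -> List[EntryId]:
    """Keep only well-formed entry IDs that belong to the given incident.

    A script that receives entry IDs as an argument can use this to ignore
    malformed values and entries from other incidents.
    """
    kept = []
    for value in values:
        if not is_entry_id(value):
            continue
        eid = parse_entry_id(value)
        if eid.incident == incident_id:
            kept.append(eid)
    return kept
```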

Indicator Notifications

You can disable War Room notifications for related indicators. Go to Settings > About > Troubleshooting and add the following server configuration:

Key: create.related.indicators.entry

Value: false

Note

Cortex XSOAR does not index notes, chats, and entries pinned as evidence. If you want to index these entries, see War Room Indexing.