DBot Suggestions: Quick View Window

Cortex XSOAR Administrator Guide

Product: Cortex XSOAR
Version: 6.11
Creation date: 2022-12-12
Last date published: 2024-03-28
Category: Administrator Guide
Abstract

The Cortex XSOAR Quick View window displays information for an incident or an indicator, each of which has DBot-suggested indicators.

The Quick View window displays information for the entity selected on the canvas, either an incident or an indicator, each of which has DBot-suggested indicators.

You can highlight entities on the canvas to show visually how the incident progressed.

Searches performed in the Quick View pane are client-side searches.

Incident Quick View

You can view basic information, such as type, severity, timeline information labels, and indicators. DBot determines which indicators to suggest adding to the canvas for this incident according to the following factors (in this order):

  1. Indicators with a malicious verdict from the current (selected) incident.

  2. The malicious ratio, which is the ratio of the indicators that appear in incidents with a malicious verdict to the total number of incidents in Cortex XSOAR.

Indicator Quick View

You can view source information, hashes, known history, and comments, and perform certain actions, such as running scripts, deleting, excluding, and so on.

DBot determines which indicators to suggest adding to the canvas for the selected indicator according to the following factors (in this order):

  1. Relations between all canvas investigation contexts. For example, if a hostname and IP address are associated with the same endpoint, the context key is suggested as an indicator.

  2. An ssdeep with 50% or higher similarity.

You can edit DBot incident and indicator suggestions in the Quick View window.