Set up Your Use Case with the Deployment Wizard

Cortex XSOAR Administrator Guide

Product: Cortex XSOAR
Version: 6.8
Creation date: 2022-09-28
Last date published: 2024-04-08
End of Life: EoL
Category: Administrator Guide
Abstract

The Deployment Wizard guides you step by step through adopting a use case, and significantly reduces the time required to set it up.

It walks you through configuring the content pack for your specific use case, including:

  • Configuring the fetching integration.

  • Configuring the main playbook.

  • Configuring any supporting integrations.

Note

To access the Deployment Wizard, you first need to install your content pack in Marketplace. The Deployment Wizard tab appears in Marketplace after the content pack installation is complete.

Currently, only the Malware Investigation and Response content pack supports the Deployment Wizard.

Prerequisites

Before installing your use-case content pack, install the content packs that contain the supporting integrations it relies on.

For example, for the Malware Investigation and Response content pack, you need one or more incident fetching content packs. You can also optionally install sandbox, messaging, case management, and data enrichment and threat intelligence content packs.

  1. In Marketplace, select the content pack for your use case (for example, Malware Investigation and Response) and click Install.

    The Select Content Packs window opens, where you select the items to include with the pack (for each mandatory category you must select at least one item). The selected items are automatically added to the cart.

    Note

    If an item is already installed, it is shown as selected and grayed out.

    [Screenshot: deployment-wizard-select-content-packs.png]

  2. Click Continue.

  3. Click Install to install the content pack.

  4. When the content pack finishes installing, click Refresh content.

    The DEPLOYMENT WIZARD tab appears.

    Note

    After you start running your use case, you can return to this tab to change the configuration, for example the credentials or the playbooks used.

  5. If this is the first time you are installing the content pack, a small popup window appears next to the DEPLOYMENT WIZARD tab. Click Let’s Start to start the wizard.

    [Screenshot: deployment-wizard-Lets-Start.png]

    Otherwise, click the DEPLOYMENT WIZARD tab.

    The tab opens showing the use case deployment flow.

  6. Step 1: Fetching Integration - click the displayed fetching integration. You can either update an existing instance or create a new one. The instance stays disabled, so no incidents are fetched, until you complete all steps of the wizard.

    [Screenshot: deployment-wizard-fetching-integration.png]

    Note

    For the Malware Investigation and Response use case, the default fetching integration is chosen from the integrations you have installed, in this order of precedence: Palo Alto Networks Cortex XDR - Investigation and Response first; if it is not installed, CrowdStrike Falcon; otherwise Microsoft Defender for Endpoint (if it is installed).

    Note

    If you run into problems while running the wizard, refreshing the browser page often resolves them.

    To update an existing instance: select Update existing instance and click Next. If more than one instance of the integration exists, choose the one you want to update.

    [Screenshot: deployment-wizard-update-instance.png]

    To create a new instance: Select New instance and click Next.

    A What needs to be done list guides you through the settings the fetching integration instance requires. Scroll down to see the complete list. Parameters that already have default values can be left as they are.

    [Screenshot: deployment-wizard-configure-fetching-integration.png]

    After you save your settings, the wizard runs a connection test. If the test succeeds, the Fetching Integration step turns green and the wizard moves on to the next step (Set Playbook).

    [Screenshot: deployment-wizard-fetching-test-success.png]

    If the test fails, the step turns red; hover over it to display a message with the reason for the connection failure.

  7. Step 2: Set Playbook - select Configure Playbook & Parameters.

    The Setup Malware playbook pane opens, showing the recommended primary playbook for the incident type you selected when configuring the fetching integration.

    The playbook configuration lists the playbook inputs that change its behavior, for example whether to detonate files in a sandbox or whether to isolate the endpoint as a response action. To open the playbook itself, click the link at the bottom of the pane.

    [Screenshot: deployment-wizard-configure-playbook-3.png]

    Note

    If you assign a playbook other than the default and the incident type is a system (out-of-the-box) type, the incident type is detached as part of assigning the new playbook. A detached incident type no longer receives updates when its content pack is upgraded.

  8. Click Done.

  9. Step 3: Supporting Integrations - configure any installed supporting integrations in the content pack.

    A supporting integration that is already installed and connected appears with a green check. Otherwise, click the integration to configure it.

    [Screenshot: deployment-wizard-supporting-integrations.png]

    Note

    After you save the settings, the supporting integration instance is enabled automatically (unlike the fetching integration, which stays disabled until the wizard is complete).

  10. Step 4: What’s Next - select Turn on Use Case.

    Note

    The fetching integration instance remains disabled until you finish the wizard. Clicking Turn on Use Case enables it, starts fetching incidents, and runs the configured playbooks and automations on them.

    [Screenshot: deployment-wizard-turn-on-use-case.png]