Evidence Handling

Cortex XSOAR Administrator Guide

Product: Cortex XSOAR
Version: 6.9
Creation date: 2022-09-29
Last date published: 2024-10-07
End of Life: EoL
Category: Administrator Guide
Abstract

Add evidence to the evidence board to assist with your investigation. Mark any entity as evidence in the Cortex XSOAR War Room.

You can view or designate any entity as evidence, which enables you to reconstruct attack chains and assemble the key pieces of verification needed for root cause discovery.

In the War Room, you can mark any entity as evidence by clicking the flag next to the entry. You can view the evidence in the War Room or open the evidence entry from the Evidence Board. When adding evidence, you need to add a description that contains enough detail for future reference. Adding a tag helps you find the evidence later by searching for that tag. You can also add an occurrence date and time.

Custom Evidence Fields

To create custom evidence fields, go to Settings > Objects Setup > Incidents > Evidence Fields > New Field. When you mark entities as evidence in the War Room, you have the option to enter data for your custom evidence fields.

Evidence Board

The Evidence Board stores key artifacts for current and future analysis. You can view and manage evidence entities that were detected in the War Room and designated as evidence.

You can search for evidence and select the date range when the evidence occurred.

Evidence can be viewed in Table View or Summary View. In the Table View, you can remove or export evidence, or show it in the War Room. In the Summary View, you can remove or edit the evidence.