Navigation Cheat Sheet - Administrator Guide - 6.9 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product
Cortex XSOAR
Version
6.9
Creation date
2022-09-29
Last date published
2024-03-28
End_of_Life
EoL
Category
Administrator Guide
Abstract

Learn about commonly used features of Cortex XSOAR.

New to Cortex XSOAR? Whether you are an analyst, engineer, or administrator, this guide will familiarize you with commonly used features. This guide provides an overview, with links to more detailed documentation and resources.

Cortex XSOAR UI Components

gs-side-menu.png

The main menu for Cortex XSOAR includes (in order of importance to a new user):

  • Settings

  • User Settings

  • Marketplace

  • Incidents

  • Playground

  • Playbooks

  • Automation

  • Dashboards and reports

  • Jobs

  • Threat Intel

Settings

We recommend familiarizing yourself with the settings options. You may not see all of the tabs in the screenshot, as some may not apply to your deployment. Also, the screenshot omits some specialized and legacy features, so your instance may have tabs that do not appear in the screenshot.

Menu Item

Description

What You Can Do

Integrations - Instances

Set up your Cortex XSOAR instance to communicate with third-party tools.

Integrations are key to unlocking the power of Cortex XSOAR. Set up the tools in your environment to communicate with each other, correlate data, and orchestrate your response actions.

Integrations - Pre-Process Rules

Create rules to take actions, such as automatically dropping or closing new incidents matching certain conditions as they are ingested by Cortex XSOAR.

Drop or close low value or unactionable incidents to save Cortex XSOAR’s resources for incidents of interest and reduce noise.

Integrations - Engines

Create, view, and manage Cortex XSOAR engines, which are servers used for proxying and load balancing.

Use engines as a proxy to allow communication between a remote network and your Cortex XSOAR server. For example, communication between an internal network segment that cannot connect to the Internet and your hosted Cortex XSOAR instance. You can also use engines to distribute processing load across servers.

Integrations - API Keys

Generate Core REST API keys. You can also access the API documentation from this page.

Note

To directly access the API documentation, go to: https://<SERVER>/api

The Core REST API enables you to automate activities for Cortex XSOAR, including batch creating, deleting, and closing incidents, batch editing indicators, managing users, and much more.

Integrations - Credentials

Securely store credentials for use with integration instances.

Store credentials that may be used with multiple integration instances. If the credential changes, you only need to edit the credential in one place in Cortex XSOAR and the change will carry over to all instances using the credential.

Objects Setup

Manage Cortex XSOAR objects including:

Configure the properties of Cortex XSOAR objects:

  • Edit a type to set its layout (and playbook, for incidents).

  • Edit a classifier to determine how ingested objects (for example, incidents) are classified into incident types.

  • Add new fields to make them available to add to a mapper or layout.

  • Edit a mapper to control the values mapped to fields.

Users and Roles - Users

View, manage, and invite new Cortex XSOAR users.

Share the power of Cortex XSOAR with additional members of your team.

Users and Roles - Invites

View current and expired Cortex XSOAR invites.

Check whether users have accepted their invites and get invite URLs to copy and send to users, if Cortex XSOAR has not yet been configured to send emails.

Users and Roles - Roles

View, create, edit, and delete Cortex XSOAR roles.

Control access and permission levels (none, read only, or read/write) to different sections of the Cortex XSOAR platform based on roles, one or more of which can be assigned to each user.

Users and Roles - Integration Permissions

Manage permissions to use integrations.

Restrict integration usage (on an integration, instance, or command level) to certain roles. For example, only allow administrators to run ad-disable-account to prevent abuse or accidental execution of this command by unprivileged users.

Users and Roles - Audit Trail

View and export a historical audit trail of user actions taken in Cortex XSOAR.

Audit user activities. For example, check which IP a user logged in from or which user last edited an integration instance.

Users and Roles - Password Policy

Set a password policy and account lockout behavior.

Enforce a minimum password strength requirement and determine what to do if there are repeated failed login attempts.

Advanced - Exclusion List

Set indicators to be ignored by Cortex XSOAR. Excluded indicators are not created in the indicators database and are not enriched.

Conserve API queries and reduce load on the system by excluding your organization’s own indicators including URLs, domains, IPs, and email addresses. This also reduces clutter, as indicators that commonly appear in incidents and are not meaningful will not be displayed.

Advanced - Lists

Save freeform text data that can be read and updated by playbooks and automations.

Lists function as global variables in Cortex XSOAR, and are useful when data needs to be accessed or updated across multiple incidents. For example, a list can be used to store a mapping of usernames to email addresses to perform lookups.

Advanced - Content Repository

Configure Cortex XSOAR remote repository.

Manage Cortex XSOAR content between development system(s) and a production system using a centralized remote content repository. Push content from dev to the repository, and then install content from the repository to prod.

Advanced - ML Models

View and manage Cortex XSOAR machine learning models.

Use machine learning to predict results in Cortex XSOAR. For example, you can train a model on your phishing incident data and use it to predict the classification (for example, Spam, Legitimate, or Malicious) of new phishing incidents.

Advanced - Backups

Configure automated backups of your XSOAR database or Live Backup for disaster recovery.

Back up your Cortex XSOAR data. Note that when using Cortex XSOAR with Elasticsearch, automated backups and Live Backup are not available through the UI. See disaster recovery for Elasticsearch.

Local Changes - Items

Relevant if using the remote repository feature. Review content item changes on dev and push to remote repository.

Push content items to the remote repository so they are available for installation on prod.

Local Changes - Packs

Relevant if using the remote repository feature. Review content pack (installed from the Marketplace) changes on dev and push to remote repository.

Push content packs to the remote repository so they are available for installation on prod.

About - Version

View your Cortex XSOAR version.

You may need to know your Cortex XSOAR version when contacting support, determining which version of the documentation to consult, etc.

About - License

Upload your license and view license details.

Upload the correct license (dev or prod) provided by Cortex XSOAR to ensure you have full access to the Cortex XSOAR feature set.

About - Troubleshooting

Download a log bundle, set server configurations, configure the display timestamp format and timezone, enable/disable telemetry, download your server certificate, configure a server login message, add a logo, and import/export custom content.

The troubleshooting page includes important Cortex XSOAR components. You can download logs or modify server configurations as needed when working with support. The custom content import and export feature enables you to transfer data between Cortex XSOAR servers.

About - System Diagnostics

Review health warnings for your instance and learn how to remediate them.

Address warnings to align with best practices and optimize the performance of your Cortex XSOAR instance.

User Settings

User settings can be accessed by clicking the pencil icon next to your user name at the bottom of the side menu.

gs-user-settings.png

Menu Item

Description

What You Can Do

Details

Change account details including name, email, phone number, password, and profile picture.

Manage your account. Share your contact details with your team. Set yourself as active or away.

Preferences

Change account preferences including default landing page, light/dark mode, timestamp format, and display timezone.

Customize your display to suit your preferences.

Notifications

Configure Cortex XSOAR to send you notifications via your preferred communication method(s), including email, mobile, and Slack.

Get notified of Cortex XSOAR events of interest to you, such as being assigned an incident. Disable unwanted notifications.

Marketplace

The Cortex XSOAR Marketplace provides access to hundreds of integrations that extend the functionality of Cortex XSOAR and allow communication with third-party services.

Menu Item

Description

What You Can Do

Browse

The central location for searching and installing Cortex XSOAR content, including playbooks, integrations, automations, and more.

Install out-of-the-box automation solutions released by Cortex XSOAR or contributed by other Cortex XSOAR users. Find third-party products to integrate with and get new use case ideas.

Installed Content Packs

View and manage your installed Cortex XSOAR content packs.

Stay up to date with the latest content packs. Update, downgrade, or uninstall content packs.

Contributions

Contribute Cortex XSOAR content that you have created, including playbooks, integrations, automations, and more.

You can contribute your content back to the community.

Deployment Wizard

The Deployment Wizard significantly reduces the time required to set up your use case. It guides you through the process of setting up your content pack for your specific use case,

You can set up your content pack for your specific use case, including configuring:

  • The fetching integration.

  • The main playbook and its input parameters.

  • Any supporting integrations.

Incidents

On the Incidents page, you can search for and interact with incidents that have been ingested from third-party integrations or manually created in Cortex XSOAR.

Incidents enable you to organize your investigation and response work. Each incident is a self documenting IR workbench where you can view incident details in a custom layout, run automations and playbooks on the incident, create notes, tag evidence items, and more.

Playground

The playground functions as a test environment that is not associated with any specific incident. Within the playground, you can run automations, commands, and playbooks, as well as debug custom content.

Playbooks

On the Playbooks page, you can browse, create, and customize Cortex XSOAR playbooks, which are workflows that link together ordered response steps including automations, manual tasks, and communication tasks.

Playbooks enable you to standardize and orchestrate your IR processes. A playbook helps ensure users follow a consistent response process, automates mundane response tasks, ties together your different IR tools, and gathers all relevant incident context and enrichment data in one centralized place.

Note

You can copy/paste tasks from one playbook to another by using keyboard shortcuts.

Automation

On the Automation page, you can browse, create, and customize Python, PowerShell, and JavaScript scripts for use in Cortex XSOAR. View the code for out-of-the-box scripts in order to troubleshoot, better understand, or build upon them. You can create custom scripts to extend Cortex XSOAR’s functionality to achieve your automation goals.

Dashboards & Reports

Dashboards include visualized data, including Cortex XSOAR incident, indicator, and system data, displayed for a rolling, relative timeframe. Dashboards enable you to track metrics, analyze trends that appear in your Cortex XSOAR data, and identify areas of concern. Dashboards can be customized with widgets that focus on the data points most relevant to your organization.

Reports also contain visualized data, but can be run for a specific time frame and automatically sent via email to internal or external stakeholders.

Jobs

Jobs allow you to schedule playbooks to run on a recurring basis, either at a specific time or triggered by new indicators ingested from a feed integration. With jobs, you can automate actions you would normally take on a recurring basis, such as compiling malicious indicators and sending them to the SOC for verification before they are blocked.

Threat Intel

Note

The Threat Intel page displays a table or summary view of all indicators. If you do not have a TIM license, the page is called Indicators.

Most Threat Intel features are available only with a Cortex XSOAR Threat Intel Management (TIM) license.

* = Features available only with a TIM license.

Menu Item

Description

What You Can Do

XSOAR Indicators

Indicators database. Search for, review, and interact with indicators including IPs, domains, URLs, hashes, and more.

Research threats and correlate indicators of compromise across multiple incidents. Track indicator properties such as their verdict and add tags to apply your own indicator classification and grouping logic.

Sample Analysis *

View detailed file sample analysis results from PANW WildFire.

Conduct in-depth research and analysis of file sample behaviors and characteristics based on WildFire’s sandboxed detonation of the file.

Sessions & Submissions *

For users of PANW firewalls, WildFire, Cortex XDR, Prisma SaaS, and/or Prisma Access, search and view firewall session and file sample submission data from these products.

Correlate file hashes observed in firewall sessions or submitted through other PANW products with hashes in Cortex XSOAR.

Threat Intel Reports *

Build and share rich threat intelligence reports.

Share threat intelligence reports with stakeholders either within or outside of Cortex XSOAR.