Using Cortex XSOAR, you can set up integrations with your security products, security services, and any other components that make up your security operations environment. You can then ingest events from these integrations and transform them into incidents in Cortex XSOAR.
After the incidents are created, you can run playbooks on these incidents to enrich them with information from other products and services, which helps optimize investigation and response. You can also use scripts to determine if an incident requires further investigation or can be closed based on the findings. This enables your analysts to focus on the minority of incidents that require further investigation.
Understanding the stages of the incident lifecycle will help you design your use case, including the requirements for customizing or building your own playbook.
The following is an example of an incident lifecycle flow.
1. Plan the incident process per incident type (fully automated, manual, or hybrid). Analyze the SOC's current workflows and categorize the incident types you expect to handle.
2. Define how incidents will be classified (assigned to an incident type) in Cortex XSOAR. Classification determines which incidents are included in this flow.
3. Pre-process incidents: apply scripts to incidents before they are ingested to eliminate false positives and duplicate incidents. This keeps a clean set of active incidents for analysts to concentrate on.
4. Run playbooks to analyze the incidents.
5. Define analyst intervention in the incident (in the playbook with communication tasks, ad-hoc tasks, and manual tasks, and also in the dashboards).
6. Display data in Cortex XSOAR for analysts to view. This covers how the incident data is presented (mapping) and how the incident details are presented to the analyst in layouts and dashboards.
7. Remediate and close the investigation, including post-processing. These are actions to take when the incident is over (for example, close the incident and force or encourage the analyst to specify a close reason).
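As an added example (not from the Cortex XSOAR documentation or product code), this is the decision logic a pre-processing script in the pre-processing step above could implement: drop known false positives and recognize duplicates of recently created open incidents. The incident fields, the allowlist and the 24-hour window are assumptions made for the example; the XSOAR glue (reading the incoming incident, querying existing incidents, and returning true to create or false to drop) is left out.

```python
from datetime import datetime, timedelta

# Constructed allowlist of (incident type, sender) pairs treated as known false
# positives; in a real deployment this would live in an XSOAR list.
KNOWN_FALSE_POSITIVES = {("Phishing", "newsletter@example.com")}

# An incoming incident that matches an open incident created inside this
# window is treated as a duplicate of it.
DEDUP_WINDOW = timedelta(hours=24)


def dedup_key(incident):
    """Fields that identify 'the same' incident (chosen for this example; the
    right fields depend on how the incident type is mapped)."""
    return (incident["type"], incident.get("sourceip"), incident["name"])


def preprocess_decision(incoming, recent_incidents, now):
    """Return ("drop", None) for a known false positive, ("duplicate", id) when
    an open incident with the same key exists inside DEDUP_WINDOW, otherwise
    ("create", None)."""
    if (incoming["type"], incoming.get("sender")) in KNOWN_FALSE_POSITIVES:
        return ("drop", None)
    key = dedup_key(incoming)
    for existing in recent_incidents:
        if existing.get("closed"):
            continue  # closed incidents do not absorb new ones
        created = datetime.fromisoformat(existing["created"])
        if now - created <= DEDUP_WINDOW and dedup_key(existing) == key:
            return ("duplicate", existing["id"])
    return ("create", None)


# Constructed sample data: two existing incidents and three incoming ones.
NOW = datetime(2024, 5, 1, 12, 0)
RECENT = [
    {"id": "1002", "type": "Malware", "sourceip": "10.0.0.5",
     "name": "Suspicious process", "created": "2024-04-28T09:00:00"},
    {"id": "1001", "type": "Malware", "sourceip": "10.0.0.5",
     "name": "Suspicious process", "created": "2024-05-01T10:00:00"},
]
INCOMING = [
    {"type": "Malware", "sourceip": "10.0.0.5", "name": "Suspicious process"},
    {"type": "Phishing", "sender": "newsletter@example.com", "name": "Newsletter"},
    {"type": "Malware", "sourceip": "10.0.0.9", "name": "Suspicious process"},
]

if __name__ == "__main__":
    for inc in INCOMING:
        print(inc["name"], "->", preprocess_decision(inc, RECENT, NOW))
```

The first incoming incident is linked to incident 1001 (the older 1002 is outside the window), the second is dropped by the allowlist, and the third is created.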