Ingest Incidents from a SIEM Using QRadar - Tutorials - 6.x - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR 6.x Tutorials

Product: Cortex XSOAR
Version: 6.x
Creation date: 2022-10-13
Last date published: 2023-06-05
Category: Tutorials

The information in this tutorial is intended for Cortex XSOAR (SOC) engineers or architects. The goal of this tutorial is to explain how a Cortex XSOAR architect should design the platform and incident life cycle so that SOC analysts can easily identify and digest critical incident data and quickly and confidently make decisions.

The tutorial walks you step-by-step through designing the incident life cycle: configuring your Cortex XSOAR instance, ingesting and processing security events, and creating the right configuration for investigating and closing them. The tutorial uses QRadar as the SIEM, but the general flow applies to any SIEM and to other data sources.

By the end of this tutorial, you will have configured your integration and set up a basic flow, as well as started to ingest incidents from the SIEM to Cortex XSOAR.

As you progress through configuring Cortex XSOAR, always have the analyst journey in mind. Your end goal is to make the SOC efficient, which means creating flows that require the analyst to spend the least amount of time on each incident, and ensuring they have all the tools and data to make accurate and confident decisions.

By the time an analyst picks up an incident for investigation, a series of actions will already have been taken on the incident, most of which you as the architect will design. Designing flows for an analyst in Cortex XSOAR is a balance between gathering and processing as much relevant data as possible while only displaying the data and suggesting actions that analysts require for resolving incidents.

Your goal should be to automate as much of the process as possible and leave the analyst to make accurate and confident decisions when needed.

This tutorial includes the following topics:

  • Incident Lifecycle

  • Architect Flow

  • Analyst Flow

  • Prerequisites

  • Set up Your IBM QRadar Integration Instance

  • Run a Playbook

  • Analyze Incident Data