Evidence Handling - Administrator Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product: Cortex XSOAR
Version: 8
Creation date: 2024-09-18
Last date published: 2024-11-28
Category: Administrator Guide
Solution: Cloud
Status: Retiring; superseded by /r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation
Abstract

Add evidence to the Evidence Board to support your investigation. Mark any War Room entry as evidence, and tag it so that it can be found later.

You can view or designate any entry as evidence, which lets you reconstruct attack chains and assemble the key artifacts that support root-cause analysis.

In the War Room you can mark any entry as evidence by clicking the flag next to it. You can view the evidence in the War Room or open the evidence entry from the Evidence Board. When you mark an entry as evidence you must add a description; write it with enough detail that an analyst returning to the case later, or a reviewer who was not present, can tell what the entry shows and why it matters. Adding a tag lets you find the evidence later by searching for that tag. You can also record the date and time the event actually occurred, which is distinct from the time the entry was added to the War Room.
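Clicking the flag on each entry does not scale once an enrichment playbook has already tagged the relevant entries. The automation below is an added example written for this page, not code from the Cortex XSOAR documentation or the content repository; it does in bulk what the flag does by hand, supplying the same description, tags and occurrence time the Evidence Board shows. It assumes the built-in commands `getEntries` and `markAsEvidence` with the argument names `id`, `description`, `tags` and `occurred`, and an entry shape with `ID`, `Type`, `Tags` and `Created`; these are stated from memory of the built-in command reference, so verify them on your server (`!markAsEvidence` in the War Room CLI lists the accepted arguments). The sample entries are constructed.

```python
"""Added example for this page (not Cortex XSOAR's own code): mark tagged War Room
entries as evidence in bulk. Command names, argument names and the entry shape are
assumptions taken from memory of the built-in command reference; verify them on your
server before use."""
from datetime import datetime
from typing import Callable, Dict, List, Optional

try:
    import demistomock as demisto  # resolves inside XSOAR; absent elsewhere
except ImportError:
    demisto = None  # selection and validation logic below still runs stand-alone

ERROR_ENTRY_TYPE = 4  # EntryType.ERROR in CommonServerPython; never evidence

# Constructed sample of War Room entries (not real data), shaped like getEntries output.
SAMPLE_ENTRIES: List[Dict] = [
    {"ID": "4@201", "Type": 1, "Tags": ["ioc"], "Created": "2024-09-18T08:02:11.041Z",
     "Contents": "DNS lookup for update-cdn.example from 10.0.4.12"},
    {"ID": "7@201", "Type": 1, "Tags": ["ioc"], "Created": "2024-09-18T08:05:40.900Z",
     "Contents": "Outbound TCP/443 from 10.0.4.12 to 203.0.113.9"},
    {"ID": "9@201", "Type": 1, "Tags": [], "Created": "2024-09-18T08:06:02Z",
     "Contents": "Analyst note: pulling proxy logs"},
    {"ID": "13@201", "Type": ERROR_ENTRY_TYPE, "Tags": ["ioc"], "Created": "2024-09-18T08:09:15Z",
     "Contents": "Command failed: enrichment timeout"},
]


def parse_ts(ts: str) -> datetime:
    """Parse a UTC 'Z' timestamp; XSOAR fractions can exceed microseconds, so trim to six digits."""
    if ts.endswith("Z"):
        ts = ts[:-1] + "+00:00"
    if "." in ts:
        base, rest = ts.split(".", 1)
        n = 0
        while n < len(rest) and rest[n].isdigit():
            n += 1
        ts = f"{base}.{rest[:n][:6].ljust(6, '0')}{rest[n:]}"
    return datetime.fromisoformat(ts)


def select_entries(entries: List[Dict], tag: str, since: Optional[str] = None) -> List[Dict]:
    """Entries carrying `tag`, excluding error entries and anything created before `since`,
    in chronological order so the result already reads as a timeline."""
    cutoff = parse_ts(since) if since else None
    chosen = [
        e for e in entries
        if tag in e.get("Tags", []) and e.get("Type") != ERROR_ENTRY_TYPE
        and (cutoff is None or parse_ts(e["Created"]) >= cutoff)
    ]
    return sorted(chosen, key=lambda e: parse_ts(e["Created"]))


def build_evidence_args(entry: Dict, description: str, tags: List[str]) -> Dict[str, str]:
    """Argument set for markAsEvidence (names assumed, see module docstring).
    The Evidence Board requires a description, so refuse to mark without one."""
    if not description or not description.strip():
        raise ValueError(f"entry {entry['ID']}: evidence needs a description")
    return {
        "id": entry["ID"],
        "description": description.strip(),
        "tags": ",".join(t for t in tags if t),  # comma-separated list (assumed format)
        "occurred": entry["Created"],  # when the event happened; entry creation is the default
    }


def mark_entries(entries: List[Dict], tag: str, description: str, extra_tags: List[str],
                 execute: Callable[[str, Dict], object], since: Optional[str] = None) -> List[Dict]:
    """Mark each selected entry through `execute` (demisto.executeCommand inside XSOAR).
    Returns the argument sets used so the caller can report or audit what was flagged."""
    used = []
    for entry in select_entries(entries, tag, since):
        args = build_evidence_args(entry, description, [tag, *extra_tags])
        execute("markAsEvidence", args)
        used.append(args)
    return used


def main() -> None:
    """Entry point inside XSOAR; script arguments: tag, description, extra_tags, since."""
    args = demisto.args()
    entries = demisto.executeCommand("getEntries", {"id": demisto.incident()["id"]})
    extra = [t.strip() for t in args.get("extra_tags", "").split(",") if t.strip()]
    used = mark_entries(entries, args["tag"], args["description"], extra,
                        demisto.executeCommand, args.get("since"))
    demisto.results(f"Marked {len(used)} entries as evidence: "
                    + ", ".join(a["id"] for a in used))


if __name__ in ("__main__", "__builtin__", "builtins"):
    if demisto is not None:
        main()
    else:  # dry run outside XSOAR over the constructed sample
        mark_entries(SAMPLE_ENTRIES, "ioc", "Beacon activity from 10.0.4.12", ["c2"],
                     lambda cmd, a: print(f"[dry run] {cmd} {a}"))
```

The error entry (`Type` 4) is skipped even though it carries the tag, the untagged analyst note is left alone, and every flagged entry ends up with both the search tag and the extra tag, so a later tag search on the Evidence Board returns the whole chain. Entry IDs of the form `4@201` are the entry number at the incident it belongs to.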

Custom Evidence Fields

To create custom evidence fields, go to Settings & Info > Settings > Object Setup > Incidents > Evidence Fields > New Field. When you mark entries as evidence in the War Room, you can then enter data for your custom evidence fields.

Evidence Board

The Evidence Board stores key artifacts for current and future analysis. Here you can view and manage the entries that were flagged as evidence in the War Room.

You can search for evidence and select the date range when the evidence occurred.

Use the toggle button to switch between Table View and Summary View. In Table View you can remove or export evidence, or show it in the War Room. In Summary View you can remove or edit evidence.