Introduction to Cortex XSOAR

Cortex XSOAR Administrator Guide

Product: Cortex XSOAR
Version: 8
Creation date: 2024-02-14
Last date published: 2024-04-15
Category: Administrator Guide
Solution: Cloud
Abstract

Learn about Cortex XSOAR’s features and navigation

Cortex XSOAR is the industry’s first extended security orchestration and automation platform. It simplifies security operations by unifying automation, case management, real-time collaboration, and threat intel management.

Cortex XSOAR ingests aggregated alerts and indicators of compromise (IOCs) from detection sources, such as security information and event management (SIEM) solutions, network security tools, threat intelligence feeds, and mailboxes, and then executes automatable, process-driven playbooks to enrich and respond to the resulting incidents. These playbooks coordinate actions across technologies, security teams, and external users, giving centralized visibility into the data and a single place to act on it.

Cortex XSOAR is built on the Cortex Platform, which offers:

  • Improved performance, scalability, and reliability.

  • Centralized user management.

  • An enhanced user experience that is unified with the broader Cortex portfolio.

  • Simplified deployment and on-boarding across the Cortex portfolio.

  • A built-in Git repository for sharing content between development and production instances.

Cortex XSOAR for Cloud uses a cloud-native architecture that scales with ongoing growth needs and benefits from Cortex's global cloud presence, regulatory compliance, and extended certifications. The Cortex Cloud Platform runs on Google Cloud Platform (GCP) and is available from many cloud locations globally.

With a Threat Intel Management license, Cortex XSOAR provides a Threat Intelligence Platform with actionable threat data from Unit 42. You can identify new malware families or campaigns and create and disseminate strategic intelligence reports.

This guide is split into the following sections:

  • Introduction to Cortex XSOAR

    If you are new to Cortex XSOAR, start here to become familiar with the terms and concepts used, the CLI, Markdown, and so on. The Navigation Cheat Sheet is a good place to begin, as it summarizes the UI and many of the common settings.

  • Getting Started

    This section helps you get up and running: activating the Cortex XSOAR tenant, setting up SSO, adding roles, adding engines, configuring a dev/prod environment, and so on.

  • Customize and Configure Cortex XSOAR

    After you have set up the tenant, you can start to customize Cortex XSOAR. Indicators and incidents can have custom types, fields, and layouts. You can set up integrations to ingest incidents, enrich indicators, and more. Dashboards and reports let you organize and present the most relevant information. You can customize out-of-the-box playbooks or build your own to match the workflows and integrations relevant to your organization.

  • Day to Day Tasks in Cortex XSOAR

    This section provides the nuts and bolts of everyday tasks in Cortex XSOAR: managing incidents, extracting and enriching indicators, and investigating and remediating security threats.

  • Reference

    This section lists the server configurations used in Cortex XSOAR, together with details on managing audit logs, and the keyboard shortcuts.