Navigation Cheat Sheet - Administrator Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Cortex XSOAR
Creation date
Last date published
Administrator Guide

Learn about commonly used features of Cortex XSOAR.

The main menu for Cortex XSOAR includes:

My Incidents

Includes your favorites, incidents you own, and incidents you have participated in.

Dashboards & Reports


Create, edit, and share dashboards and reports. Explore visualized data, track metrics, and analyze trends.

Dashboards include visualized data, including Cortex XSOAR incident, indicator, and system data, displayed for a rolling, relative timeframe. Dashboards enable you to track metrics, analyze trends that appear in your Cortex XSOAR data, and identify areas of concern. Dashboards can be customized with widgets that focus on the data points most relevant to your organization.

Reports also contain visualized data, but can be run for a specific timeframe and automatically sent via email to internal or external stakeholders.


On the Incidents page, you can search for and interact with incidents that have been ingested from third-party integrations or manually created in Cortex XSOAR.

Incidents enable you to organize your investigation and response work. Each incident is a self documenting IR workbench where you can view incident details in a custom layout, run scripts and playbooks on the incident, create notes, tag evidence items, and more.

Threat Intel (Indicators)


The Threat Intel page displays a table or summary view of all indicators. If you do not have a TIM license, the page is titled Indicators. Most Threat Intel features are available only with a Cortex XSOAR Threat Intel Management (TIM) license.

* = Features available only with a TIM license.

Menu Item


What You Can Do


Indicators database. Search, review, and interact with indicators including IPs, domains, URLs, hashes, and more.

Research threats and correlate indicators of compromise across multiple incidents. Track indicator properties such as their verdict and add tags to apply your own indicator classification and grouping logic.

Sample Analysis *

View detailed file sample analysis results from PANW WildFire.

Conduct in-depth research and analysis of file sample behaviors and characteristics based on WildFire’s sandboxed detonation of the file.

Sessions & Submissions *

For users of PANW firewalls, WildFire, Cortex XDR, Prisma SaaS, and/or Prisma Access, search and view firewall session and file sample submission data from these products.

Correlate file hashes observed in firewall sessions or submitted through other PANW products with hashes in Cortex XSOAR.

Threat Intel Reports *

Build and share rich threat intelligence reports.

Share threat intelligence reports with stakeholders either within or outside of Cortex XSOAR.


In the Playbooks page, you can browse, create, and customize Cortex XSOAR playbooks, which are workflows that link together ordered response steps including scripts, manual tasks, and communication tasks.

Playbooks enable you to standardize and orchestrate your IR processes. A playbook helps ensure users follow a consistent response process, automates mundane response tasks, ties together your different IR tools, and gathers all relevant incident context and enrichment data in one centralized place.


You can copy/paste tasks from one playbook to another by using Keyboard Shortcuts.


On the Scripts page, you can browse, create, and customize Python, PowerShell, and JavaScript scripts for use in Cortex XSOAR. View the code for out-of-the-box scripts in order to troubleshoot, better understand, or build upon them. You can create custom scripts to extend Cortex XSOAR’s functionality to achieve your automation goals.


Jobs allow you to schedule playbooks to run on a recurring basis, either at a specific time or triggered by new indicators ingested from a feed integration. With jobs, you can automate actions you would normally take on a recurring basis, such as compiling malicious indicators and sending them to the SOC for verification before they are blocked.


The Cortex XSOAR Marketplace provides access to hundreds of integrations that extend the functionality of Cortex XSOAR and allow communication with third party services.

Menu Item


What You Can Do


The central location for searching and installing Cortex XSOAR content, including playbooks, integrations, scripts, etc.

Install out-of-the-box automation solutions released by Cortex XSOAR or contributed by other Cortex XSOAR users. Find third-party products to integrate with and get new use case ideas.

Installed Content Packs

View and manage your installed Cortex XSOAR content packs.

Stay up to date with the latest content packs. Update, downgrade, or uninstall content packs.


Contribute Cortex XSOAR content that you have created, including playbooks, integrations, scripts, and more.

You can contribute your content back to the community.

Deployment Wizard

The Deployment Wizard significantly reduces the time required to set up your use case. It guides you through the process of setting up your content pack for your specific use case,

You can set up your content pack for your specific use case, including configuring:

  • The fetching integration.

  • The main playbook and its input parameters.

  • Any supporting integrations.

Settings & Info

You can also change the display to day or light mode.

Menu Item


Cortex Gateway

The Cortex Gateway allows you to activate new tenants and view and manage existing tenants and tenants available for activation that are allocated to your Customer Support Portal (CSP) account.

Cortex XSOAR License

View information about the licenses, expiry dates, and the number of licensed and active users.

Management Audit Logs

View and export a historical audit trail of user actions taken in Cortex XSOAR.


Access the detailed Settings menu.


Menu Item


What You Can Do



Set up your Cortex XSOAR instance to communicate with third-party tools.

Integrations are key to unlocking the power of Cortex XSOAR. Set up the tools in your environment to communicate with each other, correlate data, and orchestrate your response actions.

Integration Permissions

Assigns permissions to commands in integrations.

Restrict commands, instances, and permitted roles for integrations.

Integration Log

Displays integration log details, including status and error messages.

Refresh the display, filter by field, export to tsv file.


Securely store credentials for use with integration instances.

Store credentials that may be used with multiple integration instances. If the credential changes, you only need to edit the credential in one place in Cortex XSOAR and the change will carry over to all instances using the credential.


Create, view, and manage Cortex XSOAR engines, which are servers used for proxying.

Use engines as a proxy to allow communication between a remote network and your Cortex XSOAR tenant. For example, communication between an internal network segment that cannot connect to the Internet and your Cortex XSOAR tenant. You can also use engines to distribute a processing load across servers.

External Dynamic List Integration

Configure the Generic Export Indicators Service.

Create an External Dynamic List to share a list of Cortex XSOAR indicators with other products in your network, such as a firewall or SIEM.

API Keys

Generate Cortex XSOAR REST API keys.

The Cortex XSOAR REST API enables you to automate activities for Cortex XSOAR, including batch creating, deleting, and closing incidents, batch editing indicators, managing users, and much more.

Syslog Servers

Add and manage syslog servers.

Configure Cortex XSOAR to send audit notifications to syslog servers.

Object Setup


Manage Cortex XSOAR incident objects such types, fields, layouts, classifiers, and mappers.

Configure the properties of Cortex XSOAR objects:

  • Edit a type to set its layout (and playbook, for incidents).

  • Edit a classifier to determine how ingested objects (for example, incidents) are classified into incident types.

  • Add new fields to make them available to add to a mapper or layout.

  • Edit a mapper to control the values mapped to fields.

  • Set indicators to be ignored by Cortex XSOAR. Excluded indicators are not created in the indicators database and are not enriched, conserving API queries and reducing clutter.


Manage indicator objects such as types, fields, layouts, classifiers, mappers, and the exclusion list.

Threat Intel Reports

Build and share rich threat intelligence reports.Threat Intel Reports

Share threat intelligence reports with stakeholders either within or outside of Cortex XSOAR.

Access Management


View and manage users.

Add/edit roles, user groups, accumulated permissions, import multiple user roles, etc.


View, create, edit, and delete roles.

Control access and permission levels (none, read only, or read/write) to different sections of the Cortex XSOAR platform based on roles, one or more of which can be assigned to each user.

User Groups

View and manage user groups

Import a group from Active Directory and manage user groups

Single Sign-on

Log in using SAML 2.0

Set up SSO using SAML 2.0



Save freeform text data that can be read and updated by playbooks and scripts.

Lists function as global variables in Cortex XSOAR, and are useful when data needs to be accessed or updated across multiple incidents. For example, a list can be used to store a mapping of usernames to email addresses to perform lookups.

Content Repository

Relevant if using the content repository feature. Review content item changes on development and push to production.

Push content items to the production tenant so they are available for installation on production.


Server Settings

Change system server settings.

Configure the quick launch keyboard shortcut, timestamp format and timezone, add a logo, and import/export custom content. Add server configurations for advanced customization and troubleshooting.

Security Settings

Manage sessions, user expiration, and allowed domains.

Configure expiration time periods for user logins and dashboards, allow access from only approved domains or IP ranges, and disable access for users who haven’t logged in for an extended period of time.

Audit Notifications

Forward Management Audit Logs.

Add forwarding configurations to send management audit log notifications to an email distribution list or external syslog server.

User Menu (Username)

Menu Item


What You Can Do


Detailed information on Cortex XSOAR version.

Copy to the clipboard.

User Preferences

Change default landing page and configure notifications via your preferred communication method.

Customize your display to suit your preferences. Get notified of Cortex XSOAR events of interest to you, such as being assigned an incident. Disable unwanted notifications.

Set Yourself as Away

Change your away/active status.


Log out

Log out of the CSP.