Server Configurations - Administrator Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product
Cortex XSOAR
Version
8
Creation date
2023-11-02
Last date published
2024-02-21
Category
Administrator Guide
Abstract

Customize and troubleshoot Cortex XSOAR with server configuration settings.

Cortex XSOAR provides custom server configuration settings that enable you to customize your Cortex XSOAR environment on the tenant level. You can also use custom server configuration settings in situations where you experience issues or need to troubleshoot situations in your environment.

To modify or add server configurations:

  1. Navigate to Settings & InfoSettingsSystemServer SettingsServer Configuration.

  2. Click + Add Server Configuration or edit an existing configuration.

  3. Enter the key and value.

  4. Click Save.

Engines

Key

Description

Default

engine.test.command.timeout<brand-name>

Increases the timeout, in seconds, for a specific integration when using an engine. For example, change it to 300 seconds. Type in this format adding the brand name: engine.test.command.timeoutTanium.

60

engines.notification.users

Specifies which users receive an email notification when an engine disconnects. A comma-separated list of Cortex XSOAR users. For example, user1,user2,user3. For more information, see Notify Users When an Engine Disconnects.

N/a

Google API

Key

Description

Default

UI.google.api.key

Entities that have Geo-location information (latitude and longitude) can be displayed on a Google map, by utilizing the Google Map API (which is required). For example, if you want to see the physical location of a computer that was attacked by Malware. To display the physical location of an entity on a map, run the this command with the value: Google Maps API Key. For more information, see How To Display a Geo-location Using Google Maps in the War Room.

N/a

Incidents

Key

Description

Default

incident.closereasons

Customizes incident close reasons in a comma separated list. For example, false positive, resolved, duplicate, low priority, invalid, other.

false positive, resolved, duplicate, other

inline.edit.on.blur

By default, when editing the following inline values in an incident/indicator/threat intel reports, the changes are not saved until you confirm your changes (clicking the checkmark icon in the value field).

  • Dropdown values, such as Owner, Severity, etc.

  • Text values, such as Asset ID. (You can only edit when you click the pencil in the value field).

These icons are designed to let you have an additional level of security before you make changes to the fields in incidents/indicators.

Set this configuration to true, to enable you to make changes to the inline fields without clicking the checkmark. The changes are automatically saved when clicking anywhere on the page or when navigating to another page. For text values you can also click anywhere in the value field to edit.

false

investigation.prevent.modify.closed

Whether to add chats and notes to closed investigation (set to false to allow).

true

module.health.notification.users

List of names in CSV format to receive notifications when an integration experiences a fetch error. For more information, see Receive Notification on an Incident Fetch Error.

N/a

Export.utf8bom

Whether to Export Incidents and Indicators to CSV Using the UTF8-BOM Format.

False

Indicators

Key

Description

Default

enrichment.reputationScript.reliability

The reliability of the score from a reputation script. For more information, see Indicator Type Profile

A++

indicator.timeline.auto.extract.enabled

Enables the indicator timeline in the indicator extraction flow. For more information, see Configure the indicator timeline.

true

indicator.timeline.enabled

Enables the indicator timeline in all flows. For more information, see Configure the indicator timeline.

true

Integrations

Key

Description

Default

<integration_name>.<command_name>.timeout

Timeout in minutes for specific integration commands.

3

sync.mirror.job.delay

The interval for the job in minutes. For more information, see Special Server Configurations.

1

sync.mirror.job.enable

Enable or disable the mirroring job. For more information, see Special Server Configurations.

enable

Notifications

Key

Description

Default

content.notification.enabled

Set to true to enable notification for new content updates.

false

content.notification.users

Notifies all users by email when there is a content update available (comma separated user names in Cortex XSOAR).

N/a

message.ignore.failedFetchIncidents

Whether to ignore failed fetch incident messages. For more information, see Receive Notification on an Incident Fetch Error.

false

message.ignore.incidentChanged

Whether to disable notifications when an incident is changed.

false

message.ignore.incidentOpened

Whether to disable notifications, when an incident is opened.

false

message.ignore.incidentAssigned

Whether to disable notifications when an incident is assigned.

false

message.ignore.investigationClosed

Whether to disable notifications when an incident is closed.

false

module.health.notification.users

List of names in CSV format. For example, user1,user2,user3. For more information, see Receive Notification on an Incident Fetch Error.

N/a

server.notification.using.send-mail

Select which email sender should send the notification. For more information, see Configure System Notifications.

Playbooks

Key

Description

Default

soc.name

Customizes the SOC name in the survey header for an Ask task. For more information, see Customize the SOC Name.

N/a

comm.ask.linktocontext.enabled

Whether to display the links generated for an Ask task in the Context Data of the Work Plan.

true

comm.datacollection.linktocontext.disabled

Whether to display the links generated for a Data Collection task in the Context Data of the Work Plan.

true

Proxy

Key

Description

Default

condition.ask.external.link

The address (including the HTTPS prefix) of the proxy used for external user communication in a conditional task.

N/a

Reports

Key

Description

Default

reports.time.zone

Configure the timezone for widgets in a report. For more information, see Configure the timezone in a report.

Local time/Location

Scripts

Key

Description

Default

script.timeout

The timeout, in minutes, to prevent blank pages when running a script. If you generate a report that runs a script and has blank pages you can Troubleshoot Reports.

3

SLAs

Key

Description

Default

sla.risk.threshold

Change the risk threshold for SLAs.

72 hours

Widgets

Key

Description

Default

ROI.Cost.ManHour

Amount in Dollars. Relevant for ROI widget. For more information, see Saved By Dbot (ROI) Widget.

60