Cortex XSOAR navigation cheat sheet - Administrator Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Cloud Documentation

Product
Cortex XSOAR
Version
8
Creation date
2024-03-07
Last date published
2024-12-05
Category
Administrator Guide
Solution
Cloud
Abstract

Learn about commonly used features of Cortex XSOAR.

The main menu for Cortex XSOAR includes:

Feature

Description

My Incidents

Includes your favorites, incidents you own, and incidents you have participated in.

Dashboards & Reports

Dashboards include visualized data, including Cortex XSOAR incident, indicator, and system data, displayed for a rolling, relative time frame. Dashboards enable you to track metrics, analyze trends that appear in your Cortex XSOAR data, and identify areas of concern. Dashboards can be customized with widgets that focus on the data points most relevant to your organization.

Reports also contain visualized data, but can be run for a specific time frame and automatically sent via email to internal or external stakeholders.

Incidents

On the Incidents page, you can search for and interact with incidents that have been ingested from third-party integrations or manually created in Cortex XSOAR.

Incidents enable you to organize your investigation and response work. Each incident is a self-documenting IR workbench where you can view incident details in a custom layout, run scripts and playbooks on the incident, create notes, tag evidence items, and more.

Threat Intel (Indicators

The Threat Intel page displays a table or summary view of all indicators.

Note

If you do not have a TIM license, the page is titled Indicators. Most Threat Intel features are available only with a Cortex XSOAR Threat Intelligence license.

Includes the following:

  • Indicators: Indicators database. Search, review, and interact with indicators including IPs, domains, URLs, hashes. Research threats and correlate indicators of compromise across multiple incidents. Track indicator properties such as their verdict and add tags to apply your own indicator classification and grouping logic.

  • Sample Analysis (TIM license only): View detailed file sample analysis results from PANW WildFire. Conduct in-depth research and analysis of file sample behaviors and characteristics based on WildFire’s sandboxed detonation of the file.

  • Sessions & Submissions (TIM license only): For users of PANW firewalls, WildFire, Cortex XDR, Prisma SaaS, and/or Prisma Access, search and view firewall sessions and file sample submission data from these products. Correlate file hashes observed in firewall sessions or submitted through other PANW products with hashes in Cortex XSOAR.

  • Threat Intel Reports (TIM license only): Build and share rich threat intelligence reports. Share threat intelligence reports with stakeholders either within or outside of Cortex XSOAR.

Playbooks

On the Playbooks page, you can browse, create, and customize Cortex XSOAR playbooks, which are workflows that link together ordered response steps including scripts, manual tasks, and communication tasks.

Playbooks enable you to standardize and orchestrate your IR processes. A playbook helps ensure users follow a consistent response process, automates mundane response tasks, ties together your different IR tools, and gathers all relevant incident context and enrichment data in one centralized place.

Note

You can copy/paste tasks from one playbook to another by using keyboard shortcuts.

Scripts

On the Scripts page, you can browse, create, and customize Python, PowerShell, and JavaScript scripts for use in Cortex XSOAR. View the code for out-of-the-box scripts in order to troubleshoot, better understand, or build upon them. You can create custom scripts to extend Cortex XSOAR’s functionality to achieve your automation goals.

Jobs

Jobs allow you to schedule playbooks to run on a recurring basis, either at a specific time or triggered by new indicators ingested from a feed integration. With jobs, you can automate actions you would normally take on a recurring basis, such as compiling malicious indicators and sending them to the SOC for verification before they are blocked.

Marketplace

The Cortex Marketplace provides access to hundreds of integrations that extend the functionality of Cortex XSOAR and allow communication with third-party services. Includes the following:

  • Browse: The central location for searching and installing Cortex XSOAR content, including playbooks, integrations, and scripts.

  • Installed content packs: View and manage your installed Cortex XSOAR content packs.

  • Contributions: Contribute content that you have created, including playbooks, integrations, and scripts.

  • Deployment Wizard: The Deployment Wizard significantly reduces the time required to set up your use case. It guides you through the process of setting up your content pack for your specific use case, Relevant for phishing and malware content packs.

Settings & Info

Includes the following:

  • Cortex Gateway: Cortex Gateway allows you to activate new tenants and view and manage existing tenants and tenants available for activation that are allocated to your Customer Support Portal account.

  • Cortex XSOAR License: View information about the licenses, expiry dates, and the number of licensed and active users.

  • Management Audit Logs: View and export a historical audit trail of user actions taken in Cortex XSOAR.

  • Settings: Access the detailed Settings menu.

Tenant Navigator

if you have more than one Customer Support Portal account, you can view and pivot to all the tenants that you have access to, by clicking Tenant Navigator. In the Tenant Navigator, you can do the following:

  • View existing tenants

    The currently chosen tenant is marked by a green Active Session label. The tenants are grouped according to Customer Support Portal accounts.

  • Pivot to an existing tenant

    The current tenant is marked by a green Active Session label.

  • Search for a tenant

    If there are more than 5 tenants, a search option is available. If there are more than 5 tenants within a specific account, a list of tenants is available for that Customer Support Portal account.

  • Pivot to Cortex Gateway

  • Pivot to the Customer Support Portal

Note

If you do not have more than one account, the Tenant Navigator is unavailable.

User Menu (username)

  • About: Detailed information on Cortex XSOAR version.

  • User preferences: Change default landing page and configure notifications via your preferred communication method. Customize your display to suit your preferences. Get notified of Cortex XSOAR events of interest to you, such as being assigned an incident. Disable unwanted notifications.

  • Set Yourself as Away: Change your away/active status.

  • Log out: Log out of the Customer Support Portal