Add evidence to the evidence board to assist with your investigation. Mark any entity as evidence in the War Room by adding tags.
While you're investigating an incident, you can add notes and evidence to assist you with your investigation.
Notes can help you understand why certain actions were taken and assist future decisions. Notes are highlighted, so you can easily find them, especially in the War Room.
When you mark an artifact as evidence, it is added to the Evidence Board tab, which lets you see all evidence artifacts for current and future analysis in a single location.
Note
You can change a note to evidence or vice versa, and the same entry can be both a note and evidence.
How to add evidence
You can add evidence by doing the following:
Action | Description |
---|---|
War Room Entry | In a War Room entry, click Mark as Evidence. Add a description with enough information for future reference. Adding a tag lets you find the evidence later by searching for that tag. You can also add the time and date when the event occurred; when adding a time/date, save it before updating the evidence. |
Upload a file | Upload a file to the War Room by selecting Mark as Evidence. |
Using the CLI | Run the command from the CLI with the ID of the War Room entry. To retrieve the ID, open the relevant War Room entry and click Copy to CLI. |
Playbook task | In a playbook task, use the Advanced tab. Task outputs can be added as evidence automatically from script outputs. |
Case Info tab | If the Case Info tab includes an EVIDENCE section, you can add evidence directly in that section. Whenever you add evidence, it appears both in the Evidence Board tab and in the EVIDENCE section of your layout. |
Evidence Board
The Evidence Board tab shows all the entries marked as evidence for current and future analysis. Typically you can use the Evidence Board to do the following:
Reconstruct attack chains
Piece together the key pieces of verification needed for root cause discovery
Construct a timeline of events that can further clarify your incident response
Use it for audit reports and compliance requirements to show how you reached a decision.
You can search for evidence and select the date range when the evidence occurred.
When viewing an Evidence artifact you can see the following fields:
occurred: The time/date you entered for when the artifact occurred, for example when the file was created. If no time/date is specified, it is marked as Unknown.
fetched: The time/date when the entry was created in Cortex XSOAR.
markedDate: The time/date when you marked it as evidence.
markedBy: The user who marked it as evidence.
Any Evidence fields you have added to the tab.
You can also edit or remove evidence from the Evidence Board.
Use the toggle button to switch between Table View or Summary View. In the Table View, you can remove, export, or show evidence in the War Room. In the Summary View you can remove or edit the evidence.
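The timeline use of the Evidence Board described above, as an added example that is not part of the Cortex XSOAR documentation or product code: it orders evidence entries by the documented occurred/fetched fields and falls back to fetched when occurred is Unknown. The JSON layout of the entries, the ids, tags and sample values are assumptions constructed for this example.

```python
from datetime import datetime

# Constructed sample evidence entries. The field names occurred, fetched,
# markedDate and markedBy are the ones the Evidence Board shows; the JSON
# layout, ids, tags and values are assumptions for this example.
SAMPLE_EVIDENCE = [
    {"id": "e1", "description": "Phishing email delivered to user",
     "occurred": "2024-03-01T08:02:00Z", "fetched": "2024-03-01T09:10:00Z",
     "markedDate": "2024-03-01T09:30:00Z", "markedBy": "analyst1",
     "tags": ["initial-access"]},
    {"id": "e2", "description": "Suspicious process tree from EDR",
     "occurred": "Unknown", "fetched": "2024-03-01T07:50:00Z",
     "markedDate": "2024-03-01T09:35:00Z", "markedBy": "analyst2",
     "tags": ["execution"]},
    {"id": "e3", "description": "Malicious attachment first seen by mail gateway",
     "occurred": "2024-02-28T23:00:00Z", "fetched": "2024-03-01T09:12:00Z",
     "markedDate": "2024-03-01T09:40:00Z", "markedBy": "analyst1",
     "tags": ["initial-access", "attachment"]},
]


def parse_ts(value):
    """Return an aware datetime, or None for a missing or Unknown value."""
    if not value or value == "Unknown":
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def event_time(entry):
    """Best-known event time: 'occurred' if set, otherwise 'fetched'.

    Returns (datetime, source) so the caller can see which field was used.
    """
    occurred = parse_ts(entry.get("occurred"))
    if occurred is not None:
        return occurred, "occurred"
    return parse_ts(entry["fetched"]), "fetched"


def build_timeline(entries, tag=None):
    """Order evidence chronologically, optionally keeping only entries carrying a tag."""
    selected = [e for e in entries if tag is None or tag in e.get("tags", [])]
    rows = []
    for e in selected:
        when, source = event_time(e)
        rows.append({"id": e["id"], "when": when, "source": source,
                     "description": e["description"], "markedBy": e["markedBy"]})
    return sorted(rows, key=lambda r: r["when"])
```

Entries whose time came from fetched rather than occurred are flagged by the source field, so the analyst knows which points of the timeline still need a confirmed occurrence time.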