Evidence Handling - Administrator Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Cloud Documentation

Product
Cortex XSOAR
Version
8
Creation date
2024-03-07
Last date published
2024-11-04
Category
Administrator Guide
Solution
Cloud
Abstract

Add evidence to the evidence board to assist with your investigation. Mark any entity as evidence in the War Room by adding tags.

While you're investigating an incident, you can add notes and evidence to assist you with your investigation.

Notes can help you understand why certain actions were taken and assist future decisions. Notes are highlighted, so you can easily find them, especially in the War Room.

When you mark an artifact as evidence, it is added to the Evidence Board tab, where you can see all evidence artifacts for current and future analysis in a single location.

Note

You can change a note to evidence or vice versa, and the same entry can be both a note and evidence.

How to add evidence

You can add evidence in any of the following ways:

  • War Room entry: In a War Room entry, click Mark as Evidence. Add a description that contains enough information for future reference. Adding a tag helps you find the evidence later by searching for that tag. You can also add the time and date when the event occurred. When adding a time/date, save it before updating the evidence.

  • Upload a file: Upload a file to the War Room and select Mark as Evidence.

  • CLI: Run the !AddEvidence entryIDs=<ID of the War Room entry> command. In the relevant War Room entry, click Copy to CLI to retrieve the entry ID.

  • Playbook task: In a playbook task, use the Advanced tab. Tasks can be automatically added as evidence from script outputs.

  • Case Info tab: If the Case Info tab includes an EVIDENCE section, you can add evidence to that section.

Whenever you add evidence, this appears in both the Evidence Board tab and the EVIDENCE section in your layout.
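As an added example of the scripted route (not Palo Alto Networks' own code), the automation below marks every War Room entry carrying a chosen tag as evidence through the AddEvidence command and refuses entries without a description. It assumes the XSOAR SDK's demisto.executeCommand() and the AddEvidence argument names entryIDs, desc, tags and occurred; the War Room entries are constructed sample data.

```python
"""Mark tagged War Room entries as evidence from an XSOAR automation."""
from datetime import datetime

try:
    import demistomock as demisto  # assumed XSOAR SDK module, present inside XSOAR
except ImportError:                # outside XSOAR the helpers still run and are testable
    demisto = None

# Constructed sample War Room entries (not real data): entry ID, tags and contents.
SAMPLE_ENTRIES = [
    {"ID": "12@101", "Tags": ["triage"], "Contents": "whois lookup"},
    {"ID": "15@101", "Tags": ["evidence", "c2"], "Contents": "DNS query to beacon host"},
    {"ID": "19@101", "Tags": ["Evidence"], "Contents": "hash match in EDR"},
]


def select_entries(entries, wanted_tag):
    """Return the IDs of entries whose tags include wanted_tag (case-insensitive)."""
    wanted = wanted_tag.lower()
    return [e["ID"] for e in entries
            if any(t.lower() == wanted for t in e.get("Tags", []))]


def build_add_evidence_args(entry_ids, description, tags, occurred=None):
    """Build the AddEvidence argument dict (argument names are assumed; check
    !AddEvidence help on your server). Lists are comma-joined because XSOAR command
    arguments are strings; a missing 'occurred' is left out and shows as Unknown."""
    if not entry_ids:
        raise ValueError("no War Room entries to mark as evidence")
    if not description or not description.strip():
        raise ValueError("evidence needs a description for future reference")
    args = {"entryIDs": ",".join(entry_ids),
            "desc": description.strip(),
            "tags": ",".join(tags)}
    if occurred:
        datetime.fromisoformat(occurred)  # reject malformed timestamps early
        args["occurred"] = occurred
    return args


def mark_tagged_entries(entries, wanted_tag="evidence", description="auto-marked by playbook"):
    """Mark every entry carrying wanted_tag as evidence; returns the arguments used."""
    args = build_add_evidence_args(select_entries(entries, wanted_tag),
                                   description, [wanted_tag, "auto-evidence"])
    if demisto is not None:  # the command only exists inside XSOAR
        demisto.executeCommand("AddEvidence", args)
    return args
```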

Evidence Board

The Evidence Board tab shows all the entries marked as evidence for current and future analysis. Typically, you use the Evidence Board to:

  • Reconstruct attack chains.

  • Assemble key pieces of verification for root cause discovery.

  • Construct a timeline of events that further clarifies your incident response.

  • Support audit reports and compliance requirements by showing how you reached a decision.

You can search for evidence and select the date range when the evidence occurred.

When viewing an Evidence artifact you can see the following fields:

  • occurred: The time/date you entered for when the artifact occurred, for example, when the file was created. If no time/date is specified, it is marked as Unknown.

  • fetched: The time/date when the entry was created in Cortex XSOAR.

  • markedDate: The time/date when you marked the entry as evidence.

  • MarkedBy: The user who marked the entry as evidence.

  • Any Evidence fields you have added to the tab.

You can also edit or remove evidence from the Evidence Board.

Use the toggle button to switch between Table View and Summary View. In the Table View, you can remove, export, or show evidence in the War Room. In the Summary View, you can remove or edit the evidence.