Investigate an incident - Administrator Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Cloud Documentation

Product: Cortex XSOAR
Version: 8
Creation date: 2024-03-07
Last date published: 2024-11-28
Category: Administrator Guide
Solution: Cloud
Abstract

Investigate and take remediation steps in Cortex XSOAR.

You can open an incident investigation:

  • Automatically: If associated with a playbook, incidents open automatically for investigation and run the associated playbook.

  • Manually: Open an incident manually by clicking the incident ID hyperlink in the Incidents table.

    Note

    If the incident ID hyperlink is unavailable, the incident was closed before the investigation started, usually because a preprocessing rule closed it or it was already closed when fetched. If you want to see the incident details, click the Switch to detailed view icon at the top of the Incidents page.

    After an incident is created, it is assigned a Pending status. When you start to investigate an incident, the status changes automatically to Active, which starts the remediation process.

  • In the CLI: If you want to open an incident in the CLI, type /investigate id=<incidentID#>.

You can limit access to investigations and restrict investigations according to your requirements, as described in Limit access to investigations using access control.

Note

If you cannot perform a specific action or view data, you may not have sufficient user role permissions. Contact your Cortex XSOAR administrator for more details.

When you open an incident, you can see various tabs that assist you in the investigation. The following tabs are common to most incident types:

Note

Tabs, tab names, sections, and fields vary according to the incident layout.

In an investigation, images from external links don't appear, because loading external content is restricted for security reasons. To use an image, either upload it as base64 or upload it using markdown in the War Room.

Tab

Description

Case Info

A summary of the incident, such as case details, outstanding tasks, linked incidents, and evidence. Some fields are informational and some are editable. Includes the following sections (depending on the layout):

  • CASE DETAILS: A summary of the incident, such as type, severity, and when the incident occurred. Update these fields as required.

  • WORK PLAN: When you click the section, you can view or take action on the following:

    • Playbook tasks: When a playbook runs, any outstanding tasks appear. You can take various actions here or in the Work Plan tab.

    • To-Do Tasks: View or create To-Do tasks.

      You can also create To-Do Tasks from the Actions tab. See Incident Tasks.

  • NOTES: If added to the layout, notes help you understand specific actions taken, and allow you to view conversations between analysts to see how they arrived at a certain decision. You can see the thought process behind identifying key evidence and identifying similar incidents.

    You can add notes in this section or in the War Room. Notes are searchable when using the incidents search bar.

  • EVIDENCE: A summary of data marked as evidence. You can add evidence in this tab, the NOTES field, or the Evidence Board tab.

  • LINKED INCIDENTS: Add or remove linked incidents. For more information, see Link incidents.

Investigation

Provides an overview of the information collected about the investigation, such as indicators, email information, and URL screenshots.

War Room

A comprehensive collection of all investigation actions, artifacts, and collaboration. It is a chronological journal of the incident investigation. Each incident has a unique War Room. For more information, see Use the War Room in an investigation.

Work Plan

A visual representation of the running playbook that is assigned to the incident. For more information, see Use the Work Plan in an investigation.

Evidence Board

View any entity that has been designated as evidence. The Evidence Board stores key artifacts for current and future analysis. You can reconstruct attack chains and assemble the key evidence needed for root-cause discovery. For more information, see Evidence Handling.

Canvas

A visual representation of an incident and the linked indicators that are relevant to the investigation. For more information, see Investigate an incident using the canvas.

You can do several actions when investigating an incident, such as adding members, creating a report, and restricting incidents.

When viewing an incident, from the Side panels dropdown, you can do the following:

Action

Description

Quick View

A summary of the incident, timeline information, labels, and indicators.

Incident tasks

Add tasks for users to complete as part of an investigation. For more information, see Incident Tasks.

Team

Add or delete incident team members.

Note

When you mention team members in the CLI, they are automatically added as team members.

Context data

View context data to see what information was returned. The context is a map (dictionary) created for each incident and is used to store structured results from the integration commands and scripts. Context keys are strings and the values can be strings, numbers, objects, and arrays.

Context data acts as an incident data dump from which data is mapped into incident fields. When an incident is generated in Cortex XSOAR and a playbook or analyst begins investigating it, context data will be written to the incident to assist with the investigation and remediation process.

Note

All incident data stored in incident fields is also stored in the context data. In most cases, not all context data is stored in incident fields: incident fields represent a subset of the total incident data.

When an incident is created, the incident data is stored in the context data, under the incident key. When an investigation is opened and integration commands are run, data returned from those commands is also stored outside of the main incident key.

For more information, see Use incident context data.
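The layout described above (incident fields under the incident key, integration command results stored beside it, and incident fields as a mapped subset of context) as an added example, not code from Cortex XSOAR itself. It uses a constructed context and a simplified model of dotted context path traversal; the path filter syntax and the field names in FIELD_MAPPING are assumptions.

```python
from typing import Any

# Constructed sample context (not from a real incident). The incident's own
# fields live under the "incident" key; results of integration commands (here a
# hypothetical IP reputation lookup) are stored beside it at the top level.
SAMPLE_CONTEXT: dict[str, Any] = {
    "incident": {
        "id": "1234",
        "name": "Suspicious login",
        "severity": 3,
        "labels": [{"type": "source", "value": "SIEM"}],
    },
    "IP": [
        {"Address": "198.51.100.7", "ASN": "AS64496"},
        {"Address": "203.0.113.9", "ASN": "AS64497"},
    ],
    "DBotScore": [
        {"Indicator": "198.51.100.7", "Score": 3},
        {"Indicator": "203.0.113.9", "Score": 1},
    ],
}


def resolve_path(context: dict[str, Any], path: str) -> Any:
    """Resolve a dotted context path such as 'incident.severity' or 'IP.Address'.

    Simplified model of context path traversal (assumption: filter expressions
    such as 'Key(val.X == y)' are not handled): when a segment lands on an
    array, the remaining segments are applied to every element and all hits are
    collected. Returns a single value, a list of values, or None if no match.
    """
    current: list[Any] = [context]
    for segment in path.split("."):
        found: list[Any] = []
        for node in current:
            for item in (node if isinstance(node, list) else [node]):
                if isinstance(item, dict) and segment in item:
                    found.append(item[segment])
        current = found
    results: list[Any] = []
    for value in current:  # flatten arrays collected across elements
        if isinstance(value, list):
            results.extend(value)
        else:
            results.append(value)
    if not results:
        return None
    return results[0] if len(results) == 1 else results


def map_context_to_fields(context: dict[str, Any], mapping: dict[str, str]) -> dict[str, Any]:
    """Fill incident fields from context paths; paths with no data are left
    out, so the populated fields are a subset of the full context."""
    fields = {name: resolve_path(context, path) for name, path in mapping.items()}
    return {name: value for name, value in fields.items() if value is not None}


# Hypothetical mapping of incident fields to context paths.
FIELD_MAPPING = {
    "severity": "incident.severity",
    "sourceips": "IP.Address",
    "dbotscores": "DBotScore.Score",
    "attachmentname": "File.Name",  # no File results in context, so it stays unset
}
```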

When viewing an incident, from the Actions dropdown, you can do the following:

Action

Description

Edit

Edit the incident, as required.

Report

Create a report to capture investigation-specific data and share it with team members. For more information, see Create an incident summary report.

Add a child incident

Child investigations are used to compartmentalize sensitive War Room activity. You can create child investigations to collaborate discreetly with a select group of people on a specific topic of investigation. Child investigations are also used where a secondary investigation is needed and its content may add too much "noise" to the original investigation.

Select the Restricted checkbox to make the child investigation accessible only to its owner and team.

Restrict/Permit an incident

Restrict an investigation for the incident owner and team. If restricted, select permit to open the incident to all users. For more information, see Limit access to investigations using access control.

Close/Reopen an incident

Mark the incident as closed. If closed, you can select Reopen the incident.

Retain/Undo Retain an incident

Mark the incident for retention or disable retention for the incident. For more information, see Retain incidents.

Delete

Delete the incident from the database.

You can navigate directly to a specific incident via the incident ID or incident name, using Ctrl+K on Windows or Command-K on macOS.

When investigating an incident opened from My Incidents or the main Incidents page, you can navigate to the next/previous incident from within the incident, without returning to the original list. The navigation buttons appear next to the Actions button, together with your position in the list and the total number of incidents in that list (depending on your search criteria). For example, if there were 7000 incidents in the last 30 days, you can step through all 7000 incidents using the navigation buttons without returning to the Incidents page.

Only users with permission to edit incidents can view the navigation buttons.

The navigation buttons are only available if the incident is opened from My Incidents or the Incidents page. If you navigate directly to an incident, without going through the Incidents page or My Incidents list, no navigation buttons appear.

Note

In a multi-tenant environment, the incident navigation buttons are available when directly viewing a child tenant or if the child tenant is selected in the main account.