Investigate an incident using the canvas - Administrator Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Cloud Documentation

Product
Cortex XSOAR
Version
8
Creation date
2024-03-07
Last date published
2024-11-14
Category
Administrator Guide
Solution
Cloud
Abstract

Visually map a Cortex XSOAR incident using the investigation canvas.

The Cortex canvas offers SOC analysts the option to create and share dynamic attack diagrams, visualize key security incidents, link indicators of compromise, and maintain static snapshots to streamline and centralize threat intelligence and incident investigation.

To access the investigation canvas, click Canvas from the incident you want to investigate. The incident or indicator appears on the canvas display. In the Add entity to canvas section, Cortex XSOAR provides suggested indicators and incidents that might be related or relevant to the current incident for you to add to the canvas.

Incident Suggestions

Suggested incidents are selected by the related incidents algorithm, which is based on several factors:

  • Common labels

  • Common indicators

  • Common incident custom fields

You can add a suggested incident by dragging and dropping it onto the canvas.

Indicator Suggestions

The indicators are determined according to the following factors (in this order):

  1. Indicators with a malicious verdict from the original incident (the incident that initiated the investigation).

  2. Indicators that are shared between incidents that you added to the canvas.

  3. The malicious ratio, which is the number of incidents with a malicious verdict in which the indicator appears, relative to the total number of incidents in Cortex XSOAR.

You can add a suggested indicator by dragging and dropping it onto the canvas.
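The two suggestion lists above are easier to reason about with a small worked model. The following Python is an added illustration and is not Cortex XSOAR code: it scores candidate incidents on the three factors named under Incident Suggestions and ranks candidate indicators by the three factors named under Indicator Suggestions, in that order. The incident data is constructed (documentation-range IPs and example domains), and the equal-weight counting and tie-breaking are assumptions, since the page does not state the actual weights Cortex XSOAR uses.

```python
# Added illustration, not Cortex XSOAR code: a simplified scorer that mimics the
# factors the canvas uses for its incident and indicator suggestions. The equal
# weights and the tie-breaking below are assumptions, not the product's algorithm.
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    value: str
    verdict: str  # "malicious", "suspicious", "benign" or "unknown"


@dataclass
class Incident:
    id: int
    labels: set
    custom_fields: dict
    indicators: list


# Constructed sample data (documentation-range IPs and example.* domains).
INCIDENTS = [
    Incident(1, {"phishing", "email"}, {"affectedhost": "ws-101", "region": "emea"},
             [Indicator("203.0.113.10", "malicious"),
              Indicator("evil.example", "malicious"),
              Indicator("198.51.100.7", "unknown")]),
    Incident(2, {"phishing"}, {"affectedhost": "ws-101"},
             [Indicator("203.0.113.10", "malicious"),
              Indicator("bad.example", "malicious")]),
    Incident(3, {"malware"}, {"region": "emea"},
             [Indicator("198.51.100.7", "malicious")]),
    Incident(4, {"dlp"}, {"region": "apac"},
             [Indicator("192.0.2.44", "benign")]),
]


def indicator_values(incident):
    return {i.value for i in incident.indicators}


def related_incident_score(origin, other):
    """Count the three factors the page lists: common labels, common
    indicators and common custom-field values (equal weight, an assumption)."""
    common_labels = len(origin.labels & other.labels)
    common_indicators = len(indicator_values(origin) & indicator_values(other))
    common_fields = sum(1 for k, v in origin.custom_fields.items()
                        if other.custom_fields.get(k) == v)
    return common_labels + common_indicators + common_fields


def suggest_incidents(origin, all_incidents):
    """Incident IDs to offer in 'Add entity to canvas', best match first;
    incidents that share nothing with the origin are not suggested."""
    scored = [(related_incident_score(origin, inc), inc.id)
              for inc in all_incidents if inc.id != origin.id]
    return [iid for score, iid in sorted(scored, key=lambda t: (-t[0], t[1]))
            if score > 0]


def malicious_ratio(value, all_incidents):
    """Share of all incidents in which this indicator carries a malicious verdict."""
    hits = sum(1 for inc in all_incidents
               if any(i.value == value and i.verdict == "malicious"
                      for i in inc.indicators))
    return hits / len(all_incidents)


def suggest_indicators(origin, canvas_incidents, all_incidents):
    """Rank candidate indicators by the page's three factors, in order:
    1. malicious verdict in the origin incident,
    2. shared between incidents already on the canvas (origin included),
    3. malicious ratio across all incidents.
    Ties fall back to the indicator value so the order is deterministic."""
    on_canvas = [origin] + canvas_incidents
    candidates = set().union(*(indicator_values(inc) for inc in on_canvas))

    def malicious_in_origin(value):
        return any(i.value == value and i.verdict == "malicious"
                   for i in origin.indicators)

    def shared_on_canvas(value):
        return sum(1 for inc in on_canvas if value in indicator_values(inc)) >= 2

    return sorted(candidates, key=lambda v: (not malicious_in_origin(v),
                                             not shared_on_canvas(v),
                                             -malicious_ratio(v, all_incidents),
                                             v))


if __name__ == "__main__":
    origin = INCIDENTS[0]
    related = suggest_incidents(origin, INCIDENTS)
    print("suggested incidents:", related)
    added = [inc for inc in INCIDENTS if inc.id in related]
    print("suggested indicators:", suggest_indicators(origin, added, INCIDENTS))
```

With incident 1 as the origin, incidents 2 and 3 are suggested (incident 4 shares nothing) and the indicators rank as 203.0.113.10 (malicious in the origin and shared), evil.example (malicious in the origin only), 198.51.100.7 (only shared, since the origin's verdict for it is unknown) and bad.example (neither, ranked by its malicious ratio alone), which is exactly the precedence the three factors describe.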

Key Features

You can do the following:

  • Quick view of the incident and indicator: Click the incident or indicator to view details.

  • Connect incidents: Link incidents to each other and add notes to the connectors between entities to share important information with team members.

  • Adding notes: You can add notes on the connection. Using notes enables you and other team members to collaborate on important issues. The note also shows the last user to edit the note and the time it was edited.

  • Dynamic Connections: When you rearrange entities on the canvas, the connections move with the entities. Dotted-line connections indicate that the indicator is part of the investigation or that two incidents are defined as related incidents. These connections are dynamic: for example, if one entity is an IP address and you add that IP address to the allow list after it was added to the canvas, the dotted-line connection is automatically removed.

  • Capture the Canvas as an image: Capture and study the incident by clicking Export to PNG or Export snapshot to War Room.

  • Relationships: You can expand or add relationships. From the entity, right-click and select Expand Relationships.

  • Search: You can search by incident or indicator fields or values.

  • Highlight: Right-click the selected incident or indicator and select Highlight.