Visually map a Cortex XSOAR incident using the investigation canvas.
The Cortex XSOAR canvas lets SOC analysts create and share dynamic attack diagrams, visualize key security incidents, link indicators of compromise, and save static snapshots, so that threat intelligence and incident investigation are streamlined and centralized in one view.
To access the investigation canvas, click Canvas from the incident you want to investigate. The incident or indicator appears on the canvas display. In the Add entity to canvas section, Cortex XSOAR provides suggested indicators and incidents that might be related or relevant to the current incident for you to add to the canvas.
Incident Suggestions
Suggested incidents are determined by the related incidents algorithm, which considers several factors:
Common labels
Common indicators
Common incident custom fields
You can add an incident by dragging and dropping it onto the canvas.
Indicator Suggestions
The indicators are determined according to the following factors (in this order):
Indicators with a malicious verdict from the original incident (the incident that initiated the investigation).
Indicators that are shared between incidents that you added to the canvas.
The malicious ratio, which compares the number of incidents with a malicious verdict in which the indicator appears to the total number of incidents in Cortex XSOAR.
You can add an indicator by dragging and dropping it onto the canvas.
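As an added illustration, not Cortex XSOAR code and not a description of its actual implementation, the following Python models the three-tier ordering above on constructed incidents. The candidate pool (indicators of incidents already on the canvas), the tie-break within a tier, the reading of the malicious ratio, and the sample incident and verdict data are all assumptions.

```python
from collections import Counter

# Constructed sample data, not taken from any Cortex XSOAR instance. Each incident lists
# its indicator values and its own verdict; indicator verdicts are tracked separately.
INCIDENTS = {
    "INC-1": {"indicators": {"10.0.0.5", "evil.example", "abc123"}, "verdict": "malicious"},
    "INC-2": {"indicators": {"10.0.0.5", "good.example"}, "verdict": "benign"},
    "INC-3": {"indicators": {"10.0.0.5", "evil.example", "def456"}, "verdict": "malicious"},
    "INC-4": {"indicators": {"def456", "good.example"}, "verdict": "benign"},
}
INDICATOR_VERDICTS = {
    "10.0.0.5": "suspicious", "evil.example": "malicious", "abc123": "malicious",
    "def456": "benign", "good.example": "benign",
}

def malicious_ratio(indicator, incidents=INCIDENTS):
    """Assumed reading of the malicious ratio: the share of all incidents that carry a
    malicious verdict and contain this indicator."""
    hits = sum(1 for inc in incidents.values()
               if inc["verdict"] == "malicious" and indicator in inc["indicators"])
    return hits / len(incidents) if incidents else 0.0

def suggest_indicators(original_id, canvas_ids, excluded=frozenset(),
                       incidents=INCIDENTS, verdicts=INDICATOR_VERDICTS):
    """Order candidate indicators in the three tiers the text lists. The candidate pool
    (indicators of incidents on the canvas) and the tie-break (higher malicious ratio,
    then value) are assumptions, not Cortex XSOAR behaviour."""
    canvas = [original_id] + [cid for cid in canvas_ids if cid != original_id]
    # Indicators on the allow list drop out entirely, mirroring the dotted-line
    # connection that disappears when an IP is allow-listed after being added.
    counts = Counter(ind for cid in canvas for ind in incidents[cid]["indicators"]
                     if ind not in excluded)
    # Tier 1: indicators of the original incident that themselves have a malicious verdict.
    tier1 = {ind for ind in incidents[original_id]["indicators"]
             if ind in counts and verdicts.get(ind) == "malicious"}
    # Tier 2: indicators shared by at least two incidents on the canvas.
    tier2 = {ind for ind, n in counts.items() if n >= 2} - tier1
    # Tier 3: everything else, ranked by malicious ratio.
    tier3 = set(counts) - tier1 - tier2

    def rank(ind):
        return (-malicious_ratio(ind, incidents), ind)

    return sorted(tier1, key=rank) + sorted(tier2, key=rank) + sorted(tier3, key=rank)

if __name__ == "__main__":
    print(suggest_indicators("INC-1", ["INC-3"]))  # ['evil.example', 'abc123', '10.0.0.5', 'def456']
```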
Key Features
You can do the following:
Quick view of the incident and indicator: Click the incident or indicator to view details.
Connect incidents: Link incidents to each other, and add notes to the connectors between entities to share important information with team members.
Adding notes: You can add notes on the connection. Using notes enables you and other team members to collaborate on important issues. The note also shows the last user to edit the note and the time it was edited.
Dynamic Connections: When you rearrange entities on the canvas, the connections move with the entities. A dotted-line connection indicates that the indicator is part of the investigation, or that two incidents are defined as related incidents. These connections are dynamic: for example, if one entity is an IP address and you add that IP address to the allow list after it was added to the canvas, the dotted-line connection is removed automatically.
Capture the Canvas as an image: Capture and study the incident by clicking Export to PNG or Export snapshot to War Room.
Relationships: You can expand or add relationships. From the entity, right-click and select Expand Relationships.
Search: You can search by incident or indicator fields or values.
Highlight: Right-click the selected incident or indicator and select Highlight.