Server configurations

Cortex XSOAR Cloud Documentation

Product: Cortex XSOAR
Version: 8
Creation date: 2024-03-07
Last date published: 2024-11-28
Category: Administrator Guide
Solution: Cloud
Abstract

Customize and troubleshoot Cortex XSOAR with server configuration settings.

Cortex XSOAR provides custom server configuration settings that let you customize Cortex XSOAR at the tenant level. You can also use these settings when you experience issues or need to troubleshoot your environment.

To modify or add server configurations:

  1. Navigate to Settings & Info → Settings → System → Server Settings → Server Configuration.

  2. Click Add Server Configuration or edit an existing configuration.

  3. Enter the key and value.

  4. Click Save.

Engines

| Key | Description | Default |
| --- | --- | --- |
| `engine.test.command.timeout<brand-name>` | Increases the timeout, in seconds, for a specific integration when using an engine. For example, change it to 300 seconds. Type the key in this format, adding the brand name: `engine.test.command.timeoutTanium` | 60 |
| `engines.notification.users` | Specifies which users receive an email notification when an engine disconnects. A comma-separated list of Cortex XSOAR users. For example: `user1,user2,user3` | N/A |

Google API

| Key | Description | Default |
| --- | --- | --- |
| `UI.google.api.key` | Entities that have geolocation information (latitude and longitude) can be displayed on a Google map by using the Google Maps API, which is required. For example, you may want to see the physical location of a computer that was attacked by malware. To display the physical location of an entity on a map, add this key with your Google Maps API key as the value. For more information, see Set up Google Maps in Cortex XSOAR to use map automations. | N/A |

Incidents

| Key | Description | Default |
| --- | --- | --- |
| `incident.closereasons` | Customizes close reasons in a comma-separated list. For example: `false positive, resolved, duplicate, low priority, invalid, other` | false positive, resolved, duplicate, other |
| `inline.edit.on.blur` | By default, when you edit the following inline values in an incident/indicator/threat intel report, the changes are not saved until you confirm them by clicking the checkmark icon in the value field: dropdown values, such as Owner and Severity, and text values, such as Asset ID (you can only edit when you click the pencil in the value field). These icons give you an additional level of security before you make changes to the fields in incidents/indicators. Set this configuration to true to make changes to the inline fields without clicking the checkmark. The changes are saved automatically when you click anywhere on the page or navigate to another page. For text values, you can also click anywhere in the value field to edit. | false |
| `investigation.prevent.modify.closed` | Controls whether chats and notes can be added to a closed investigation. Set to false to allow. | true |
| `module.health.notification.users` | List of names in CSV format to receive notifications when an integration experiences a fetch error. For more information, see Receive notifications on an incident fetch error. | N/A |
| `Export.utf8bom` | Whether to export incidents and indicators to CSV using the UTF8-BOM format. For more information, see Export an incident to CSV using the UTF8-BOM format. | False |

Indicators

| Key | Description | Default |
| --- | --- | --- |
| `enrichment.reputationScript.reliability` | The reliability of the score from a reputation script. | A++ |
| `indicator.timeline.auto.extract.enabled` | Enables the indicator timeline in the indicator extraction flow. For more information, see Configure the indicator timeline. | true |
| `indicator.timeline.enabled` | Enables the indicator timeline in all flows. For more information, see Configure the indicator timeline. | true |

Integrations

| Key | Description | Default |
| --- | --- | --- |
| `<integration_name>.<command_name>.timeout` | Timeout in minutes for specific integration commands. | 3 |
| `sync.mirror.job.delay` | The interval for the job in minutes. For more information, see Special Server Configurations. | 1 |
| `sync.mirror.job.enable` | Enable or disable the mirroring job. For more information, see Special Server Configurations. | enable |

Notifications

| Key | Description | Default |
| --- | --- | --- |
| `content.notification.enabled` | Set to true to enable notification for new content updates. | false |
| `content.notification.users` | Notifies all users by email when there is a content update available (comma-separated user names in Cortex XSOAR). | N/A |
| `message.ignore.failedFetchIncidents` | Whether to ignore failed fetch incident messages. For more information, see Receive notifications on an incident fetch error. | false |
| `message.ignore.incidentChanged` | Whether to disable notifications when an incident is changed. | false |
| `message.ignore.incidentOpened` | Whether to disable notifications when an incident is opened. | false |
| `message.ignore.incidentAssigned` | Whether to disable notifications when an incident is assigned. | false |
| `message.ignore.investigationClosed` | Whether to disable notifications when an incident is closed. | false |
| `module.health.notification.users` | List of names in CSV format. For example, `user1,user2,user3`. For more information, see Receive notifications on an incident fetch error. | N/A |
| `server.notification.using.send-mail` | Select which email sender should send the notification. For more information, see Configure notifications in Cortex XSOAR. | |

Playbooks

| Key | Description | Default |
| --- | --- | --- |
| `soc.name` | Customizes the SOC name in the survey header for an Ask task. For more information, see Customize the SOC Name. | N/A |
| `comm.ask.linktocontext.enabled` | Whether to display the links generated for an Ask task in the Context Data of the Work Plan. | true |
| `comm.datacollection.linktocontext.disabled` | Whether to display the links generated for a Data Collection task in the Context Data of the Work Plan. | true |
| `ignore.default.in.playbooks` | Whether to allow the Do not use by default checkbox to affect playbooks. By default, Cortex XSOAR playbooks do not take Do not use by default into account (it applies only to CLI commands). For example, if you have 3 mail sender instances and 2 of them are set to Do not use by default, running the playbook without specifying an instance sends with all 3 instances. After you set this configuration to true, the playbook sends only from the instance that is not marked Do not use by default. | false |

Proxy

| Key | Description | Default |
| --- | --- | --- |
| `condition.ask.external.link` | The address (including the HTTPS prefix) of the proxy used for external user communication in a conditional task. | N/A |

Remote Repository

| Key | Description | Default |
| --- | --- | --- |
| `UI.version.control.admin.only` | Set to true to restrict access for pushing content to a remote repository to administrators only. Note: When set to true, this key also removes the Save Version feature. This prevents users who don't have administration permissions from pushing content changes to the remote repository. For more information, see Remote repository management. | false |

Reports

| Key | Description | Default |
| --- | --- | --- |
| `reports.time.zone` | Configure the timezone for widgets in a report. For more information, see Configure the timezone in a report. | Local time/Location |

Scripts

| Key | Description | Default |
| --- | --- | --- |
| `script.timeout` | The timeout, in minutes, to prevent blank pages when running a script. If you generate a report that runs a script and the report has blank pages, you can troubleshoot the script timeout. For more information, see Troubleshoot script timeout for reports. | 3 |

System Settings

| Key | Description | Default |
| --- | --- | --- |
| `UI.show.timezone.in.server.settings` | If set to true, settings for Keyboard Shortcuts, Timezone, and Timestamp format appear on the Server Settings page. By default, these settings instead appear on the Preferences tab of the User Details page. | false |

SLA

| Key | Description | Default |
| --- | --- | --- |
| `sla.risk.threshold` | Change the SLA risk threshold. | 72 hours |

Widgets

| Key | Description | Default |
| --- | --- | --- |
| `ROI.Cost.Monitor` | Amount in dollars. Relevant for the ROI widget. For more information, see Saved By Dbot (ROI) Widget. | 60 |