Use the War Room in an investigation - Administrator Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Cloud Documentation

Product: Cortex XSOAR
Version: 8
Creation date: 2024-03-07
Last date published: 2024-11-28
Category: Administrator Guide
Solution: Cloud
Abstract

Use the War Room for real-time investigation into an incident, to filter War Room entries, and to disable indicator notifications.

The War Room contains an audit trail of all automatic or manual actions that take place in an incident. A War Room is where you can review and interact with your incidents. Cortex XSOAR provides machine learning insights to suggest the most effective analysts and command-sets. Each incident has a unique War Room.

[Figure: War Room overview (war-room-overview.png)]

Within Cortex XSOAR, real-time investigation is facilitated through the War Room, which is powered by ChatOps and helps you to do the following:

  • Run real-time security actions through the CLI, without switching consoles

  • Run security playbooks, scripts, and commands

  • Collaborate and execute remote actions across integrated products

  • Capture incident context from different sources

  • Document all actions in one source

  • Converse with others for joint investigations

Every incident has its own War Room. In addition, every user has access, subject to permissions, to a private War Room called the Playground.

The Playground

The Playground is a non-production environment where you can safely develop and test data, such as scripts, APIs, and commands. It is an investigation area that is not connected to a live (active) investigation.

To access the playground you can do the following:

  • Type any command in the CLI (not in the incident).

    If you type a command in the incident, the results are returned to the incident War Room, not the Playground.

  • If you have an Admin role, in My Incidents on the sidebar, click Playground.

  • Type ctrl + k and then select the War Room.

  • In any browser, type: https://<tenant>/WarRoom/playground/

Note

If you want to erase an existing playground and create a new one, run the /playground_create command.

The War Room

When you open the War Room, you can see all the actions taken on an incident, such as commands, notes, and evidence, in several formats such as Markdown and HTML. When Markdown, HTML, or geographical information is received, the content is displayed in the relevant format. You can schedule a command in the War Room to run at a specific time. For more information, see Schedule a command in the War Room.

To view specific data entries, you can filter entries by selecting the relevant checkbox, such as:

  • Chats: Shows communication between team members.

  • Notes: Any entries marked as notes.

  • Files: Anything uploaded to the War Room by a playbook, a script, or the analyst.

  • Incident History: Any incident field or SLA Timer field that was modified.

  • Commands and playbook tasks: Any actions taken by playbook tasks or run manually by the analyst.

  • Tags: Any tags that have been added.

You can also highlight any command thread for tracking commands.

Note

Cortex XSOAR does not index notes, chats, or entries pinned as evidence.

In each War Room entry, you can take the following actions:

Action

Description

Edit

You can edit, format, or delete your entries. If an entry has been changed, a History link will appear where you can view all changes to the entry.

Mark as Evidence

Opens the Mark as evidence window, where you specify the evidence details to be saved in the Evidence Board. The Evidence Board stores key artifacts for current and future analysis. You can also add evidence in the Case Info tab or the Evidence Board tab. For more information, see Evidence Handling.

Mark as note

Marks the entry as a note, which can help you understand why a certain action was taken and assist future decisions.

You can also add a note by doing the following:

  • Upload a file to the War Room and select Mark as Note.

  • If the Case Info tab includes a NOTES section, add the note in that section.

  • In a playbook task (Advanced tab), where script outputs can be added automatically as notes.

  • In the CLI, by running the !markAsNote entryIDs=<ID of the war room entry> command.

    To retrieve the ID of a War Room entry, click Copy to CLI in the relevant entry.

An entry marked as a note is highlighted, so you can easily find it in the War Room or the Case Info tab.

View artifact in new tab

Opens a new tab for the artifact.

Detach from task

Removes a task from the artifact.

Attach to a task

Adds a task to the artifact.

Download artifact

Downloads the artifact in a file type that matches the entry type, such as a .txt file for a text entry or a .json file for a JSON entry.

Add tags

Add tags that help you find relevant information later.

Copy to CLI

  • ID: Entry IDs uniquely identify War Room entries and take the format <ENTRY_IDENTIFIER>@<INCIDENT_ID>, for example, 54925dc3-a972-4489-8bef-793331fa6c77@1. Many out-of-the-box commands and scripts take entry ID arguments to pass in files as inputs.

  • URL: Copies the URL, which is a direct link to the War Room entry.

To find the entry ID or URL of an entry in the War Room, click on the vertical ellipsis icon at the upper right of the entry, then copy the value.
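The following is an added example (not code from the original page or from Cortex XSOAR) showing how a script that receives entry IDs, such as the !markAsNote entryIDs=... command above, can validate the <ENTRY_IDENTIFIER>@<INCIDENT_ID> format and confirm the entry belongs to the expected incident before acting on it. It assumes the identifier is a UUID and the incident ID is numeric, as in the page's example, and that multiple values for entryIDs are comma-separated.

```python
import re
from typing import NamedTuple

# Constructed sample: the entry ID shown on this page, in the documented
# shape <ENTRY_IDENTIFIER>@<INCIDENT_ID>.
SAMPLE_ENTRY_ID = "54925dc3-a972-4489-8bef-793331fa6c77@1"

# Assumption (the page only gives one example): the entry identifier is a
# UUID and the incident ID is decimal digits. Anything else is rejected
# rather than being forwarded to a command.
_ENTRY_ID_RE = re.compile(
    r"^(?P<entry>[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})"
    r"@(?P<incident>[0-9]+)$",
    re.IGNORECASE,
)


class EntryRef(NamedTuple):
    entry_uuid: str
    incident_id: str


def parse_entry_id(value: str) -> EntryRef:
    """Split a War Room entry ID into its parts; fail closed on anything malformed."""
    match = _ENTRY_ID_RE.match(value.strip())
    if match is None:
        raise ValueError(f"not a War Room entry ID: {value!r}")
    return EntryRef(match.group("entry").lower(), match.group("incident"))


def belongs_to_incident(value: str, incident_id) -> bool:
    """True if the entry ID refers to the given incident, e.g. the one a script runs in."""
    return parse_entry_id(value).incident_id == str(incident_id)


def mark_as_note_command(entry_ids: list[str]) -> str:
    """Build the !markAsNote command from validated entry IDs.

    Assumption: several IDs for the entryIDs argument are comma-separated.
    """
    refs = [parse_entry_id(e) for e in entry_ids]
    joined = ",".join(f"{r.entry_uuid}@{r.incident_id}" for r in refs)
    return f"!markAsNote entryIDs={joined}"


if __name__ == "__main__":
    print(parse_entry_id(SAMPLE_ENTRY_ID))
    print(mark_as_note_command([SAMPLE_ENTRY_ID]))
```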

You can also upload files to the War Room by selecting the paperclip icon next to the CLI. Any files that have been uploaded can also be downloaded from the War Room entry.

Caution

You are not protected from malicious content when downloading files from the War Room.