Use the War Room for real-time investigation into an incident, to filter war room entries, and to disable indicator notifications.
The War Room contains an audit trail of all automatic or manual actions that take place in an incident. A War Room is where you can review and interact with your incidents. Cortex XSOAR provides machine learning insights to suggest the most effective analysts and command-sets. Each incident has a unique War Room.
Within Cortex XSOAR, real-time investigation is facilitated through the War Room, which is powered by ChatOps and helps you to do the following:
Run real-time security actions through the CLI, without switching consoles
Run security playbooks, scripts, and commands
Collaborate and execute remote actions across integrated products
Capture incident context from different sources
Document all actions in one source
Converse with others for joint investigations
Every incident has a War Room. In addition, every user has access, subject to permissions, to a private War Room called the Playground.
The Playground
The Playground is a non-production environment where you can safely develop and test data, such as scripts, APIs, and commands. It is an investigation area that is not connected to a live (active) investigation.
To access the Playground, do one of the following:
Type any command in the CLI (not in the incident).
If you type a command in the incident, the results are returned to the incident War Room, not the Playground.
If you have an Admin role, in My Incidents on the sidebar, click Playground.
Type ctrl + k and then select the War Room.
In any browser, type:
https://<tenant>/WarRoom/playground/
Note
If you want to erase an existing playground and create a new one, run the /playground_create command.
The War Room
When you open the War Room, you can see all the actions taken on an incident, such as commands, notes, and evidence, in several formats such as Markdown and HTML. When Markdown, HTML, or geographical information is received, the content is displayed in the relevant format. You can schedule a command in the War Room to run at a specific time. For more information, see Schedule a command in the War Room.
To view specific data entries, you can filter entries by selecting the relevant checkbox, such as:
Chats: Shows communication between team members.
Notes: Any entries marked as notes.
Files: Anything uploaded to the War Room by a playbook, a script, or the analyst.
Incident History: Any incident field or SLA Timer field that was modified.
Commands and playbook tasks: Any actions taken by playbook tasks or run manually by the analyst.
Tags: Any tags that have been added.
You can also highlight any command thread for tracking commands.
Note
Cortex XSOAR does not index notes, chats, or entries pinned as evidence.
In each War Room entry, you can take the following actions:
Action | Description |
---|---|
Edit | You can edit, format, or delete your entries. If an entry has been changed, a History link appears where you can view all changes to the entry. |
Mark as Evidence | Opens the Mark as evidence window, where you specify the evidence details to be saved in the Evidence Board. The Evidence Board stores key artifacts for current and future analysis. You can also add evidence in the Case Info tab or the Evidence Board tab. For more information, see Evidence Handling. |
Mark as note | Marks the entry as a note, which can help you understand why a certain action was taken and assist future decisions. You can also add a note by doing the following: When an entry is marked as a note, it is highlighted so you can easily find it in the War Room or the Case Info tab. |
View artifact in new tab | Opens a new tab for the artifact. |
Detach from task | Removes a task from the artifact. |
Attach to a task | Adds a task to the artifact. |
Download artifact | Downloads the artifact in a format that matches the entry type, such as a .txt file for a text entry or a .json file for a JSON entry. |
Add tags | Adds any relevant tags that help you find the information later. |
Copy to CLI | |
To find the entry ID or URL of an entry in the War Room, click the vertical ellipsis icon at the upper right of the entry, then copy the value.
You can also upload files to the War Room by selecting the paperclip icon next to the CLI. Any files that have been uploaded can also be downloaded from the War Room entry.
Caution
You are not protected from malicious content when downloading files from the War Room.