Home

Location

Documentation Home
Palo Alto Networks
Support
Live Community
Knowledge Base

Home
Security Operations
Cortex XSOAR
Cortex XSOAR Administrator’s Guide
Cortex XSOAR Overview
Cortex XSOAR Telemetry

Last Updated:

Mon Feb 28 03:27:33 PST 2022

Current Version:

5.5 (EoL)

Version 6.8
Version 6.6
Version 6.5
Version 6.2 (EoL)
Version 6.1 (EoL)
Version 6.0 (EoL)
Version 5.5 (EoL)

End-of-Life (EoL)

Table of Contents

Search the Table of Contents

Cortex XSOAR Overview

Cortex XSOAR Licenses

Add a License

Product Support Lifecycle

Cortex XSOAR Telemetry

Cortex XSOAR Concepts

Use Cases

Keyboard Shortcuts

How to Search in Cortex XSOAR

Configure System Notifications

Install DBot for Slack

Single Server Deployment

System Requirements

Performance Benchmark

Install Cortex XSOAR for a Single Server Deployment

Installer Flags

Install Cortex XSOAR Offline

Dependencies for Offline Installation

Post-Installation Checklist

Server Post-Installation Health Check

Monitor Cortex XSOAR Components

HTTPS with a Signed Certificate

Create a Private Key and Certificate Signing Request (CSR)

AWS EC2 Deployment Guidelines

Upgrade the Cortex XSOAR Server

Uninstall Cortex XSOAR

Distributed Database Deployment

Distributed Database Deployment

Sizing Requirements for Distributed Database Deployment

Install Cortex XSOAR for a Distributed Database Deployment

Install a Distributed Database Node

Configure a Live Backup for a Distributed Database Overview

Configure the Live Backup Environment for a Distributed Database

Transition a Standby Server to Active Mode

Transition an Active Server to Standby Mode for a Distributed Database

Change the Node Admin Password

Delete a User from a Node

Convert a Single Server Deployment to a Distributed Database Deployment

Reindex Databases in a Distributed Database Deployment

Restore Databases in a Distributed Database Deployment

Upgrade the Cortex XSOAR Server for a Distributed Database

Proxy

Configure Proxy Settings

Use NGINX as a Reverse Proxy to the Cortex XSOAR Server

Install NGINX on Cortex XSOAR

Generate a Certificate for NGINX

Configure NGINX

Manage Data

Reindex the Entire Database

Reindex a Specific Index Database

Reindex the Entire Database for a Distributed Database

Reindex a Specific Index for a Distributed Database

Free up Disk Space with Data Archiving

Migrate Data to Another Server

Move Data Folders to Another Location on the Server

Restore an Archived Folder

Users and Roles

Users and Roles Overview

Roles in Cortex XSOAR

Define a Role

Default Admin

Self-Service Read-Only Users

Configure the Server for Self Service Read-Only Users

Create the Self Service Read-Only Users

Create the Read-Only Dashboard

Create the Read-Only Incident Type and Layout

User Settings and Preferences

Shift Management

Managing Shifts

User Invitations

Invite a User

Integration Permissions

Password Policy

Create a Password Policy

Edit a Default Password Policy

Default Password Policy Keys

Change the Administrator Password

Authenticate Users with SAML 2.0

Set up Okta as the Identity Provider Using SAML 2.0

Create Okta Groups for Cortex XSOAR Users

Define the Okta Application to authenticate Cortex XSOAR

SAML Settings for the Okta Application

Configure the SAML 2.0 Integration for Okta

SAML 2.0 Okta Parameters

Map Okta Groups to Cortex XSOAR Roles

Set up Microsoft Azure as the Identity Provider

Create a Non-Gallery Application in Azure

Define Azure to authenticate Cortex XSOAR

Configure the SAML 2.0 Integration for Azure

SAML 2.0 Azure Parameters

Map Azure Groups to Cortex XSOAR Roles

Set up ADFS as the Identity Provider Using SAML 2.0

Create Relying Party Trust in ADFS

Define the Claim Issuance Policy

Configure the SAML 2.0 Integration for ADFS

SAML 2.0 ADFS Parameters

Map ADFS Groups to Cortex XSOAR Roles

Configure User Notifications

Set the Default Theme for New Users

Disaster Recovery and Live Backup

Disaster Recovery and Live Backup Overview

Host Names, DNS, and Disaster Recovery

Configure the Live Backup Environment

Configure Live Backup for Multiple SAMLs

DR Scenario: Testing the DR Environment

DR Scenario: Unrecoverable Active Server Failure

DR Scenario: Unrecoverable Standby Server Failure

Transition an Active Server to Standby Mode

Transition a Standby Server to Active Mode

Transition Between DR States Through the Configuration File

Upgrade the Live Backup Environment

Cortex XSOAR Engines and Disaster Recovery

Backup the Database

Restore the Database

Remote Repositories in Cortex XSOAR

Remote Repositories Overview

Configure a Remote Repository on a Development Machine

Configure a Remote Repository on the Production Machine

Edit and Push Content to a Remote Repository

Troubleshoot a Remote Repository Configuration

Troubleshoot a Remote Repository Definition

Troubleshoot Editing and Pushing Content

Troubleshoot Content Issues

Engines

Cortex XSOAR Engines Overview

Install Cortex XSOAR Engines

Run the Engine as a Service on Windows

Use an Engine in an Integration

Manage Engines

Configure Engines

Edit the Engine Configuration

Common Properties When Editing an Engine Configuration

Configure the Engine to Use a Web Proxy

Configure the Engine to Call the Server Without Using a Proxy

Configure the Number of Workers for the Server and Engine

Configure Access to Communication Tasks through an Engine

Notify Users When an Engine Disconnects

Remove the Cortex XSOAR Server From the Load-Balancing Group

Remove an Engine

Troubleshoot Cortex XSOAR Engines

Troubleshoot Engine Upgrades

Docker

Docker Installation

Install Docker Enterprise Edition on Cortex XSOAR

Install Docker Community Edition on Cortex XSOAR

Update Container-Selinux

Install Docker Distribution for Red Hat on Cortex XSOAR

Install Docker Images Offline

Configure Python Docker Integrations to Trust Custom Certificates

Docker Images in Cortex XSOAR

Manage Docker Images

Create a Docker Image In Cortex XSOAR

Docker Hardening Guide

Configure Memory Limit Support Without Swap Limit Capabilities

Run Docker with Non-Root Internal Users

Use a Docker Image for Python Scripts

Configure the Memory Limitation

Test the Memory Limit

Limit Available CPU

Configure the PIDs Limit

Configure the Open File Descriptors Limit

Troubleshoot Docker Networking Issues

Run Docker with Non-Root Internal Users

Dashboards

Dashboard Overview

Create a Dashboard

Add a Widget to a Dashboard

Configure a Default Dashboard

Share and Unshare a Dashboard

Edit a Dashboard

Reports

Reports Overview

Configure Cortex XSOAR to Use PhantomJS

Create a Report

Schedule a report

Schedule a Report Examples

Create an Incident Summary Report

Add a Widget to a Report

Edit a report

Change the Report Logo

Configure the Time Zone and Format in a Report

Troubleshoot Reports

Widgets

Widgets Overview

Create a Widget in the Widgets Library

Widget Parameters

Create a Custom Widget Using a JSON File

JSON File Widget Parameters

JSON File Widget Example

Create a Custom Widget Using an Automation Script

Script Based Widgets Using Automation Scripts Examples

Create a Widget from an Indicator

Add a Custom Widget to the Indicator Page

Edit a Widget

Create a Used Percentage Widget for a Disk Partition

Saved By Dbot (ROI) Widget

Customize the Currency Symbol in the Saved by Dbot Widget

Manage Indicators

Understand Indicators

Feed Integrations

Indicators Page

Indicator Reputation

Customize the Dbot Reputation Score Logic

Indicator Types

Create an Indicator Type

Indicator Type Profile

File Indicators

Indicator Fields

Create a Custom Indicator Field

Map Custom Indicator Fields

Exclusion List

Create a Feed-Triggered Job

Manage the Indicator Timeline

Auto Extract Indicators

Configure What Auto Extract Executes

Disable Auto Extract for Scripts and Integrations

Auto Extract Indicators from a Phishing Email

Incidents

Incident Lifecycle

Incidents Management

Fetch Incidents from an Integration Instance

Classification and Mapping

Classify Events Using a Classification Key

Map Event Attributes to Fields

Receive Notification on an Incident Fetch Error

Create a Search Query for Incidents

Create a Widget From an Incident

Create a Widget From an Incident Example

Customize Incident View Layouts

Customize Incident Layouts

Customize an Incident Type Layout

Add a Custom Widget to the Incident page

Add a Dynamic Section to an Incident Layout

Add Note Information Using an Automation Script

Create Dynamic Fields in Incident Forms

Examples of Script Based Widgets for Incident Layouts

Customize Incident Close Reasons

Change the Display Name of Security Incidents

Incident Investigation

War Room Overview

Index War Room Entries

Add a Custom Widget in the War Room

Work Plan

Link Incidents

Manage Related Incidents

Configure Incident Fields for Related Incidents

Link and Unlink incidents in the CLI

Investigate Using the Canvas

Auto Populate the Canvas

Dbot Suggestions: Quick View Window

Edit Dbot Incident and Indicator Suggestions

Incident Actions

Evidence Handling

Incident Tasks

Create a To-Do Task

Incident Fields

Create a Custom Incident Field

Create a Grid Field for an Incident Type

Use Scripts with the Grid Field

Field Trigger Scripts

Incident De-Duplication

Automatic De-Duplication Using Scripts

Manually De-Duplicate Incidents

Create Pre-Process Rules for Incidents

Rule Actions for Pre-Process Rules

Post Processing for Incidents

Create a Post-Processing Script

Add a Post-Processing Script to the Incident Type

Incident Access Control Configuration

Limit Access to Investigations using RBAC

Restrict an Investigation

Playbooks

Playbooks Overview

Manage Playbook Settings

Playbook Inputs and Outputs

Playbook Tasks

Create a Conditional Task

Communication Tasks

Create an Ask Task

Ask Task Examples

Customize an Ask Task

Create a Data Collection Task

Data Collection Task Examples

Customize a Data Collection Task

Customize the SOC Name

Playbook Task Fields

Extend Context

Extend Context in a Playbook Task

Extend Context using the Command Line

Generic Polling

Filters and Transformers

Create Filters and Transformers in a Playbook

Filter Objects Using a Transformer

Filter Objects Using the Set Command

Filter Operators

Transformers Operators

Create Custom Filters and Transformers Operators

Common Scripts to use in Automations

Work with SLAs

SLA Overview

Create an SLA Field

Manage SLA and Timer Fields in an Incident

Create an SLA Trigger

Customize SLA Scripts

Search Incidents using SLA and Timer Fields

Configure the Global Risk Threshold

Machine Learning Models

Machine Learning Models Overview

Create a Machine Learning Model

Machine Learning Model Example

Phishing Command Examples Using a Machine Learning Model

Phishing Classifier Demo

DbotPredictOutOfTheBox Parameters

DbotPredictOutOfTheBox Parameters

DbotPredictOutOfTheBox Examples

Lists

Work With Lists

Create a List

Set the List Separator Character

Cortex XSOAR Enterprise Mobile App

Cortex XSOAR Enterprise Mobile App Overview

Android Certificate Requirements

Deploy the Android apk in a Self-Signed Certificate and an MDM Environment

Obtain the Full Certificate Chain for a Certificate

Configure the Mobile Device for Users

Use the Cortex XSOAR Enterprise Mobile App

Log in to the Cortex XSOAR Enterprise App

Switch Accounts in Multi-Tenants Deployments

Manage Dashboards in the Cortex XSOAR Enterprise Mobile App

Work with Incidents

Agents

Agents Overview

Shared Agents

Configure a Shared Agent Instance

Shared Agent Instance Parameters

Install a Shared Agent

D2 Agent

Install a D2 Agent

Troubleshoot a Remote Installation (Windows)

Agent Tools

Configure Cortex XSOAR to Use PowerShell

D2 Agent Script Commands

Return the memory dump file script

Running a Batch file Using Agent Tools

View All Running Processes Script

Logs

Audit Trail

Send the Audit Trail to an External Log Service

Cortex XSOAR Overview
Single Server Deployment
Distributed Database Deployment
Proxy
- Configure Proxy Settings
- Use NGINX as a Reverse Proxy to the Cortex XSOAR Server
Manage Data
Users and Roles
Disaster Recovery and Live Backup
Remote Repositories in Cortex XSOAR
Engines
Docker
Dashboards
Reports
Widgets
Manage Indicators
- Understand Indicators
- Auto Extract Indicators
Incidents
- Incident Lifecycle
- Incidents Management
Playbooks
Work with SLAs
Machine Learning Models
Lists
- Work With Lists
  - Create a List
- Set the List Separator Character
Cortex XSOAR Enterprise Mobile App
- Cortex XSOAR Enterprise Mobile App Overview
  - Android Certificate Requirements
  - Use the Cortex XSOAR Enterprise Mobile App
Agents
Logs
- Audit Trail
- Send the Audit Trail to an External Log Service

Document:Cortex XSOAR Administrator’s Guide

Cortex XSOAR Telemetry

Last Updated:

Mon Feb 28 03:27:33 PST 2022

Current Version:

5.5 (EoL)

Version 6.8
Version 6.6
Version 6.5
Version 6.2 (EoL)
Version 6.1 (EoL)
Version 6.0 (EoL)
Version 5.5 (EoL)

Table of Contents

Search the Table of Contents

Cortex XSOAR Overview

Cortex XSOAR Licenses

Add a License

Product Support Lifecycle

Cortex XSOAR Telemetry

Cortex XSOAR Concepts

Use Cases

Keyboard Shortcuts

How to Search in Cortex XSOAR

Configure System Notifications

Install DBot for Slack

Single Server Deployment

System Requirements

Performance Benchmark

Install Cortex XSOAR for a Single Server Deployment

Installer Flags

Install Cortex XSOAR Offline

Dependencies for Offline Installation

Post-Installation Checklist

Server Post-Installation Health Check

Monitor Cortex XSOAR Components

HTTPS with a Signed Certificate

Create a Private Key and Certificate Signing Request (CSR)

AWS EC2 Deployment Guidelines

Upgrade the Cortex XSOAR Server

Uninstall Cortex XSOAR

Distributed Database Deployment

Distributed Database Deployment

Sizing Requirements for Distributed Database Deployment

Install Cortex XSOAR for a Distributed Database Deployment

Install a Distributed Database Node

Configure a Live Backup for a Distributed Database Overview

Configure the Live Backup Environment for a Distributed Database

Transition a Standby Server to Active Mode

Transition an Active Server to Standby Mode for a Distributed Database

Change the Node Admin Password

Delete a User from a Node

Convert a Single Server Deployment to a Distributed Database Deployment

Reindex Databases in a Distributed Database Deployment

Restore Databases in a Distributed Database Deployment

Upgrade the Cortex XSOAR Server for a Distributed Database

Proxy

Configure Proxy Settings

Use NGINX as a Reverse Proxy to the Cortex XSOAR Server

Install NGINX on Cortex XSOAR

Generate a Certificate for NGINX

Configure NGINX

Manage Data

Reindex the Entire Database

Reindex a Specific Index Database

Reindex the Entire Database for a Distributed Database

Reindex a Specific Index for a Distributed Database

Free up Disk Space with Data Archiving

Migrate Data to Another Server

Move Data Folders to Another Location on the Server

Restore an Archived Folder

Users and Roles

Users and Roles Overview

Roles in Cortex XSOAR

Define a Role

Default Admin

Self-Service Read-Only Users

Configure the Server for Self Service Read-Only Users

Create the Self Service Read-Only Users

Create the Read-Only Dashboard

Create the Read-Only Incident Type and Layout

User Settings and Preferences

Shift Management

Managing Shifts

User Invitations

Invite a User

Integration Permissions

Password Policy

Create a Password Policy

Edit a Default Password Policy

Default Password Policy Keys

Change the Administrator Password

Authenticate Users with SAML 2.0

Set up Okta as the Identity Provider Using SAML 2.0

Create Okta Groups for Cortex XSOAR Users

Define the Okta Application to authenticate Cortex XSOAR

SAML Settings for the Okta Application

Configure the SAML 2.0 Integration for Okta

SAML 2.0 Okta Parameters

Map Okta Groups to Cortex XSOAR Roles

Set up Microsoft Azure as the Identity Provider

Create a Non-Gallery Application in Azure

Define Azure to authenticate Cortex XSOAR

Configure the SAML 2.0 Integration for Azure

SAML 2.0 Azure Parameters

Map Azure Groups to Cortex XSOAR Roles

Set up ADFS as the Identity Provider Using SAML 2.0

Create Relying Party Trust in ADFS

Define the Claim Issuance Policy

Configure the SAML 2.0 Integration for ADFS

SAML 2.0 ADFS Parameters

Map ADFS Groups to Cortex XSOAR Roles

Configure User Notifications

Set the Default Theme for New Users

Disaster Recovery and Live Backup

Disaster Recovery and Live Backup Overview

Host Names, DNS, and Disaster Recovery

Configure the Live Backup Environment

Configure Live Backup for Multiple SAMLs

DR Scenario: Testing the DR Environment

DR Scenario: Unrecoverable Active Server Failure

DR Scenario: Unrecoverable Standby Server Failure

Transition an Active Server to Standby Mode

Transition a Standby Server to Active Mode

Transition Between DR States Through the Configuration File

Upgrade the Live Backup Environment

Cortex XSOAR Engines and Disaster Recovery

Backup the Database

Restore the Database

Remote Repositories in Cortex XSOAR

Remote Repositories Overview

Configure a Remote Repository on a Development Machine

Configure a Remote Repository on the Production Machine

Edit and Push Content to a Remote Repository

Troubleshoot a Remote Repository Configuration

Troubleshoot a Remote Repository Definition

Troubleshoot Editing and Pushing Content

Troubleshoot Content Issues

Engines

Cortex XSOAR Engines Overview

Install Cortex XSOAR Engines

Run the Engine as a Service on Windows

Use an Engine in an Integration

Manage Engines

Configure Engines

Edit the Engine Configuration

Common Properties When Editing an Engine Configuration

Configure the Engine to Use a Web Proxy

Configure the Engine to Call the Server Without Using a Proxy

Configure the Number of Workers for the Server and Engine

Configure Access to Communication Tasks through an Engine

Notify Users When an Engine Disconnects

Remove the Cortex XSOAR Server From the Load-Balancing Group

Remove an Engine

Troubleshoot Cortex XSOAR Engines

Troubleshoot Engine Upgrades

Docker

Docker Installation

Install Docker Enterprise Edition on Cortex XSOAR

Install Docker Community Edition on Cortex XSOAR

Update Container-Selinux

Install Docker Distribution for Red Hat on Cortex XSOAR

Install Docker Images Offline

Configure Python Docker Integrations to Trust Custom Certificates

Docker Images in Cortex XSOAR

Manage Docker Images

Create a Docker Image In Cortex XSOAR

Docker Hardening Guide

Configure Memory Limit Support Without Swap Limit Capabilities

Run Docker with Non-Root Internal Users

Use a Docker Image for Python Scripts

Configure the Memory Limitation

Test the Memory Limit

Limit Available CPU

Configure the PIDs Limit

Configure the Open File Descriptors Limit

Troubleshoot Docker Networking Issues

Run Docker with Non-Root Internal Users

Dashboards

Dashboard Overview

Create a Dashboard

Add a Widget to a Dashboard