Home

Location

Documentation Home
Palo Alto Networks
Support
Live Community
Knowledge Base

Home
Security Operations
Cortex XSOAR
Cortex XSOAR Administrator’s Guide
Incidents
Classification and Mapping

Last Updated:

Sat Mar 05 23:12:46 PST 2022

Current Version:

6.0 (EoL)

Version 6.8
Version 6.6
Version 6.5
Version 6.2 (EoL)
Version 6.1 (EoL)
Version 6.0 (EoL)
Version 5.5 (EoL)

End-of-Life (EoL)

Table of Contents

Search the Table of Contents

copyright

Cortex XSOAR Overview

Cortex XSOAR Licenses

Add a License

Product Support Lifecycle

Cortex XSOAR Telemetry

Cortex XSOAR Concepts

Use Cases

Keyboard Shortcuts

Use the Command Line Interface

How to Search in Cortex XSOAR

Customize the Logo

Customize System Emails

Configure System Notifications

Install DBot for Slack

Performance Tuning of Cortex XSOAR Server

Single Server Deployment

System Requirements

Performance Benchmark

Install Cortex XSOAR for a Single Server Deployment

Installer Flags

Install Cortex XSOAR with Elasticsearch

Install Cortex XSOAR Offline

Dependencies for Offline Installation

Post-Installation Checklist

Server Post-Installation Health Check

Monitor Cortex XSOAR Components

HTTPS with a Signed Certificate

Create a Private Key and Certificate Signing Request (CSR)

Configure the Cortex XSOAR Server to Listen on HTTP

WebSocket Configuration

AWS EC2 Deployment Guidelines

Azure Virtual Machines Deployment Guidelines

GCP Compute Engine Deployment Guidelines

Upgrade the Cortex XSOAR Server

Uninstall Cortex XSOAR

Launch Cortex XSOAR from GCP Marketplace

Distributed Database Deployment

Distributed Database Deployment

Sizing Requirements for Distributed Database Deployment

Install Cortex XSOAR for a Distributed Database Deployment

Install a Distributed Database Node

Configure a Live Backup for a Distributed Database Overview

Configure the Live Backup Environment for a Distributed Database

Transition a Standby Server to Active Mode

Transition an Active Server to Standby Mode for a Distributed Database

Change the Node Admin Password

Change the Database Secret

Delete a User from a Node

Convert a Single Server Deployment to a Distributed Database Deployment

Upgrade the Cortex XSOAR Server for a Distributed Database

Delete a Database Node

Proxy

Configure Proxy Settings

Use NGINX as a Reverse Proxy to the Cortex XSOAR Server

Install NGINX on Cortex XSOAR

Generate a Certificate for NGINX

Configure NGINX

Manage Data

Migrate Cortex XSOAR Objects to Elasticsearch

Storing Cortex XSOAR Objects in Elasticsearch

Elasticsearch Migration Use Cases

Elasticsearch Security Guidelines

Elasticsearch Sizing Requirements

Migrate Cortex XSOAR Objects to Elasticsearch for a Single Server

Migrate Objects to Elasticsearch for a Distributed Database

Migrate Cortex XSOAR Objects to Elasticsearch for Multi-Tenant

Backup Cortex XSOAR Objects Stored in Elasticsearch

Restore Cortex XSOAR Objects Stored in Elasticsearch

Troubleshoot Elasticsearch

Troubleshoot Elasticsearch Memory Issues

Troubleshoot Elasticsearch Feed Ingestion Issues

Reindex the Entire Database

Reindex a Specific Index Database

Reindex the Entire Database for a Distributed Database

Reindex a Specific Index for a Distributed Database

Free up Disk Space with Data Archiving

Migrate Data to Another Server

Migrate Data to Another Server for Multi-Tenant

Move Data Folders to Another Location on the Server

Restore an Archived Folder

Users and Roles

Users and Roles Overview

Roles in Cortex XSOAR

Pre-set Query per Role

Define a Role

Role-based Permission Levels

Set the User as Default Adminstator

Change the Default Administrator to a SAML User

Self-Service Read-Only Users

Configure the Server for Self-Service Read-Only Users

Create the Self-Service Read-Only Users

Create the Read-Only Dashboard

Create the Read-Only Incident Type and Layout

User Settings and Preferences

Shift Management

Managing Shifts

User Invitations

Invite a User

Integration Permissions

Password Policy

Create a Password Policy

Edit a Default Password Policy

Default Password Policy Keys

Change the Administrator Password

Authenticate Users with SAML 2.0

Set up Okta as the Identity Provider Using SAML 2.0

Create Okta Groups for Cortex XSOAR Users

Define the Okta Application to authenticate Cortex XSOAR

SAML Settings for the Okta Application

Configure the SAML 2.0 Integration for Okta

SAML 2.0 Okta Parameters

Map Okta Groups to Cortex XSOAR Roles

Set up MS Azure as the Identity Provider Using SAML 2.0

Configure Microsoft Azure to Authenticate Cortex XSOAR

Configure the SAML 2.0 Integration for Azure

SAML 2.0 Azure Parameters

Set up ADFS as the Identity Provider Using SAML 2.0

Create Relying Party Trust in ADFS

Define the Claim Issuance Policy

Configure the SAML 2.0 Integration for ADFS

SAML 2.0 ADFS Parameters

Map ADFS Groups to Cortex XSOAR Roles

Set Up SAML Logout

Duo for Single Sign-On

Create Duo Groups for Cortex XSOAR Users

Define Duo to authenticate Cortex XSOAR

Configure the SAML 2.0 Integration for Duo

Map Duo Groups to Cortex XSOAR Roles

Configure User Settings

Set the Default Theme for New Users

Disaster Recovery and Live Backup

Disaster Recovery and Live Backup Overview

Host Names, DNS, and Disaster Recovery

Configure the Live Backup Environment

Configure Live Backup for Multiple SAMLs

DR Scenario: Testing the DR Environment

DR Scenario: Unrecoverable Active Server Failure

DR Scenario: Unrecoverable Standby Server Failure

Transition an Active Server to Standby Mode

Transition a Standby Server to Active Mode

Transition Between DR States Through the Configuration File

Upgrade the Live Backup Environment

Cortex XSOAR Engines and Disaster Recovery

Backup the Database

Restore the Database

Restore a Partition

Remote Repositories in Cortex XSOAR

Remote Repositories Overview

Configure a Remote Repository on a Development Machine

Configure a Remote Repository on the Production Machine

Edit and Push Content to a Remote Repository

Upgrade Remote Repositories for Versions Prior to 6.0

Troubleshoot a Remote Repository Configuration

Troubleshoot a Remote Repository Definition

Troubleshoot Editing and Pushing Content

Troubleshoot Content Issues

Marketplace

Marketplace Overview

Content Packs Support Types

Marketplace FAQs

Access the Marketplace

Register Users in the Customer Support Portal

Add a Role in the Cortex XSOAR Marketplace App

Search and Navigate in the Marketplace

Convert Existing Content to Content Pack Format

Convert Some Content Items to a Content Pack

Migrate All Content to Content Packs

Marketplace Troubleshooting

Content Pack Lifecycle

Content Pack Installation

Install a Content Pack

Delete a Content Pack

Update a Content Pack

Install a Content Pack Offline

Configure the Marketplace for Offline Installation

Content Pack Contributions

Create a Content Pack

Engines

Cortex XSOAR Engines Overview

Install a Cortex XSOAR Engine

Run the Engine as a Service on Windows

Install a Signed Engine

Use an Engine in an Integration

Manage Engines

Configure Engines

Edit the Engine Configuration

Common Properties When Editing an Engine Configuration

Configure the Engine to Use a Web Proxy

Configure the Engine to Call the Server Without Using a Proxy

Configure the Number of Workers for the Server and Engine

Configure Access to Communication Tasks through an Engine

Configure an Engine to Use Custom Certificates

Notify Users When an Engine Disconnects

Remove the Cortex XSOAR Server From the Load-Balancing Group

Remove an Engine

Troubleshoot Cortex XSOAR Engines

Troubleshoot Engine Installation

Troubleshoot Engine Upgrades

Troubleshoot Permission Denied

Troubleshoot Engine Import Error or Invalid Syntax Error

Troubleshoot Permission Denied

Troubleshoot Engine Connectivity

Docker

Docker Overview

Docker Installation

Update Container-Selinux

Install Docker Distribution for Red Hat on Cortex XSOAR

Configure Python Docker Integrations to Trust Custom Certificates

Docker Images in Cortex XSOAR

Create a Docker Image In Cortex XSOAR

Install Docker Images Offline

Docker Image Security

Manage Docker Images

Use a Docker Image for Python Scripts

Use the Cortex XSOAR Container Registry

Docker Hardening Guide

Run Docker with Non-Root Internal Users

Configure Memory Limit Support Without Swap Limit Capabilities

Configure the Memory Limitation

Test the Memory Limit

Limit Available CPU

Configure the PIDs Limit

Configure the Open File Descriptors Limit

Docker FAQs

Troubleshoot Docker Networking Issues

Troubleshoot Docker Performance Issues

Configure Docker Pull Rate Limit

Dashboards

Dashboard Overview

Create a Dashboard

Add a Widget to a Dashboard

Configure a Default Dashboard

Share and Unshare a Dashboard

Edit a Dashboard

Reports

Reports Overview

Create a Report

Schedule a report

Schedule a Report Examples

Customize the Email When Sending a Report

Create an Incident Summary Report

Select and Customize Sections to Export to a Summary Report

Add a Widget to a Report

Edit a report

Change the Report Logo

Configure the Time Zone and Format in a Report

Troubleshoot Reports

Troubleshoot Script Timeout for Reports

Widgets

Widgets Overview

Create a Widget in the Widgets Library

Widget Parameters

Create a Custom Widget Using a JSON File

JSON File Widget Parameters

JSON File Widget Example

Create a Custom Widget Using an Automation Script

Script Based Widgets Using Automation Scripts Examples

Create a Widget from an Indicator

Add a Custom Widget to the Indicator Page

Edit a Widget

Create a Used Percentage Widget for a Disk Partition

Saved By Dbot (ROI) Widget

Customize the Currency Symbol in the Saved by Dbot Widget

Reset the ROI Widget

Manage Indicators

Understand Indicators

Indicators Page

Indicator Reputation

Indicator Expiration

Indicator Types

Create an Indicator Type

Indicator Type Profile

File Indicators

Indicator Fields

Create a Custom Indicator Field

Configure the HTML Field

Map Custom Indicator Fields

Customize Indicator View Layouts

Customize an Indicator Type Layout

Add a Script in the Indicator Layout

Exclusion List

Create a Feed-Triggered Job

Manage the Indicator Timeline

Auto Extract Indicators

Configure What Auto Extract Executes

Disable Auto Extract for Scripts and Integrations

Auto Extract Indicators from a Phishing Email

Incidents

Incident Lifecycle

Incident Management

Create an Incident

Fetch Incidents from an Integration Instance

Receive Notification on an Incident Fetch Error

Create a Search Query for Incidents

Create a Widget From an Incident

Create a Widget From an Incident Example

Incident Investigation

Work Plan

Investigate an Incident Using the Canvas

Auto Populate the Canvas

Dbot Suggestions: Quick View Window

Edit Dbot Incident and Indicator Suggestions

Incident Actions

Evidence Handling

Incident Tasks

Create a To-Do Task

Incident Fields

Create a Custom Incident Field

Create a Grid Field for an Incident Type

Use Scripts with the Grid Field

Field Trigger Scripts

Troubleshoot Closing Case Incident after Changing Field Type

Incident De-Duplication

Automatic De-Duplication Using Scripts

Manually De-Duplicate Incidents

Create Pre-Process Rules for Incidents

Rule Actions for Pre-Process Rules

Post Processing for Incidents

Create a Post-Processing Script

Add a Post-Processing Script to the Incident Type

Incident Access Control Configuration

Limit Access to Investigations using RBAC

Restrict an Investigation

Link Incidents

Manage Related Incidents

Configure Incident Fields for Related Incidents

Link and Unlink incidents in the CLI

War Room Overview

Index War Room Entries

Add a Custom Widget in the War Room

Classification and Mapping

Classify Events Using a Classification Key

Create a Mapper

Configure Incident Mirroring

Incident Customization

Create an Incident Type

Customize Incident Layouts

Add a Script to the Incident Layout

Examples of Script Based Widgets for Incident Layouts

Add a Custom Widget to the Incident page

Add Note Information Using an Automation Script

Create Dynamic Fields in Incident Forms

Customize Incident Close Reasons

Change the Display Name of Security Incidents

Playbooks

Playbook Development

Manage Playbook Settings

Obtain Playbook Metadata

Playbook Inputs and Outputs

Playbook Tasks

Create Section Headers

Create a Conditional Task

Communication Tasks

Create an Ask Task

Ask Task Examples

Customize an Ask Task

Create a Data Collection Task

Data Collection Task Examples

Customize a Data Collection Task

Customize the SOC Name

Add Ad-hoc Tasks to a Work Plan

Playbook Task Fields

Configure a Sub-playbook Loop

Sub-playbook Tutorial

Extend Context

Extend Context in a Playbook Task

Extend Context using the Command Line

Generic Polling

Filters and Transformers

Create Filters and Transformers in a Playbook

Create a Filter Example

Create a Filter (Advanced) Example

Filter Operators

Transformers Operators

Create Custom Filter and Transformer Operators

Automations

Common Scripts to use in Automations

Version Control

Create a Job

Work with SLAs

SLA Overview

Create an SLA Field

Manage SLA and Timer Fields in an Incident

Create an SLA Trigger

Customize SLA Scripts

Search Incidents using SLA and Timer Fields

Configure the Global Risk Threshold

Machine Learning Models

Machine Learning Models Overview

Use the Phishing Classifier in Production

Create a Machine Learning Model

Machine Learning Model Example

Phishing Command Examples Using a Machine Learning Model

Phishing Classifier Demo

DbotPredictOutOfTheBox Parameters

DbotPredictOutOfTheBox Parameters

DbotPredictOutOfTheBox Examples

Train a Phishing Classifier on Non-English Languages

Train a Classifier on Languages with Adjusted Tokenization

Train a Classifier on Other Languages

Lists

Work With Lists

Create a List

Set the List Separator Character

Transform a List into an Array

Cortex XSOAR Enterprise Mobile App

Cortex XSOAR Enterprise Mobile App Overview

Android Certificate Requirements

Deploy the Android apk in a Self-Signed Certificate and an MDM Environment

Obtain the Full Certificate Chain for a Certificate

Configure the Mobile Device for Users

Use the Cortex XSOAR Enterprise Mobile App

Log in to the Cortex XSOAR Enterprise App

Switch Accounts in Multi-Tenant Deployments

Manage Dashboards in the Cortex XSOAR Enterprise Mobile App

Work with Incidents

Troubleshoot Mobile App Notifications

Agents

Agents Overview

Shared Agents

Configure a Shared Agent Instance

Shared Agent Instance Parameters

Install a Shared Agent

D2 Agent

Install a D2 Agent

Troubleshoot a Remote Installation (Windows)

Agent Tools

Configure Cortex XSOAR to Use PowerShell

D2 Agent Script Commands

Return the Memory Dump File Script

Running a Batch file Using Agent Tools

View All Running Processes Script

Logs

Logs Overview

Configure the Server Log

Create a Log Bundle

Audit Trail

Send the Audit Trail to an External Log Service

copyright
Cortex XSOAR Overview
Single Server Deployment
Distributed Database Deployment
Proxy
- Configure Proxy Settings
- Use NGINX as a Reverse Proxy to the Cortex XSOAR Server
Manage Data
Users and Roles
Disaster Recovery and Live Backup
Remote Repositories in Cortex XSOAR
Marketplace
Engines
Docker
Dashboards
Reports
Widgets
Manage Indicators
- Understand Indicators
- Auto Extract Indicators
Incidents
Playbooks
Work with SLAs
Machine Learning Models
Lists
Cortex XSOAR Enterprise Mobile App
Agents
Logs

Document:Cortex XSOAR Administrator’s Guide

Classification and Mapping

Last Updated:

Sat Mar 05 23:12:46 PST 2022

Current Version:

6.0 (EoL)

Version 6.8
Version 6.6
Version 6.5
Version 6.2 (EoL)
Version 6.1 (EoL)
Version 6.0 (EoL)
Version 5.5 (EoL)

Table of Contents

Search the Table of Contents

copyright

Cortex XSOAR Overview

Cortex XSOAR Licenses

Add a License

Product Support Lifecycle

Cortex XSOAR Telemetry

Cortex XSOAR Concepts

Use Cases

Keyboard Shortcuts

Use the Command Line Interface

How to Search in Cortex XSOAR

Customize the Logo

Customize System Emails

Configure System Notifications

Install DBot for Slack

Performance Tuning of Cortex XSOAR Server

Single Server Deployment

System Requirements

Performance Benchmark

Install Cortex XSOAR for a Single Server Deployment

Installer Flags

Install Cortex XSOAR with Elasticsearch

Install Cortex XSOAR Offline

Dependencies for Offline Installation

Post-Installation Checklist

Server Post-Installation Health Check

Monitor Cortex XSOAR Components

HTTPS with a Signed Certificate

Create a Private Key and Certificate Signing Request (CSR)

Configure the Cortex XSOAR Server to Listen on HTTP

WebSocket Configuration

AWS EC2 Deployment Guidelines

Azure Virtual Machines Deployment Guidelines

GCP Compute Engine Deployment Guidelines

Upgrade the Cortex XSOAR Server

Uninstall Cortex XSOAR

Launch Cortex XSOAR from GCP Marketplace

Distributed Database Deployment

Distributed Database Deployment

Sizing Requirements for Distributed Database Deployment

Install Cortex XSOAR for a Distributed Database Deployment

Install a Distributed Database Node

Configure a Live Backup for a Distributed Database Overview

Configure the Live Backup Environment for a Distributed Database

Transition a Standby Server to Active Mode

Transition an Active Server to Standby Mode for a Distributed Database

Change the Node Admin Password

Change the Database Secret

Delete a User from a Node

Convert a Single Server Deployment to a Distributed Database Deployment

Upgrade the Cortex XSOAR Server for a Distributed Database

Delete a Database Node

Proxy

Configure Proxy Settings

Use NGINX as a Reverse Proxy to the Cortex XSOAR Server

Install NGINX on Cortex XSOAR

Generate a Certificate for NGINX

Configure NGINX

Manage Data

Migrate Cortex XSOAR Objects to Elasticsearch

Storing Cortex XSOAR Objects in Elasticsearch

Elasticsearch Migration Use Cases

Elasticsearch Security Guidelines

Elasticsearch Sizing Requirements

Migrate Cortex XSOAR Objects to Elasticsearch for a Single Server

Migrate Objects to Elasticsearch for a Distributed Database