Use Cases - Administrator Guide - 6.5 - Cortex XSOAR - Cortex - Security Operations

Fetch Incidents with relevant filters

Create, close and delete incidents/events/cases

Update Incidents - Update status, assignees, Severity, SLA, etc.

Get events related to an incident/case for enrichment/investigation purposes

Query SIEM (consider aggregating logs)

Use credentials from the authentication vault in order to configure instances in Cortex XSOAR. (Save credentials in: Settings → Integrations → Credentials.) The integration should include the isFetchCredentials parameter, and other integrations that will use credentials from the vault, should have the Switch to credentials option.

Lock/Delete Account – Use an integration to lock/unlock a third-party account.

Reset Account - Perform a reset password command for a third-party account

Lock an external credentials vault - in case of emergency (if the vault has been compromised), allow the option to lock/unlock the entire vault via an integration.

Step-Up authentication - Enforce Multi Factor Authentication for an account.

Create, get, edit, close a ticket/issue, add + view comments

Assign a ticket/issue to a specified user

List all tickets, filter by name, date, assignee

Get details about a managed object, update, create, delete

Add and manage users

Enriching information about different IOC types: Upload object for scan and get the scan results. (If there’s a possibility to upload private/public, the default should be set to private.) Search for former scan results about an object. (This way you can get information about a sample without uploading it yourself.) Enrich information and scoring for the object.

Add/Search for indicators in the system

Add indicators to the exclusion list

Calculate DBot Score for indicators

Get message – Download the email itself, retrieve metadata, body

Download attachments for a given message

Manage senders – Block/ Allow specified mail senders

Manage URLs – Block/ Allow the sending of specified URLs

Encode/ Decode URLs in messages

Release a held message (The gateway can place suspicious messages on hold, and sometimes they would need to be released to the receiver.)

Fetch Incidents & Events

Get event details (from specified incident)

Quarantine File

Isolate and contain endpoints

Update Indicators (Network, hashes, etc.) by policy (can be block, monitor) – deny list

Add indicators to the exclusion list

Search for indicators in the system (Seen indicators and related incidents/events)

Download file (based on hash, path)

Trigger scans on specified hosts

Update .DAT files for signatures and compare existing .DAT file to the newest one on the server

Get information for a specified host (OS, users, addresses, hostname)

Get policy information and assign policies to endpoints

Submit a file and get a report (detonation)

Submit a URL and get a report (detonation)

Search for past analysis (input being a hash/URL)

Retrieve a PCAP file

Retrieve screenshots taken during analysis

Create block/accept policies (Source, Destination, Port), for IP addresses and domains

Add addresses and ports (services) to predefined groups, create groups, etc.

Support custom URL categories

Fetch network logs for a specific address for a configurable time frame

URL filtering categorization change request

Built-in blocked rule command for fast-blocking

If there is a Management FW, allow the option to manage policy rules through it

Get/Fetch alerts

Get PCAP file, packet

Get network logs filtered by time range, IP addresses, ports, etc.

Create/manage/delete policies and rules

Update signatures from an online source / upload + Get last signature update information

Install policy (if existing)

Enrich asset – get vulnerability information for an asset (or a group of assets) in the organization

Generate/Trigger a scan on specified assets

Get a scan report including vulnerability information for a specified scan and export it

Get details for a specified vulnerability

Scan assets for a specific vulnerability