Home

Location

Documentation Home
Palo Alto Networks
Support
Live Community
Knowledge Base

Home
Security Operations
Cortex XSOAR
Cortex XSOAR Administrator’s Guide
Incidents
Incident Management
Create a Search Query for Incidents

Last Updated:

Mon Aug 08 23:37:51 PDT 2022

Current Version:

6.6

Version 6.9
Version 6.8
Version 6.6
Version 6.5
Version 6.2 (EoL)
Version 6.1 (EoL)
Version 6.0 (EoL)
Version 5.5 (EoL)

Table of Contents

Search the Table of Contents

Cortex XSOAR Overview

Cortex XSOAR Licenses

Add a License

Manually Refresh the Number of Licenses in Use

Cortex XSOAR Deployment Checklist

Cortex XSOAR Navigation Cheat Sheet

Cortex XSOAR New User FAQ

FIPS Version of Cortex XSOAR

Product Support Lifecycle

Cortex XSOAR Telemetry

Cortex XSOAR Concepts

Use Cases

Cortex XSOAR API Keys

Keyboard Shortcuts

Use the Command Line Interface

How to Search in Cortex XSOAR

How to Use Markdown in Cortex XSOAR

Customize the Logo

Customize the Login Message

Customize System Emails

Configure System Notifications

Install DBot for Slack

System Diagnostics

Cortex XSOAR Supported Ciphers

Single Server Deployment

System Requirements

Performance Benchmark

Install Cortex XSOAR for a Single Server Deployment

Installer Flags

Install Cortex XSOAR with Elasticsearch

Install Cortex XSOAR Offline

Dependencies for Offline Installation

Post-Installation Checklist

Server Post-Installation Health Check

Monitor Cortex XSOAR Components

HTTPS with a Signed Certificate

Create a Private Key and Certificate Signing Request (CSR)

Configure the Cortex XSOAR Server to Listen on HTTP

WebSocket Configuration

AWS EC2 Deployment Guidelines

Azure Virtual Machines Deployment Guidelines

GCP Compute Engine Deployment Guidelines

Upgrade the Cortex XSOAR Server

Uninstall Cortex XSOAR

Launch Cortex XSOAR from GCP Marketplace

Proxy

Configure Proxy Settings

Use NGINX as a Reverse Proxy to the Cortex XSOAR Server

Install NGINX on Cortex XSOAR

Generate a Certificate for NGINX

Configure NGINX

Manage Data

Reindex the Entire Database

Reindex a Specific Index Database

Reindex the Audit Log

Free up Disk Space with Data Archiving

Archive Artifacts and Attachments

Store Incident/Artifact Files in the Cloud

Migrate Data to Another Server

Migrate Data to Another Server for Multi-Tenant

Move Data Folders to Another Location on the Server

Restore an Archived Folder

Elasticsearch

Elasticsearch Overview

Elasticsearch Setup

Best Practices

Elasticsearch System Requirements

Elasticsearch Configurations

Elasticsearch Data Management

Elasticsearch Security

Elasticsearch General Security Guidelines

Elasticsearch Security Guidelines - Multi-tenant Deployments

Migration

Elasticsearch Migration Overview

Migrate Cortex XSOAR Objects to Elasticsearch for a Single Server

Migrate Cortex XSOAR Objects to Elasticsearch for Multi-Tenant

Migrate an Existing Elasticsearch Deployment

Migrate Objects to Elasticsearch for a Distributed Database

Manage Partial Migration to Elasticsearch

Validate the Migration to Elasticsearch

Elasticsearch Post Migration Health Check

Restore Cortex XSOAR Objects Stored in Elasticsearch

Disaster Recovery for Elasticsearch

Create Elasticsearch Snapshots

Restore Elasticsearch Snapshots

Archive Data with Elasticsearch

Troubleshoot Elasticsearch

Users and Roles

Users and Roles Overview

Roles in Cortex XSOAR

Pre-set Query per Role

Define a Role

Role-based Permission Levels

Set the User as Default Adminstator

Change the Default Administrator to a SAML User

Self-Service Read-Only Users

Configure the Server for Self-Service Read-Only Users

Create the Self-Service Read-Only Users

Create the Read-Only Dashboard

Create the Read-Only Incident Type and Layout

User Settings and Preferences

Configure User Settings

Shift Management

Managing Shifts

User Invitations

Invite a User

Integration Permissions

Password Policy

Create a Password Policy

Edit a Default Password Policy

Default Password Policy Keys

Change the Administrator Password

Authenticate Users with Active Directory

Authenticate Users with SAML 2.0

Set up Okta as the Identity Provider Using SAML 2.0

Create Okta Groups for Cortex XSOAR Users

Define the Okta Application to authenticate Cortex XSOAR

SAML Settings for the Okta Application

Configure the SAML 2.0 Integration for Okta

SAML 2.0 Okta Parameters

Map Okta Groups to Cortex XSOAR Roles

Set Up MS Azure as the Identity Provider Using SAML 2.0

Configure Microsoft Azure to Authenticate Cortex XSOAR

Configure the SAML 2.0 Integration for Azure

SAML 2.0 Azure Parameters

Set up ADFS as the Identity Provider Using SAML 2.0

Create Relying Party Trust in ADFS

Define the Claim Issuance Policy

Configure the SAML 2.0 Integration for ADFS

SAML 2.0 ADFS Parameters

Map ADFS Groups to Cortex XSOAR Roles

Duo for Single Sign-On

Create Duo Groups for Cortex XSOAR Users

Define Duo to authenticate Cortex XSOAR

Configure the SAML 2.0 Integration for Duo

Map Duo Groups to Cortex XSOAR Roles

Set Up SAML Logout

Set the Default Theme for New Users

Remove a User

Disaster Recovery and Live Backup

Disaster Recovery and Live Backup Overview

Host Names, DNS, and Disaster Recovery

Configure the Live Backup Environment

Configure Live Backup for Multiple SAMLs

DR Scenario: Testing the DR Environment

DR Scenario: Unrecoverable Active Server Failure

DR Scenario: Unrecoverable Standby Server Failure

Transition an Active Server to Standby Mode

Transition a Standby Server to Active Mode

Transition Between DR States Through the Configuration File

Upgrade the Live Backup Environment

Cortex XSOAR Engines and Disaster Recovery

Backup the Database

Restore the Database

Restore a Partition

High Availability

High Availability Overview

Sizing Requirements for High Availability Deployments

Monitor the Health of the App Servers

Migrate a Single Instance for High Availability

Migrate a Multi-Tenant Deployment for High Availability

Install Additional App Servers

Validate Additional App Servers

Deploy Engines in a High Availability Environment

Use a Signed Certificate

Remote Repositories in Cortex XSOAR

Content Management in Cortex XSOAR

Remote Repositories Overview

Configure a Remote Repository on a Development Machine

Configure a Remote Repository on the Production Machine

Edit and Push Content to a Remote Repository

Upgrade Remote Repositories from Versions 5.5 and below

Troubleshoot a Remote Repository Configuration

Troubleshoot a Remote Repository Definition

Troubleshoot Editing and Pushing Content

Troubleshoot Content Issues

Marketplace

Marketplace Overview

Content Packs Support Types

Marketplace FAQs

Access the Marketplace

Register Users in the Customer Support Portal

Add a Role in the Cortex XSOAR Marketplace App

Search and Navigate in the Marketplace

Convert Existing Content to Content Pack Format

Convert Some Content Items to a Content Pack

Migrate All Content to Content Packs

Content Pack Lifecycle

Marketplace Private Offer

Marketplace Private Offer FAQs

Content Pack Installation

Install a Content Pack

Delete a Content Pack

Update a Content Pack

Revert a Content Pack

Install a Content Pack Offline

Configure the Marketplace for Offline Installation

Marketplace Troubleshooting

Content Pack Contributions

Create a Content Pack

Engines

Cortex XSOAR Engines Overview

Install a Cortex XSOAR Engine

Run the Engine as a Service on Windows

Install a Signed Engine

Install a Cortex XSOAR Engine Offline

Use an Engine in an Integration

Run a Script using an Engine

Manage Engines

Configure Engines

Edit the Engine Configuration

Common Properties When Editing an Engine Configuration

Configure the Engine to Use a Web Proxy

Configure the Engine to Call the Server Without Using a Proxy

Configure the Number of Workers for the Server and Engine

Configure Access to Communication Tasks through an Engine

Configure an Engine to Use Custom Certificates

Notify Users When an Engine Disconnects

Remove an Engine

Troubleshoot Cortex XSOAR Engines

Troubleshoot Engine Installation

Troubleshoot Engine Upgrades

Troubleshoot Engine Connectivity

Troubleshoot Integrations Running on Engines

Troubleshoot Engine Import Error or Invalid Syntax Error

Troubleshoot Permission Denied

Docker

Docker Overview

Docker Installation

Update Container-Selinux

Install Docker Distribution for Red Hat on Cortex XSOAR

Configure Python Docker Integrations to Trust Custom Certificates

Docker Images in Cortex XSOAR

Create a Docker Image In Cortex XSOAR

Install Docker Images Offline

Docker Image Security

Manage Docker Images

Use a Docker Image for Python Scripts

Use the Cortex XSOAR Container Registry

Docker Hardening Guide

Run Docker with Non-Root Internal Users

Configure Memory Limit Support Without Swap Limit Capabilities

Configure the Memory Limitation

Test the Memory Limit

Limit Available CPU

Configure the PIDs Limit

Configure the Open File Descriptors Limit

Docker Network Hardening

Docker FAQs

Troubleshoot Docker Networking Issues

Troubleshoot Docker Performance Issues

Configure Docker Pull Rate Limit

Change the Docker Installation Folder

Podman

Podman Overview

Podman Installation

Configure the SELinux Policy for PowerShell Integrations

Migrate From Docker to Podman

Troubleshoot Podman

Dashboards

Dashboard Overview

Create a Dashboard

Add a Widget to a Dashboard

Share a Dashboard

Edit a Dashboard

Reports

Reports Overview

Create a Report

Schedule a report

Schedule a Report Examples

Customize the Email When Sending a Report

Create an Incident Summary Report

Select and Customize Sections to Export to a Summary Report

Add a Widget to a Report

Edit a report

Change the Report Logo

Configure the Time Zone and Format in a Report

Troubleshoot Reports

Troubleshoot Script Timeout for Reports

Widgets

Widgets Overview

Create a Widget using the Widget Builder

Create a Widget Using the Widget Builder Examples

Create a Custom Widget Using a JSON File

JSON File Widget Parameters

JSON File Widget Example

Create a Custom Widget Using an Automation Script

Script Based Widgets Using Automation Scripts Examples

Create a Widget from an Indicator

Add a Custom Widget to the Indicator Page

Edit a Widget

Create a Used Percentage Widget for a Disk Partition

Saved By Dbot (ROI) Widget

Customize the Currency Symbol in the Saved by Dbot Widget

Reset the ROI Widget

Indicators

Understand Indicators

Indicator Ingestion

Threat Intel Page

Export an Indicator to CSV Using the UTF8-BOM Format

Indicator Verdict

Reputation Scripts

Indicator Expiration

Indicator Types

Create an Indicator Type

Indicator Type Profile

File Indicators

File Indicator Merging Strategy

Indicator Fields

Create a Custom Indicator Field

Configure the HTML Field

Map Custom Indicator Fields

Indicator Field Trigger Scripts

Customize Indicator View Layouts

Customize an Indicator Type Layout

Add a Script in the Indicator Layout

Exclusion List

Create a Feed-Triggered Job

Manage the Indicator Timeline

Indicator Extraction

Create Indicator Extraction Rules for an Incident Type

Configure What Indicator Extraction Executes

Run Indicator Extraction in the CLI

Create Indicator Extract Rules for a Playbook Task

Disable Indicator Extraction for Automations or Integrations

Indicator Relationships

Create Indicator Relationships

Leverage Relationships in the Canvas

Incidents

Incident Lifecycle

Incident Management

Create an Incident

Fetch Incidents From an Integration Instance

Receive Notification on an Incident Fetch Error

Create a Search Query for Incidents

Create a Widget From an Incident

Create a Widget From an Incident Example

Export an Incident to CSV Using the UTF8-BOM Format

Incident Investigation

Incident Context Data

Work Plan

Investigate an Incident Using the Canvas

Auto Populate the Canvas

Dbot Suggestions: Quick View Window

Edit Dbot Incident and Indicator Suggestions

Incident Actions

Evidence Handling

Incident Tasks

Create a To-Do Task

Incident Fields

Create a Custom Incident Field

Create a Grid Field for an Incident Type

Use Scripts with the Grid Field

Incident Field Trigger Scripts

Troubleshoot Closing Case Incident after Changing Field Type

Incident De-Duplication

Automatic De-Duplication Using Scripts

Manually De-Duplicate Incidents

Create Pre-Process Rules for Incidents

Rule Actions for Pre-Process Rules

Post Processing for Incidents

Create a Post-Processing Script

Add a Post-Processing Script to the Incident Type

Link Incidents

Manage Related Incidents

Configure Incident Fields for Related Incidents

Link and Unlink incidents in the CLI

War Room Overview

Add a Custom Widget in the War Room

War Room Indexing

Index War Room Entries Using Bolt DB

Index War Room Entries Using Elasticsearch

Incident Access Control Configuration

Limit Access to Investigations using RBAC

Restrict an Investigation

Classification and Mapping

Classify Events Using a Classification Key

Create a Mapper

Incident Mirroring

Incident Customization

Create an Incident Type

Customize Incident Layouts

Add a Script to the Incident Layout

Examples of Script Based Widgets for Incident Layouts

Add a Custom Widget to the Incident Page

Add Note Information Using an Automation Script

Create Dynamic Fields in Incident Forms

Customize Incident Close Reasons

Change the Display Name of Security Incidents

Playbooks

Playbook Development

Manage Playbook Settings

Obtain Playbook Metadata

Playbook Inputs and Outputs

Playbook Tasks

Create Section Headers

Create a Conditional Task

Communication Tasks

Create an Ask Task

Ask Task Examples

Customize an Ask Task

Create a Data Collection Task

Data Collection Task Examples

Customize a Data Collection Task

Customize the SOC Name

Create Communication Task Authentication

Add Ad-hoc Tasks to a Work Plan

Playbook Task Fields

Configure a Sub-playbook Loop

Sub-Playbook Loop Example

Extend Context

Extend Context in a Playbook Task

Extend Context using the Command Line

Playbook Polling

Filters and Transformers

Create Filters and Transformers in a Playbook

Create a Filter Example

Create a Filter (Advanced) Example

Filter Operators

Transformers Operators

Create Custom Filter and Transformer Operators

Automations

Special Automation Tags

Common Scripts to use in Automations

Version Control

Playbook Debugger

Debug a Playbook

Debugger Troubleshooting

Create a Job

Work with SLAs

SLA Overview

Create an SLA Field

Manage SLA and Timer Fields in an Incident

Create an SLA Trigger

Customize SLA Scripts

Search Incidents using SLA and Timer Fields

Configure the Global Risk Threshold

Machine Learning

Machine Learning Capabilities

Machine Learning Models

Use the Phishing Classifier in Production

Create a Machine Learning Model

Machine Learning Model Example

Phishing Command Examples Using a Machine Learning Model

Phishing Classifier Demo

Phishing Classifier Demo Parameters

Phishing Classifier Demo Output Parameters

Phishing Classifier Demo Examples

Train a Phishing Classifier on Non-English Languages

Train a Classifier on Languages with Adjusted Tokenization

Train a Classifier on Other Languages

Additional Machine Learning Scripts

DBotFindSimilarIncidents Script

DBotPredictURLPhishing Script

DBotUpdateLogoURLPhishing Script

Lists

Work With Lists

Work with JSON Lists

Create a List

Set the List Separator Character

Transform a List into an Array

Logs

Logs Overview

Configure the Server Log

Configure the Access Log for HTTPS Requests

Create a Log Bundle

Audit Trail

Send the Audit Trail to an External Log Service

Server Configurations

Modify Server Configurations

Cortex XSOAR Overview
Single Server Deployment
Proxy
- Configure Proxy Settings
- Use NGINX as a Reverse Proxy to the Cortex XSOAR Server
Manage Data
Elasticsearch
Users and Roles
Disaster Recovery and Live Backup
High Availability
Remote Repositories in Cortex XSOAR
Marketplace
Engines
Docker
Podman
Dashboards
Reports
Widgets
Indicators
Incidents
Playbooks
Work with SLAs
Machine Learning
Lists
Logs
Server Configurations
- Modify Server Configurations

Document:Cortex XSOAR Administrator’s Guide

Create a Search Query for Incidents

Last Updated:

Mon Aug 08 23:37:51 PDT 2022

Current Version:

6.6

Version 6.9
Version 6.8
Version 6.6
Version 6.5
Version 6.2 (EoL)
Version 6.1 (EoL)
Version 6.0 (EoL)
Version 5.5 (EoL)

Table of Contents

Search the Table of Contents

Cortex XSOAR Overview

Cortex XSOAR Licenses

Add a License

Manually Refresh the Number of Licenses in Use

Cortex XSOAR Deployment Checklist

Cortex XSOAR Navigation Cheat Sheet

Cortex XSOAR New User FAQ

FIPS Version of Cortex XSOAR

Product Support Lifecycle

Cortex XSOAR Telemetry

Cortex XSOAR Concepts

Use Cases

Cortex XSOAR API Keys

Keyboard Shortcuts

Use the Command Line Interface

How to Search in Cortex XSOAR

How to Use Markdown in Cortex XSOAR

Customize the Logo

Customize the Login Message

Customize System Emails

Configure System Notifications

Install DBot for Slack

System Diagnostics

Cortex XSOAR Supported Ciphers

Single Server Deployment

System Requirements

Performance Benchmark

Install Cortex XSOAR for a Single Server Deployment

Installer Flags

Install Cortex XSOAR with Elasticsearch

Install Cortex XSOAR Offline

Dependencies for Offline Installation

Post-Installation Checklist

Server Post-Installation Health Check