War Room Overview
Use the Cortex XSOAR War Room for real-time investigation into an incident, to filter War Room entries, and to disable indicator notifications.
Within Cortex XSOAR, real-time investigation
is facilitated through the War Room, which is powered by ChatOps
and helps analysts to do the following:
- Run real-time security actions through the CLI, without switching consoles.
- Run security playbooks, scripts and commands.
- Collaborate and execute remote actions across integrated products.
- Capture incident context from different sources.
- Document all actions in one source.
- Converse with others for joint investigations.
Cortex XSOAR also provides machine learning insights to suggest
the most effective analysts and command-sets. Each incident has
a unique War Room.
When you open the War Room, you see a number of entries, such as commands, notes, evidence and tasks, in several formats, such as Markdown and HTML. When Markdown, HTML or geographical information is received, the content is displayed in the relevant format.

You can do the following actions for each artifact entry.

Action | Description |
---|---|
Edit | You can edit, format or delete your own entries. If an entry has been changed, a History link appears where you can view all changes to the entry. |
Mark as Evidence | Opens the Mark as evidence window, where you specify the evidence details to be saved in the Evidence Board. The Evidence Board stores key artifacts for current and future analysis. You can add evidence in the Case Info tab, the Evidence Board, or the War Room. |
Mark as note | Marks the entry as a note. Notes help the analyst understand why a certain action was taken and assist future decisions. You can also add notes in the Case Info tab. |
View artifact in new tab | Opens a new tab for the artifact. |
Detach from task | Removes a task from the artifact. |
Attach to a task | Adds a task to the artifact. |
Download artifact | Downloads the artifact in a format that matches the entry type, such as a .txt file for a text entry or a .json file for a JSON entry. |
Add tags | Add any relevant tags, which helps you find relevant information later. |
You can run various commands in the CLI by typing one of the following prefixes:
- !: Integration commands, automations, and built-in commands. For example, add evidence, assign an analyst, etc.
- /: System commands and operations. For example, add notes, close an investigation, etc.
- @: User tagging. Send notifications to administrators, teams, analysts, etc.
You can edit incidents, create a report, add child incidents,
and so on, as described in Incident Actions.
Filter Entities
You can filter entries from the filter menu. You can add a filter by selecting its checkbox, or click the remove icon to remove it. The filter menu contains three types of War Room entities by which you can filter:
- Actions
- Tags
- From
Use the And/Or toggles between the Actions, Tags and From sections:
- And: Combines two or more filters, so an entry must match all of them.
- Or: Shows an entry when it matches any one of the selected items.
You can save the filter by clicking Add.
You can also retrieve saved filters.
Indicator Notifications
You can disable War Room notifications for related indicators.
Go to Settings > About > Troubleshooting and add the following server configuration:
Key | Value |
---|---|
create.related.indicators.entry | false |
Cortex XSOAR does not index notes, chats, and pinned as evidence
entries. If you want to index these entries, see War Room Indexing.