Scribd
Upload
1K views68 pages

Cortex XSOAR LABS

Uploaded by

Muhammad Waseem Ahsan
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
1K views68 pages

Cortex XSOAR LABS

Uploaded by

Muhammad Waseem Ahsan
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 68

Workshop Guide

Workshop Guide

- HANDS ON WORKSHOP -

Security Orchestration,
Automation and Response.

© 2020 Palo Alto Networks. Proprietary and Confidential

1
Workshop - Up Level Your SOC with Cortex XSOAR
Workshop Guide

Table of Contents

Table of Contents
ACTIVITY 0 – LOG IN TO YOUR CORTEX XSOAR WORKSHOP INSTANCE AND OPTIONALLY INSTALL THE MOBILE APP.................7
ACTIVITY 1 – PHISHING CAMPAIGN INVESTIGATION AND RESPONSE ........................................................................................7
TASK 1 – SEARCH AND LOCATE PHISHING INCIDENTS IN CORTEX XSOAR........................................................................................................ 8
TASK 2 – UNDERSTAND PHISHING INVESTIGATION DATA ........................................................................................................................... 12
TASK 3 – EDIT CUSTOM LAYOUT FOR PHISHING INCIDENTS......................................................................................................................... 18
TASK 4 – PLAYBOOK OVERVIEW ........................................................................................................................................................... 20
TASK 5 – INTRODUCTION TO NATIVE THREAT INTEL MANAGEMENT IN XSOAR .............................................................................................. 23
ACTIVITY 2 – BEHAVIORAL THREAT INVESTIGATION AND RESPONSE ...................................................................................... 29

TASK 1 – SEARCH AND FIND INCIDENTS OF TYPE “CORTEX XDR INCIDENT” ................................................................................................... 29
TASK 2 – INCIDENT INVESTIGATION ...................................................................................................................................................... 33
TASK 3 – SEARCH AND CONFIGURE INTEGRATIONS ................................................................................................................................... 45
TASK 4 – WAR ROOM AND COMMAND LINE OPERATIONS ......................................................................................................................... 49

ACTIVITY 3 – IMPOSSIBLE TRAVELER INCIDENT INVESTIGATION AND RESPONSE..................................................................... 52


TASK 1 – FIND THE INCIDENT WITH TYPE “IMPOSSIBLE TRAVELER” .............................................................................................................. 52
TASK 2 – UNDERSTAND MULTI SECTION INCIDENT INVESTIGATION VIEWS ..................................................................................................... 57

2
Workshop - Up Level Your SOC with Cortex XSOAR
Workshop Guide

How to use this Guide:


The activities outlined in this guide are meant to contain all the information necessary to
navigate the User Interfaces for the different functionality available in Cortex XSOAR
security orchestration automation and response platform. This guide is meant to be used
in conjunction with the information and guidance provided by your facilitator.

The screenshots in this guide may not completely match what you see in your browser. For
example, some of the alerts may have different details such as timestamps, dates etc. But
the basic steps will still apply

This workshop covers only basic topics and is not a substitute for a formal proof of concept,
Universal Test Drives (UTD) or training classes conducted at a Palo Alto Networks
Authorized Training Center (ATC). Please contact your partner or regional sales manager
for more training information.

Terminology:
Incidents Potential security threat data that SOC administrators identify and remediate. There are several
incident triggers, including:

● SIEM alerts
● Mail alerts
● Security alerts from third-party services, such as SIEM, mailboxes, data in CSV format, or from the
Cortex XSOAR RESTful API.

Cortex XSOAR includes several out-of-the-box incident types, and users can add custom incident types
with custom fields, as necessary.

Incident Lifecycle

3
Workshop - Up Level Your SOC with Cortex XSOAR
Workshop Guide

Integrations Third-party tools and services that the Cortex XSOAR platform orchestrates and automates SOC
operations. In addition to third-party tools, you can create your own integration using the Bring Your Own
Integration (BYOI) feature.

Integration Categories This list is not exhaustive and highlights the main integration categories.

● Analytics & SIEM


● Authentication
● Case Management
● Data Enrichment
● Threat Intel Feeds
● Database
● Endpoint
● Forensics & Malware Analysis
● IT Services
● Messaging
● Network Security
● Vulnerability Management

Playbook Cortex XSOAR Playbooks are self-contained, fully documented prescriptive procedures that
query, analyze, and take action based on the gathered results. Playbooks enable you to organize and
document security monitoring, orchestration, and response activities. There are several out-of-the-box
playbooks that cover common investigation scenarios. You can use these playbooks as-is or customize
them according to your requirements. Playbooks are written in YAML file format using the COPS standard.
Playbooks are made up of tasks, each of which perform a specific action. Tasks are either manual or
automatic. Manual tasks are actions that are not associated with scripts. Automated tasks are associated
with scripts, written in Python or JavaScript.

4
Workshop - Up Level Your SOC with Cortex XSOAR
Workshop Guide

A key feature of Playbooks is the ability to structure and automate security responses, which were
previously handled manually. You can reuse Playbook tasks as building blocks for new playbooks, saving
you time and streamlining knowledge retention.

Automation The Automation section is where you manage, create, and modify scripts. These scripts
perform a specific action and are comprised of commands associated with an integration. You write scripts
in either Python or JavaScript. Scripts are used as part of tasks, which are used in playbooks and
commands in the War Room.

Scripts can access all Cortex XSOAR APIs, including access to incidents, investigations, share data to the
War Room, and so on. Scripts can receive and access arguments, and you can password protect scripts.

The Automation section includes a Script Helper, that provides a list of available commands and scripts,
ordered alphabetically.

Playground The playground is a non-production environment where you can safely develop and test
automation scripts, APIs, commands, and more. investigation area that is not connected to a live (active)
investigation. To erase a playground and create a new one, in the Cortex XSOAR CLI run
the /playground_create command.

Here's an example for how to use the playground:

1. Configure a Mail Listener integration.

2. Create a new default incident type.

● Navigate to Settings > Advanced > Incident Types.

● Associate the incident type with the Default playbook.

● Select the Run playbook automatically checkbox.

● Select it as Default Incident Type.

3. Send an email to an email address associated with your Cortex XSOAR account, with the word
“phishing” in the subject.

4. Verify that an incident is created with the correct incident type and associated playbook

Indicator, Indicator Types and Threat Intel Feeds DBot can simplify your incident investigation process by
collecting and analyzing information and artifacts found in War Room entries and ingesting the threat intel
feed data. Cortex XSOAR analyzes indicators to determine whether they are malicious. Using indicator
types reveals predefined, regular expressions in the War Room.

5
Workshop - Up Level Your SOC with Cortex XSOAR
Workshop Guide

Hits are indicators that are determined to have a bad reputation and were previously identified in the
network. The reputation is the indicator's level of maliciousness, determined manually or by hypersearch
scripts. If a hyper search script identifies an indicator, the source is DBot.

There are several out-of-the-box indicator types, but you can add custom indicator types as necessary:

● IP address (IP4, IP6)

● Registry path

● URL

● Email

● File hash (SHA-1, MD5).

When you add an indicator type, you can add enhancement and reputation scripts. Enhancement scripts
enable you to gather additional data about the highlighted entry in the War Room. Reputation scripts
calculate the reputation score for an entry that DBot analyzed, for example, DataIPReputation, which
calculates the reputation of an IP address.

Tab: mainly refers to the different tabs along the bottom left part of each screen in the GUI.

Time Zones: Cortex XSOAR uses UTC (Universal Time Coordinated) to handle time zones. This is the most
precise and commonly referred to time standard, enabling all users will see times in their timezone (local
time).

6
Workshop - Up Level Your SOC with Cortex XSOAR
Workshop Guide

Activity 0 – Log in to your Cortex XSOAR workshop


instance and optionally install the mobile app
1. Follow the instructions from your workshop instructor to receive your workshop instance URL and
default login credentials
2. Once you successfully login, please make sure to change the default password and set a new one
3. Optionally you can also install Cortex XSOAR mobile application on android and IOS devices by
searching for “Cortex XSOAR” on the Appstore. Once installed, please use your Cortex XSOAR
instance URL, username and the updated password to connect to your Cortex XSOAR workshop
instance from the mobile app

Activity 1 – Phishing Campaign Investigation and


Response
This activity focuses on automated response to phishing attacks. Phishing is by far one of the most
commonly seen security incidents and Cortex XSOAR helps you automate the process of investigating
phishing campaigns and also enables the security operation teams to respond back using automated
playbooks.

In this activity, you will:


● Understand how to search for “phishing campaign” alerts in Cortex XSOAR and launch an
investigation process
● Dive deep into phishing campaign investigation data and understand investigation sections
● Learn how to edit custom layouts for phishing investigation
● Get an overview of the automated phishing response playbook
● Introduction to the native threat intel management functionality of Cortex XSOAR

7
Workshop - Up Level Your SOC with Cortex XSOAR
Workshop Guide

Task 1 – Search and locate phishing incidents in Cortex XSOAR

Step 1: Within your Cortex XSOAR workshop instance, navigate to the incidents page and from the search
bar perform a search for incidents of type “Phishing Campaign”. Make sure to select the appropriate time
range as shown below, example select “All times”. This will result in a list of all incidents in the platform
that are associated with phishing attacks.

A. To get started, hover your mouse to the extreme left side of the screen. You will view a list
of tabs on the bottom left part of the screen. Click on the “incidents” tab that will take you
to the incidents page.

B. On the incidents page, go to the search bar located at the top of the page and type
“Phishing Campaign” and hit enter. Make sure to select the date range as “All times” as
shown below. This will result in a list of incidents displayed on the incidents page. Observe
that different incidents may have similar or different “severity” levels such as Critical or
High etc.

8
Workshop - Up Level Your SOC with Cortex XSOAR
Workshop Guide

Step 2: Select one of the critical severity incidents and mark it as favorite by clicking on the “star” icon
located under the “ID” incident field. Marking the incident as favorite helps you to easily access this
incident at a later time. This will make the incident investigation appear on the left side of the screen that
is visible when you hover your mouse to the extreme left. Notice that this incident has a playbook named
“Email Phishing” already associated with it. This means that the playbook “Email Phishing” automatically
runs every time an incident of “phishing campaign” type is created in Cortex XSOAR.

9
Workshop - Up Level Your SOC with Cortex XSOAR
Workshop Guide

Step 3: Cortex XSOAR allows you to perform multiple incident operations from the incident page. Click on
each of the following tabs as shown here to perform incident operations such as assign the incident to an
analyst, edit the incident, mark it as duplicate, run command, export, close or delete. Notice that you can
also associate SLA for incident investigation and view it from the incident page. Click on the “gear” icon
located on the right side of the page as shown below. This will allow you to select or unselect incident
page.

10
Workshop - Up Level Your SOC with Cortex XSOAR
Workshop Guide

Step 4: XSOAR allows security analysts to slice and dice incidents data to suite individual viewing
preferences. You can view the incident data in different ways such as a table view or summary view as
shown below. Further you can hide the chart panel if you prefer viewing the tabular representation of the
incidents.

Step 5: Hover to the extreme left side of the screen and click on the incident marked as favorite as shown
below.

11
Workshop - Up Level Your SOC with Cortex XSOAR
Workshop Guide

This will take you to the multi section views of the investigation page.

Task 2 – Understand phishing investigation data

Step 1: Investigations in XSOAR consists of multi section views that are unique to each individual incident
with associated playbook for response actions. Please click on each of the eight sections as shown below,
to view data represented in each section. Each section is made up of customizable layouts and each layout
has multiple widgets that gets auto populated with incident investigation data as shown below. Let’s view
each section in detail and understand the data presented in it. We will review the workplan section in the
last task for this activity.

Case info:

The case info page contains multiple customizable widgets that provides complete information about the
incident. This includes but is not limited to following:

• Case information details including case type, severity, owner and phase.
• Timeline information – includes incident occurred time, creation time, last updated, closed time,
and remediation SLA
• List of team members associated with the incident
• DBot - XSOAR’s native security bot, lists task information, task results etc.
• Workplan actions and evidence board information published on the case info page.

12
Workshop - Up Level Your SOC with Cortex XSOAR
Workshop Guide

Let’s dive deep into the phishing incident investigation. From the case information page, it’s clear that it is a
phishing campaign incident occurred on 3 April at 8:24 PM and has “critical” severity. It is currently on the
phase 4 of the investigation process. The analyst can immediately view the list of malicious indicators that
are extracted and presented by DBot. There is also a task waiting for the analyst action.

Investigation:

The investigation page below captures incident management and response actions in various different
widgets as shown below. The phishing incident has been ingested into the XSOAR and during the
investigation, the “EMAIL HTML” image has been captured along with “Raw Email HTML” and “Email Text”.
All the associated indicators can be viewed as a list on the “Indicator values”, “reputation”, “First seen”, “last
seen” etc. The number of incidents per email address and any associated files can also be viewed.

The incident investigation page captures all the required details to draw inference of a phishing activity.
The rasterized image along with email body and subject allows analysts to get additional information. The

13
Workshop - Up Level Your SOC with Cortex XSOAR
Workshop Guide

malicious indicators are presented in a separate widget. Any URLs identified as part of the incident is
automatically extracted and checked for bad reputation.

War room:

War room is a built in out of the box functionality, that captures all the analyst, DBot and playbook
response actions for future reference. Each entry provides the analysts with an option to take action such
as mark it as a note, evidence, create tags, view in a separate window etc. Analysts can easily search, filter
and report on the war room data.

14
Workshop - Up Level Your SOC with Cortex XSOAR
Workshop Guide

Evidence Board:

Evidence board presents a chronological list of artifacts that can be used for audit or retrospective analysis
purposes. Evidence board is an optional section associated with each individual investigation. Each
incident investigation has a unique evidence board. Below you can see the list of extracted indicators that
can be readily viewed from the evidence board.

15
Workshop - Up Level Your SOC with Cortex XSOAR
Workshop Guide

Related Incidents:

Just like the evidence board, the related incidents section is unique to each investigation. Optionally
analysts can make use of this section to view a set of incidents that’s related to the current incident under
investigation. Analysts can change the date range and adjust the similarity scale to view list of common
indicators. Based on the data presented and the resulting analysis, they can either mark the incidents as
“Linked” or “Duplicate”. The actions taken on this section is auto committed across all other sections so as
to have consistent data.

16
Workshop - Up Level Your SOC with Cortex XSOAR
Workshop Guide

Canvas:

Canvas section is an optional component of incident investigation, that presents analysts with relationship
of incidents and indicators. Canvas is unique for each investigation. Analysts can click on the “Auto
populate” button to immediately populate the page with incident linked to the indicators. Analysts can
also alternately drag and drop the incidents and indicators to create their own custom relationship. Finally,
users can also save the canvas, download an image of the canvas and click on the “Send snapshot to War
Room” to view the image in the war room.

17
Workshop - Up Level Your SOC with Cortex XSOAR
Workshop Guide

Task 3 – Edit custom layout for phishing incidents

Step 1: Navigate to the bottom left part of the screen and go to the settings page as shown below.

18
Workshop - Up Level Your SOC with Cortex XSOAR
Workshop Guide

Step 2: From the settings page navigate to settings->Advanced->Incident Types. On the search bar search
for “phishing campaign” as shown below. Select the checkbox for phishing campaign and click on “Edit
Layout”

Step 3: The “Layout Builder” page can be used to edit custom layout widgets for incidents.

19
Workshop - Up Level Your SOC with Cortex XSOAR
Workshop Guide

Step 4: Click on “New”/” Edit” section as shown below to add/modify/remove fields from the layout. You
can drag and drop field values from the ‘Library” pane on to the layout to add new fields, similarly you can
delete the fields that are not required. Finally save and close the layout builder page and return back to
the incidents page.

Task 4 – Playbook overview

Step 1: Navigate to the “Work Plan” section of the incident investigation. This will open the playbook that
has already run automatically and has presented output. Playbook are task-based workflows that
performs a series of response actions automatically.

20
Workshop - Up Level Your SOC with Cortex XSOAR
Workshop Guide

Step 2: Click on the “Rasterize Email” task. You will notice that the DBot has captured the rasterized image
of the webpage and presented to the analyst to view within the XSOAR platform.

21
Workshop - Up Level Your SOC with Cortex XSOAR
Workshop Guide

Step 3: The “Extract Indicators” task presents the list of extracted indicators.

Step 4: The playbook has executed all the tasks and presented with its outputs. The playbook output can
also be viewed on the war room as well.

22
Workshop - Up Level Your SOC with Cortex XSOAR
Workshop Guide

Step 5: The “CLOSED” message on the bottom right part of the webpage confirms that the playbook has
run and successfully completed all actions.

SIDE NOTE
The successful run of the playbook itself depends on the successful execution of the tasks it consists of. The
“green” colored tasks signify successful completion of the task. If one or more tasks turns “red” in color, then it
means that the task failed due to some reason. In cases where one or more tasks fail, please click on the tasks
to view the error message. Notify the instructor for help.

Task 5 – Introduction to native threat intel management in XSOAR

Step 1: Navigate back to the “investigation” section for the incident. Navigate to the “Indicators” widget
and click on the URL with bad reputation.

23
Workshop - Up Level Your SOC with Cortex XSOAR
Workshop Guide

Step 2: Clicking on an indicator listed inside the “indicator” widget will open a new window to the right
side of the screen as shown below. On this window analysts can view additional context around the
incident including viewing the indicator reputation, known history, comments, custom fields etc.
Analysts can also perform several operations such as edit the incident and use the “Actions” button
to perform several operations from the same page.

24
Workshop - Up Level Your SOC with Cortex XSOAR
Workshop Guide

Step 3: Some of the actions include running scripts on the indicator. In this case you can run the listed
scripts (URL reputation, Splunk search etc.) on the URL, re-calculate the reputation of the indicator
using the latest information, exclude the indicator and delete the indicator respectively.

25
Workshop - Up Level Your SOC with Cortex XSOAR
Workshop Guide

Step 4: Click on the “Full view” button, that will open a full page dedicated to this indicator as shown on
below screens.

The below window is completely customizable. By default, the page displays full threat data related
to this indicator, including indicator reputation, tags, timeline information, expiration status,
related incidents, source data, comments etc.

26
Workshop - Up Level Your SOC with Cortex XSOAR
Workshop Guide

Step 5: Hover over to the extreme left side of the screen and navigate to the “indicators” page and click
on the “indicator” tab on the bottom left side of the page.

The indicators page provides the list of all indicators ingested into the platform. You can perform a
number of operations on indicators from this page such as create an incident from an indicator,
create new indicators, edit indicators, delete and exclude indicators and export as CSV or STIX etc.
27
Workshop - Up Level Your SOC with Cortex XSOAR
Workshop Guide

End of Activity 1

28
Workshop - Up Level Your SOC with Cortex XSOAR
Workshop Guide

Activity 2 – Behavioral threat investigation and


response

In this activity we will focus on Cortex XSOAR’s automated response to a behavioral threat incident
reported by Cortex XDR.
In this activity, you will:
● Search for “Cortex XDR” incidents in XSOAR and mark the incident as favorite
● Learn to create and save incident queries
● Understand the behavioral threat data reported by XDR
● Dive deep into the Related Incidents and Canvas sections
● Search and configure integrations
● Perform War room operations

Task 1 – Search and find incidents of type “cortex XDR incident”

Step 1: Navigate back to the incidents page. Clear the search bar by removing any filters and reset the date
range and select “All times”, so that you can view the list of all incidents occurred at all times as shown
below.

29
Workshop - Up Level Your SOC with Cortex XSOAR
Workshop Guide

Step 2: From the search bar perform a search for incidents of type “Cortex XDR incident”. Make sure to
select the appropriate time range as shown below, example select “All times”. This will result in a list of
incidents in the platform that are associated with Cortex XDR incident.

Step 3: Select one of the incidents of type “Cortex XDR incident” and mark it as favorite, so that you can
easily access this incident at a later time. In order to mark the incident as favorite, you will have to click on
the star as shown below. This will make the incident investigation appear on the left-hand side screen that
is visible when you hover to the extreme left of page.

Notice that this incident has a playbook named “Cortex XDR Incident Handling Demo” already associated
with it. This means that the playbook “Cortex XDR Incident Handling Demo” automatically runs every time
an incident of “Cortex XDR Incident” type is created in Cortex XSOAR

30
Workshop - Up Level Your SOC with Cortex XSOAR
Workshop Guide

Step 4: Click on “Add” located right next to the search bar. That opens a text window as shown below.
Type a meaningful name for the search query (ex: Cortex XDR Incident) and click on “save” button to save
the query for future reference.

31
Workshop - Up Level Your SOC with Cortex XSOAR
Workshop Guide

Step 5: Click on “Saved queries”. You will view the list of all saved queries. Optionally you can also click on
the “Mark as Page Default” option located next to the saved query names to mark the query as page
default.

• Click on the incident marked as favorite as shown below.

32
Workshop - Up Level Your SOC with Cortex XSOAR
Workshop Guide

Task 2 – Incident Investigation

Step 1: Click on the case information section of the investigation. This will display a set of widgets that
provide relevant context around the incident. From the case details section, we know that this is a high
severity incident of type “Cortex XDR Incident”. The playbook “Cortex XDR Incident Handling Demo “is
already configured to automatically run whenever there is an incident from Cortex XDR ingested into XSOAR.
The XDR basic information widgets display the complete description of the incident. In this case we know
that the XDR incident is a behavioral threat aggregated over 10 such alerts generated by XDR agent, NGFW,
XDR BIOC, and XDR Analytics detected on 2 hosts involving 2 users. The incident id on XDR is 159 and the
XDR status says this incident is under investigation. There is also a URL that takes you directly to the XDR
page. From an incident management perspective, analysts can easily view the incident owner and also add
notes using the notes section to add additional context to the incident.

33
Workshop - Up Level Your SOC with Cortex XSOAR
Workshop Guide

Step 2: The investigation section lists all the relevant XDR alerts along with alert Id, Detection Timestamp,
Severity, Name, Category, Action, Description, Host IP, Host Name etc. One of the alerts from XDR has the
name “BabyShark command and control traffic detection”. We also can view the category of the incidents
and learn that it’s a spyware. Analyst can also learn the associated URL and host IP as well as host name.
Among other things XSOAR has also readily ingested the File SHA256 from XDR and used Wildfire
integration to automatically detect that it is a malware.

Step 3: Analysts can click on the red highlighted indicators to view the detailed information presented on
the specific indicator in a separate window. The indicator information presented to the users consists of
First seen, last seen, indicator reputation information from each reputation sources. Known history,
comments, custom fields etc.

34
Workshop - Up Level Your SOC with Cortex XSOAR
Workshop Guide

Step 4: XSOAR allows analysts to take incident actions from the investigation section. You can click on the
“Action” button as shown below to take a look at the different options available for analyst action
including edit, report, add child incident, restrict an incident or close incident.

35
Workshop - Up Level Your SOC with Cortex XSOAR
Workshop Guide

Step 5: XSOAR also allows analysts to view the systems, team and context information associated for each
incident investigation. You can click on the button with three dots as shown below to take a look at the
different options available for analyst viewing.

36
Workshop - Up Level Your SOC with Cortex XSOAR
Workshop Guide

Step 6: Click on the war room section, that provides you with a list of artifacts related to this investigation
for viewing. Scroll through the war room to take a look at different types of artifacts. These artifacts can
range from an analyst’s manual actions on the CLI, DBot’s auto extracted indicators to playbook auto
response actions. You can take several actions from the war room, such as mark an artifact as an evidence,
mark as a note, create tags. Using these tags, you can search and filter on the artifacts of interest.

37
Workshop - Up Level Your SOC with Cortex XSOAR
Workshop Guide

Step 7: Click on the “work plan” section. This section has the playbook in run mode. The playbook has
already run and completed all the actions. Each rectangular box is an action. These actions can be either
automated or manual in nature. Following are some of the screens that provide an overview of the
playbook. Click on each task to take a look at the output of the task.

38
Workshop - Up Level Your SOC with Cortex XSOAR
Workshop Guide

39
Workshop - Up Level Your SOC with Cortex XSOAR
Workshop Guide

Step 8: The related incidents section is unique to each investigation. Optionally analysts can make use of
this section to view a set of incidents that’s related to the current incident under investigation. Analysts
can change the date range and adjust the similarity scale to view list of common indicators. Based on the
data presented and their analysis they can either mark the incidents as “Linked” or “Duplicate”. The
actions taken on this section is auto committed across all other sections so as to have consistent data.

Click on any of the circles or square icons visible inside the circle. You will notice that two windows open
side by side as shown below. These two windows show the similarities between the two incidents. Any
similar labels or indicators are identified automatically and presented for analyst viewing.

40
Workshop - Up Level Your SOC with Cortex XSOAR
Workshop Guide

Based on the review, analyst can either mark the two incidents as related or duplicate, as shown below.

41
Workshop - Up Level Your SOC with Cortex XSOAR
Workshop Guide

Step 9: Canvas section is an optional component of incident investigation that presents analysts with
relationship of incidents with indicators. Canvas is unique for each investigation. Analysts can click on the
“Auto populate” button to instantly populate the page with incidents linked to related indicators. Analysts
can also alternately drag and drop the incidents and indicators to create their own custom relationship.
Finally, users can also save the canvas, download an image of the canvas and click on the “Send snapshot
to War Room” to view the image in the war room. The following screens display a series of actions that
can be performed by the analyst on the Canvas page.

The current incident under active investigation will be presented by default on the canvas layout as shown
below.

42
Workshop - Up Level Your SOC with Cortex XSOAR
Workshop Guide

Click on the “Auto populate” button located at the top right side of the page to automatically place
following on the canvas as shown in the following 2 screens:

• Top 10 incidents most related to the current incident under investigation


• Linked incidents (if any)
• Bad and suspicious common indicators

43
Workshop - Up Level Your SOC with Cortex XSOAR
Workshop Guide

Click on any indicator, such as the file hash shown in the below screen. That will open a new window on
the right side providing additional context around the indicator. The window will also provide with
multiple other options to deal with the canvas. Please click on each option presented inside the canvas
and the options presented inside the right-side window to view different canvas related actions.

Click on the “save” icon to save the canvas in its final state.

Click on the “Send snapshot to the War Room” link as shown below and subsequently navigate to the war
room section.

44
Workshop - Up Level Your SOC with Cortex XSOAR
Workshop Guide

The canvas image is automatically presented to you inside the war room section as shown below

Task 3 – Search and configure integrations

Step 1: Navigate to the bottom left part of the screen and go to the settings page.

45
Workshop - Up Level Your SOC with Cortex XSOAR
Workshop Guide

Step 2: Under “Servers and Services” section, you will observe a search bar where you can search for
different integrations based on a product / vendor name. Also click on “Category” to filter the integrations
based on list of different security and non-security product categories that have built-in out of the box
integrations. While on the “integrations” section under “servers and services” sub tab search bar, type
“ipinfo” to view ipinfo integration as shown below.

Step 3: For the configured integration click on the gear icon as shown below and view the parameters that
are required to configure the ipinfo integration. You can always click on the “test” button to test the
integration. Notice that you can also add additional instances if needed. You can also clone and edit the
integrations or view the source code for each integration by clicking the “eye” icon. Click on the “show
commands” link to expand and view the list of commands for each integration.

46
Workshop - Up Level Your SOC with Cortex XSOAR
Workshop Guide

Step 4: Repeat the same steps as mentioned above to configure and test the “whois” integration as well
as shown below.

47
Workshop - Up Level Your SOC with Cortex XSOAR
Workshop Guide

Step 5: Note that the Palo Alto Networks “Autofocus feeds” located under the “Threat Intel Feeds”
category comes preconfigured as part of Cortex XSOAR. This helps Cortex XSOAR users to always have
access to the high reliability Autofocus threat feeds.

48
Workshop - Up Level Your SOC with Cortex XSOAR
Workshop Guide

Task 4 – War room and command line operations

Step 1: The built-in command line interface (CLI) is located at the bottom of the webpage. The output of
the CLI operations can be viewed inside the war room. You can use CLI to achieve multiple outcomes such
as real time chat operations, running commands, real time collaboration across teams etc.

On the CLI, type “@” to get the list of XSOAR users and select and hit enter to add one or more of your
team members to the war room and seek help with the investigation as shown below.

You will notice that the user has got added to the war room as shown on the below screen.

49
Workshop - Up Level Your SOC with Cortex XSOAR
Workshop Guide

Step 2: Use the CLI and hit “!” button on keyboard and select one of the commands that pop up and
corresponding parameters to run the command on the CLI. As an example use the “!ipinfo_field”
command and pass relevant arguments such as city and hit enter as shown on below screenshot.

The response from the command will be listed inside the war room as shown below. Feel free to try out
other available commands that are readily accessible and executable from the CLI. Note that the successful
execution of the commands will be subject to preconfigured integration and correct parameters.

50
Workshop - Up Level Your SOC with Cortex XSOAR
Workshop Guide

End of Activity 2

51
Workshop - Up Level Your SOC with Cortex XSOAR
Workshop Guide

Activity 3 – Impossible Traveler Incident Investigation


and Response

In this activity we will focus on investigation and automated response for impossible traveler risk
incidents. Impossible travel incidents are generally detected by security information and event
management platforms and ingested into Cortex XSOAR for automated execution of incident
management and response processes.
In this activity, you will:
● Search and locate impossible traveler risk incidents, mark it as favorite and save search query
● Understand playbook and actions results
● Related incidents and canvas section overview and associated operations

Task 1 – Find the incident with type “Impossible Traveler”

Step 1: From the “incidents page”, perform a search operation to get the list of all impossible traveler risk
incidents based on “incident type” search field. Make sure to adjust the time range to reflect “All times”
as shown on below screens.

52
Workshop - Up Level Your SOC with Cortex XSOAR
Workshop Guide

Step 2: Each incident search query can be saved for quick references. Marking the saved search query as
default allows you to get the required results displayed on the incidents page by default. Please follow the
below steps to save the search query and name it appropriately. Optionally you can also mark the saved
query as default.

Navigate to the right-hand side of the search bar and click on “Add” as shown below.

53
Workshop - Up Level Your SOC with Cortex XSOAR
Workshop Guide

This will open a text box to enter search query name.

Enter a meaningful name for the search query and click on save.

The query will be saved inside the “saved query” list. Click on “saved query” to view the list of all saved
queries, including the one that you just created.

54
Workshop - Up Level Your SOC with Cortex XSOAR
Workshop Guide

Optionally you can mark the search query as default by clicking on the “Mark as page default”.

55
Workshop - Up Level Your SOC with Cortex XSOAR
Workshop Guide

Step 3: Select one of the incidents and mark the incident as favorite by clicking on the star icon located on
the left side of the incident.

The incident marked as “favorite” will be located on the left side of the web page. You will need to hover
over to the extreme left of the page to view the incident marked as favorite as shown below. Click on the
incident to view the different sections of the incident investigation.

56
Workshop - Up Level Your SOC with Cortex XSOAR
Workshop Guide

Task 2 – Understand multi section Incident investigation views

Step 1: Navigate to the “Incident Info” section for the incident under investigation as shown below. You
will notice that the associated playbook has already run automatically and the workplan widget has a task
waiting for user response. Also, additional information and context around this incident is presented on
the below screen that includes investigation data, case details, detailed travel information, notes, travel
overview etc. Please note that the entire layout is customizable to suite the user preferences or to suite
the use case scenario.

Notice that the “Travel Details” widget provides two different sets of IP and location details and also
mentions the distance between the locations and estimate of travel time. Based on this, it is easy to infer
that this is not a normal behavior and is a high-risk incident, given the impossible nature of the incident.

57
Workshop - Up Level Your SOC with Cortex XSOAR
Workshop Guide

Step 2: Navigate to the “war room” section and scroll all the way up and down to look at the various
artifacts that have been automatically produced and stored for reference purposes. Notice that some of
the indicators will have a red or green underline such as the one shown below. This indicates that the DBot
has automatically extracted and enriched these indicators. A red underline means that the indicator
reputation is bad. On the below screen the IP address with red underline is of bad reputation.

58
Workshop - Up Level Your SOC with Cortex XSOAR
Workshop Guide

Step 3: Click on the indicator with bad reputation as shown below. A new window will open on the right
side that provides additional information and context on the bad indicator. Please click on different
buttons such as “Full view” or “Actions” to view more in-depth information on this indicator.

Step 4: Go ahead and try to locate other highlighted indicators including hashes such as shown below
screens.

59
Workshop - Up Level Your SOC with Cortex XSOAR
Workshop Guide

60
Workshop - Up Level Your SOC with Cortex XSOAR
Workshop Guide

Step 5: Navigate to the “Work Plan” section to view the playbook in run mode. Each green rectangular box
indicates an action item that has successfully completed execution. You can click on each box to view the
output.

61
Workshop - Up Level Your SOC with Cortex XSOAR
Workshop Guide

Step 6: Some of the actions of interest are “Calculate Geographical Distance”, “Calculate Event Duration”,
and “rasterizeGeoMap_v2” among other actions. Click on these actions and view the responses.

62
Workshop - Up Level Your SOC with Cortex XSOAR
Workshop Guide

Step 7: Similarly click on other actions and look at the responses

63
Workshop - Up Level Your SOC with Cortex XSOAR
Workshop Guide

Step 8: Navigate to the evidence board to view any artifacts that are automatically marked as evidence.
Evidence board can be populated automatically using playbooks or manually done from the war room or
work plan sections.

Step 9: Click on the “Related Incidents” section to view the list of all incidents related to the incident
under investigation based on a similarity scale and date range. Please refer below screens to explore list of
incidents that are related to this incident and that might have occurred in recent past and have similar
indicators. The related incidents page lets the analysts to either link the incidents or mark as duplicate.

64
Workshop - Up Level Your SOC with Cortex XSOAR
Workshop Guide

Notice that the date range can be adjusted based on user preference.

65
Workshop - Up Level Your SOC with Cortex XSOAR
Workshop Guide

66
Workshop - Up Level Your SOC with Cortex XSOAR
Workshop Guide

Step 10: The canvas section allows you to get a visual correlation and a provision to study the relationship
between incidents and indicators. Clicking on the “Auto populate” button will automatically populate the
canvas with related incidents and indicators. Notice that DBot makes active suggestions and analysts can
also simply drag and drop indicators and incidents onto the canvas page.

End of Activity 3

This is the end of the Hands-on portion.

67
Workshop - Up Level Your SOC with Cortex XSOAR
Workshop Guide

Start Your Free Trial! Sign Up Below for Cortex XSOAR Free Community Edition

https://start.paloaltonetworks.com/sign-up-for-community-edition.html

68
Workshop - Up Level Your SOC with Cortex XSOAR

You might also like