first commit
tcarmeli1 committed Dec 8, 2024
1 parent 47622ee commit cee6ce4
Showing 1 changed file with 50 additions and 7 deletions.
Expand Up @@ -92,7 +92,8 @@ After the remediation, if there are no new alerts, the playbook stops the alert
To utilize this playbook for handling XDR incidents, the classifier that should be selected is `Cortex XDR - Classifier`.
The selected Mapper (incoming) should be `XDR - Incoming Mapper`, and the selected Mapper (outgoing) should be Cortex `XDR - Outgoing Mapper`.

### Syn Indicators between Cortex XSOAR and Cortex XDR
### Sync Indicators between Cortex XSOAR and Cortex XDR

The [Cortex XDR - IOCs](https://xsoar.pan.dev/docs/reference/integrations/cortex-xdr---ioc) feed integration syncs indicators between Cortex XSOAR and Cortex XDR. The integration syncs indicators according to the defined fetch interval. At each interval, the integration pushes new and modified indicators defined in the Sync Query from Cortex XSOAR to Cortex XDR. Additionally, the integration checks if there are manual modifications of indicators on Cortex XDR and syncs back to Cortex XSOAR. Once per day, the integration performs a complete sync which also removes indicators that have been deleted or expired in Cortex XSOAR, from Cortex XDR.

## Cloud IAM User Access Investigation
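Review bot: the outgoing mapper name on the unchanged line "The selected Mapper (incoming) should be …" has a misplaced backtick: it reads Cortex `XDR - Outgoing Mapper`, leaving "Cortex" outside the code span while the classifier and the incoming mapper are fully enclosed. Since this hunk already fixes the heading typo ("Syn" to "Sync"), it is worth correcting here as `Cortex XDR - Outgoing Mapper` so it matches the name used under Classifiers.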
Expand Down Expand Up @@ -171,29 +172,52 @@ The response actions available are:
The playbook will move forward for the analyst's resolution when the response phase has finished.

## In This Pack

The Palo Alto Networks Cortex XDR - Investigation and Response content pack includes several content items.

### Automations
- **EntryWidgetNumberHostsXDR**: Entry widget that returns the number of hosts in a Cortex XDR incident.

- **CortexXDRAdditionalAlertInformationWidget**: This script retrieves additional alert information from the context.
- **CortexXDRCloudProviderWidget**: This script returns an HTML result of the cloud providers in the incident.
- **CortexXDRIdentityInformationWidget**: This widget displays Cortex XDR identity information.
- **CortexXDRInvestigationVerdict**: This widget displays the incident verdict based on the 'Verdict' field.
- **CortexXDRRemediationActionsWidget**: This widget displays Cortex XDR remediation action information.
- **DBotGroupXDRIncidents**: This script uses a train clustering model on Cortex XDR incident type.
- **EntryWidgetNumberHostsXDR**: Entry widget that returns the number of hosts in a Cortex XDR incident.
- **EntryWidgetNumberRegionsXCLOUD**: Entry widget that returns the number of regions in a Cortex XDR incident.
- **EntryWidgetNumberResourcesXCLOUD**: Entry widget that returns the number of resources in a Cortex XDR incident.
- **EntryWidgetNumberUsersXDR**: Entry widget that returns the number of users that participated in a specified Cortex XDR incident.
- **EntryWidgetPieAlertsXDR**: Entry widget that returns a pie chart of alerts for a specified Cortex XDR incident by alert severity (low, medium, and high).
- **XCloudRegionsPieWidget**: XCLOUD dynamic section, showing the top ten regions types in a pie chart.
- **XCloudResourcesPieWidget**: XCLOUD dynamic section, showing the top ten resource types in a pie chart.
- **XDRConnectedEndpoints**: The widget returns the number of the connected endpoints using xdr-get-endpoints command.
- **XDRDisconnectedEndpoints**: The widget returns the number of the disconnected endpoints using xdr-get-endpoints command.
- **XDRSyncScript**: Deprecated. The incoming and outgoing mirroring feature added in XSOAR version 6.0.0 is used instead to sync XDR. After the Calculate Severity - Generic v2 sub-playbook’s run, Cortex XSOAR will be treated as the single source of truth for the severity field, and it will sync only from Cortex XSOAR to XDR, so manual changes for the severity field in XDR will not update in the XSOAR incident.

### Classifiers

- **Cortex XDR - Classifier**: Classifies Cortex XDR incidents.
- **Cortex XDR - Incoming Mapper**: Maps incoming Cortex XDR incidents fields.
- **Cortex XDR - Outgoing Mapper**: Maps outgoing Cortex XDR incidents fields.
- **Cortex XDR Incident Handler - Classifier**: Classifies Cortex XDR incidents.

### Incident Types

- **Cortex XDR - Lite**
- **Cortex XDR Device Control Violations**
- **Cortex XDR Disconnected endpoints**
- **Cortex XDR Incident**
- **Cortex XDR Port Scan**
- **Cortex XDR - XCLOUD**
- **ortex XDR - XCLOUD Cryptomining**

### Incident Fields

- **LastMirroredInTime**
- **XDR Alert Category**
- **XDR Alert Count**
- **XDR Alert Name**
- **XDR Alert Search Results**
- **XDR Alerts**
- **XDR Assigned User Email**
- **XDR Assigned User Pretty Name**
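Review bot: the new Incident Types entry `- **ortex XDR - XCLOUD Cryptomining**` is missing its leading "C" and should read `- **Cortex XDR - XCLOUD Cryptomining**`. In the Automations list, if the first `- **EntryWidgetNumberHostsXDR**` bullet (the one followed by a blank line) is not the line being removed in this hunk, it duplicates the same entry further down at its alphabetical position. A few wording points in the same list: "top ten regions types" should be "top ten region types", "uses a train clustering model" should be "uses a trained clustering model", and the two endpoint widgets read better as "using the xdr-get-endpoints command".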
Expand All @@ -202,37 +226,57 @@ The Palo Alto Networks Cortex XDR - Investigation and Response content pack incl
- **XDR device control violations**
- **XDR Disconnected endpoints**
- **XDR File Artifacts**
- **XDR File Name**
- **XDR File SHA256**
- **XDR High Severity Alert Count**
- **XDR Host Count**
- **XDR Incident ID**
- **XDR Investigation results**
- **XDR Low Severity Alert Count**
- **XDR manual severity**
- **XDR Medium Severity Alert Count**
- **XDR MITRE Tactics**
- **XDR MITRE Techniques**
- **XDR Modification Time**
- **XDR Network Artifacts**
- **XDR Notes**
- **XDR Resolve Comment**
- **XDR Status (Deprecated from version 6.0.0. Use XDR Status v2 instead)**
- **XDR Risky Host Count**
- **XDR Risky Hosts**
- **XDR Risky User Count**
- **XDR Risky Users**
- **XDR Similar Incidents**
- **XDR Starred**
- **XDR Status v2**
- **XDR URL**
- **XDR User Count**
- **XDR Users**

### Indicator Fields

XDR status: The indicator status in XDR.

### Integrations

#### Cortex XDR - IOC
Syncs indicators between Cortex XSOAR and Cortex XDR.

Syncs indicators between Cortex XSOAR and Cortex XDR.

#### Palo Alto Networks Cortex XDR - Investigation and Response

Enables direct execution of Cortex XDR actions within Cortex XSOAR.

#### Cortex XDR - XQL Query Engine

Enables to run XQL queries on your data sources.

### Layouts
There are 5 layouts in this pack. The information displayed in the layouts are similar with minor changes as detailed below.

There are 6 layouts in this pack. The information displayed in the layouts are similar with minor changes as detailed below.

![XDR Case Info Tab](../../../docs/doc_imgs/reference/XDRLayout.png)

#### Cortex XDR Device Control Violations layout
#### Cortex XDR Device Control Violations

| Layout sections | Description |
|------------------ | ------------- |
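Review bot: the layout count changes from 5 to 6, but the part of the file visible here only documents the `Cortex XDR Device Control Violations` and `Cortex XDR Disconnected endpoints` subsections, so please confirm a sixth layout subsection is actually added further down; otherwise the count and the sections disagree. Also in this hunk: the two adjacent `Syncs indicators between Cortex XSOAR and Cortex XDR.` lines under `#### Cortex XDR - IOC` should leave only one copy; "The information displayed in the layouts are similar" should be "is similar"; "Enables to run XQL queries on your data sources." reads better as "Enables running XQL queries on your data sources."; the `XDR Status (Deprecated from version 6.0.0. Use XDR Status v2 instead)` field sits between "XDR Resolve Comment" and "XDR Risky Host Count", out of the alphabetical order the rest of the list follows; and the Indicator Fields entry `XDR status: The indicator status in XDR.` is plain text while every other section in the pack list uses bullets.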
Expand All @@ -244,7 +288,6 @@ There are 5 layouts in this pack. The information displayed in the layouts are s
| Linked Incidents | Displays any incident that is linked to the current incident. |



#### Cortex XDR Disconnected endpoints

| Layout sections | Description |
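Review bot: this hunk only trims one of the three blank lines before `#### Cortex XDR Disconnected endpoints`, so two blank lines still remain; the rest of the file separates headings with a single blank line, so collapsing to one would keep the spacing consistent.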

0 comments on commit cee6ce4