From 52e9c536a55459ee36019f29dd03ef5107cbbb2c Mon Sep 17 00:00:00 2001 From: oitzhak Date: Mon, 12 Feb 2024 16:30:24 +0200 Subject: [PATCH 1/3] update xdr docs --- ...alto-networks-cortex-xdr---investigation-and-response.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/content-repo/extra-docs/packs/palo-alto-networks-cortex-xdr---investigation-and-response.md b/content-repo/extra-docs/packs/palo-alto-networks-cortex-xdr---investigation-and-response.md index cb638b780..c0f3aca61 100644 --- a/content-repo/extra-docs/packs/palo-alto-networks-cortex-xdr---investigation-and-response.md +++ b/content-repo/extra-docs/packs/palo-alto-networks-cortex-xdr---investigation-and-response.md @@ -46,6 +46,9 @@ If the verdict is set to benign, the playbook will close the incident. As part of this playbook, you'll receive a comprehensive layout that presents incident details, analysis, investigation findings, and the final verdict. Additionally, the layout offers convenient remediation buttons for quicker manual actions. +To utilize this playbook as the default for handling XDR incidents, the classifier should be empty, and the selected incident type should be `Cortex XDR - Lite`. +The selected Mapper (incoming) should be `XDR - Incoming Mapper`, And the selected Mapper (outgoing) should be Cortex `XDR - Outgoing Mapper`. + ## Device Control Violations If a user connects an unauthorized device to the corporate network, such as a USB dongle or a portable hard disk drive, the connection creates an event in Cortex XDR. The [Cortex XDR device control violations](#cortex-xdr-device-control-violations) playbook queries Cortex XDR for device control violations for specified hosts, IP addresses, or XDR endpoint IDs. It then communicates via email with the involved users to understand the nature of the incident and if the user connected the device. 
@@ -86,6 +89,9 @@ If this was a port scan alert, the analyst will manually block the ports used fo After the remediation, if there are no new alerts, the playbook stops the alert sync and closes the XDR incident and investigation. +To utilize this playbook for handling XDR incidents, the classifier that should be selected is `Cortex XDR - Classifier`. +The selected Mapper (incoming) should be `XDR - Incoming Mapper`, And the selected Mapper (outgoing) should be Cortex `XDR - Outgoing Mapper`. + ### Syn Indicators between Cortex XSOAR and Cortex XDR The [Cortex XDR - IOCs](https://xsoar.pan.dev/docs/reference/integrations/cortex-xdr---ioc) feed integration syncs indicators between Cortex XSOAR and Cortex XDR. The integration syncs indicators according to the defined fetch interval. At each interval, the integration pushes new and modified indicators defined in the Sync Query from Cortex XSOAR to Cortex XDR. Additionally, the integration checks if there are manual modifications of indicators on Cortex XDR and syncs back to Cortex XSOAR. Once per day, the integration performs a complete sync which also removes indicators that have been deleted or expired in Cortex XSOAR, from Cortex XDR. From 98e944d4d59369a21eabbafafcc05f068b50c9b8 Mon Sep 17 00:00:00 2001 From: OmriItzhak <115150792+OmriItzhak@users.noreply.github.com> Date: Tue, 13 Feb 2024 09:21:41 +0200 Subject: [PATCH 2/3] Apply suggestions from code review Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> --- ...alo-alto-networks-cortex-xdr---investigation-and-response.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content-repo/extra-docs/packs/palo-alto-networks-cortex-xdr---investigation-and-response.md b/content-repo/extra-docs/packs/palo-alto-networks-cortex-xdr---investigation-and-response.md index c0f3aca61..c709f0be5 100644 --- a/content-repo/extra-docs/packs/palo-alto-networks-cortex-xdr---investigation-and-response.md 
+++ b/content-repo/extra-docs/packs/palo-alto-networks-cortex-xdr---investigation-and-response.md @@ -90,7 +90,7 @@ If this was a port scan alert, the analyst will manually block the ports used fo After the remediation, if there are no new alerts, the playbook stops the alert sync and closes the XDR incident and investigation. To utilize this playbook for handling XDR incidents, the classifier that should be selected is `Cortex XDR - Classifier`. -The selected Mapper (incoming) should be `XDR - Incoming Mapper`, And the selected Mapper (outgoing) should be Cortex `XDR - Outgoing Mapper`. +The selected Mapper (incoming) should be `XDR - Incoming Mapper`, and the selected Mapper (outgoing) should be Cortex `XDR - Outgoing Mapper`. ### Syn Indicators between Cortex XSOAR and Cortex XDR The [Cortex XDR - IOCs](https://xsoar.pan.dev/docs/reference/integrations/cortex-xdr---ioc) feed integration syncs indicators between Cortex XSOAR and Cortex XDR. The integration syncs indicators according to the defined fetch interval. At each interval, the integration pushes new and modified indicators defined in the Sync Query from Cortex XSOAR to Cortex XDR. Additionally, the integration checks if there are manual modifications of indicators on Cortex XDR and syncs back to Cortex XSOAR. Once per day, the integration performs a complete sync which also removes indicators that have been deleted or expired in Cortex XSOAR, from Cortex XDR. From 1ceac7c14a99f8564669250cc33595a530f1bbec Mon Sep 17 00:00:00 2001 From: OmriItzhak <115150792+OmriItzhak@users.noreply.github.com> Date: Tue, 13 Feb 2024 09:21:55 +0200 Subject: [PATCH 3/3] Update content-repo/extra-docs/packs/palo-alto-networks-cortex-xdr---investigation-and-response.md Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> --- ...alo-alto-networks-cortex-xdr---investigation-and-response.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/content-repo/extra-docs/packs/palo-alto-networks-cortex-xdr---investigation-and-response.md b/content-repo/extra-docs/packs/palo-alto-networks-cortex-xdr---investigation-and-response.md index c709f0be5..974c28e4f 100644 --- a/content-repo/extra-docs/packs/palo-alto-networks-cortex-xdr---investigation-and-response.md +++ b/content-repo/extra-docs/packs/palo-alto-networks-cortex-xdr---investigation-and-response.md @@ -47,7 +47,7 @@ If the verdict is set to benign, the playbook will close the incident. As part of this playbook, you'll receive a comprehensive layout that presents incident details, analysis, investigation findings, and the final verdict. Additionally, the layout offers convenient remediation buttons for quicker manual actions. To utilize this playbook as the default for handling XDR incidents, the classifier should be empty, and the selected incident type should be `Cortex XDR - Lite`. -The selected Mapper (incoming) should be `XDR - Incoming Mapper`, And the selected Mapper (outgoing) should be Cortex `XDR - Outgoing Mapper`. +The selected Mapper (incoming) should be `XDR - Incoming Mapper`, and the selected Mapper (outgoing) should be Cortex `XDR - Outgoing Mapper`. ## Device Control Violations If a user connects an unauthorized device to the corporate network, such as a USB dongle or a portable hard disk drive, the connection creates an event in Cortex XDR.
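Review bot: In the first hunk of PATCH 1/3 (`@@ -46,6 +46,9 @@`, the `Cortex XDR - Lite` paragraph), the outgoing mapper name has the word `Cortex` outside the backticks: "Cortex `XDR - Outgoing Mapper`". Either the mapper is named `Cortex XDR - Outgoing Mapper` and the whole name belongs inside the code span, or it is `XDR - Outgoing Mapper` (matching the incoming `XDR - Incoming Mapper`) and the stray word should be dropped; please check the actual mapper name in the pack and make the two code spans consistent. The same line also capitalizes "And" after the comma (fixed later in PATCH 3/3). Since this paragraph tells readers to leave the classifier empty, it would help to state the consequence in one clause, namely that every fetched XDR incident will then be created as the `Cortex XDR - Lite` type, so operators understand why the classifier must be blank for this to be the default.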
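Review bot: In the second hunk of PATCH 1/3 (`@@ -86,6 +89,9 @@`, the `Cortex XDR - Classifier` paragraph), the same mapper-name inconsistency appears ("Cortex `XDR - Outgoing Mapper`" vs. `XDR - Incoming Mapper`) along with the mid-sentence "And"; please align it with the fix applied to the Lite paragraph. "the classifier that should be selected is `Cortex XDR - Classifier`" can be tightened to "select the `Cortex XDR - Classifier` classifier", mirroring the wording of the first paragraph so the two configuration notes read as a pair. The unchanged context line directly below the insertion shows the heading "### Syn Indicators between Cortex XSOAR and Cortex XDR", which is evidently a typo for "Sync"; since this commit already touches the surrounding lines, it is a cheap drive-by fix to include.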
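Review bot: PATCH 2/3 (`@@ -90,7 +90,7 @@`) only lowercases "And" but leaves "Cortex `XDR - Outgoing Mapper`" with `Cortex` outside the code span, so the review suggestion fixed the grammar but not the identifier; the backtick placement should be corrected in the same line rather than left for a follow-up. Note also that this commit and PATCH 3/3 apply the identical one-word fix to two copies of the same sentence; squashing them into one commit (or into PATCH 1/3 itself) would keep the history cleaner and make it obvious that both occurrences were handled.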
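Review bot: PATCH 3/3 (`@@ -47,7 +47,7 @@`) has the same gap as PATCH 2/3: the capitalization is fixed but "Cortex `XDR - Outgoing Mapper`" still splits the mapper name across plain text and a code span, so the rendered docs will show `XDR - Outgoing Mapper` as the identifier while the incoming mapper line shows a differently styled name. Please settle on the exact mapper name and put all of it inside the backticks in both the Lite and the Classifier paragraphs, so that readers configuring the integration can copy the name verbatim.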