Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

update xdr docs #1494

Merged
merged 3 commits into from
Feb 13, 2024
Merged

update xdr docs #1494

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
52e9c53
update xdr docs
OmriItzhak Feb 12, 2024
98e944d
Apply suggestions from code review
OmriItzhak Feb 13, 2024
1ceac7c
Update content-repo/extra-docs/packs/palo-alto-networks-cortex-xdr---…
OmriItzhak Feb 13, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions .../extra-docs/packs/palo-alto-networks-cortex-xdr---investigation-and-response.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -46,6 +46,9 @@ If the verdict is set to benign, the playbook will close the incident.

As part of this playbook, you'll receive a comprehensive layout that presents incident details, analysis, investigation findings, and the final verdict. Additionally, the layout offers convenient remediation buttons for quicker manual actions.

To utilize this playbook as the default for handling XDR incidents, the classifier should be empty, and the selected incident type should be `Cortex XDR - Lite`.
The selected Mapper (incoming) should be `XDR - Incoming Mapper`, and the selected Mapper (outgoing) should be Cortex `XDR - Outgoing Mapper`.

## Device Control Violations
If a user connects an unauthorized device to the corporate network, such as a USB dongle or a portable hard disk drive, the connection creates an event in Cortex XDR.
The [Cortex XDR device control violations](#cortex-xdr-device-control-violations) playbook queries Cortex XDR for device control violations for specified hosts, IP addresses, or XDR endpoint IDs. It then communicates via email with the involved users to understand the nature of the incident and if the user connected the device.
Expand Down Expand Up @@ -86,6 +89,9 @@ If this was a port scan alert, the analyst will manually block the ports used fo

After the remediation, if there are no new alerts, the playbook stops the alert sync and closes the XDR incident and investigation.

To utilize this playbook for handling XDR incidents, the classifier that should be selected is `Cortex XDR - Classifier`.
The selected Mapper (incoming) should be `XDR - Incoming Mapper`, and the selected Mapper (outgoing) should be Cortex `XDR - Outgoing Mapper`.

### Syn Indicators between Cortex XSOAR and Cortex XDR
The [Cortex XDR - IOCs](https://xsoar.pan.dev/docs/reference/integrations/cortex-xdr---ioc) feed integration syncs indicators between Cortex XSOAR and Cortex XDR. The integration syncs indicators according to the defined fetch interval. At each interval, the integration pushes new and modified indicators defined in the Sync Query from Cortex XSOAR to Cortex XDR. Additionally, the integration checks if there are manual modifications of indicators on Cortex XDR and syncs back to Cortex XSOAR. Once per day, the integration performs a complete sync which also removes indicators that have been deleted or expired in Cortex XSOAR, from Cortex XDR.

Expand Down
Loading