Module 1 – Cortex XSOAR Functionality and Feature Sets
• Four Pillars of Go-to-Market Focus
• High-Level Solution Design
• Three Avenues of Approach to Cortex XSOAR
• How Integrations Create Incidents — High-Level Flow Logic
• Cortex XSOAR Decision Making, Design, and Deployment
• Use Case Definition Document
• The Elements of Security Operations
• Unit 42 — Global Response Capability
Lab: Cortex XSOAR Initial Discovery
• Log in to the lab environment
• Create two new user accounts
• Explore the War Room
• Explore the Marketplace and install content packs
• Explore the web interface of Cortex XSOAR
Module 2 – XSOAR Integrations
• Cortex XSOAR Integrations
• Cortex XSOAR Integration and System Architecture
• Integrations and System Architecture
• Types of Integrations
• Cortex XSOAR Use Cases
• Recommended Action for Initial Engineering and Deployment
• Introduction to the Marketplace
• Integrations Installed by Default
• The Settings > Integrations Page
• Integration Details and Management
• Integration Configuration
• Use Cases for Multiple Instances
• Integration Permissions
• Potentially Harmful Commands
• How to View Integration Code
Lab: Integrations
• Configure the basic integrations
• Configure the urlscan.io integration
• Configure the VirusTotal integration
• Configure custom integrations
• Test the integrations
• Review the indicators
Module 3 – Playbooks
• Playbook Development Process
• Define and Document Your Use Cases
• The Cortex XSOAR Developer Website
• Join the DFIR Slack Community
• High-level Playbook Functions
• Context Data
• Playbook Tasks
• Conditions
• Loops
• Extending the Context
• Sub-Playbooks
• Indicator Extraction (Auto-Extract)
• Impact and Use of Indicator Extraction
• Indicator Extraction Match Criteria
Lab: Incidents Investigation
• Select an incident
• Case Info and Investigation tabs
• War Room tab
• Work Plan tab
• Mark as Evidence
• Collaboration
• Evidence Board tab
Module 4 – Classification and Mapping
• How Integrations Create Incidents — High-Level Flow Logic
• Incident Classification, Mapping, & Visible Outcomes
• Integrations Configuration
• Generating Test Incidents
• Classification & Mapping Editors
• Classification: Mapping Each Event to an Incident Type
• The Incidents Classification Editor
• Incident Classification: Get Data Options
• Mapping Event Data to Cortex XSOAR Fields
• Incidents Incoming Mapping Editor
• Field Mapping and Context Data
Lab: Classification and Mapping
• Create an Incident Classifier
• Create a new Incident Mapper
• Map data to the Detected IPs field
• Map data to the Detected User field
• Map data to the File MD5 field
• Test the Mapping Rule
Module 5 – Layout Builder
• Incident Management: Investigation Flow
• Which Layouts Configuration Will Be Used?
• How to Open the Incident Layout Builder
• The Settings > Advanced > Layouts Page
• Layout Builder: Incident Summary Tabs
• Layout Builder: Input Forms and Other Layouts
• Layout Builder Hierarchy of Elements
• The Library Panel within the Layout Builder
• RBAC Controls and Summary Tabs
• Best Practices
Lab: Incidents Layout Configuration
• Create a new Incident Type
• Create a new Field
• Define the Incident Layout
• Update the new Incident Layout
• Test the layout
Module 6 – Solution Architecture
• Server Installation Options
• Basic On-Premises Deployment Scheme
• Extended On-Premises Deployment Scheme
• Live Backup Topology (for Disaster Recovery)
• Basic Hosted, Private, or Hybrid Cloud Topology
• Scalability Support for Multiple Engines
• Elasticsearch Database Support and Deployment
• High-Availability and Disaster Recovery with Elasticsearch
• Legacy Scalability for Dedicated and Distributed Databases
• Content Development Life Cycle
• Dev-Prod Topology, Considerations, and Update Retrieval
• How to Push Local Dev Changes to the Remote Repository
• Access to Troubleshooting Logs and Settings
• Log File Downloads and Log Bundle Files
Module 7 – Docker
• Docker Technology
• Docker Capabilities
• How Cortex XSOAR Uses Docker
• Runtime Settings for Automations (Scripts) and Integrations
• Docker Image Distribution
• Docker Hardening & Optimization
• Use of Custom Docker Containers
Lab: Pre-Process Rules
• Create the pre-process rule
• Verify the results
Module 8 – Automation Development & Debugging
• XSOAR Scripts and Automation
• Primary Use Cases for Automations
• Invoking Automation Scripts
• CLI Access to Automation Objects
• Distinguish Automation Scripts from Integration Commands
• Automation Script Interface (The Automations Page)
• Creating a New Automation
• Automation Scripts – Script Helper
• Automation Scripts and Docker
• Basic Out-of-the-Box Automation Script Examples
Lab: Build a Playbook
• Create a new incident
• Create a custom playbook
• Test the playbook in the Work Plan
• Continue the playbook creation
Module 9 – The Marketplace and Content Management
• Content Life Cycle Management
• What Is Cortex XSOAR Content?
• Levels of Interaction with Marketplace Content
• Marketplace Contribution Process
• Content Status and Updates
• Detaching Content
• Custom Content Import and Export
Module 10 – Indicators and Threat Intelligence Management
• Indicator Types
• Regex Matching Example
• Threat Intel Page
• Indicators Layouts
• Auto Extraction
• Auto Extraction Modes and Considerations for Use
• Threat Intel Management (TIM) Use Cases
• List Administration Use Case Examples
• Allow List Automation for SaaS Applications
• Proactive Blocking and Alerting of Known Threats
• TIM Integration Configuration
• Typical Integration Options for Feeds
• Business Partner & Internal Lists
• Output Methods for TIM Integrations
• Indicator Analysis Job
Lab: Add SaaS Applications to a Firewall Allow List
• Configure the Office 365 feed
• Configure the Instance Execute External setting
• Configure the Palo Alto Networks firewall integration
• Populate and test the PANW EDL Service integration
• Configure the firewall to get the EDL
Lab: Block and/or Alert on Observable Known Threats
• Configure threat-feed integrations
• Create a job for indicator analysis
• Business-partner and internal lists
• Test the functionality of the list
• Configure the PANW EDL Service to get the configured threat feeds
• Verify that the EDL operates as expected
Module 11 – Jobs and Job Scheduling
• Cortex XSOAR Job Concepts
• Job Creation
• Monitor and Manage Jobs
Lab: XSOAR Lists
• Set up the webserver
• Create a list
• Create a playbook
• Test your playbook
Lab: Jobs
• Create a New Job
Module 12 – Users and Role-Based Access Controls (RBAC)
• Basic User Account and Management Concepts
• Adding Local User Accounts
• Email Sender Integrations
• User Invitation and First Logon
• External Authentication Services for Console Access
• Configuring Network User Accounts
• RBAC System Governance
• Out-of-the-Box User Roles
• Nested Roles Are Roles Added to an Existing Role
• RBAC Troubleshooting
Lab: Users and RBAC
• Create roles
• Assign roles
• Create a playbook to assign roles
• Assign a default playbook to incident types
• Review your classification and pre-processing rules
• Test your role assignment
Lab: Custom Widgets and Shifts
• Create some new users
• Create shift roles
• Create an automation script for a widget
• Create a new dashboard and add a widget
Module 13 – Integration Development
• Bring Your Own Integration
• Integration Authoring Tools
• Integration Development Interface
• Script Helper
• Editor Style Options
• PyCharm IDE Plugin
• General Guidelines
• The Cortex XSOAR Developer Website
• Leverage the DFIR Slack Community