In this section you can find useful Articles about Cortex XSOAR Content.

Add Indicators to SIEM: This article walks you through setting up a playbook to take indicators from a threat intel feed, enrich the indicators, and push them to your SIEM.
AWS Integrations - Authentication: Overview of authentication methods for AWS integrations in Cortex XSOAR.
Configure Server and Integrations to Trust Custom Certificates: Set up the server and JS/native integrations to trust custom certificates.
Content Management (Alpha): This process encapsulates what you need in order to control your XSOAR machines in an automated manner, while providing the ability to manage your own content in the artifacts server of your choice, with the version control system of your choice.
Demisto Add-on for Splunk: Splunk add-on for Cortex XSOAR. This add-on enables you to push incidents from Splunk into Cortex XSOAR according to configurable trigger parameters.
Deprecated Integrations: Support dates and End of Life notices for deprecated integrations.
Email Communication: Communication across and between departments is a vital component of collecting information and of managing and remediating security events. The Email Communication content pack enables security teams to automate and streamline the communication and notification process with users across your organization via email.
Endpoint Malware Investigation - Generic V2: The Endpoint Malware Investigation content pack provides a framework for handling malware investigations.
EWS V2 Troubleshooting: EWS V2 troubleshooting steps to perform before contacting Cortex XSOAR customer support for help.
Expanse Pack: The Expanse content pack for Cortex XSOAR provides full coverage of the Expander and Behavior product capabilities from Expanse, allowing SOCs to automate the defense of their company's attack surface.
Export Indicators to a 3rd-party: Walkthrough of configuring the Export Indicators Service to export indicators with a bad or suspicious reputation, coming from a specific Threat Intel Management (TIM) feed, to Splunk.
Identity Lifecycle Management (ILM): The Identity Lifecycle Management (ILM) pack enables two flows. It enables you to provision users from Workday into Active Directory and/or Okta by performing management operations such as creating, updating, and deleting users. It also enables you to sync users to applications.
Ingesting Incidents: Takes you through the flow of setting up a SIEM to ingest multiple event types from a single source.
Integrations and Incidents Health Check: The Health Check for Integrations and Incidents content pack uses out-of-the-box playbooks, scheduled as a job, to check for, return, and display information about failed integrations and incidents with errors. As part of the playbook run, users are sent an email notification when failed incidents and/or integrations are discovered.
Invoking Long Running HTTP Integrations via Server's HTTPS endpoint: Explains how to set up long running integrations that expose an HTTP endpoint so they can be accessed via Cortex XSOAR's HTTPS endpoint.
Managing Credentials: Credentials simplify and compartmentalize admin tasks, and enable you to save credentials without exposing usernames, passwords, or certificates.
Microsoft Azure and O365 Integrations Overview: Maps all of the Microsoft integrations and their use cases. It also highlights the differences between similar integrations.
Microsoft Integrations - Authentication: Authentication method for Microsoft Graph and Azure integrations in Cortex XSOAR.
Migrating MineMeld to Cortex XSOAR: How to implement the functionality of MineMeld nodes in Cortex XSOAR using a series of integrations.
MITRE ATT&CK - Courses of Action: The MITRE ATT&CK - Courses of Action pack contains intelligence-driven Courses of Action (COA) defined by the Palo Alto Networks Unit 42 team that integrate with MITRE ATT&CK techniques and sub-techniques to automate protection against common known vectors.
OProxy: Service for OAuth2 authentication with 3rd party vendors.
Palo Alto Networks Cortex XDR - Investigation and Response: Automates Cortex XDR incident response, and includes custom Cortex XDR incident views and layouts to aid analyst investigations.
Phishing Campaign: How to detect and manage phishing campaigns in Cortex XSOAR using the Phishing Campaign content pack.
PowerShell Remoting - Configuration: Overview of how to configure your Windows environment and XSOAR for the PowerShell Remoting integration.
Prisma Cloud: Automate and unify security incident response across your cloud environments, while still giving a degree of control to dedicated cloud teams.
Processing Google Form Responses via a Webhook: Connecting Google Forms with Cortex XSOAR.
Ransomware: Identify, investigate, and contain a ransomware attack.
Shift Management: This pack's purpose is to provide a single interface for all the essential elements of shift management and handover in one place.
Troubleshooting Guide: Common troubleshooting steps for automations and integrations.
Windows Forensics: The Windows Forensics pack enables gathering forensic data from Windows hosts and analyzing the collected artifacts. The pack uses the PowerShell Remoting integration to collect the artifacts, and other tools such as PCAP Miner and Registry Parse to analyze and parse the data.