How Cortex XSOAR “Jobs” Enable Proactive Security Operations

Mar 13, 2018

Why Jobs?

When we created Cortex XSOAR (formerly known as Demisto), a main objective was to optimize incident response in the SOC. We created a platform that can respond to incidents in split seconds based on playbooks that require little if any human intervention. Now that we have many customers around the world, we always ask – how can we make your SOC even more efficient?

One answer that we heard everywhere is that the SOC does not only respond to incidents; it also performs many operational tasks. SOCs make sure that detection systems are running and up to date, add URLs to the proxy whitelist, go through checklists when certain employees leave the organization, and so on.

We analyzed many of these tasks and realized that, in most cases, our Cortex XSOAR server was already connected to the systems in question; all that was missing were relevant playbooks and a few other features that would allow customers to easily manage their SOC. We released this function about a year ago, and adoption was quick and encouraging. We also realized that Jobs can help in proactively finding attacks before the detection systems discover them.

Desperately Seeking Attacks

Let’s talk about the over-reliance on reactive investigative measures in SOCs today. Even well-functioning SOCs continue to have problems with proactively running checks that identify incipient attacks before they manifest themselves and generate an incident. In most cases, attacks will leave breadcrumbs and give out warning signals before they actually become ‘attacks’; these signals can be picked up if SOCs proactively search for them instead of responding to incidents.

Most SOCs do not proactively look for attacks simply because their staff are busy responding to incidents that have already been discovered. This is unlikely to change – SOCs must prioritize, and we have not seen a single SOC where analysts are idle and can afford the luxury of searching for unknown attacks in their networks. Enter Jobs – a Cortex XSOAR feature that runs playbooks and helps SOCs automate proactive security operations.

In this blog, we’ll go over the Jobs feature in Cortex XSOAR, which enables proactive security operations by facilitating both scheduled and on-demand playbook runs that orchestrate across the entire security product stack.

How Cortex XSOAR Jobs Work

Jobs in Cortex XSOAR are playbooks that you can either schedule to run at pre-determined times and frequencies or have easy access to for on-demand execution.

Jobs Screen:

Jobs can be accessed by clicking the ‘Jobs’ button on the left toolbar. The default view of the Jobs page is given below:

Fig 1: The Jobs home screen shows a dashboard of all Jobs and a tabular view with Jobs details

The top half of the screen shows a dashboard view of all the Jobs created by your SOC in Cortex XSOAR. You can see which Jobs are currently running, waiting for analyst input, disabled, or experiencing errors. If you have a large number of Jobs stored on the platform, you can write search queries or click on the sub-section of categories that you want to be shown.

The bottom half of the screen shows a tabular view of the Jobs along with salient details such as Job Status (Idle, Enabled, Disabled), Run Status (Aborted, Running, Waiting, Error), the timeline of the Job’s most recent run, when the next run is scheduled, and any additional details as notes.

Summary View:

If you want to see details of a single Job, click the ‘Summary View’ button. This is what the Summary View looks like:

Fig 2: The Summary View shows the detailed run history of each Job

In this view, you can study the run history of a particular Job. In the screenshot above, the ‘Enrichment IOC’ Job has been selected, and you can see details of each time it was run, such as incident creation and closure times.

Creating a new Job:

To create a new Job, click the ‘New Job’ button on the top right of the page.

Fig 3: Click the 'New Job' button to create a new Job

This opens the ‘New Job’ window, which looks like this:

Fig 4: The New Job window

Here, you can fill in the Job’s name, assign owners as needed, choose the specific playbook that will run for this Job, enter timeline details if it’s a scheduled Job, and add any other tags, labels, or details as relevant. Once done, just click the ‘Create new job’ button on the bottom right.

Cortex XSOAR Jobs Use Cases

Jobs can be used for any workflows that need to be implemented at regular intervals by the SOC. They are also useful for having playbooks at the ready and launching them proactively instead of triggering them when an incident occurs.

A few use cases for Cortex XSOAR Jobs are:

  • Running scheduled VPN checks.
  • Threat hunting exercises using uploaded STIX files of IOCs.
  • Checks for expired SSL certificates.
  • Scans for vulnerable applications.
  • Policy compliance checks.
  • Checks on security system health.
  • Onboarding and removing privileged users.

By using Cortex XSOAR’s playbooks both as response mechanisms to incidents and as proactive Jobs, SOCs can cater to holistic security operations without being forced into a reaction-only mindset.

To see Cortex XSOAR in action, you can download our Free Community Edition.

