Integrate External Threat Intelligence Services - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product
Cortex XDR
License
Pro
Creation date
2023-10-31
Last date published
2024-03-18
Category
Administrator Guide
Abstract

Learn more about integrating external threat intelligence service verdicts to aid in your incident investigation.

To aid you with threat investigation, Cortex XDR displays the WildFire-issued verdict for each Key Artifact in an incident. To provide additional verification sources, you can integrate an external threat intelligence service with Cortex XDR . The threat intelligence services the app supports are:

  • AutoFocus—AutoFocus groups conditions and indicators related to a threat with a tag. Tags can be user-defined or come from threat-research team publications and are divided into classes, such as exploit, malware family, and malicious behavior. When you add the service, the relevant tags display on the incident details page under Key Artifacts. Without an AutoFocus license key, you can still pivot from Cortex XDR to the service to initiate a query for the artifact. See the AutoFocus Administrator’s Guide for more information on AutoFocus tags.

  • VirusTotal—VirusTotal provides aggregated results from over 70 antivirus scanners, domain services included in the block list, and user contributions. VirusTotal Premium API is required for this integration. The VirusTotal score is represented as a fraction, where, for example, a score of 34/52 means out of 52 queried services, 34 services determined the artifact to be malicious. When you add the service, the relevant VirusTotal score displays on the incident details page under Key Artifacts. Without a VirusTotal license key, you can still pivot from Cortex XDR to the service to initiate a query for the artifact.

  • WildFire—WildFire detects known and unknown threats, such as malware. The WildFire verdict contains detailed insights into the behavior of identified threats. The WildFire verdict displays next to relevant Key Artifacts in the incidents details page, the causality view, and within the Live Terminal view of processes.

    Note

    WildFire provides verdicts and analysis reports to Cortex XDR users without requiring a license key. Using WildFire for next-generation firewalls or other use cases continues to require an active license.

Before you can view external threat intelligence in Cortex XDR incidents, you must obtain the license key for the service and add it to the Cortex XDR Configuration. After you integrate any services, you will see the verdict or verdict score when you investigate the incident.

To integrate an external threat intelligence service:

  1. Get your API License Key for the service.

  2. Enter the license key in the Cortex XDR app.

    Select SettingsConfigurationsIntegrationsThreat Intelligence and then enter the license key.

  3. Test your license key.

    Select Test. If there is an issue, an error message provides more details.

  4. Verify the service integration in an incident.

    After adding the license key, you should see the additional verdict information from the service included in the Key Artifacts of an incident. You can right-click the service, such as VirusTotal (VT) or AutoFocus (AF), to see the entire verdict. See Manage Incidents for more information on where these services are used within the Cortex XDR app.