Add indicator data from Unit 42 Intel into Cortex XSIAM.
When you add indicators to the Cortex XSIAM threat intel library from Unit 42 Intel, the indicators are available for use in automations and playbooks.
Unit 42 Intel data is not automatically added to the Cortex XSIAM indicator database. When you query for an indicator on the Threat Intel page, in some cases the indicator is not in the Cortex XSIAM threat intel library, but exists in Unit 42 Intel. In other cases, the indicator may already be in the Cortex XSIAM threat intel library, but more in-depth information is available from Unit 42 Intel.
If the indicator does not exist in Cortex XSIAM, there are two options when adding the data from Unit 42 Intel:
Click on Add to XSIAM
The indicator is added to Cortex XSIAM. If the indicator is related to one or more Unit 42 threat intel objects already in Cortex XSIAM (brought in through the Unit 42 Feed integration), relationships are created in the database between the Unit 42 threat intel objects and the file indicator. No third-party enrichments are run on the indicator. We recommend using this option if, for security reasons, you do not want to expose the indicator to any third-party services.
Click on Add to XSIAM & Enrich
The indicator is added to Cortex XSIAM. If the indicator is related to one or more Unit 42 threat intel objects already in Cortex XSIAM (brought in through the Unit 42 Feed integration), relationships are created in the database between the Unit 42 threat intel objects and the file indicator. Your configured third-party enrichments are run on the indicator.
Update Indicator with Unit 42 Intel
If the indicator already exists in Cortex XSIAM, but more information is available from Unit 42 Intel, the following options are available:
Click on Update
Updated Unit 42 Intel for the indicator is added to Cortex XSIAM. If the indicator is related to one or more Unit 42 threat intel objects already in Cortex XSIAM (brought in through the Unit 42 Feed integration), relationships are created in the database between the Unit 42 threat intel objects and the file indicator. No third-party enrichments are run on the indicator. We recommend using this option if, for security reasons, you do not want to expose the indicator to any third-party services.
Click on Update & Enrich
Updated Unit 42 Intel for the indicator is added to Cortex XSIAM. If the indicator is related to one or more Unit 42 threat intel objects already in Cortex XSIAM (brought in through the Unit 42 Feed integration), relationships are created in the database between the Unit 42 threat intel objects and the file indicator. Your configured third-party enrichments are run on the indicator.