Indicator Management - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Product: Cortex XSIAM
Creation date: 2024-02-26
Last date published: 2024-04-18
Category: Administrator Guide
Abstract

Perform actions (create, edit, export, delete) and search for indicators on the Cortex XSIAM Threat Intel page.

After you have customized indicators and started ingesting indicators into Cortex XSIAM, you can create, add, extract and export indicators from the Indicators page. The Cortex XSIAM Indicators page displays all indicators in a table or summary view, and lets you perform the indicator actions described below.

You can perform the following actions on the Indicators page.

  • View and take action on an indicator: Click an indicator to open its details and act on it. You can view the verdict, relationships and timeline in detail, enrich the indicator, and so on.

  • Create a new indicator: Manually create a new indicator in the system.

  • Edit: Edit a single indicator, or select multiple indicators to perform a bulk edit.

  • Delete and Exclude: Delete one or more indicators and add them to the exclusion list, either for all indicator types or for a subset of indicator types. If you select the Do not add to exclusion list check box, the selected indicators are only deleted, not excluded.

  • Export: Export the selected indicators to a CSV file.

  • Export (STIX): Export the selected indicators to a STIX file.

  • Upload a STIX file: Upload a STIX file and add the indicators it contains to the system.
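The Export (STIX) and Upload a STIX file actions exchange indicators as STIX files, and the guide does not state which STIX version is used. The following is an added example, not Cortex XSIAM code and not part of this guide: it assumes STIX 2.1 JSON and shows the round trip a practitioner performs when preparing a file for upload or reading an export. It wraps constructed (type, value, verdict) indicator triples in a bundle of STIX indicator objects, escapes quote characters so a value cannot break out of its pattern, and parses such a bundle back, reporting objects it cannot read rather than guessing at them. The type names ip/domain/sha256, the mapping from the page's verdicts to the STIX indicator-type vocabulary, and the sample values are assumptions made for illustration.

```python
"""Build and parse a STIX 2.1 indicator bundle (added example, not Cortex XSIAM code).

Assumes STIX 2.1 JSON, since the guide does not state the STIX version it
imports or exports. Object layout follows the public STIX 2.1 spec; nothing
here describes XSIAM's own file handling. All sample data is constructed.
"""
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed sample: (type, value, verdict) triples as a CSV export might hold them.
SAMPLE_INDICATORS = [
    ("ip", "198.51.100.7", "Malicious"),
    ("domain", "malware.example.net", "Suspicious"),
    ("sha256", "a" * 64, "Malicious"),
]

# Assumed mapping from our simple type names to STIX pattern templates.
PATTERN_TEMPLATES = {
    "ip": "[ipv4-addr:value = '{v}']",
    "domain": "[domain-name:value = '{v}']",
    "sha256": "[file:hashes.'SHA-256' = '{v}']",
}

# Reverse direction: one regex per pattern shape we know how to read. The
# value group accepts backslash-escaped characters inside the quoted literal.
_LIT = r"((?:[^'\\]|\\.)+)"
PATTERN_PARSERS = [
    ("ip", re.compile(r"^\[ipv4-addr:value = '" + _LIT + r"'\]$")),
    ("domain", re.compile(r"^\[domain-name:value = '" + _LIT + r"'\]$")),
    ("sha256", re.compile(r"^\[file:hashes\.'SHA-256' = '([0-9a-fA-F]{64})'\]$")),
]

# Assumed mapping between the page's verdicts and the STIX indicator-type vocabulary.
VERDICT_TO_STIX = {
    "Malicious": "malicious-activity",
    "Suspicious": "anomalous-activity",
    "Benign": "benign",
    "Unknown": "unknown",
}
STIX_TO_VERDICT = {v: k for k, v in VERDICT_TO_STIX.items()}


def _escape(value):
    # STIX pattern string literals are single-quoted; backslash escapes \ and '.
    # Without this, a value containing a quote would break out of the pattern.
    return value.replace("\\", "\\\\").replace("'", "\\'")


def _unescape(literal):
    return re.sub(r"\\(.)", r"\1", literal)


def build_bundle(indicators):
    """Wrap (type, value, verdict) triples in a STIX 2.1 bundle of indicator objects."""
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    objects = []
    for ioc_type, value, verdict in indicators:
        objects.append({
            "type": "indicator",
            "spec_version": "2.1",
            "id": f"indicator--{uuid.uuid4()}",
            "created": ts,
            "modified": ts,
            "valid_from": ts,
            "pattern_type": "stix",
            "pattern": PATTERN_TEMPLATES[ioc_type].format(v=_escape(value)),
            "indicator_types": [VERDICT_TO_STIX.get(verdict, "unknown")],
        })
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


def parse_bundle(text):
    """Parse STIX bundle JSON into (parsed, skipped).

    parsed holds (type, value, verdict) triples; skipped holds the ids of objects
    that are not indicators, use a non-STIX pattern language, or have a pattern
    shape we do not recognise, so nothing is silently dropped or guessed.
    """
    bundle = json.loads(text)
    if bundle.get("type") != "bundle":
        raise ValueError("not a STIX bundle")
    parsed, skipped = [], []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            skipped.append(obj.get("id"))
            continue
        for ioc_type, rx in PATTERN_PARSERS:
            m = rx.match(obj.get("pattern", ""))
            if m:
                stix_type = (obj.get("indicator_types") or ["unknown"])[0]
                verdict = STIX_TO_VERDICT.get(stix_type, "Unknown")
                parsed.append((ioc_type, _unescape(m.group(1)), verdict))
                break
        else:
            skipped.append(obj.get("id"))
    return parsed, skipped


def roundtrip(indicators):
    """Serialise indicators to a bundle and read them back."""
    return parse_bundle(json.dumps(build_bundle(indicators)))
```

Calling `roundtrip(SAMPLE_INDICATORS)` returns the same three triples and an empty skipped list; feeding `parse_bundle` a bundle that contains, say, a malware object returns that object's id in `skipped`, which is the list to inspect before deciding that an upload is complete.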

Indicator Query

You can search for indicators using any of the available search fields. The following search fields are specific to indicators.

  • Value: The value of the indicator. Used with Contains, it performs a wildcard search; used with =, it performs an exact lookup and also searches Unit 42.

  • Status: Whether the indicator is Active or Expired.

  • Verdict: The reputation of the indicator: Malicious, Suspicious, Benign, or Unknown.

  • Has Related Alerts: Whether the indicator has related alerts.

  • Detectable: Whether the indicator has a detection rule associated with it.

  • Preventable: Whether the indicator has a prevention rule associated with it.

  • Campaign: Whether the indicator is part of an existing campaign.

  • Tags: Tags applied to the indicator.

  • Aggregated Reliability: The reliability score of the indicator, such as A - Completely reliable.

  • Feed: The source (script, manual, etc.) that last set the indicator's expiration status.

  • Type: The type of the indicator, such as File, Email, etc.

You can also use a wildcard query, which finds indicators whose values match the specified wildcard pattern: * matches any sequence of zero or more characters, and ? matches any single character. Because ? is itself a wildcard, a value that contains a literal question mark cannot be found with a wildcard query; use a regex query instead, in which the expression is enclosed in forward slashes and the question mark is escaped so that it is matched literally. For example, the following value finds indicators whose value contains a question mark:

"/.*\\?.*/"
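The following is an added example, not taken from the guide and not XSIAM's search engine: a client-side reimplementation of the wildcard and regex semantics described above, run over constructed indicator values, to show why a literal question mark needs the regex form. It assumes that a wildcard query must match the whole value (put * at either end for a contains-style search) and that XSIAM's engine behaves as the page describes; both are assumptions for illustration.

```python
"""Wildcard vs. regex indicator-value matching (added example, not XSIAM code).

Reimplements the semantics the guide describes: '*' matches zero or more
characters, '?' matches exactly one, and a query wrapped in forward slashes
is a regular expression. Assumed: a wildcard query matches the whole value.
"""
import re

# Constructed sample indicator values. The two URLs differ only in the
# character after "login": a literal '?' versus an 'X'.
VALUES = [
    "evil.example.com",
    "evil.example.co",
    "http://example.net/login?user=admin",
    "http://example.net/loginXuser=admin",
]


def wildcard_to_regex(pattern):
    """Translate a wildcard pattern into an anchored regex, escaping everything else."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def search(query, values=VALUES):
    """Return the values matched by a wildcard query or a /regex/ query."""
    if len(query) >= 2 and query.startswith("/") and query.endswith("/"):
        # Regex form: the body between the slashes is used as-is, unanchored.
        rx = re.compile(query[1:-1])
        return [v for v in values if rx.search(v)]
    rx = wildcard_to_regex(query)
    return [v for v in values if rx.match(v)]


# The wildcard '?' matches both URLs; only the regex with an escaped '?'
# distinguishes the one containing a literal question mark. The guide shows
# the regex as "/.*\\?.*/", i.e. with the backslash doubled inside a quoted string.
WILDCARD_QUERY = "*login?user*"
REGEX_QUERY = r"/.*\?.*/"
```

`search(WILDCARD_QUERY)` returns both URLs, while `search(REGEX_QUERY)` returns only `http://example.net/login?user=admin`; `search("evil.example.co?")` returns `evil.example.com` and not `evil.example.co`, because ? must consume exactly one character.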