Understanding Indicator Queries - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Product
Cortex XSIAM
Creation date
2024-02-26
Last date published
2024-04-16
Category
Administrator Guide
Abstract

Query indicators in the Cortex XSIAM threat intel library and in Unit 42 Intel.

There are two ways to access Threat Intel data.

  • When investigating an alert, you can click on an extracted indicator. The Quick View shows basic information about the indicator in Cortex XSIAM and Unit 42 (if available). Clicking on Full view shows the full Cortex XSIAM indicator summary. If the indicator also exists in Unit 42 Intel, the Unit 42 Intel tab is available.

  • You can query for an indicator, which may or may not already be in the Cortex XSIAM threat intel library, from the search box on the Threat Intel page.

Note

"Search" and "lookup" are different actions with different results. A search, which can include wildcards and complex queries, can return multiple results. Searches are only performed in Cortex XSIAM. Lookups are exact values, are performed in both Cortex XSIAM and Unit 42 Intel data, and can only return one result.

When querying directly on the Threat Intel page, the following considerations apply:

  • Querying for an IP address, domain, URL, or SHA256 file hash using the value = option (an exact-match lookup) will query both the Cortex XSIAM threat intel library and Unit 42 Intel, with no date range limit.

  • If you enter an indicator type that is not an IP address, domain, URL, or SHA256 file hash, or you enter a wildcard (contains) or complex option (Boolean search, type:file, etc.), no lookup is performed in Unit 42. In Cortex XSIAM, a search is performed. By default, the search is for the last 7 days, but you can adjust the date range.

  • Value Contains searches can only be performed in the local Cortex XSIAM threat intel library, and not in Unit 42 Intel data. Example: with the value contains option, xample.com returns example.com.

  • Complex searches are only conducted in the local Cortex XSIAM threat intel library, and not in Unit 42 Intel data. Example: type:URL and verdict:Malicious

  • For files, only the SHA256 hash returns Unit 42 Intel data.

  • For a query to include Unit 42 Intel results, it must be a lookup for an exact match. To perform a lookup, use value = with the exact value of the indicator.
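As an added illustration (not part of this guide and not Cortex XSIAM's own code), the following Python models the routing rules above: it decides whether a query string is an exact lookup that reaches both Cortex XSIAM and Unit 42 Intel, or a local-only search with the default 7-day range. The value = / value contains prefixes and the type:URL and verdict:Malicious syntax come from the page; the indicator-type heuristics and the assumption that a bare value is treated as an exact lookup are mine.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Indicator types for which the guide says a Unit 42 Intel lookup is possible.
UNIT42_TYPES = {"IP", "Domain", "URL", "SHA256"}

SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")
OTHER_HASH_RE = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40})$")  # MD5 / SHA1: no Unit 42 data
URL_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://\S+$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:(?!-)[A-Za-z0-9-]{1,63}(?<!-)\.)+[A-Za-z]{2,63}$")
# Boolean operators or field:value terms mark a complex search (e.g. type:URL and verdict:Malicious).
COMPLEX_RE = re.compile(r"\b(?:and|or|not)\b|\b\w+:", re.IGNORECASE)
# "value = <x>" or "value contains <x>" as written in the guide (parsing assumed for this example).
VALUE_RE = re.compile(r"^value\s*(=|contains)\s*(\S+)$", re.IGNORECASE)


def indicator_type(value: str) -> str:
    """Heuristic classification of a single indicator value (assumed, not XSIAM's)."""
    if SHA256_RE.match(value):
        return "SHA256"
    if OTHER_HASH_RE.match(value):
        return "File (non-SHA256 hash)"
    try:
        ipaddress.ip_address(value)
        return "IP"
    except ValueError:
        pass
    if URL_RE.match(value):
        return "URL"
    if DOMAIN_RE.match(value):
        return "Domain"
    return "Other"


@dataclass(frozen=True)
class Routing:
    mode: str                          # "lookup" (exact match) or "search"
    kind: str                          # indicator type, or "Complex search"
    sources: Tuple[str, ...]           # data sets the query reaches
    default_range_days: Optional[int]  # None = no date range limit


def route_query(query: str) -> Routing:
    """Only an exact value = on an IP, domain, URL or SHA256 is a lookup that also
    reaches Unit 42 Intel; wildcards, complex syntax and other types are local searches."""
    q = query.strip()
    m = VALUE_RE.match(q)
    op, value = (m.group(1).lower(), m.group(2)) if m else ("=", q)  # bare value assumed exact
    kind = indicator_type(value)
    if m is None and kind == "Other" and COMPLEX_RE.search(q):
        return Routing("search", "Complex search", ("Cortex XSIAM",), 7)
    if op == "=" and "*" not in value and kind in UNIT42_TYPES:
        return Routing("lookup", kind, ("Cortex XSIAM", "Unit 42 Intel"), None)
    return Routing("search", kind, ("Cortex XSIAM",), 7)
```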

When a query is performed in Unit 42 Intel, there are four possible results:

  • The indicator exists in Cortex XSIAM but does not exist in Unit 42 Intel.

    The Cortex XSIAM search result is displayed in a table. Click on the value to reach the Summary tab. The Summary tab presents information about the indicator stored in Cortex XSIAM. The Unit 42 Intel tab is greyed out.

  • The indicator exists in Unit 42 Intel, but does not exist in the Cortex XSIAM threat intel library.

    To view the Unit 42 Intel data for this indicator, click on the indicator search term.

    From the Unit 42 Intel tab, you have the option to Add the indicator to Cortex XSIAM or to Add & Enrich.

  • The indicator exists in Cortex XSIAM and in Unit 42 Intel.

    Click on the value to reach the Summary tab. The Summary tab presents information about the indicator stored in Cortex XSIAM. Click on the Unit 42 Intel tab to view Unit 42 data. From the Unit 42 Intel tab, you have the option to Update the indicator in Cortex XSIAM with additional information from Unit 42 Intel, or to Update & Enrich.

  • The indicator does not exist in Cortex XSIAM or in Unit 42 Intel.

    If the query was for an indicator type that is not an IP address, domain, URL, or SHA256 file hash, or if the query included a wildcard or a complex search, the search was performed on Cortex XSIAM data from the last 7 days only. You can extend the date range to see whether the indicator is in Cortex XSIAM but is older than 7 days.