Unit 42 Intel Overview - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Product
Cortex XSIAM
Creation date
2024-02-26
Last date published
2024-04-16
Category
Administrator Guide
Abstract

Cortex XSIAM provides Unit 42 Intel data for additional indicator information, sample analysis, and sessions & submissions analysis.

Cortex XSIAM Threat Intel includes access to the Unit 42 Intel service, enabling you to identify threats in your network and discover and contextualize trends. Unit 42 Intel provides data from WildFire (Palo Alto Networks’ cloud-based malware sandbox), the PAN-DB URL Filtering database, Palo Alto Networks’ Unit 42 threat intelligence team, and third-party feeds (including both closed and open-source intelligence). Unit 42 Intel data is continually updated to include the most recent threat samples analyzed by Palo Alto Networks, enabling you to keep up with threat trends and take a proactive approach to securing your network.

Unit 42 Intel data is cloud-based and remotely maintained, so that you can view data from Unit 42 Intel and add only the information you need to your Cortex XSIAM threat intel library. When you search for an IP address, domain, URL, or file in the Threat Intel page, you are able to view the indicator as well as the additional information provided by Unit 42 Intel. When an indicator does not yet exist in Cortex XSIAM, but does exist in Unit 42 Intel, you are able to add the indicator into the Cortex XSIAM threat intel library. You have the option to add the indicator and enrich it with your existing integrations or add the indicator without enrichment. When the indicator already exists in Cortex XSIAM, but there is additional information available from Unit 42 Intel, you can update your indicator with the most recent data from Unit 42 Intel.

For IP addresses, domains, URLs, and files, the following information is available:

Indicator Type | Layout Sections
-------------- | ---------------
IP address | Verdict, Source, Relationships, PAN-DB Categorization, Passive DNS
URL | Verdict, Source, Relationships, PAN-DB Categorization, WHOIS
Domain | Verdict, Source, Relationships, PAN-DB Categorization, Passive DNS, WHOIS
File | Verdict, Source, Relationships, Summary, WildFire Analysis, Related Sessions & Submissions

Sample Analysis

For files, Unit 42 Intel also provides sample analysis that helps you conduct in-depth investigations, find links between attacks, and analyze threat patterns. If the file indicator is in the Unit 42 Intel service, you have access to a full report on activities, properties, and behaviors associated with the file. In addition, you can see how many other malicious, suspicious, or unknown file samples included the same activities, properties, and behaviors, and also build queries to find related samples.

Sessions & Submissions

Cortex XSIAM customers can use their Sessions & Submissions data for investigation and analysis in Cortex XSIAM. Sessions & Submissions data is available for customers with Cortex XSIAM and one or more of the following products:

  • Firewall - Samples that a Palo Alto Networks firewall forwarded to WildFire.

  • WF Appliance - Samples that a WildFire appliance submitted to the WildFire public cloud.

  • Prisma SaaS - Samples submitted through Prisma SaaS.

  • Prisma Access - Samples submitted through Prisma Access.

While the Sample Analysis tab provides information on what a file did, the Sessions & Submissions tab provides in-depth information on communication between devices. For example, suppose you have a file indicator that has been determined to be malicious, and you have a Palo Alto Networks firewall and Cortex XSIAM. In the Sessions & Submissions tab, you can see where this file came from and where it has gone in your network by viewing the firewall sessions the file passed through. You can also see which XDR agents in your environment reported the file, which tells you which machines might be infected. You can block the external IP address with your firewall and, if needed, isolate the affected machines to contain the attack. If the source is internal, you can investigate that endpoint.

Relationships

The Threat Intel Management system in Cortex XSIAM includes a feed that brings in a collection of threat intel objects as indicators. These indicators are stored in the Cortex XSIAM threat intel library and include Malware, Attack Patterns, Campaigns, and Threat Actors.

When you add or update an indicator from Unit 42 Intel, a relationship is formed in the database between the relevant threat intel object and the new or updated indicator.