Indicator investigation - Administrator Guide - Threat Intel Management Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Cortex XSIAM
Creation date
Last date published
Administrator Guide

Learn how to use TIM in your use case, such as creating a TIM report, accessing and using Unit 42 Intel data, investigating an indicator and creating indicator relationships.

Cortex XSIAM enables you to centralize and manage every aspect of your TIM investigation. Create, extract, and enrich indicators using Unit 42 Intel data and explore their relationships to gain deeper insights.

After you start ingesting indicators into Cortex XSIAM, you can start your investigation, including creating indicators, adding indicators to an incident, extracting indicators, exporting indicators, etc.

Cortex XSIAM Threat Intel includes access to the Unit 42 Intel service, enabling you to identify threats in your network and discover and contextualize trends. Unit 42 Intel provides data from WildFire (Palo Alto Networks’ cloud-based malware sandbox), the PAN-DB URL Filtering database, Palo Alto Networks’ Unit 42 threat intelligence team, and third-party feeds (including both closed and open-source intelligence). Unit 42 Intel data is continually updated to include the most recent threat samples analyzed by Palo Alto Networks, enabling you to keep up with threat trends and take a proactive approach to securing your network.

When investigating an indicator, you can see the following tabs:

  • Summary

    View verdict, enrich, expire, delete and exclude the indicator, add relationships, view related incidents, and add comments. Add or remove tags, which can help classify known threats. For example, you may want to group specific malware indicators that are part of ransomware, such as trojan or loader. Unit 42 Intel data also publishes tags to assist your classification.

  • Additional Details

    Add or view any community notes for sharing and any custom details.

  • Unit 42 Intel

    If the indicator is available in Unit 42, you can view related Unit 42 Intel data.

    If the indicator has been found in the Unit 42 database you can view the following information (and download the Wildfire report (if available), according to indicator type:

When investigating an indicator, you can perform actions on the indicator, such as:



Enrich an indicator

You can view detailed information about the indicator (WHOIS information for example), using third-party integrations such as VirusTotal and IPinfo. For more information, see Extract and enrich an indicator.

Expire an indicator

You may want to expire an indicator to filter out less relevant alerts, allowing analysts to focus on active threats. For more information, see Expire an indicator.

Manage indicator relationships

Threat Intel Management in Cortex XSOAR includes a feed that brings in a collection of threat intel objects as indicators. These indicators are stored in the Cortex XSOAR threat intel library and include Malware, Attack Patterns, Campaigns, and Threat Actors. When you add or update an indicator from Unit 42 Intel, a relationship is formed in the database between the relevant threat intel object and the new, or updated, indicator. For more information, see Manage indicator relationships.

Delete and exclude indicators

Indicators added to an exclusion list are disregarded by the system and are not created or involved in automated flows. For more information, see Delete and exclude indicators.