Indicator management - Administrator Guide - Threat Intel Management Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2024-06-18
Category
Administrator Guide
Abstract

Perform actions (create, edit, export, delete) and search for indicators on the Cortex XSIAM Threat Intel page.

After you start ingesting indicators into Cortex XSIAM, you can start your investigation, including creating indicators, adding indicators to an incident, extracting indicators, exporting indicators, etc.

Cortex XSIAM Threat Intel includes access to the Unit 42 Intel service, enabling you to identify threats in your network and discover and contextualize trends. Unit 42 Intel provides data from WildFire (Palo Alto Networks’ cloud-based malware sandbox), the PAN-DB URL Filtering database, Palo Alto Networks’ Unit 42 threat intelligence team, and third-party feeds (including both closed and open-source intelligence). Unit 42 Intel data is continually updated to include the most recent threat samples analyzed by Palo Alto Networks, enabling you to keep up with threat trends and take a proactive approach to securing your network.

The indicators page is split into the following tabs:

  • Indicators

  • Sample Analysis

  • Sessions and Submissions

Indicators

Displays a list of indicators added to Cortex XSIAM, where you can perform several indicator actions, including Unit 42 data. Search and look up indicators. For understanding search queries, see Query indicators with Unit 42 Intel data.

You can perform the following actions on the Indicator page.

Action

Description

Take action on an indicator

Click on an indicator to view and take action on the indicator.

Create an indicator

Indicators are added to the Indicators table from feed integrations, adding Unit 42 data, or you can manually create a new indicator in the system.

When creating an indicator, in the Verdict field, you can either select a Verdict or leave it blank to calculate it later by clicking Save & Enrich, which updates the indicator from enrichment sources. After you select an indicator type, you can add any custom field data.

Edit

Edit a single indicator or select multiple indicators to perform a bulk edit.

Delete and Exclude

Delete and exclude one or more indicators from all indicator types or a subset of indicator types.

If you select the Do not add to exclusion list checkbox, the selected indicators are only deleted.

Export CSV

Export the selected indicators to a CSV file.

Export STIX

Export the selected indicators to a STIX file.

Upload a STIX file

To upload a STIX file, click the upload button (top right of the page) and add the indicators from the file to the system.

Investigate an indicator

When viewing an indicator, you can see the following tabs:

  • Summary/Info tab: View verdict, enrich, expire, delete and exclude the indicator, add relationships, view related incidents, and add comments. Add or remove tags, which can help classify known threats. For example, you may want to group specific malware indicators that are part of ransomware, trojan, loader, etc. In addition, Unit 42 Intel publishes tags.

  • Additional Details: Add or view any community notes for sharing and view custom details.

  • Unit 42 Intel: If the indicator is available in Unit 42, you can download the WildFire report and view related data.

You can perform actions on the indicator, such as:

Action

Description

Enrich an indicator

You can view detailed information about the indicator (WHOIS information for example), using third-party integrations such as VirusTotal and IPinfo. For more information, see Extract and enrich an indicator.

Expire an indicator

You may want to expire an indicator to filter out less relevant alerts, allowing analysts to focus on active threats. For more information, see Expire an indicator.

Manage indicator relationships

Relationships enable you to enhance investigations with information about indicators and how they might be connected to other incidents or indicators. For more information, see Manage indicator relationships.

Delete and exclude indicators

Indicators added to an exclusion list are disregarded by the system and are not created or involved in automated flows. For more information, see Delete and exclude indicators.

Sample analysis

Unit 42 Intel also provides sample analysis for files that help you conduct in-depth investigations, find links between attacks, and analyze threat patterns. If the file indicator is in the Unit 42 Intel service, you have access to a full report on activities, properties, and behaviors associated with the file. In addition, you can see how many other malicious, suspicious, or unknown file samples included the same activities, properties, and behaviors, and also build queries to find related samples.

Sessions and Submissions

Unit 42 Intel provides in-depth information on device communication.

Cortex XSIAM users can use their Sessions and submissions data for investigation and analysis. You can see which XDR agent reported the file and which computers are affected.

For example, if you have a file indicator that has been determined as malicious, in the Sessions & Submissions tab, you can see where this file came from and where it is in your network by viewing the firewall sessions this file passed through. You can see which XDR agents in your system reported the file, which tells you which machines might be infected. You can block the external IP address with your firewall, and, if needed, isolate the affected machines to contain the attack. If the source is internal, you can investigate that endpoint.