Query indicators with Unit 42 Intel data

Cortex XSIAM Documentation

Product: Cortex XSIAM
Creation date: 2024-03-06
Last date published: 2024-10-06
Category: Administrator Guide

Abstract

How to query indicators in the threat intel library and in Unit 42 Intel.

You can access Threat Intel data through the following methods:

  • On the Threat Intel page, select an indicator to start investigating. If the indicator also exists in Unit 42 Intel, the Unit 42 Intel tab is available.

  • When investigating an incident, select an extracted indicator. The Quick View shows basic information about the indicator in Cortex XSIAM and Unit 42 Intel (if available). The full view shows the complete Cortex XSIAM indicator summary.

  • On the Threat Intel page, query an indicator, which may or may not be in the Cortex XSIAM intel library.

    Unit 42 Intel data is cloud-based and remotely maintained so that you can view data from Unit 42 Intel and add only the information you need to your Cortex XSIAM threat intel library. When you search for an IP address, domain, URL, or file, you can view the indicator in Cortex XSIAM and the additional information provided by Unit 42 Intel. When an indicator does not yet exist in Cortex XSIAM, but does exist in Unit 42 Intel, you can add the indicator to the Cortex XSIAM threat intel library. You can add the indicator and enrich it with your existing integrations, or add the indicator without enrichment. When the indicator already exists in Cortex XSIAM, but additional information is available from Unit 42 Intel, you can update your indicator with the most recent data from Unit 42 Intel.

    The Threat Intel library is a centralized space for all indicators, whether they are found in an incident, brought in as a feed, or added manually. You can view in-depth information on collected indicators and filter the library based on common attributes.

    Note

    You can search or look up indicators. A search, which can include wildcards and complex queries, can return multiple results. Searches are only performed in Cortex XSIAM. Lookups are exact values, are performed in both Cortex XSIAM and Unit 42 Intel data, and can only return one result.

Indicator query considerations
  • Querying an IP address, domain, URL, or SHA256 file hash, without a wildcard or complex search (Boolean search, type:file, etc.), queries both the Cortex XSIAM threat intel library and Unit 42 Intel, with no date range limit.

  • If you enter an indicator type that is not an IP address, domain, URL, or SHA256 file hash, or you enter a wildcard or complex option (Boolean search, type:file, etc.), no lookup is performed in Unit 42. In Cortex XSIAM, a search is performed. By default, the search is for the last 7 days, but you can adjust the date range.

  • Wildcard searches can only be performed in the local Cortex XSIAM threat intel library, and not in Unit 42 Intel data. Example: *xample.com

  • Complex searches are only conducted in the local Cortex XSIAM threat intel library, and not in Unit 42 Intel data. Example: type:URL and verdict:Malicious.

  • For files, only the SHA256 hash returns Unit 42 Intel data.

  • For a query to include Unit 42 Intel results, it must be a lookup for an exact match.
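The following Python is an added illustration of the considerations above, not Cortex XSIAM code or the product's actual query parser: it decides whether a Threat Intel page query runs as an exact lookup (local library plus Unit 42 Intel, no date limit) or as a local-only search (default last 7 days). The indicator-type patterns and the treatment of a `?` inside a URL are simplified assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass

# Simplified recognisers (assumptions, not the product's parser) for the
# four indicator types that Unit 42 Intel will look up exactly.
_SHA256 = re.compile(r"^[0-9a-f]{64}$", re.I)
_URL = re.compile(r"^https?://\S+$", re.I)
_DOMAIN = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)
# Markers of a complex search: field:value terms and Boolean operators.
_FIELD_TERM = re.compile(r"\b\w+:\S")
_BOOLEAN = re.compile(r"\b(?:and|or|not)\b", re.I)

@dataclass(frozen=True)
class QueryPlan:
    mode: str             # "lookup" (exact) or "search"
    indicator_type: str   # ip, domain, url, sha256 or other
    queries_unit42: bool  # True only for exact lookups of the four types
    default_range: str    # "none" for lookups, "last 7 days" for searches
    reason: str

def indicator_type(value: str) -> str:
    """Classify one wildcard-free value; MD5/SHA1 hashes and e-mails are 'other'."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    if _SHA256.match(value):
        return "sha256"
    if _URL.match(value):
        return "url"
    if _DOMAIN.match(value):
        return "domain"
    return "other"

def plan_query(query: str) -> QueryPlan:
    """Decide where a Threat Intel page query runs and whether Unit 42 is consulted."""
    q = query.strip()
    # Wildcards force a local search. Assumption: a '?' in a URL query string is
    # treated as a wildcard as well, since the page does not specify otherwise.
    if "*" in q or "?" in q:
        return QueryPlan("search", "other", False, "last 7 days", "wildcard")
    kind = indicator_type(q)
    if kind != "other":
        return QueryPlan("lookup", kind, True, "none", "exact match")
    if _FIELD_TERM.search(q) or _BOOLEAN.search(q):
        return QueryPlan("search", "other", False, "last 7 days", "complex query")
    return QueryPlan("search", "other", False, "last 7 days", "type not in Unit 42")
```

Running `plan_query` over a planned list of queries shows in advance which ones will never return Unit 42 Intel data (for example an MD5 hash, or a URL typed with a trailing `*`).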

You can search for indicators using any of the available search fields. This is a partial list of the available search fields.

Field                  Description
type                   The type of the indicator, such as File or Email.
verdict                The reputation of the indicator: Malicious, Suspicious, Benign, or Unknown.
aggregatedReliability  Searches for indicators based on a reliability score, such as A - Completely reliable.
sourceBrands           Indicator feed or enrichment integrations.
sourceInstances        A specific instance of an indicator feed or enrichment integration.
expirationSource       The source (such as script or manual) that last set the indicator's expiration status.
tags                   Tags applied to indicators.
comments               Search for keywords within indicators' comments.

You can use a wildcard query, which finds indicators containing terms that match the specified wildcard. For example, the * pattern matches any sequence of 0 or more characters, and ? matches any single character. For a regex query, use the following value:

"/.*\\?.*/"

Indicator queries and Unit 42

Unit 42 Intel data is not automatically added to the Cortex XSIAM Threat Intel library. When you query for an indicator on the Threat Intel page, in some cases the indicator is not in the Threat Intel library, but exists in Unit 42 Intel. In other cases, the indicator may already be in the Cortex XSIAM Threat Intel library, but more in-depth information is available from Unit 42 Intel.

When a query is performed in both Cortex XSIAM and Unit 42 Intel, there are four possible results: