Threat Intel Management use cases - Administrator Guide - Threat Intel Management Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Cortex XSIAM
Creation date
Last date published
Administrator Guide

Typical use cases for analysts and how to set up the use cases by administrators.

The following examples illustrate typical use cases for Threat Intel Management analysts.

Proactive blocking of known threats

The security team needs to leverage threat intelligence to block or alert on known bad domains, IPs, hashes, etc. (indicators). The indicators are collected from many sources, which need to be normalized, scored, and analyzed before pushing to security devices such as firewalls for alerting. Detection tools can only handle limited amounts of threat intelligence data and need to constantly re-prioritize indicators.


Indicator prioritization. Cortex XSIAM can ingest phishing alerts from email inboxes through integrations. Once an alert is ingested, a playbook is triggered and can have any combination of automated or manual actions that users desire. The playbooks can have filters and conditions that execute different branches depending on certain values.

Alert enrichment using Threat Intel data

Most tools that Security Operations Centers and Incident Response teams use to respond to alerts are very generic. There is little correlation between network data and understanding of threats and attacker movements. There is often a dump of information, including bad IP addresses or domains, and someone has to be assigned to manually resolve to figure out false positives. There is also a lack of understanding of malicious families, hacking tools, and their patterns of attacks.


Accelerate alert response with TIM and alert enrichment using threat intelligence data. The incident enrichment workflow in Cortex XSIAM leverages threat intelligence from our centralized threat intelligence library, including information on:

  • Data from Unit 42 Intel to learn about known malware campaigns or families

  • IPs and domains with WHOIS data

  • Passive DNS data

  • Web categorization data

External threat landscape modeling

Threat Intelligence teams must understand attack details and how their organization may be vulnerable. The foundational element of understanding risk/impact on an organization begins when threat analysts start profiling the attacks.


Threat modeling to prevent or mitigate the effects of threats to the system. The intel team builds profiles of threat actors, identifies if there are related attacks, and then identifies which techniques and tools the threat actor used. This information is shared with stakeholders, including security operations and leadership.