What is Threat Intel Management? - Administrator Guide - Threat Intel Management Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Cortex XSIAM
Creation date
Last date published
Administrator Guide

Why use TIM with use cases.

The Cortex XSIAM native threat intel management capabilities allow you to unify the core components of threat intel, including threat intel aggregation, scoring, and sharing. Cortex XSIAM automates threat intel management by ingesting and processing indicator sources, such as feeds and lists, and exporting the enriched intelligence data to SIEMs, firewalls, and any other system that can benefit from the data. These capabilities enable you to sort through millions of indicators daily and take automated steps to make those indicators actionable.


You must have the Cortex XSIAM Threat Intel Management (TIM) Add-on to use this feature.

Why Threat Intel Management?
  • Powerful native centralized threat intel

    Supercharge investigations with instant access to a large repository of built-in, high-fidelity Palo Alto Networks threat intelligence crowdsourced from the largest footprint of network, endpoint, and cloud intel sources.

  • Indicator relationships

    Indicator connections enable structured relationships between threat intelligence sources and incidents. These relationships surface important context for security analysts on new threat actors and attack techniques.

  • Hands-free automated playbooks with extensible integrations

    Take automated action to shut down threats across over 600 third-party products with purpose-built playbooks based on proven SOAR capabilities.

  • Granular indicator scoring and management

    Take charge of your threat intel with playbook-based indicator lifecycle management and transparent scoring that can be easily extended and customized.

  • Automated, multi-source feed aggregation

    Eliminate manual tasks with automated playbooks to aggregate, parse, prioritize, and distribute relevant indicators in real-time to security controls for continuous protection

  • Most comprehensive marketplace

    The largest community of integrations with content packs that are prebuilt bundles of integrations, playbooks, dashboards, field subscription services, and all the dependencies needed to support specific security orchestration use cases. With a substantial amount of integrations and product integrations, you can buy intel on the go using Marketplace points.

Threat Intel with Security orchestration

Security orchestration, automation, and response (SOAR) solutions have been developed to weave threat intelligence management into workflows by combining TIM capabilities with incident management, orchestration, and automation capabilities. SOAR solutions weave threat intelligence into a more unified and automated workflow. It matches alerts both to their sources and to compiled threat intelligence data and can automatically execute an appropriate response.

As part of the extensible Cortex XSIAM platform, TIM unifies threat intelligence aggregation, scoring, and sharing with playbook-driven automation. It empowers security leaders with instant clarity into high-priority threats to drive the right response across the entire enterprise.

Cortex XSIAM provides a common platform for incidents and threat information, where there is no disconnect between external threat data and your environment. Automated data enrichment of indicators provides analysts with relevant threat data to make smarter decisions.

Integrated case management allows for real-time collaboration, boosts operational efficiencies across teams, and automates playbooks to speed response across security use cases.

Cortex XSIAM collects data from sources such as incidents, Unit 42, and external threat intel feeds. After the data is ingested, Threat Intel playbooks examine the data proactively. The data gets deduped, normalized, and stored in the Threat Intel database so that a Threat Intel analyst can start a threat analysis. The analyst can then send that information to firewalls, share it with other stakeholders, and take remedial action as necessary.