Indicator queries - Threat Intel Management Guide - Cortex XSIAM - Cortex - Security Operations

Threat intel management

Product
Cortex XSIAM
Creation date
2023-07-30
Last date published
2024-04-15
Category
Threat Intel Management Guide
Abstract

How to query indicators in the threat intel library and in Unit 42 Intel.

You can access Threat Intel data through the following methods:

  • On the Threat Intel page, select an indicator to start investigating. If the indicator also exists in Unit 42 Intel, the Unit 42 Intel tab is available.

  • When investigating an incident, select an extracted indicator. The Quick View shows basic information about the indicator in Cortex XSIAM and Unit 42 (if available). Full view shows the full Cortex XSIAM indicator summary.

  • On the Threat Intel page, query an indicator, which may or may not be in the Cortex XSIAM intel library.

    Unit 42 Intel data is cloud-based and remotely maintained so that you can view data from Unit 42 Intel and add only the information you need to your Cortex XSIAM threat intel library. When you search for an IP address, domain, URL, or file, you can view the indicator in Cortex XSIAM and the additional information provided by Unit 42 Intel. When an indicator does not yet exist in Cortex XSIAM, but does exist in Unit 42 Intel, you can add the indicator to the Cortex XSIAM threat intel library. You can add the indicator and enrich it with your existing integrations, or add the indicator without enrichment. When the indicator already exists in Cortex XSIAM, but additional information is available from Unit 42 Intel, you can update your indicator with the most recent data from Unit 42 Intel.

    The Threat Intel library is a centralized space for all indicators, whether they are found in an incident, brought in as a feed, or added manually. You can view in-depth information on collected indicators and filter the library based on common attributes.

    Note

    You can search or look up indicators. A search, which can include wildcards and complex queries, can return multiple results. Searches are only performed in Cortex XSIAM. Lookups are exact values, are performed in both Cortex XSIAM and Unit 42 Intel data, and can only return one result.

Indicator query considerations

You can search for indicators using any of the available search fields. This is a partial list of the available search fields.

| Field | Description |
|---|---|
| type | The type of the indicator, such as File or Email. |
| verdict | The reputation of the indicator: Malicious, Suspicious, Benign, or Unknown. |
| aggregatedReliability | Searches for indicators based on a reliability score, such as A - Completely reliable. |
| sourceBrands | Indicator feed or enrichment integrations. |
| sourceInstances | A specific instance of an indicator feed or enrichment integration. |
| expirationSource | The source (such as script or manual) that last set the indicator's expiration status. |
| tags | Tags applied to indicators. |
| comments | Search for keywords within indicators' comments. |

You can use a wildcard query, which finds indicators containing terms that match the specified wildcard: the * pattern matches any sequence of zero or more characters, and ? matches any single character. For a regex query, enclose the pattern in forward slashes. For example, the following value matches indicators whose value contains a literal question mark (the backslash escapes the ?, so it is not treated as a wildcard):

"/.*\\?.*/"
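As an added illustration (not Cortex XSIAM code and not its query parser), the following Python evaluates the search-versus-lookup distinction from the Note above and the wildcard/regex syntax just described against a constructed set of indicator values. It assumes the doubled backslash in the regex example is string escaping, so the pattern the engine sees is `.*\?.*`.

```python
import re
from typing import Optional

# Constructed sample of threat intel library entries (not real indicators).
INDICATORS = [
    {"value": "example.com/login?user=1", "type": "URL", "verdict": "Suspicious"},
    {"value": "example.com/login", "type": "URL", "verdict": "Benign"},
    {"value": "exampl3.com", "type": "Domain", "verdict": "Malicious"},
    {"value": "example.net", "type": "Domain", "verdict": "Unknown"},
]


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Translate the wildcard syntax described above (* = zero or more
    characters, ? = exactly one) into an anchored regular expression.
    Every other character is matched literally."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def compile_query(query: str) -> re.Pattern:
    """A query wrapped in forward slashes is treated as a regex (as in the
    "/.*\\?.*/" example, where \\? means a literal question mark); anything
    else is treated as a wildcard pattern. Assumed convention for this demo."""
    if len(query) >= 2 and query.startswith("/") and query.endswith("/"):
        return re.compile("^" + query[1:-1] + "$")
    return wildcard_to_regex(query)


def search(query: str, indicators=INDICATORS) -> list:
    """Search: pattern match over the local library; may return many results."""
    rx = compile_query(query)
    return [ind["value"] for ind in indicators if rx.match(ind["value"])]


def lookup(value: str, indicators=INDICATORS) -> Optional[dict]:
    """Lookup: exact value only; returns at most one record (or None)."""
    for ind in indicators:
        if ind["value"] == value:
            return ind
    return None
```

Note the contrast: the wildcard query `*?*` matches every non-empty value because `?` is a single-character wildcard, while the regex `/.*\?.*/` matches only values containing an actual question mark.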

Indicator queries and Unit 42

Unit 42 Intel data is not automatically added to the Cortex XSIAM Threat Intel library. When you query for an indicator on the Threat Intel page, in some cases the indicator is not in the Threat Intel library, but exists in Unit 42 Intel. In other cases, the indicator may already be in the Cortex XSIAM Threat Intel library, but more in-depth information is available from Unit 42 Intel.

When a query is performed in both Cortex XSIAM and Unit 42 Intel, there are four possible results: