Perform actions on an indicator - Threat Intel Management Guide - Cortex XSIAM - Cortex - Security Operations

Threat intel management

Product: Cortex XSIAM
Creation date: 2023-07-30
Last date published: 2024-04-15
Category: Threat Intel Management Guide
Abstract

Take action such as adding tags, expiring an indicator, using indicator relationships, and extracting and enriching indicators.

When investigating an indicator, you can see the following tabs:

  • Summary: View the verdict; enrich, expire, delete, or exclude the indicator; add relationships; view related incidents; and add comments. Add or remove tags, which help classify known threats. For example, you may want to group malware indicators by family type, such as ransomware, trojan, or loader. Unit 42 Intel also publishes tags.

  • Additional Details: Add or view community notes for sharing, and view custom details.

  • Unit 42 Intel: If the indicator is available in Unit 42, you can download the WildFire report and view related data.

    If the indicator has been found in the Unit 42 database, you can view the following layout sections, per indicator type:

    Indicator Type    Layout Sections
    --------------    --------------------------------------------------------------------------------------
    IP address        Verdict; Source; Relationships; PAN-DB Categorization; Passive DNS
    URL               Verdict; Source; Relationships; PAN-DB Categorization; WHOIS
    Domain            Verdict; Source; Relationships; PAN-DB Categorization; Passive DNS; WHOIS
    File              Verdict; Source; Relationships; Summary; WildFire Analysis; Related Sessions & Submissions