Perform actions (create, edit, export, delete) and search for indicators on the Cortex XSOAR Threat Intel page.
After you have customized indicators and started ingesting them into Cortex XSOAR, you can create, add, extract, and export indicators, among other actions. If you have a TIM license, you can also use Threat Intel Reports and the Unit 42 feature.
The Threat Intel page displays a table or summary view of all indicators, and enables you to perform several indicator actions. If you do not have a TIM license, the page is called Indicators.
You can perform the following actions on the Indicators page.
Action | Description |
---|---|
Create a new indicator | Manually create a new indicator in the system. |
Create incident | Create an incident from the selected indicators and populate relevant incident fields with indicator data. |
Edit | Edit a single indicator or select multiple indicators to perform a bulk edit. |
Delete and Exclude | Delete and exclude one or more indicators from all indicator types or from a subset of indicator types. If you select the Do not add to exclusion list checkbox, the selected indicators are only deleted. |
Export | Export the selected indicators to a CSV file. You can also Export an Indicator to CSV Using the UTF8-BOM Format. |
Export (STIX) | Export the selected indicators to a STIX file. |
Upload a STIX file | Upload a STIX file and add the indicators from the file to the system. |
Indicator Query
You can search for indicators using any of the available search fields. This is a partial list of the available search fields.
You can use a wildcard query, which finds indicators containing terms that match the specified wildcard. For example, the `*` pattern matches any sequence of 0 or more characters, and `?` matches any single character. For a regex query, use the following value:
"/.*\\?.*/"