After you have customized indicators and started ingesting indicators into Cortex XSOAR, you can create, add, extract, and export indicators, among other actions. If you have a TIM license, you can also use Threat Intel Reports and the Unit 42 feature.
The Threat Intel page displays a table or summary view of all indicators, and enables you to perform several indicator actions. If you do not have a TIM license, the page is called Indicators.
You can perform the following actions on the Indicators page.
| Action | Description |
|---|---|
| Create a new indicator | Manually create a new indicator in the system. |
| Create incident | Create an incident from the selected indicators and populate relevant incident fields with indicator data. |
| Edit | Edit a single indicator or select multiple indicators to perform a bulk edit. |
| Delete and Exclude | Delete and exclude one or more indicators from all indicator types or from a subset of indicator types. If you select the Do not add to exclusion list checkbox, the selected indicators are only deleted. |
| Export | Export the selected indicators to a CSV file. You can also export an indicator to CSV using the UTF8-BOM format. |
| Export (STIX) | Export the selected indicators to a STIX file. |
| Upload a STIX file | Upload a STIX file and add the indicators from the file to the system. |
Indicator Query
You can search for indicators using any of the available search fields. This is a partial list of the available search fields.
You can use a wildcard query, which finds indicators containing terms that match the specified wildcard. For example, the * pattern matches any sequence of zero or more characters, and ? matches any single character. For a regex query, use the following value: "/.*\\?.*/"
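To make the difference between the two query forms concrete, here is an added Python example (not Cortex XSOAR's own search code) that models the wildcard semantics described above, where * and ? are wildcards, and a "/.../" regex query, where ? must be escaped to match a literal question mark. The "/.../" detection and the contains-style regex matching are assumptions made for illustration, and the indicator values are constructed.

```python
import re

# Constructed sample indicator values (not taken from any real feed).
INDICATORS = [
    "example.com",
    "login.example.com",
    "example.net/path?id=1",
    "examp1e.com",
    "10.0.0.1",
]


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Translate a wildcard query into an anchored regex.

    Mirrors the semantics the page describes: '*' matches any sequence of
    zero or more characters and '?' matches exactly one character. Every
    other character is escaped so that it matches literally.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def query_indicators(query: str, values=INDICATORS) -> list:
    """Return the indicator values that match a wildcard or regex query.

    Assumption for this illustration: a query wrapped in forward slashes
    ("/.../") is a regex applied as a contains-style search; any other
    query is a wildcard query matched against the whole value.
    """
    if len(query) >= 2 and query.startswith("/") and query.endswith("/"):
        regex = re.compile(query[1:-1])
        return [v for v in values if regex.search(v)]
    regex = wildcard_to_regex(query)
    return [v for v in values if regex.match(v)]
```

Note that the wildcard query "*?*" matches every non-empty value because ? is a wildcard there, while the regex query "/.*\\?.*/" matches only values that contain a literal question mark.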