Threat Intel Concepts - Threat Intel Management Guide - 6.5 - Cortex XSOAR - Cortex - Security Operations

Indicators are artifacts associated with incidents, and are an essential part of the incident management and remediation process.

These are the key concepts associated with threat intel management in Cortex XSOAR.

Fetch indicators

Cortex XSOAR includes integrations that fetch indicators either from a vendor-specific source, such as AutoFocus, or from a generic source, such as a CSV or JSON file.

Common indicator data model

When indicators are ingested, regardless of their source, they have a unified, common set of indicator fields, including traffic light protocol (TLP), expiration, verdict, and tags.

Indicator smart merge

The same indicator can originate from multiple sources and be enriched by multiple methods (integrations, scripts, playbooks, and so on). Cortex XSOAR implements smart merge logic to make sure indicators are accurately scored (verdict) and aggregated.

Indicator fields are merged according to the source reliability hierarchy. When there are two different values for a single indicator field, the field is populated with the value provided by the source with the highest reliability score. In cases where multiple sources with the same reliability score return different values for the indicator, the most recent data is taken.

For multi-select and tag fields, new values are appended, rather than replacing the original values.

In the case of verdicts, if multiple sources with the same reliability score return a different verdict for an indicator, the worst verdict is used.
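The three rules above (reliability hierarchy with a most-recent tie-break, append-only multi-select and tag fields, worst-verdict tie-break) are easiest to check against a concrete case. The following is an added example written for this page, not Cortex XSOAR's own implementation; the reliability scale, the verdict ordering, the field names and the sample observations are constructed for illustration. It reads the verdict rule as: the highest-reliability sources decide, and only among them does a disagreement resolve to the worst verdict.

```python
# Added example (not Cortex XSOAR code): a simplified model of the smart-merge
# rules described above. The reliability scale, verdict ordering, field names
# and sample observations are constructed for illustration.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional, Tuple

# Assumed reliability scale: higher score = more trusted source.
RELIABILITY_SCORE = {
    "A - Completely reliable": 6,
    "B - Usually reliable": 5,
    "C - Fairly reliable": 4,
    "D - Not usually reliable": 3,
    "E - Unreliable": 2,
    "F - Reliability cannot be judged": 1,
}

# Assumed verdict ordering: higher = worse.
VERDICT_SEVERITY = {"Unknown": 0, "Benign": 1, "Suspicious": 2, "Malicious": 3}

# Multi-select and tag fields are appended to, never overwritten.
APPEND_FIELDS = {"tags", "campaigns"}


@dataclass
class Observation:
    """One source's view of a single indicator."""
    source: str
    reliability: str
    seen_at: datetime
    fields: Dict[str, Any]
    verdict: Optional[str] = None


def _rank(obs: Observation) -> Tuple[int, datetime]:
    # Reliability decides first; among equal reliability the more recent value wins.
    return (RELIABILITY_SCORE[obs.reliability], obs.seen_at)


def merge_fields(observations: List[Observation]) -> Dict[str, Any]:
    merged: Dict[str, Any] = {}
    held_rank: Dict[str, Tuple[int, datetime]] = {}
    for obs in observations:
        rank = _rank(obs)
        for name, value in obs.fields.items():
            if name in APPEND_FIELDS:
                bucket = merged.setdefault(name, [])
                for v in (value if isinstance(value, list) else [value]):
                    if v not in bucket:
                        bucket.append(v)
                continue
            # Single-value field: replace only if this source outranks the current holder.
            if name not in merged or rank > held_rank[name]:
                merged[name] = value
                held_rank[name] = rank
    return merged


def merge_verdict(observations: List[Observation]) -> str:
    """Highest-reliability sources decide; if they disagree, the worst verdict wins."""
    scored = [o for o in observations if o.verdict is not None]
    if not scored:
        return "Unknown"
    top = max(RELIABILITY_SCORE[o.reliability] for o in scored)
    finalists = [o.verdict for o in scored if RELIABILITY_SCORE[o.reliability] == top]
    return max(finalists, key=VERDICT_SEVERITY.__getitem__)


def merge_indicator(observations: List[Observation]) -> Dict[str, Any]:
    merged = merge_fields(observations)
    merged["verdict"] = merge_verdict(observations)
    return merged


# Constructed sample: three sources report the same IP with conflicting data.
UTC = timezone.utc
SAMPLE = [
    Observation("feed_a", "A - Completely reliable", datetime(2024, 3, 1, tzinfo=UTC),
                {"tlp": "AMBER", "tags": ["apt"]}, verdict="Suspicious"),
    Observation("feed_b", "A - Completely reliable", datetime(2024, 3, 2, tzinfo=UTC),
                {"tlp": "GREEN", "tags": ["phishing"]}, verdict="Malicious"),
    Observation("feed_c", "C - Fairly reliable", datetime(2024, 3, 3, tzinfo=UTC),
                {"tlp": "RED", "tags": ["apt", "c2"], "asn": 64500}, verdict="Benign"),
]

if __name__ == "__main__":
    # tlp: GREEN (same reliability as feed_a, but newer); feed_c is newest yet outranked.
    # tags: all three sources' tags appended. asn: only feed_c supplies it.
    # verdict: Malicious, the worst among the A-rated sources; feed_c's Benign is ignored.
    print(merge_indicator(SAMPLE))
```

Note that the result does not depend on the order in which sources arrive: feeding the observations in reverse yields the same TLP and verdict, which is the property you want when feeds are fetched on independent schedules.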

Indicators enrichment cache (Insightcache)

To avoid exceeding API quotas for third-party services, an indicator is re-enriched only after the cache expiration period has elapsed. By default, the cache expires 4,320 minutes (3 days) after an indicator is updated, and it cannot be cleared manually. The cache expiration can be set in the indicator type profile. Indicator enrichment cache expiration applies only to automatic enrichment, triggered by the enrichIndicators command; it does not apply when you run reputation commands such as !ip, which always query the service.

Indicator timeline

The indicator timeline is in table format and displays an indicator’s complete history, including the first seen and last seen timestamp, changes made to indicator fields, and more.

Indicator expiration

When ingesting and processing millions of indicators on a daily basis, it is important to track whether each indicator is active or expired, and to define how and when indicators expire. Cortex XSOAR offers multiple options for setting indicator expiration.

Storing indicators

If you plan to ingest and process a large number of indicators, you should consider migrating to Elasticsearch. See Elasticsearch Migration Overview.

Export indicators

You can export indicators as a hosted list, an EDL, or a TAXII collection. This enables your SIEM or firewall to ingest or pull the indicator list to update policy rules. The supported list file types are JSON, CSV, and TXT.

Exclusion list

Indicators added to the exclusion list are disregarded by the system: they are not created, and they take no part in automated flows such as indicator extraction.
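Expiration, export and the exclusion list meet at the point where a list is handed to a firewall or SIEM: an entry that has expired, or that sits on the exclusion list (an internal address, say), must not reach the enforcement device. The following is an added example, not Cortex XSOAR's export code, showing that selection step followed by rendering into the three list file types named above (TXT in the one-value-per-line form an EDL consumer expects, CSV and JSON). The record layout, the exclusion set and the sample indicators are constructed for illustration.

```python
# Added example (not Cortex XSOAR code): select active, non-excluded indicators
# and render them as a TXT (one value per line), CSV or JSON list.
# Record layout, exclusion entries and sample indicators are constructed.
import csv
import io
import json
from datetime import datetime, timezone
from typing import Any, Dict, Iterable, List, Optional, Set

Indicator = Dict[str, Any]  # assumed keys: value, type, verdict, expiration (datetime or None)


def is_active(ind: Indicator, now: datetime) -> bool:
    """An indicator with no expiration never expires; otherwise compare to now."""
    expiration: Optional[datetime] = ind.get("expiration")
    return expiration is None or expiration > now


def select_for_export(indicators: Iterable[Indicator], exclusions: Set[str],
                      now: datetime) -> List[Indicator]:
    """Keep active indicators not on the exclusion list, deduplicated by value (first wins)."""
    seen: Set[str] = set()
    chosen: List[Indicator] = []
    for ind in indicators:
        value = ind["value"]
        if value in seen or value in exclusions or not is_active(ind, now):
            continue
        seen.add(value)
        chosen.append(ind)
    return chosen


def render(indicators: List[Indicator], fmt: str) -> str:
    """Serialize the selected indicators; 'txt' is the bare one-per-line form."""
    if fmt == "txt":
        return "".join(f"{i['value']}\n" for i in indicators)
    rows = [{"value": i["value"], "type": i["type"], "verdict": i["verdict"],
             "expiration": i["expiration"].isoformat() if i["expiration"] else ""}
            for i in indicators]
    if fmt == "csv":
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=["value", "type", "verdict", "expiration"],
                                lineterminator="\n")
        writer.writeheader()
        writer.writerows(rows)
        return buf.getvalue()
    if fmt == "json":
        return json.dumps(rows, indent=2)
    raise ValueError(f"unsupported format: {fmt}")


def export_indicators(indicators: Iterable[Indicator], exclusions: Set[str],
                      now: datetime, fmt: str = "txt") -> str:
    return render(select_for_export(indicators, exclusions, now), fmt)


UTC = timezone.utc
NOW = datetime(2025, 1, 1, tzinfo=UTC)
EXCLUSIONS = {"10.0.0.5"}  # constructed: an internal address that must never be blocked
SAMPLE_INDICATORS: List[Indicator] = [
    {"value": "198.51.100.7", "type": "IP", "verdict": "Malicious",
     "expiration": datetime(2030, 1, 1, tzinfo=UTC)},          # active
    {"value": "203.0.113.9", "type": "IP", "verdict": "Malicious",
     "expiration": datetime(2020, 1, 1, tzinfo=UTC)},          # expired: dropped
    {"value": "10.0.0.5", "type": "IP", "verdict": "Suspicious",
     "expiration": None},                                       # excluded: dropped
    {"value": "evil.example", "type": "Domain", "verdict": "Malicious",
     "expiration": None},                                       # active, never expires
    {"value": "198.51.100.7", "type": "IP", "verdict": "Suspicious",
     "expiration": None},                                       # duplicate value: dropped
]

if __name__ == "__main__":
    for fmt in ("txt", "csv", "json"):
        print(export_indicators(SAMPLE_INDICATORS, EXCLUSIONS, NOW, fmt))
```

The TXT output for the sample is two lines, 198.51.100.7 and evil.example; the expired address, the excluded internal address and the duplicate never reach the list.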

Feed-based job

You can define a job to trigger a playbook when the specified feed or feeds finish a fetch operation that included a modification to the list. The modification can be a new indicator, a modified indicator, or a removed indicator.