Cortex XSOAR Threat Intel includes access to the Unit 42 Intel service, enabling you to identify threats in your network and discover and contextualize trends. Unit 42 Intel provides data from WildFire (Palo Alto Networks’ cloud based malware sandbox), the PAN-DB URL Filtering database, Palo Alto Networks’ Unit 42 threat intelligence team, and from third-party feeds (including both closed and open-source intelligence). Unit 42 Intel data is continually updated to include the most recent threat samples analyzed by Palo Alto Networks, enabling you to keep up with threat trends and take a proactive approach to securing your network.
Unit 42 Intel data is cloud based and remotely maintained, so that you can view data from Unit 42 Intel and add only the information you need to your Cortex XSOAR threat intel library. When you search for an IP address, domain, URL, or file in the Threat Intel page, you are able to view the indicator in Cortex XSOAR as well as the additional information provided by Unit 42 Intel. When an indicator does not yet exist in Cortex XSOAR, but does exist in Unit 42 Intel, you are able to add the indicator to the Cortex XSOAR threat intel library. You have the option to add the indicator and enrich it with your existing integrations, or add the indicator without enrichment. When the indicator already exists in Cortex XSOAR, but there is additional information available from Unit 42 Intel, you can update your indicator with the most recent data from Unit 42 Intel.
For IP addresses, domains, URLs, and files, the following information is available:
For files, Unit 42 Intel also provides sample analysis that helps you conduct in-depth investigations, find links between attacks, and analyze threat patterns. If the file indicator is in the Unit 42 Intel service, you have access to a full report on activities, properties, and behaviors associated with the file. In addition, you can see how many other malicious, suspicious, or unknown file samples included the same activities, properties, and behaviors, and also build queries to find related samples.
Sessions & Submissions
Cortex XSOAR customers can use their Sessions & Submissions data for investigation and analysis in Cortex XSOAR. Sessions & Submissions data is available for customers with a TIM license and one or more of the following products:
Firewall - Samples that a Palo Alto Networks firewall forwarded to WildFire.
WF Appliance - Samples that a WildFire appliance submitted to the WildFire public cloud.
Cortex XDR - Samples submitted through Cortex XDR.
Prisma SaaS - Samples submitted through Prisma SaaS.
Prisma Access - Samples submitted through Prisma Access.
While the Sample Analysis tab provides information on what a file did, the Sessions & Subscriptions tab provides in-depth information on communication between devices. For example, you have a file indicator that has been determined to be malicious, and you have a Palo Alto Networks Firewall and Cortex XDR. In the Sessions & Submissions tab, you can see where this file came from and where it has gone in your network by viewing the firewall sessions this file passed through. You can see which XDR agents in your system reported the file, which tells you which machines might be infected. You can block the external IP address with your firewall, and, if needed, isolate the affected machines to contain the attack. If the source is internal, you can investigate that endpoint.
The Threat Intel Management system in Cortex XSOAR includes a feed that brings in a collection of threat intel objects as indicators. These indicators are stored in the Cortex XSOAR threat intel library and include Malware, Attack Patterns, Campaigns and Threat Actors.
When you add or update an indicator from Unit 42 Intel, a relationship is formed in the database between the relevant threat intel object and the new, or updated, indicator.
Unit 42 Intel is available from Cortex XSOAR v6.5, for customers with a TIM license. When upgrading from an earlier Cortex XSOAR version, the TIM license must be updated. Contact Cortex XSOAR Customer Support to receive the updated license file.
When upgrading from an earlier version to Cortex XSOAR v6.5 or later or adding a TIM license to an existing Cortex XSOAR v6.5 or later deployment, the TIM license must be updated to enable full access to Unit 42 Intel features.
Unit 42 Intel includes indicator relationship data provided as part of the Unit 42 Intel Objects Feed. To access in-depth information about related indicators, the Unit 42 Intel Objects Feed integration must be installed and enabled. The feed integration instance is automatically configured for new Cortex XSOAR v6.5 or later installations with a TIM license, or installations with a TIM license upgraded from 6.5 or later.
The Palo Alto Networks Wildfire Reports integration provides a PDF of the Wildfire report for a file sample. The PDF is available for download from the file’s Unit 42 Intel tab. The integration instance is automatically configured for new Cortex XSOAR v6.5 or later installations with a TIM license, or installations with a TIM license upgraded from 6.5 or later.
If you have an existing TIM license, and are upgrading from Cortex v6.2 or earlier to Cortex XSOAR v6.5 or later:
Contact Cortex XSOAR Customer support to receive the updated TIM license file. Confirm the Unit 42 Intel Objects Feed and Palo Alto Networks Wildfire Reports integrations are installed and enabled.
If you have an existing Cortex XSOAR license for v6.5 or later (without TIM), and are adding a TIM license:
After adding the TIM license, confirm the Unit 42 Intel Objects Feed and Palo Alto Networks Wildfire Reports integrations are installed and enabled.
Tenants accounts have access to Unit 42 Intel, with the following limitations:
On the Sample Analysis page, only Public Samples are available. My Samples data is not available for multi-tenant deployments.
Sessions & Submissions data is not available for multi-tenant deployments.
For tenant accounts, the API key must be manually entered for the Unit 42 Intel Objects Feed integration and the Palo Alto Networks WildFire Reports integration. Enter the API key in the instance configuration.