When you add indicators to the Cortex XSOAR threat intel library from Unit 42 Intel, the indicators are available for use in automations and playbooks.
Unit 42 Intel data is not automatically added to the Cortex XSOAR indicator database. When you query for an indicator on the Threat Intel page, in some cases the indicator is not in the Cortex XSOAR threat intel library, but exists in Unit 42 Intel. In other cases, the indicator may already be in the Cortex XSOAR threat intel library, but more in-depth information is available from Unit 42 Intel.
If the indicator does not exist in Cortex XSOAR, there are two options for adding the data from Unit 42 Intel:
Click on Add to XSOAR
The indicator is added to Cortex XSOAR. If the indicator is related to one or more Unit 42 threat intel objects already in Cortex XSOAR (brought in through the Unit 42 Feed integration), relationships are created in the database between the Unit 42 threat intel objects and the file indicator. No third-party enrichments are run on the indicator. We recommend using this option if, for security reasons, you do not want to expose the indicator to any third-party services.
Click on Add to XSOAR & Enrich
The indicator is added to Cortex XSOAR. If the indicator is related to one or more Unit 42 threat intel objects already in Cortex XSOAR (brought in through the Unit 42 Feed integration), relationships are created in the database between the Unit 42 threat intel objects and the file indicator. Your configured third-party enrichments are run on the indicator.
Update Indicator with Unit 42 Intel
If the indicator already exists in Cortex XSOAR, but more information is available from Unit 42 Intel, the following options are available:
Click on Update
Updated Unit 42 Intel for the indicator is added to Cortex XSOAR. If the indicator is related to one or more Unit 42 threat intel objects already in Cortex XSOAR (brought in through the Unit 42 Feed integration), relationships are created in the database between the Unit 42 threat intel objects and the file indicator. No third-party enrichments are run on the indicator. We recommend using this option if, for security reasons, you do not want to expose the indicator to any third-party services.
Click on Update & Enrich
Updated Unit 42 Intel for the indicator is added to Cortex XSOAR. If the indicator is related to one or more Unit 42 threat intel objects already in Cortex XSOAR (brought in through the Unit 42 Feed integration), relationships are created in the database between the Unit 42 threat intel objects and the file indicator. Your configured third-party enrichments are run on the indicator.