File Indicator Merging Strategy - Threat Intel Management Guide - 6.8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Threat Intel Management Guide

Product
Cortex XSOAR
Version
6.8
Creation date
2022-09-29
Last date published
2023-12-12
End_of_Life
EoL
Category
Threat Intel Management Guide

When a file is created in the system, whether from a feed, indicator extraction, or manually added, its original value is created as the indicator’s value, while its complementing hashes are saved as fields.

For example, if a SHA256 indicator is extracted from an email and enriched, an indicator with the SHA256 as the value will be created, and any other hash that is found in the enrichment phase (such as MD5, SHA1) will be attributed to it as a field. If, in the future, a file with the then-attributed MD5 is created in the system, Cortex XSOAR automatically identifies it and merges the two indicators together into one.

In a more specific example, the executable cmd.exe’s SHA256 FF79D3C4A0B7EB191783C323AB8363EBD1FD10BE58D8BCC96B07067743CA81D5 was found in an incident and extracted. It also went through enrichment, which provided the information that the file’s MD5 is D7AB69FAD18D4A643D84A271DFC0DBDF.

The file indicator includes:

ID: 1
Type: File
Value: FF79D3C4A0B7EB191783C323AB8363EBD1FD10BE58D8BCC96B07067743CA81D5
SHA256: FF79D3C4A0B7EB191783C323AB8363EBD1FD10BE58D8BCC96B07067743CA81D5
MD5: D7AB69FAD18D4A643D84A271DFC0DBDF

Afterwards, through a custom feed, the cmd.exe’s MD5 D7AB69FAD18D4A643D84A271DFC0DBDF hash is brought in, and Cortex XSOAR creates an indicator of type File with the MD5 as its value.

A new file indicator is created:

ID: 2
Type: File
Value: D7AB69FAD18D4A643D84A271DFC0DBDF
MD5: D7AB69FAD18D4A643D84A271DFC0DBDF

The automatic merging flow for the File indicator type identifies that the two indicators are the same file and merges them together.

The final File indicator, consolidating the two, is the same as the first example above:

ID: 1
Type: File
Value: FF79D3C4A0B7EB191783C323AB8363EBD1FD10BE58D8BCC96B07067743CA81D5
SHA256: FF79D3C4A0B7EB191783C323AB8363EBD1FD10BE58D8BCC96B07067743CA81D5
MD5: D7AB69FAD18D4A643D84A271DFC0DBDF