Add Unit 42 Intel Data - Threat Intel Management Guide - 6.9 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Threat Intel Management Guide

Product: Cortex XSOAR
Version: 6.9
Creation date: 2022-09-29
Last date published: 2024-02-22
End_of_Life: EoL
Category: Threat Intel Management Guide
Abstract

Add indicator data from Unit 42 Intel into Cortex XSOAR.

When you add indicators to the Cortex XSOAR threat intel library from Unit 42 Intel, the indicators are available for use in automations and playbooks.

Unit 42 Intel data is not automatically added to the Cortex XSOAR indicator database. When you query for an indicator on the Threat Intel page, in some cases the indicator is not in the Cortex XSOAR threat intel library but exists in Unit 42 Intel. In other cases, the indicator may already be in the Cortex XSOAR threat intel library, but more in-depth information is available from Unit 42 Intel.

  • If the indicator does not exist in Cortex XSOAR, there are two options when adding the data from Unit 42 Intel:

    • Click on Add to XSOAR

      The indicator is added to Cortex XSOAR. If the indicator is related to one or more Unit 42 threat intel objects already in Cortex XSOAR (brought in through the Unit 42 Feed integration), relationships are created in the database between the Unit 42 threat intel objects and the file indicator. No third-party enrichments are run on the indicator. We recommend using this option if, for security reasons, you do not want to expose the indicator to any third-party services.

    • Click on Add to XSOAR & Enrich

      The indicator is added to Cortex XSOAR. If the indicator is related to one or more Unit 42 threat intel objects already in Cortex XSOAR (brought in through the Unit 42 Feed integration), relationships are created in the database between the Unit 42 threat intel objects and the file indicator. Your configured third-party enrichments are run on the indicator.

Update an Indicator with Unit 42 Intel

  • If the indicator already exists in Cortex XSOAR, but more information is available from Unit 42 Intel, the following options are available:

    • Click on Update

      Updated Unit 42 Intel for the indicator is added to Cortex XSOAR. If the indicator is related to one or more Unit 42 threat intel objects already in Cortex XSOAR (brought in through the Unit 42 Feed integration), relationships are created in the database between the Unit 42 threat intel objects and the file indicator. No third-party enrichments are run on the indicator. We recommend using this option if, for security reasons, you do not want to expose the indicator to any third-party services.

    • Click on Update & Enrich

      Updated Unit 42 Intel for the indicator is added to Cortex XSOAR. If the indicator is related to one or more Unit 42 threat intel objects already in Cortex XSOAR (brought in through the Unit 42 Feed integration), relationships are created in the database between the Unit 42 threat intel objects and the file indicator. Your configured third-party enrichments are run on the indicator.