Export Indicators Playbooks - Threat Intel Management Guide - 6.9 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Threat Intel Management Guide

Product
Cortex XSOAR
Version
6.9
Creation date
2022-09-29
Last date published
2024-03-05
End_of_Life
EoL
Category
Threat Intel Management Guide
Abstract

There are several generic playbooks and several vendor-specific playbooks you can use to process indicators in Cortex XSOAR.

We provide numerous out-of-the-box playbooks for TIM, including playbooks that enable you to export indicators. All TIM related playbooks have the 'TIM' prefix. There are some that are generic (for example, TIM - Process Indicators - Fully Automated), and some that are dedicated for a specific vendor, like QRadar (for example, TIM - QRadar Add Domain Indicators) and ArcSight (for example, TIM- Arcsight Add IP Indicators).

If you define a playbook task input that pulls from indicators, the entire playbook runs in Quiet Mode. This means the task or playbook information is not written to the War Room, and inputs and outputs are not displayed in the playbook. However, errors and warnings are still written to the War Room.

Caution

You should not run a query on a field that you might change in the playbook flow. For example, you shouldn’t have a playbook with query Verdict:Malicious and then change the indicator verdict as a part of the playbook.