Export Indicators Playbooks - Threat Intel Management Guide - 6.9 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Threat Intel Management Guide

Cortex XSOAR
Creation date
Last date published
Threat Intel Management Guide

There are several generic playbooks and several vendor-specific playbooks you can use to process indicators in Cortex XSOAR.

We provide numerous out-of-the-box playbooks for TIM, including playbooks that enable you to export indicators. All TIM related playbooks have the 'TIM' prefix. There are some that are generic (for example, TIM - Process Indicators - Fully Automated), and some that are dedicated for a specific vendor, like QRadar (for example, TIM - QRadar Add Domain Indicators) and ArcSight (for example, TIM- Arcsight Add IP Indicators).

If you define a playbook task input that pulls from indicators, the entire playbook runs in Quiet Mode. This means the task or playbook information is not written to the War Room, and inputs and outputs are not displayed in the playbook. However, errors and warnings are still written to the War Room.


You should not run a query on a field that you might change in the playbook flow. For example, you shouldn’t have a playbook with query Verdict:Malicious and then change the indicator verdict as a part of the playbook.