Indicator Management - Threat Intel Management Guide - 6.9 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Threat Intel Management Guide

Product
Cortex XSOAR
Version
6.9
Creation date
2022-09-29
Last date published
2024-03-05
End_of_Life
EoL
Category
Threat Intel Management Guide
Abstract

Perform actions (create, edit, export, delete) and search for indicators on the Cortex XSOAR Threat Intel page.

After you have customized indicators and started ingesting indicators into Cortex XSOAR, you can create indicators, add indicators, extract indicators, export indicators, etc. If you have a TIM license you can use Threat Intel Reports and use the Unit 42 feature.

The Threat Intel page displays a table or summary view of all indicators, and enables you to perform several indicator actions. If you do not have a TIM license, the page is called Indicators.

You can perform the following actions:

Action

Description

View and take action on an indicator

Click on an indicator to view and take action on indicator. You can view in detail the verdict, relationships, timeline, enrich indicators, add tags, etc.

By default, when editing the following inline values in an incident/indicator, the changes are not saved until you confirm your changes (clicking the checkmark icon in the value field).

  • Dropdown values, such as Owner, Severity, etc.

  • Text values, such as Asset ID. (You can only edit when you click the pencil in the value field).

These icons are designed to let you have an additional level of security before you make changes to the fields in incidents/indicators.

To change this default behavior, set the inline.edit.on.blur server configuration to true to enable you to make changes to the inline fields without clicking the checkmark. The changes are automatically saved when clicking anywhere on the page or when navigating to another page. For text values you can also click anywhere in the value field to edit.

Create a new indicator

Manually create a new indicator in the system.

Create an incident

Create an incident from the selected indicators and populate relevant incident fields with indicator data.

Edit

Edit a single indicator or select multiple indicators to perform a bulk edit.

Delete and Exclude

Delete and exclude one or more indicators from all indicator types or from a subset of indicator types.

If you select the Do not add to exclusion list checkbox, the selected indicators are only deleted.

Export

Export the selected indicators to a CSV file. You can also Export an Indicator to CSV Using the UTF8-BOM Format.

Export (STIX)

Export the selected indicators to a STIX file.

Upload a STIX file

Upload a STIX file and add the indicators from the file to the system.

Indicator Query

You can search for indicators using any of the available search fields. This is a partial list of the available search fields.

Field

Description

type

The type of the indicator, such as File, Email, etc.

verdict

The reputation of the indicator:

  • Malicious

  • Suspicious

  • Benign

  • Unknown

aggregatedReliability

Searches for indicators based on a reliability score such as A - Completely reliable.

sourceBrands

Indicator feed or enrichment integrations.

sourceInstances

A specific instance of an indicator feed or enrichment integration.

expirationSource

The source (script, manual, etc.) which last set the indicator's expiration status.

tags

Tags applied to indicators.

comments

Search for keywords within indicators’ comments.

isShared

(Multi-tenant) Whether the indicator is shared to tenant

You can use a wildcard query, which finds indicators containing terms that match the specified wildcard. For example, the * pattern matches any sequence of 0 or more characters, and ? matches any single character. For a regex query, use the following value:

"/.*\\?.*/"