An overview of working with threat intel reports in Cortex XSOAR.
Threat Intel Reports gives you the ability to create, review, publish, and generate threat intelligence reports.
Threat intel reports summarize and share threat intelligence research conducted within your organization by threat analysts and threat hunters. Threat intelligence reports help you communicate the current threat landscape to internal and external stakeholders, whether in the form of high-level summary reports for C-level executives, or detailed, tactical reports for the SOC and other security stakeholders.
Note
If users are unable to see the Threat Intel page, ensure that users have access, by verifying that their user role is assigned the Threat Intel permission (Page Access).
The Threat Intel Reports page shows all the types of reports created. You can do the following:
Create a report
After you create a report, edit the report as required. The core of the report is the Overview/Summary section, which is used to enter freeform text. By default, users with Administrator or Analyst roles have read/write access to the reports. When creating a report, you can restrict the report to specific user roles. When you finish a section, select the checkmark to save. If you navigate away and return to the Threat Intel Reports page, the report appears in the Threat Intel Reports table. Select the report to continue working on it. When finished, you can send it for review, publish it, and generate a PDF version. When published, it creates a read-only version of the report for you to share.
Edit a report
You can edit the report when you create the report or from the Threat Intel Reports table (if you navigate away and return to the Threat Intel Reports page).
Delete a report
Rule-based Access Control
By default, all roles have read/write access to the reports. To grant read and read/write access only to specific roles, you can define access to reports by doing one of the following:
When you create a report, choose one or more roles in the Permissions section of the new report dialog.
After you create a report, choose one or more roles in the Access section of the report layout.
If a role has not been added to either the Access or Permissions section, the role does not have read and read/write access to the Threat Intel report.