Set up and customize threat intel report types in Cortex XSOAR.
Threat intel reports summarize and share threat intelligence research conducted within your organization by threat analysts and threat hunters. Threat intelligence reports help you communicate the current threat landscape to internal and external stakeholders, whether in the form of high-level summary reports for C-level executives, or detailed, tactical reports for the SOC and other security stakeholders.
Note
To customize and manage Threat Intel Reports, you must have a TIM license.
Threat intel reports help address multiple reporting use cases:
- Global cybersecurity threats: Report to colleagues and executives whether, and how, such threats affected your organization, and what was done to remediate them and prevent future attacks.
- Periodic monitoring: Keep track of infiltration attempts by adversaries within your industry vertical, and publish periodic status updates on any new behaviors.
- Open-source intelligence (OSINT) reports: Aggregate highlights of external publications that should be actively brought to the attention of your SOC. This is usually done to ensure that relevant employees are up to date with the latest security trends so they can make more informed decisions. For a practical example, see Weekly OSINT (Open Source Intelligence) Report.
- Threat hunting: Report to colleagues and the larger threat intelligence community about proactive searches for, and detection of, advanced threats that traditional prevention and detection tools do not find.
Each report consists of the following:
- Report type: Defines the kinds of reports your organization needs. Each type has an associated layout. You can create report types and report layouts, or customize existing ones. When analysts create a report, they select the report type.
- Report layout: Ensures the most relevant information is shown for each report type. The layout includes customizable fields for your use case.
- Report fields: Create fields or add existing fields to report layouts. After a report is created, the analyst populates the fields with relevant data.
Cortex XSOAR Threat Intel Management comes out-of-the-box with the following report types and layouts:
| Report type | Report layout | Description |
|---|---|---|
| Campaign | Campaign Report | Describes a campaign run by a threat actor. Includes fields such as Campaign Details and a free text field to add the threat type, origin, etc. |
| Executive Brief | Executive Brief Report | Used for an executive summary or any kind of generic report. |
| Malware | Malware Report | A report tailored for malware, with fields such as Operating System, Aliases, and Malware Type. |
| Threat Actor | Threat Actor Report | A report tailored for threat actors, with a special section for threat actor metadata such as the threat actor's name, goals, and motivation. |
| Vulnerability | Vulnerability Report | A report tailored for vulnerabilities, with a special section for vulnerability details such as CVE and CVSS. |
These report types, layouts, and fields are part of the Threat Intel Reports (Beta). For more details including screenshots, see Threat Intel Reports (BETA).
Note
By default, when editing the dropdown or text values in a threat intel report, the changes are not saved until you confirm them by clicking the checkmark icon in the value field.
The checkmark provides an additional safeguard before changes to fields in threat intel reports, incidents, and indicators are saved.
To change the default behavior, set the inline.edit.on.blur server configuration to true. This enables you to edit inline fields without clicking the checkmark: the changes are saved automatically when you click anywhere on the page or navigate to another page. For text values, you can also click anywhere in the value field to edit.