Learn how to use TIM and Unit 42 Intel in your investigation.
Before diving in, you should understand the functionality of Cortex XSOAR Threat Intelligence Management and how it fits your needs. Review the use cases and key details to optimize your Cortex XSOAR experience from the start. Threat Intel Management includes the following features:
- Access to Unit 42 Intel data
- Investigate files using sample analysis
- Submit Sessions and Submissions
- Manage Indicator Relationships
- Deep dive into an indicator on the Threat Intel page
- Customize an indicator layout
- Manage TIM reports
Note
Although some features, such as indicator customization, are available without a TIM license, you must have the Cortex XSOAR Threat Intel Management (TIM) license to use the TIM features.
Licenses
Cortex XSOAR requires a yearly license per user. Multi-year licenses are available.
License usage
The following table describes the Cortex XSOAR editions, who each one is built for, and the licenses each one includes:
Version | Usage | License |
---|---|---|
Cortex XSOAR (Enterprise) Edition | Built for customers who need a complete security automation solution. | Includes the SOAR Enterprise and TIM Enterprise licenses. |
Cortex XSOAR Threat Intel Management Edition | Built for Threat Intelligence and Security Operations teams who need threat intelligence-based automation. | Includes the TIM Enterprise license only. |
Cortex XSOAR Starter Edition | Built for Security Operations and Incident Response customers who need case management with collaboration and playbook-driven automation. | Includes the SOAR Enterprise license only. |
License quota
The following table describes the license quotas of each version in Cortex XSOAR.
Feature | XSOAR TIM (TIM only) | XSOAR Starter Edition (SOAR only) | XSOAR (SOAR + TIM) |
---|---|---|---|
Integrations | Unlimited | Unlimited | Unlimited |
Incident Management | 30-day history | | |
Incident Triggered Automations | 166 daily | Unlimited | Unlimited |
Job Triggered Automations | Unlimited | Unlimited | Unlimited |
Intel Feeds | Unlimited | 5 active feeds, 100 indicators/fetch | Unlimited |
Threat Intel Library | Unlimited | Intelligence detail view and relationship data are not included | Unlimited |
Unit 42 Intelligence | Unlimited UI access, 5k/day API points | Not included | Unlimited UI access, 5k/day API points |
Note
Intel feed quotas are based on whether the Fetches Indicators field is selected in the integration instance settings, not on whether the instance is enabled. Disabling an integration instance does not affect the Intel feed quota. For example, if the AWS Feed is enabled and fetching indicators, and you don't want it to count toward your quota, open the integration settings and clear the Fetches Indicators checkbox.