Indicator management on the Main Tenant

Cortex XSOAR Cloud Documentation

Product: Cortex XSOAR
Version: 8
Creation date: 2024-03-07
Last date published: 2024-12-12
Category: Administrator Guide
Solution: Cloud
Abstract

View and take action on indicators on the Main Tenant.

From the Main Tenant, on the Threat Intel page, you can see the following tabs:

  • Indicators

  • Threat Intel Management (TIM) reports

The Threat Intel page shows all indicators and TIM reports across all child tenants.

Note

If you don't have a TIM license, you can only view the Indicators tab.

You can't create indicators/TIM reports on the Main Tenant.

Although you can't investigate indicators directly, you can pivot to the indicator on the child tenant by clicking the indicator. You can also go to the child tenant's indicator page by clicking Main Tenant (top left of the window) and selecting the relevant child tenant.

By default, the Indicators page displays open indicators (from all child tenants) from the last seven days. You can filter this by changing the date and selecting the relevant tenant.

In the Indicators tab, you can do the following:

  • Export CSV: Export the selected indicators to a CSV file. By default, the CSV file is generated in UTF8 format. Administrator permission is required to update server configurations, including changing the format; see Export incidents and indicators to CSV using the UTF8-BOM format.

  • Export STIX: Export the selected indicators to a STIX file.