Manage indicators - Administrator Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Cloud Documentation

Product
Cortex XSOAR
Version
8
Creation date
2024-03-07
Last date published
2024-11-28
Category
Administrator Guide
Solution
Cloud
Abstract

Perform actions (create, edit, export, delete) on indicators and search for them on the Cortex XSOAR Indicators page, without a TIM license.

After you start ingesting indicators into Cortex XSOAR, you can start your investigation, including extracting indicators, creating indicators, adding indicators to an incident, and exporting indicators.

Note

You need a TIM license to investigate an indicator on the Indicator page and to use the Unit 42 features, such as Sample Analysis and Sessions and Submissions. For more information, see Indicator investigation with a TIM license.

The Indicators page displays a list of indicators added to Cortex XSOAR, where you can perform the following indicator actions:


Create an indicator

Indicators are added to the Indicators table from incoming incidents, from feed integrations, or by creating a new indicator manually.

When creating an indicator, you can either select a verdict in the Verdict field or leave it blank and click Save & Enrich, which enriches the indicator from the configured enrichment sources and calculates the verdict from the results. After you select an indicator type, you can fill in any custom fields defined for that type.

Create an incident

Create an incident from the selected indicator and populate relevant incident fields with indicator data.

Edit

Edit a single indicator or select multiple indicators to perform a bulk edit.

Delete and Exclude

Delete one or more indicators and add them to the exclusion list, either for all indicator types or only for a subset of indicator types, so that they are not extracted or created again from incidents or feeds. For more information, see Delete and exclude indicators.

If you select the Do not add to exclusion list checkbox, the selected indicators are only deleted and can be created again later.

Export CSV

Export the selected indicators to a CSV file. By default, the CSV file is UTF-8 encoded without a byte order mark (BOM).

Switching the export to the UTF8-BOM format (which, for example, lets Microsoft Excel open non-ASCII indicator values correctly) is a server configuration change and requires administrator permission. To change the format, see Export incidents and indicators to CSV using the UTF8-BOM format.

Export STIX

Export the selected indicators to a STIX file.

Upload a STIX file

Click the upload button (top right of the page) to add the indicators contained in a STIX file.
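The Delete and Exclude semantics from the table above (exclusion for all indicator types versus a subset of types, and the Do not add to exclusion list checkbox), as an added Python example that is not Cortex XSOAR's own code. The Indicator fields, the type names, the in-memory store and the sample feed are assumptions made for the illustration:

```python
"""Delete-and-exclude semantics for indicators, modelled on the table above.

Added example, not Cortex XSOAR code. It shows how an exclusion list scoped
to all indicator types or to a subset of types suppresses re-creation of an
indicator by later feed or incident ingestion, and how "Do not add to
exclusion list" reduces the action to a plain delete. The Indicator fields
and type names are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Indicator:
    value: str
    type: str  # assumed type names, e.g. "IP", "Domain", "URL"


def _norm(value: str) -> str:
    """Compare values case-insensitively and ignoring surrounding whitespace."""
    return value.strip().lower()


class ExclusionList:
    """Maps a normalized value to the set of excluded types; None means all types."""

    def __init__(self) -> None:
        self._entries: Dict[str, Optional[FrozenSet[str]]] = {}

    def add(self, value: str, types: Optional[List[str]] = None) -> None:
        key = _norm(value)
        scope: Optional[FrozenSet[str]] = None if types is None else frozenset(types)
        if key in self._entries:
            old = self._entries[key]
            # Merge with the existing entry; an all-types entry absorbs any subset.
            scope = None if old is None or scope is None else old | scope
        self._entries[key] = scope

    def is_excluded(self, indicator: Indicator) -> bool:
        key = _norm(indicator.value)
        if key not in self._entries:
            return False
        scope = self._entries[key]
        return scope is None or indicator.type in scope


IndicatorStore = Dict[Tuple[str, str], Indicator]  # keyed by (type, normalized value)


def delete_and_exclude(store, exclusions, selected, types=None, add_to_exclusion_list=True):
    """Delete the selected indicators and, unless the analyst ticked
    "Do not add to exclusion list", exclude them for all types or for `types`."""
    deleted: List[Indicator] = []
    for ind in selected:
        if store.pop((ind.type, _norm(ind.value)), None) is not None:
            deleted.append(ind)
        if add_to_exclusion_list:
            exclusions.add(ind.value, types)
    return deleted


def ingest(store, exclusions, incoming):
    """Add indicators arriving from a feed or incident, honouring the exclusion list.
    Returns (created, skipped_as_excluded); duplicates are silently left alone."""
    created: List[Indicator] = []
    skipped: List[Indicator] = []
    for ind in incoming:
        if exclusions.is_excluded(ind):
            skipped.append(ind)
            continue
        key = (ind.type, _norm(ind.value))
        if key not in store:
            store[key] = ind
            created.append(ind)
    return created, skipped


def demo():
    """Constructed scenario: seed three indicators, delete two in different ways,
    then let a feed re-deliver them together with a new IP."""
    store: IndicatorStore = {}
    exclusions = ExclusionList()
    seed = [Indicator("10.0.0.1", "IP"), Indicator("example.com", "Domain"),
            Indicator("http://example.com/x", "URL")]
    ingest(store, exclusions, seed)
    # Delete the Domain indicator and exclude it for the Domain type only.
    delete_and_exclude(store, exclusions, [seed[1]], types=["Domain"])
    # Delete the IP with "Do not add to exclusion list": it may come back later.
    delete_and_exclude(store, exclusions, [seed[0]], add_to_exclusion_list=False)
    feed = [Indicator("EXAMPLE.COM", "Domain"), Indicator("http://example.com/x", "URL"),
            Indicator("10.0.0.1", "IP"), Indicator("10.0.0.2", "IP")]
    created, skipped = ingest(store, exclusions, feed)
    return created, skipped, store


if __name__ == "__main__":
    created, skipped, store = demo()
    print("created:", [i.value for i in created])
    print("skipped (excluded):", [i.value for i in skipped])
    print("store size:", len(store))
```

In the constructed scenario the Domain indicator stays gone even when the feed re-delivers it with different casing, the URL that merely contains the same host is untouched because the exclusion is scoped to the Domain type, and the IP that was deleted without an exclusion entry is simply created again.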
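The Export CSV, Export STIX and Upload a STIX file actions above, as an added Python example that is not Cortex XSOAR's own exporter or importer. It writes the same rows with and without the UTF-8 BOM, builds a STIX 2.1 bundle of Indicator objects, and parses such a bundle back into indicator values and types as an upload must; the CSV columns, the type names and the type-to-STIX-pattern mapping are assumptions:

```python
"""Export indicators to CSV (UTF-8, optionally with a BOM) and to a STIX 2.1
bundle, and parse indicators back out of a STIX 2.1 bundle as an upload would.

Added example, not Cortex XSOAR's exporter or importer. The indicator type
names, the CSV columns and the type-to-pattern mapping are assumptions.
"""
import codecs
import csv
import io
import json
import re
import uuid
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample, with a non-ASCII value to show why the BOM matters in Excel.
SAMPLE_INDICATORS: List[Dict[str, str]] = [
    {"value": "198.51.100.7", "type": "IP", "verdict": "Malicious"},
    {"value": "bösartig.example", "type": "Domain", "verdict": "Suspicious"},
    {"value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
     "type": "File SHA256", "verdict": "Benign"},
]

# Assumed mapping from indicator type to a STIX 2.1 pattern template.
STIX_TEMPLATES: Dict[str, str] = {
    "IP": "[ipv4-addr:value = '{v}']",
    "Domain": "[domain-name:value = '{v}']",
    "File SHA256": "[file:hashes.'SHA-256' = '{v}']",
}
# STIX string literals escape backslash and single quote with a backslash.
_LITERAL = r"'((?:[^'\\]|\\.)*)'"
STIX_PARSERS = []
for _type, _tmpl in STIX_TEMPLATES.items():
    _prefix, _suffix = _tmpl.split("'{v}'")
    STIX_PARSERS.append((_type, re.compile("^" + re.escape(_prefix) + _LITERAL + re.escape(_suffix) + "$")))


def _stix_escape(value: str) -> str:
    return value.replace("\\", "\\\\").replace("'", "\\'")


def _stix_unescape(literal: str) -> str:
    return re.sub(r"\\(.)", r"\1", literal)


def export_csv(indicators, bom: bool = False) -> bytes:
    """Serialize indicators as CSV; bom=True prepends the UTF-8 BOM (UTF8-BOM format)."""
    buf = io.StringIO()
    writer = csv.writer(buf)  # quotes values containing commas or quotes
    writer.writerow(["value", "type", "verdict"])
    for ind in indicators:
        writer.writerow([ind["value"], ind["type"], ind.get("verdict", "")])
    return buf.getvalue().encode("utf-8-sig" if bom else "utf-8")


def has_utf8_bom(data: bytes) -> bool:
    return data.startswith(codecs.BOM_UTF8)


def export_stix_bundle(indicators, now: Optional[datetime] = None) -> dict:
    """Build a STIX 2.1 bundle of Indicator objects; unmapped types are skipped."""
    stamp = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    objects = []
    for ind in indicators:
        template = STIX_TEMPLATES.get(ind["type"])
        if template is None:
            continue
        objects.append({
            "type": "indicator", "spec_version": "2.1",
            "id": f"indicator--{uuid.uuid4()}",
            "created": stamp, "modified": stamp, "valid_from": stamp,
            "name": ind["value"],
            "pattern": template.format(v=_stix_escape(ind["value"])),
            "pattern_type": "stix",
        })
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


def bundle_to_bytes(bundle: dict, bom: bool = False) -> bytes:
    """Serialize a bundle as a file an analyst might upload, optionally with a BOM."""
    return json.dumps(bundle, ensure_ascii=False).encode("utf-8-sig" if bom else "utf-8")


def parse_stix_bundle(data: bytes) -> List[Dict[str, str]]:
    """Extract value/type pairs from the Indicator objects of an uploaded bundle.
    Objects whose pattern is not a recognised single-observable form are ignored
    rather than failing the whole upload."""
    bundle = json.loads(data.decode("utf-8-sig"))  # tolerate a BOM on upload too
    if bundle.get("type") != "bundle":
        raise ValueError("not a STIX bundle")
    found = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        for ind_type, pattern_re in STIX_PARSERS:
            match = pattern_re.match(obj.get("pattern", ""))
            if match:
                found.append({"value": _stix_unescape(match.group(1)), "type": ind_type,
                              "stix_id": obj.get("id", "")})
                break
    return found


def roundtrip(indicators) -> List[Dict[str, str]]:
    """Export to STIX and parse back, as an export followed by an upload would."""
    return parse_stix_bundle(bundle_to_bytes(export_stix_bundle(indicators)))
```

The two CSV outputs differ only in the three leading bytes EF BB BF; without them, Excel decodes the file with the local legacy code page and mangles values such as the umlaut domain, which is the practical reason for the UTF8-BOM server setting. On the upload side the parser deliberately skips unrecognised patterns and any object that is not a stix-typed Indicator, so one unexpected object does not block the rest of the file.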

Note

By default, when you edit list or text values in an incident or indicator, the change is not saved until you confirm it by clicking the checkmark icon in the value field. This confirmation step is a safeguard against accidental changes to incident and indicator fields.

You can change this default behavior through a server configuration, which requires administrator permission. For more information, see Configure inline value fields.

You can also undertake various actions on the indicator, such as:


Enrich an indicator

You can view detailed information about the indicator (for example, WHOIS data) by enriching it through third-party integrations such as VirusTotal and IPinfo. For more information, see Extract and enrich an indicator.

Expire an indicator

You may want to expire an indicator to filter out less relevant alerts, allowing analysts to focus on active threats. For more information, see Expire an indicator.

View indicator relationships

Relationships enhance investigations with information about how an indicator is connected to other indicators or incidents. Without a TIM license you can view relationships but cannot create, edit, or delete them. For more information, see View indicator relationships in an investigation.