Perform actions (create, edit, export, delete) and search for indicators on the Cortex XSOAR Indicators (no TIM license).
After you start ingesting indicators into Cortex XSOAR, you can start your investigation, including extracting indicators, creating indicators, adding indicators to an incident, and exporting indicators.
Note
You need a TIM license to investigate the indicator on the Indicator page, and use the Unit 42 features such as Sample Analysis, and Sessions and Submissions. For more information, see Indicator investigation with a TIM license.
The Indicators page displays a list of indicators added to Cortex XSOAR, where you can perform the following indicator actions:
Action | Description |
---|---|
Create an indicator | Indicators are added to the Indicators table from incoming incidents, feed integrations, or manually creating a new indicator. When creating an indicator, in the Verdict field, you can either select a verdict or leave it blank to calculate it by clicking Save & Enrich, which updates the indicator from enrichment sources. After you select an indicator type, you can add any custom field data. |
Create an incident | Create an incident from the selected indicator and populate relevant incident fields with indicator data. |
Edit | Edit a single indicator or select multiple indicators to perform a bulk edit. |
Delete and Exclude | Delete and exclude one or more indicators from all indicator types or a subset of indicator types. For more information, see Delete and exclude indicators. If you select the Do not add to exclusion list checkbox, the selected indicators are only deleted. |
Export CSV | Export the selected indicators to a CSV file. By default, the CSV file is generated in UTF8 format. You need administrator permission to change server configurations including the format. To change the format, see Export incidents and indicators to CSV using the UTF8-BOM format. |
Export STIX | Export the selected indicators to a STIX file. |
Upload a STIX file | To upload a STIX file, click the upload button (top right of the page) and add the indicators from the file. |
Note
By default, when editing a list or text values in an incident/indicator, the changes are not saved until you confirm your changes (clicking the checkmark icon in the value field). These icons are designed to give you additional security when updating fields in incidents and indicators.
You can change this default behavior by updating the server configuration. You need administrator permission to update server configurations. For more information, see Configure inline value fields.
You can also undertake various actions on the indicator, such as:
Action | Description |
---|---|
Enrich an indicator | You can view detailed information about the indicator (WHOIS information for example), using third-party integrations such as VirusTotal and IPinfo. For more information, see Extract and enrich an indicator. |
Expire an indicator | You may want to expire an indicator to filter out less relevant alerts, allowing analysts to focus on active threats. For more information, see Expire an indicator. |
View indicator relationships | Relationships enable you to enhance investigations with information about indicators and how they might be connected to other incidents or indicators. You can't create, edit, or delete relationships unless you have a TIM license. For more information, see View indicator relationships in an investigation. |