Query indicators - Administrator Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Cloud Documentation

Product: Cortex XSOAR
Version: 8
Creation date: 2024-03-07
Last date published: 2025-02-18
Category: Administrator Guide
Solution: Cloud
Abstract

How to query indicators in the threat intel library (without a TIM license).

You can search for indicators using any of the available search fields. The following is a partial list of those fields.

Field                  Description
type                   The type of the indicator, such as File or Email.
verdict                The reputation of the indicator: Malicious, Suspicious, Benign, or Unknown.
aggregatedReliability  Searches for indicators based on a reliability score, such as A - Completely reliable.
sourceBrands           Indicator feed or enrichment integrations.
sourceInstances        A specific instance of an indicator feed or enrichment integration.
expirationSource       The source (such as a script or manual) that last set the indicator's expiration status.
tags                   Tags applied to indicators.
comments               Search for keywords within indicators' comments.

You can use a wildcard query, which finds indicators containing terms that match the specified wildcard pattern: * matches any sequence of zero or more characters, and ? matches any single character. For a regex query, enclose the pattern in forward slashes, as in the following value, in which the ? is escaped so that it is matched literally rather than treated as a wildcard:

"/.*\\?.*/"
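The following Python example is added here to illustrate the two query forms above; it is not Cortex XSOAR code, and the indicator records, field values and function names are constructed for illustration. It shows that ? in a wildcard term matches any one character, that other characters such as . are matched literally, and that the /.../ regex value with an escaped ? matches only values containing a literal question mark.

```python
import re
from typing import List

# Constructed sample indicator records for illustration only (not real threat
# data); the field names come from the search-field table above.
SAMPLE_INDICATORS = [
    {"value": "evil.example.com", "type": "Domain", "verdict": "Malicious"},
    {"value": "eval.example.com", "type": "Domain", "verdict": "Suspicious"},
    {"value": "http://example.com/page?id=1", "type": "URL", "verdict": "Unknown"},
    {"value": "user@example.com", "type": "Email", "verdict": "Benign"},
]


def query_to_regex(query: str) -> "re.Pattern[str]":
    """Compile a search value into a regex.

    A value written as /pattern/ is used as a regular expression directly.
    Any other value is a wildcard term: * matches zero or more characters and
    ? matches exactly one; every other character (including . and /) is
    escaped so that it is matched literally.
    """
    if len(query) >= 2 and query.startswith("/") and query.endswith("/"):
        return re.compile(query[1:-1])
    parts = []
    for ch in query:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts))


def search_values(query: str, indicators=SAMPLE_INDICATORS) -> List[str]:
    """Return the values of the indicators whose whole value matches the query."""
    pattern = query_to_regex(query)
    return [ind["value"] for ind in indicators if pattern.fullmatch(ind["value"])]


if __name__ == "__main__":
    # The last query is the regex value from the page: only the URL contains a literal "?".
    for q in ("ev?l.example.com", "*.example.com", "*?*", "/.*\\?.*/"):
        print(f"{q!r:>20} -> {search_values(q)}")
```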