Indicator investigation - Threat Intel Management Guide - Administrator Guide - Cortex XSOAR 8

Cortex XSOAR SaaS Documentation

Product: Cortex XSOAR
Version: 8
Creation date: 2024-03-07
Last date published: 2025-12-14
Category: Administrator Guide
Solution: SaaS

Abstract

Learn how to use TIM in your use case, such as creating a TIM report, investigating an indicator and creating indicator relationships.

Cortex XSOAR enables you to centralize and manage every aspect of your TIM investigation. Create, extract, and enrich indicators and explore their relationships to gain deeper insights.

Once indicators are being ingested into Cortex XSOAR, you can begin your investigation: create indicators, add indicators to an incident, extract indicators, export indicators, and so on.

When investigating an indicator, you can see the following tabs:

  • Summary

    View the verdict; enrich, expire, delete, and exclude the indicator; add relationships; view related incidents; and add comments. Add or remove tags to help classify known threats. For example, you may want to tag the indicators of a ransomware campaign by component, such as trojan or loader.

  • Additional Details

    Add or view any community notes for sharing and any custom details.

When investigating an indicator, you can perform actions on it, such as:

  • Enrich an indicator

    View detailed information about the indicator (for example, WHOIS records) by using third-party integrations such as VirusTotal and IPinfo. For more information, see Extract and enrich an indicator.

  • Expire an indicator

    Expiring an indicator filters out less relevant alerts, allowing analysts to focus on active threats. For more information, see Expire an indicator.

  • Manage indicator relationships

    Indicator relationships are connections between different indicators, for example IP addresses related to one another, or domains impersonating legitimate domains. Relationships are created automatically by threat intel feeds and enrichment integrations that support relationship creation. For more information, see Manage indicator relationships.

  • Delete and exclude indicators

    Indicators added to an exclusion list are disregarded by the system: they are not created and are not involved in automated flows. For more information, see Delete and exclude indicators.