How to query indicators in the threat intel library
You can access threat intel data through the following methods:
On the Threat Intel page, select an indicator to start investigating.
When investigating an incident, select an extracted indicator. The Quick View shows basic information about the indicator in Cortex XSOAR; the Full View shows the complete Cortex XSOAR indicator summary.
On the Threat Intel page, query an indicator.
The Threat Intel library is a centralized space for all indicators, whether they are found in an incident, brought in as a feed, or added manually. You can view in-depth information on collected indicators and filter the library based on common attributes.
Note
You can search or look up indicators. A search, which can include wildcards and complex queries, can return multiple results. Lookups are exact values and can only return one result.
Indicator query fields
You can search for indicators using any of the available search fields. This is a partial list of the available search fields.
| Field | Description |
|---|---|
| | The type of the indicator, such as File or Email. |
| | The reputation of the indicator: |
| | Searches for indicators based on a reliability score such as |
| | Indicator feed or enrichment integrations. |
| | A specific instance of an indicator feed or enrichment integration. |
| | The source (such as script or manual) that last set the indicator's expiration status. |
| | Tags applied to indicators. |
| | Search for keywords within indicators' comments. |
You can use a wildcard query, which finds indicators containing terms that match the specified wildcard. For example, the * pattern matches any sequence of 0 or more characters, and ? matches any single character. For a regex query, use the following value:
"/.*\\?.*/"