Configure File Indicators - Threat Intel Management Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Threat Intel Management Guide

Cortex XSOAR
Creation date
Last date published
Threat Intel Management Guide

You can have a single file indicator for file objects in Cortex XSOAR or each file can have a hash as its own indicator.

By default, Cortex XSOAR uses a single File indicator for file objects. As a result, files that appear with their SHA256 hash and all other hashes associated with the file, (MD5, SHA1, and SSDeep) are listed as properties of the same indicator. In addition, when ingesting an incident through an integration, all file information is presented as one object.

If the file appears in a different incident with a different name, and has any of the same hash values, it automatically associates with the original indicator.

If you want to have each file hash appear as its own indicator, do the following:

  1. Go to Settings & InfoSettingsObjects SetupIndicatorsTypes.

  2. Select the checkbox for Show Disabled.

  3. Select the File indicator and click Disable.

  4. Select the following required hashes:

    • File SHA-256

    • File SHA-1

    • File MD5

    • SSDeep

  5. Click Enable.