Unit 42 Intel Overview - Threat Intel Management Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Threat Intel Management Guide

Product: Cortex XSOAR
Version: 8
Creation date: 2023-11-02
Last date published: 2024-02-22
Category: Threat Intel Management Guide
Abstract

Provides Unit 42 Intel data for additional indicator information, sample analysis, and sessions & submissions analysis.

Cortex XSOAR Threat Intel includes access to the Unit 42 Intel service, enabling you to identify threats in your network and discover and contextualize trends. Unit 42 Intel provides data from WildFire (Palo Alto Networks’ cloud-based malware sandbox), the PAN-DB URL Filtering database, Palo Alto Networks’ Unit 42 threat intelligence team, and third-party feeds (including both closed and open-source intelligence). Unit 42 Intel data is continually updated to include the most recent threat samples analyzed by Palo Alto Networks, enabling you to keep up with threat trends and take a proactive approach to securing your network.

Unit 42 Intel data is cloud-based and remotely maintained, so you can view data from Unit 42 Intel and add only the information you need to your Cortex XSOAR threat intel library. When you search for an IP address, domain, URL, or file in the Threat Intel page, you can view the indicator in Cortex XSOAR as well as the additional information provided by Unit 42 Intel. When an indicator does not yet exist in Cortex XSOAR but does exist in Unit 42 Intel, you can add the indicator to the Cortex XSOAR threat intel library, either enriching it with your existing integrations or adding it without enrichment. When the indicator already exists in Cortex XSOAR but additional information is available from Unit 42 Intel, you can update your indicator with the most recent data from Unit 42 Intel.

For IP addresses, domains, URLs, and files, the following information is available:

Indicator Type   Layout Sections
IP address       Verdict, Source, Relationships, PAN-DB Categorization, Passive DNS
URL              Verdict, Source, Relationships, PAN-DB Categorization, WHOIS
Domain           Verdict, Source, Relationships, PAN-DB Categorization, Passive DNS, WHOIS
File             Verdict, Source, Relationships, Summary, WildFire Analysis, Related Sessions & Submissions

Sample Analysis

For files, Unit 42 Intel also provides sample analysis that helps you conduct in-depth investigations, find links between attacks, and analyze threat patterns. If the file indicator is in the Unit 42 Intel service, you have access to a full report on activities, properties, and behaviors associated with the file. In addition, you can see how many other malicious, suspicious, or unknown file samples included the same activities, properties, and behaviors, and also build queries to find related samples.

Sessions & Submissions

Cortex XSOAR customers can use their Sessions & Submissions data for investigation and analysis in Cortex XSOAR. Sessions & Submissions data is available for customers with a TIM license and one or more of the following products:

  • Firewall - Samples that a Palo Alto Networks firewall forwarded to WildFire.

  • WF Appliance - Samples that a WildFire appliance submitted to the WildFire public cloud.

  • Cortex XDR - Samples submitted through Cortex XDR.

  • Prisma SaaS - Samples submitted through Prisma SaaS.

  • Prisma Access - Samples submitted through Prisma Access.

While the Sample Analysis tab provides information on what a file did, the Sessions & Submissions tab provides in-depth information on communication between devices. For example, suppose you have a file indicator that has been determined to be malicious, and you have a Palo Alto Networks firewall and Cortex XDR. In the Sessions & Submissions tab, you can see where this file came from and where it has gone in your network by viewing the firewall sessions the file passed through. You can see which XDR agents in your system reported the file, which tells you which machines might be infected. You can block the external IP address with your firewall and, if needed, isolate the affected machines to contain the attack. If the source is internal, you can investigate that endpoint.

Relationships

The Threat Intel Management system in Cortex XSOAR includes a feed that brings in a collection of threat intel objects as indicators. These indicators are stored in the Cortex XSOAR threat intel library and include Malware, Attack Patterns, Campaigns and Threat Actors.

When you add or update an indicator from Unit 42 Intel, a relationship is formed in the database between the relevant threat intel object and the new, or updated, indicator.

Note

Unit 42 Intel is available for customers with a TIM license.