Configure the indicator timeline - Administrator Guide - Threat Intel Management Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Cloud Documentation

Product: Cortex XSOAR
Version: 8
Creation date: 2024-03-07
Last date published: 2024-09-19
Category: Administrator Guide
Solution: Cloud
Abstract

Add a server configuration to manage the indicator timeline in Cortex XSOAR and improve indicator timeline performance.

To effectively investigate an incident and analyze associated indicators, the SOC analyst must have access to up-to-date data and a clear view of the most recent changes made to the relevant indicators, as well as earlier entries of indicator changes. The indicator timeline provides access to recent and earlier indicator activity data, facilitating quicker threat detection and response actions.

Note

You must have the Cortex XSOAR Threat Intel Management (TIM) license to access the indicator timeline.

Enable or disable the indicator timeline

You can add server configurations to disable the indicator timeline display, or to disable the extraction of indicator data into the indicator timeline.

  1. Select Settings & Info > Settings > System > Server Settings > Server Configuration > Add Server Configuration.

  2. Add the following server configurations.

    Key: indicator.timeline.enabled
    Value: true or false
    Description: Enables the indicator timeline to be displayed in the Indicator Summary layout. The default is true.

    Key: indicator.timeline.auto.extract.enabled
    Value: true or false
    Description: Enables extracting indicator data to display in the indicator timeline. The default is true.

View indicator timeline entries

To see the indicator timeline entries, from the Threat Intel page select an indicator to go to the Indicator Summary page. If it does not contain the indicator timeline, you can edit the indicator layout and add the Timeline section.

By default, the indicator timeline table displays the dates, events, and sources that affect indicators, such as a change of verdict or of traffic light protocol. Click the cog wheel icon to edit the table settings, for example to also display the category and indicator ID columns, or to search the table columns.

The indicator timeline contains two tabs:

  • Latest events: Shows a table listing the most recent indicator timeline entries. This ensures continuous monitoring of security threats and provides access to the latest activity data.

  • Initial events: Shows a table listing the first indicator timeline entries.

By default, each tab displays a maximum of 100 entries. If there are 100 entries or fewer, both tabs display the same entries. If there are more than 100 entries, the Initial events tab displays the first 100 entries and the Latest events tab displays the 100 most recent entries. For example, if there are 105 entries, the Latest events tab displays the five newest entries plus the 95 entries that precede them chronologically, so those 95 entries appear in both tabs.
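The windowing rule above is easy to misread when the two tabs overlap. The following added example (not Cortex XSOAR code; the TimelineEntry fields, the helper names and the sample records are assumptions constructed for illustration) models the two tab views over a list of timeline entries and reports how many entries appear in both, reproducing the 105-entry case described above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple

# Assumed record shape: mirrors the default timeline table columns
# (date, event, source); it is not an XSOAR data structure.
@dataclass(frozen=True)
class TimelineEntry:
    date: datetime
    event: str
    source: str

# Default per-tab maximum stated in the documentation.
DEFAULT_LIMIT = 100


def build_sample_entries(count: int) -> List[TimelineEntry]:
    """Construct `count` entries one minute apart.

    The list is returned newest-first on purpose, to show that the
    views below sort by date and do not rely on input ordering.
    """
    start = datetime(2024, 3, 7, 9, 0)
    entries = [
        TimelineEntry(start + timedelta(minutes=i), f"event-{i}", "constructed")
        for i in range(count)
    ]
    return entries[::-1]


def timeline_views(
    entries: List[TimelineEntry], limit: int = DEFAULT_LIMIT
) -> Tuple[List[TimelineEntry], List[TimelineEntry]]:
    """Return (initial_events, latest_events), each at most `limit` entries.

    initial_events: the earliest `limit` entries in chronological order.
    latest_events:  the most recent `limit` entries in chronological order.
    With `limit` or fewer entries both views are identical.
    """
    if limit <= 0:
        raise ValueError("limit must be positive")
    ordered = sorted(entries, key=lambda e: e.date)
    initial = ordered[:limit]
    latest = ordered[-limit:]  # slicing a short list simply returns all of it
    return initial, latest


def overlap_count(initial: List[TimelineEntry], latest: List[TimelineEntry]) -> int:
    """Number of entries that are shown in both tabs."""
    return len(set(initial) & set(latest))


if __name__ == "__main__":
    initial, latest = timeline_views(build_sample_entries(105))
    print(len(initial), len(latest), overlap_count(initial, latest))
    print(latest[0].event, "->", latest[-1].event)
```

Running the block with 105 constructed entries shows both tabs holding 100 entries, the Latest events view starting at the sixth entry, and 95 entries shared between the views; with 50 entries the two views are identical.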