Indicator management - Administrator Guide - Threat Intel Management Guide - 8 - Cortex XSOAR - Cortex - Security Operations


Perform actions (create, edit, export, delete) and search for indicators on the Cortex XSOAR Threat Intel page.

Indicators are artifacts associated with security incidents and are an essential part of the incident management and remediation process. They help correlate incidents, create hunting operations, and enable you to easily analyze incidents and reduce Mean Time to Response (MTTR).

If you have a TIM license, Cortex XSOAR Threat Intel includes access to the Unit 42 Intel service, enabling you to identify threats in your network and discover and contextualize trends. Unit 42 Intel provides data from WildFire (Palo Alto Networks’ cloud-based malware sandbox), the PAN-DB URL Filtering database, Palo Alto Networks’ Unit 42 threat intelligence team, and third-party feeds (including both closed and open-source intelligence). Unit 42 Intel data is continually updated to include the most recent threat samples analyzed by Palo Alto Networks, enabling you to keep up with threat trends and take a proactive approach to securing your network.

The Threat Intel page is split into the following tabs:

  • Indicators

  • Sample Analysis

  • Sessions and Submissions

  • Threat Intel Reports


If you don't have a TIM license, you can only view the Indicators tab. For more information, see Manage indicators.


The Indicators tab displays a list of indicators added to Cortex XSOAR, where you can perform several indicator actions, including adding Unit 42 data.


If you are unable to perform a specific action or view data, you may not have sufficient user role permissions. Contact your Cortex XSOAR administrator for more details.

You can perform the following actions on the Threat Intel page.



Investigate an indicator

Click on an indicator to view and take action on the indicator.

Create an indicator

Indicators are added to the Indicators table from incoming incidents and feed integrations, by adding Unit 42 data, or by manually creating a new indicator.

When creating an indicator, in the Verdict field, you can either select a verdict or leave it blank to calculate it by clicking Save & Enrich, which updates the indicator from enrichment sources. After you select an indicator type, you can add any custom field data.


In the CLI, you can run the !createNewIndicator command.

Create an incident

Create an incident from the selected indicator and populate relevant incident fields with indicator data.


Edit

Edit a single indicator or select multiple indicators to perform a bulk edit.

Delete and Exclude

Delete and exclude one or more indicators from all indicator types or a subset of indicator types.

If you select the Do not add to exclusion list checkbox, the selected indicators are only deleted.

Export CSV

Export the selected indicators to a CSV file. By default, the CSV file is generated in UTF8 format. Changing the format is a server configuration update, and administrator permission is required to update server configurations. For more information, see Export incidents and indicators to CSV using the UTF8-BOM format.

Export STIX

Export the selected indicators to a STIX file.

Upload a STIX file

To upload a STIX file, click the upload button (top right of the page) and add the indicators from the file.
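The Export CSV encoding setting matters to whatever consumes the file downstream. The following is an added example, not Palo Alto Networks code: a loader that accepts an export in either UTF8 or UTF8-BOM format, next to the failure mode of a consumer that decodes a BOM-prefixed file as plain UTF-8. The column names (value, type, verdict) and the sample rows are constructed for illustration and are not taken from a real export.

```python
import csv
import io

UTF8_BOM = b"\xef\xbb\xbf"

def load_indicator_export(raw):
    """Parse an exported indicator CSV, with or without a UTF-8 BOM.

    Returns (rows, had_bom), where rows is a list of dicts keyed by header name.
    """
    had_bom = raw.startswith(UTF8_BOM)
    # "utf-8-sig" strips a leading BOM when present and is plain UTF-8 otherwise,
    # so the same code path handles both server configurations.
    text = raw.decode("utf-8-sig")
    reader = csv.DictReader(io.StringIO(text, newline=""))
    return list(reader), had_bom

def naive_header(raw):
    """Header row as seen by a consumer that decodes as plain UTF-8."""
    text = raw.decode("utf-8")
    return next(csv.reader(io.StringIO(text, newline="")))

def values_by_type(rows):
    """Group indicator values by their type column (assumed column names)."""
    grouped = {}
    for row in rows:
        grouped.setdefault(row["type"], []).append(row["value"])
    return grouped

# Constructed sample export: assumed columns, documentation-range values.
SAMPLE = (
    "value,type,verdict\r\n"
    "example.test,Domain,Malicious\r\n"
    "bücher.example,Domain,Suspicious\r\n"
    "198.51.100.7,IP,Malicious\r\n"
)
PLAIN = SAMPLE.encode("utf-8")   # default UTF8 export
WITH_BOM = UTF8_BOM + PLAIN      # UTF8-BOM export

if __name__ == "__main__":
    rows, had_bom = load_indicator_export(WITH_BOM)
    print("BOM present:", had_bom)
    print("by type:", values_by_type(rows))
    # The plain-UTF-8 consumer sees '\ufeffvalue' as the first column name,
    # so lookups on the "value" column fail for every row.
    print("naive header:", naive_header(WITH_BOM))
```

If a downstream script starts failing on the first column after the export format is changed, a BOM fused into the first header name is the likely cause.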


By default, when you edit list or text values in an incident or indicator, the changes are not saved until you confirm them by clicking the checkmark icon in the value field. These icons are designed to give you additional security when updating fields in incidents, indicators, and Threat Intel Reports.

You can change this default behavior by updating the server configuration. You need administrator permission to update server configurations. For more information, see Configure inline value fields.

Sample analysis

Unit 42 Intel provides sample analysis for files. This helps you conduct in-depth investigations, find links between attacks, and analyze threat patterns. If the file indicator is in the Unit 42 Intel service, you have access to a full report on activities, properties, and behaviors associated with the file. In addition, you can see how many other malicious, suspicious, or unknown file samples included the same activities, properties, and behaviors, and also build queries to find related samples. For more information, see Investigate files using sample analysis.

Sessions and Submissions

Unit 42 Intel provides in-depth information on device communication.

Cortex XSOAR users can use their sessions and submissions data for investigation and analysis. Sessions and Submissions data are available for users with the following products:

  • Firewall - Samples that a Palo Alto Networks firewall forwarded to WildFire.

  • WildFire Appliance - Samples that a WildFire appliance submitted to the WildFire public cloud.

  • Cortex XDR - Samples submitted through Cortex XDR.

  • Prisma SaaS - Samples submitted through Prisma SaaS.

  • Prisma Access - Samples submitted through Prisma Access.

For example, if you have a file indicator that has been determined to be malicious, and you have a Cortex XDR integration configured, the Sessions & Submissions tab shows where this file came from and where it is in your network: you can view the firewall sessions the file passed through. You can see which XDR agents in your system reported the file, which tells you which machines might be infected. You can block the external IP address with your firewall, and, if needed, isolate the affected machines to contain the attack. If the source is internal, you can investigate that endpoint. For more information, see Use sessions and submissions in your investigation.

Threat Intel Reports

Threat Intel Reports summarize and share threat intelligence research conducted within your organization by threat analysts and threat hunters. Threat Intel Reports help you communicate the current threat landscape to internal and external stakeholders, whether in the form of high-level summary reports for C-level executives, or detailed, tactical reports for the SOC and other security stakeholders. For more information, see Manage Threat Intel Reports.