Manage Threat Intel Reports - Administrator Guide - Threat Intel Management Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Cloud Documentation

Product: Cortex XSOAR
Version: 8
Creation date: 2024-03-07
Last date published: 2024-07-17
Category: Administrator Guide
Solution: Cloud
Abstract

An overview of working with threat intel reports in Cortex XSOAR.

Threat Intel Reports gives you the ability to create, review, publish, and generate threat intelligence reports.

Threat intel reports summarize and share threat intelligence research conducted within your organization by threat analysts and threat hunters. Threat intelligence reports help you communicate the current threat landscape to internal and external stakeholders, whether in the form of high-level summary reports for C-level executives, or detailed, tactical reports for the SOC and other security stakeholders.

Note

If users cannot see the Threat Intel page, verify that their user role is assigned the Threat Intel permission (Page Access).

The Threat Intel Reports page shows all the types of reports created. You can do the following:

  • Create a report

    After you create a report, edit the report as required. The core of the report is the Overview/Summary section, which is used to enter freeform text. By default, users with Administrator or Analyst roles have read/write access to the reports. When creating a report, you can restrict the report to specific user roles. When you finish a section, select the checkmark to save. If you navigate away and return to the Threat Intel Reports page, the report appears in the Threat Intel Reports table. Select the report to continue working on it. When finished, you can send it for review, publish it, and generate a PDF version. Publishing creates a read-only version of the report for you to share.

  • Edit a report

    You can edit the report when you create the report or from the Threat Intel Reports table (if you navigate away and return to the Threat Intel Reports page).

  • Delete a report

Role-based Access Control

By default, all roles have read/write access to the reports. To grant read and read/write access only to specific roles, you can define access to reports by doing one of the following:

  • When you create a report, choose one or more roles in the Permissions section of the new report dialog.

  • After you create a report, choose one or more roles in the Access section of the report layout.

If a role has not been added to either the Access or Permissions section, the role does not have read or read/write access to the Threat Intel report.

You can create a threat intel report by choosing a type and defining other basic report information. To customize threat intel reports, for example by creating new types and layouts, see Customize Threat Intel Reports.

When you create a report, Cortex XSOAR creates a blank report based on the type you choose. Once created, edit the report to populate it with relevant content before generating or sharing a report.

In the Overview/Summary section, enter freeform text using the Markdown editor, which enables you to apply formatting options to the body text, including text sizing, coloring, formatting, pictures/icons, logo, and section headers.

  1. Select Threat Intel → Threat Intel Reports → New Threat Intel Report.

  2. Enter a Name and configure any other relevant fields.

    You can edit any fields after you create the report.

  3. Create new Threat Intel Report.

    The report is automatically in draft report status.

  4. Edit report fields as needed and add any information about the specific report.

  5. In the Overview/Summary section, to use the Markdown editor, click M.

    When finished, select Preview and then save.

  6. (Optional) Change the status as required.

    For example, if you want to send the report to another user to check before you publish, select Review.

  7. Publish and generate a report.

When you have finished drafting a report, you can publish the report, which means all user roles have read-only access to the report to prevent other users from making changes. If you unpublish a report, that access is reverted. Publish/unpublish does not revert any read/write access that you granted to a specific role.

  1. Navigate to the Threat Intel Reports table and click the Name of the report you want to share.

  2. From the Access section, Publish the report.

    Once published, anyone you give the report link to can see the report (provided they have access to your Cortex XSOAR tenant). To remove read-only access, unpublish the report.

If you want to send the report to an audience beyond Cortex XSOAR users, you can generate the report as a PDF. Before generating the report, you can save the report as a template, so you don't need to define the settings again. To see a TIM report use case, go to Weekly OSINT (Open Source Intelligence) Report.

  1. Navigate to the Threat Intel Reports table and click the Name of the report you want to generate.

  2. Click the vertical ellipsis icon at the top right of the report and click Report.

  3. (Optional) If you want to generate a report from a specific tab, Select a tab to generate report from and then select the relevant tab.

  4. From the Properties section, choose a Format, Orientation, and Paper Size for the report.

  5. (Optional) Save the report as a template.

  6. Generate the report.