Cortex® XDR™ enables you to integrate external threat
intelligence service verdicts to aid in your incident investigation.
To aid you with threat investigation, Cortex XDR displays the WildFire-issued
verdict for each Key Artifact in an incident. To provide additional
verification sources, you can integrate an external threat intelligence
service with Cortex XDR. The threat intelligence services the app
supports are described below.

AutoFocus groups conditions and indicators related to a threat with a tag.
Tags can be user-defined or come from threat-research team publications
and are divided into classes, such as exploit, malware family, and malicious
behavior. When you add the service, the relevant tags display
in the incident details page. Without an AutoFocus license key,
you can still pivot from Cortex XDR to the service to initiate a
query for the artifact.

VirusTotal provides aggregated results from over 70 antivirus scanners,
domain services included in the block list, and user contributions.
The VirusTotal score is represented as a fraction, where, for example,
a score of 34/52 means that out of 52 queried services, 34 determined
the artifact to be malicious. When you add the service, the relevant
VirusTotal score displays in the incident details page. Without a
VirusTotal license key, you can still pivot from Cortex XDR to the
service to initiate a query for the artifact.

WildFire detects known and unknown threats, such as malware. The WildFire
verdict contains detailed insights into the behavior of identified threats.
The WildFire verdict displays next to the relevant artifacts in the incident
details page, in the causality view, and within the Live Terminal view of
processes. WildFire provides verdicts and analysis reports to Cortex XDR
users without requiring a license key. Using WildFire for next-generation
firewalls or other use cases continues to require an active license.

Before you can view external threat intelligence in Cortex XDR incidents,
you must obtain the license key for the service and add it to Cortex XDR.
If there is an issue, an error message provides more details.

Verify the service integration in an incident.
After adding the license key, you should see the additional
verdict information from the service included in an incident's details.
You can right-click the service, such as VirusTotal (VT) or AutoFocus (AF),
to see the entire verdict.
See Manage Incidents for
more information on where these services are used within the Cortex