File Indicators

You can have a single file indicator for file objects or each file can have a hash as its own indicator.
Cortex XSOAR uses a single File indicator for file objects. As a result, files appear with their SHA256 hash and all other hashes associated with the file, (MD5, SHA1, and SSDeep) are listed as properties of the same indicator. In addition, when ingesting an incident through an integration, all file information is presented as one object.
For example, when looking at an incident, there is a file indicator with a
Bad
Reputation value:
When clicking at the indicator, you can see additional information for that indicator, including all of the other known hashes associated with this file:
If the file appears in a different incident with a different name, and has any of the same hash values, it automatically associates with the original indicator.
The new File indicator only affects new indicators ingested to the Cortex XSOAR platform. Indicators that were already in Cortex XSOAR continue to appear as their respective hash-related indicators.
If you want to have each file hash appear as its own indicator, do the following:
  1. Go to
    Settings
    Advanced
    Indicator Types
    .
  2. Select the
    File
    indicator and click
    Disable
    .
  3. Select the following required hashes:
    • File SHA-256
    • File SHA-1
    • File MD5
    • SSDeep
  4. Click
    Enable
    .

Recommended For You