Threat Intel Concepts

These are the key concepts associated with threat intel management in Cortex XSOAR.

Fetch indicators

Cortex XSOAR includes integrations that fetch indicators from either a vendor-specific source, such as AutoFocus, or a generic source, such as a CSV or JSON file.

Export indicators

You can export indicators as a hosted list, an EDL, or a TAXII collection. This enables your SIEM or firewall to ingest or pull the indicator list to update policy rules. The supported list file types are JSON, CSV, and TXT.

Exclusion list

Indicators added to the exclusion list are ignored by the system and are not considered indicators.

Indicator expiration

When ingesting and processing millions of indicators on a daily basis, it is important to track whether each indicator is active or expired, and to define how and when indicators expire. The indicator field Expiration Status displays the indicator status, Active or Expired. The indicator field Expiration displays the method by which, and when, that indicator is expired. Indicator expiration is applied at the indicator type level: indicators assigned to a specific indicator type inherit that indicator type’s expiration method.

Indicator smart merge

The same indicator can originate from multiple sources and be enriched with multiple methods (integrations, scripts, playbooks, and so on). Cortex XSOAR employs smart merge logic to make sure indicators are accurately scored and aggregated.
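As an added illustration (not code from the Cortex XSOAR documentation or product), the following constructed Python model ties together the exclusion list, type-level indicator expiration inherited by each indicator, smart merge of the same indicator from several feeds, and a TXT-style EDL export. The expiration policy table, the merge rule (latest last-seen timestamp, union of sources) and the feed records are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
# Constructed model of type-level expiration (a simplification, not XSOAR's own logic):
# each indicator type carries one policy, ("never", None) or ("interval", days since last seen),
# and every indicator of that type inherits it.
TYPE_EXPIRATION = {"IP": ("interval", 7), "Domain": ("interval", 30), "File": ("never", None)}

@dataclass
class Indicator:
    value: str
    type: str
    last_seen: datetime
    sources: set = field(default_factory=set)

def smart_merge(records):
    """Collapse duplicate (type, value) records from several feeds into one indicator,
    keeping the latest last_seen timestamp and the union of reporting sources."""
    merged = {}
    for r in records:
        key = (r.type, r.value)
        if key in merged:
            merged[key].last_seen = max(merged[key].last_seen, r.last_seen)
            merged[key].sources |= r.sources
        else:
            merged[key] = Indicator(r.value, r.type, r.last_seen, set(r.sources))
    return list(merged.values())

def expiration_status(ind, now):
    """Return the Expiration Status field value, Active or Expired, from the type's policy."""
    method, days = TYPE_EXPIRATION[ind.type]
    if method == "never":
        return "Active"
    return "Expired" if now - ind.last_seen > timedelta(days=days) else "Active"

def export_edl(records, exclusion_list, now):
    """TXT-style EDL lines: merged, active indicators not on the exclusion list, one per line."""
    return sorted(ind.value for ind in smart_merge(records)
                  if ind.value not in exclusion_list and expiration_status(ind, now) == "Active")

# Constructed sample feed records (documentation-reserved addresses, not real indicators).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
FEED_RECORDS = [
    Indicator("198.51.100.7", "IP", NOW - timedelta(days=12), {"feed_a"}),
    Indicator("198.51.100.7", "IP", NOW - timedelta(days=4), {"feed_b"}),   # fresher sighting
    Indicator("203.0.113.9", "IP", NOW - timedelta(days=31), {"feed_a"}),   # past the 7-day interval
    Indicator("stale.example", "Domain", NOW - timedelta(days=42), {"feed_b"}),
    Indicator("intranet.example", "Domain", NOW - timedelta(days=2), {"feed_a"}),
    Indicator("CONSTRUCTED_SHA256_PLACEHOLDER", "File", NOW - timedelta(days=400), {"feed_c"}),
]
EXCLUSION_LIST = {"intranet.example"}  # known-benign value that must never reach the EDL
```

Running `export_edl(FEED_RECORDS, EXCLUSION_LIST, NOW)` yields only the merged IP (kept active by its fresher sighting) and the never-expiring file hash; the stale domain and IP are dropped as Expired and the excluded domain is ignored.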

Indicator timeline

The indicator timeline is the default section in the indicator summary layout. The timeline is in table format and displays an indicator’s complete history, including the first seen and last seen timestamp, changes made to indicator fields, and more.

Common indicator data model

When indicators are ingested, regardless of their source, they have a unified, common set of indicator fields, including traffic light protocol (TLP), expiration, and tags.

Feed-based job

You can define a job to trigger a playbook when the specified feed or feeds finish a fetch operation that included a modification to the list. The modification can be a new indicator, a modified indicator, or a removed indicator.
