You can have a single file indicator for file objects
or each file can have a hash as its own indicator.
Cortex XSOAR uses a single File indicator
for file objects. As a result, files appear with their SHA256 hash
and all other hashes associated with the file, (MD5, SHA1, and SSDeep)
are listed as properties of the same indicator. In addition, when
ingesting an incident through an integration, all file information
is presented as one object.
For example, when looking at an incident, there is a file indicator
When clicking at the indicator, you can see additional information
for that indicator, including all of the other known hashes associated
with this file:
If the file appears in a different incident with a different
name, and has any of the same hash values, it automatically associates
with the original indicator.
The new File indicator only affects new indicators ingested
to the Cortex XSOAR platform. Indicators that were already in Cortex
XSOAR continue to appear as their respective hash-related indicators.
If you want to have each file hash appear as its own indicator,
do the following: