You can have a single file indicator for file objects
in Cortex XSOAR or each file can have a hash as its own indicator.
Cortex XSOAR uses a single
for file objects. As a result, files appear with their SHA256 hash
and all other hashes associated with the file, (MD5, SHA1, and SSDeep)
are listed as properties of the same indicator. In addition, when
ingesting an incident through an integration, all file information
is presented as one object.
For example, when investigating an incident, in the
click on a
indicator. You can see additional
information for that indicator, including all of the other known
hashes associated with this file:
If the file appears in a different incident with a different
name, and has any of the same hash values, it automatically associates
with the original indicator.
indicator only affects
new indicators ingested to the Cortex XSOAR platform. Indicators
that were already in Cortex XSOAR continue to appear as their respective
If you want to have each file hash appear as its own indicator,
do the following: