1. Home
    2. Security Operations
    3. Cortex XSOAR
    4. Cortex XSOAR Administrator’s Guide
    5. Manage Indicators
    6. Understand Indicators
    7. Threat Intel Page

    Threat Intel Page

    Perform actions (create, edit, export, delete) and search for indicators on the Cortex XSOAR Threat Intel page.
    The Threat Intel page displays a table or summary view of all indicators, and enables you to perform several indicator actions.
    Indicator actions
    You can perform the following actions on the Indicators page.
    Action
    Description
    Create a new indicator
    Manually create a new indicator in the system.
    Create incident
    Create an incident from the selected indicators and populate relevant incident fields with indicator data.
    Edit
    Edit a single indicator or select multiple indicators to perform a bulk edit.
    Delete and Exclude
    Delete and exclude one or more indicators from all indicator types or from a subset of indicator types.
    If you select the
    Do not add to exclusion list
     check box, the selected indicators are only deleted.
    Export
    Export the selected indicators to a CSV file. You can Export an Indicator to CSV Using the UTF8-BOM Format.
    Export (STIX)
    Export the selected indicators to a STIX file.
    Upload a STIX file
    Upload a STIX file and add the indicators from the file to the system.
    Indicator query
    You can search for indicators using any of the available search fields. There are several search fields specific to indicators.
    Field
    Description
    type
    The type of the indicator, such as File, Email, etc.
    verdict
    The reputation of the indicator:
    • Malicious
    • Suspicious
    • Benign
    • Unknown
    aggregatedReliability
    Searches for indicators based on a reliability score such as
    A - Completely reliable
    .
    sourceBrands
    Indicator feed or enrichment integrations.
    sourceInstances
    A specific instance of an indicator feed or enrichment integration.
    expirationSource
    The source (script, manual, etc.) which last set the indicator's expiration status.
    tags
    Tags applied to indicators.
    comments
    Search for keywords within indicators’ comments.
    isShared
    (
    Multi-tenant
    ) Whether the indicator is shared to tenant
    You can use a wildcard query, which finds indicators containing terms that match the specified wildcard. For example, the
    *
     pattern matches any sequence of 0 or more characters, and
    ?
     matches any single character. For a regex query, use the following value:
    "/.*\\?.*/"

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2022 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo