Threat Intel Page
Perform actions (create, edit, export, delete) and search
for indicators on the Cortex XSOAR Threat Intel page.
The Threat Intel page displays a table
or summary view of all indicators, and enables you to perform several
indicator actions.
Indicator actions
You can perform the following actions on the Threat Intel page.
Action | Description |
---|---|
View and take action on an indicator | Click an indicator to open it and take action on it. You can view the verdict, relationships, and timeline in detail, enrich the indicator, add tags, and so on. By default, when you edit an inline field value in an incident or indicator, the change is not saved until you confirm it by clicking the check mark icon in the value field. The check mark is a deliberate confirmation step that guards against accidental changes to incident and indicator fields. To change this default, set inline.edit.on.blur to true; inline edits are then saved automatically, without the check mark, as soon as you click anywhere else on the page or navigate to another page (which also removes that confirmation step). For text values, you can also click anywhere in the value field to edit it. |
Create a new indicator | Manually create a new indicator in the system. |
Create incident | Create an incident from the selected indicators and populate the relevant incident fields with indicator data. |
Edit | Edit a single indicator, or select multiple indicators to perform a bulk edit. |
Delete and Exclude | Delete one or more indicators and add them to the exclusion list, either for all indicator types or for a subset of indicator types. If you select the Do not add to exclusion list check box, the selected indicators are only deleted. |
Export | Export the selected indicators to a CSV file. You can also export indicators to CSV in UTF8-BOM format, so that spreadsheet applications detect the UTF-8 encoding correctly. |
Export (STIX) | Export the selected indicators to a STIX file. |
Upload a STIX file | Upload a STIX file and add the indicators from the file to the system. |
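As an added example (not Cortex XSOAR's own export code), the following Python produces the same CSV-with-UTF-8-BOM shape locally from constructed sample indicators and checks what a reader sees with and without BOM-aware decoding. The optional formula guard is an added hardening step against spreadsheet formula injection, not part of the page's Export action; the sample indicator values and field names are assumptions.

```python
"""CSV export with a UTF-8 BOM, the "UTF8-BOM format" of the Export action.
Added example, not Cortex XSOAR code: it builds the file shape locally so the
BOM, its effect on readers, and a formula-injection guard can be checked."""
import csv
import io

UTF8_BOM = b"\xef\xbb\xbf"

# Constructed sample indicators (not real threat data); field names mirror
# indicator fields shown on the Threat Intel page. The last value is
# constructed so that a spreadsheet would treat it as a formula.
SAMPLE_INDICATORS = [
    {"value": "198.51.100.7", "type": "IP", "verdict": "Malicious", "tags": "c2;campaign-x"},
    {"value": "xn--exmple-cua.test", "type": "Domain", "verdict": "Suspicious", "tags": "idn"},
    {"value": "d41d8cd98f00b204e9800998ecf8427e", "type": "File", "verdict": "Benign", "tags": "known-good"},
    {"value": "anna@exämple.test", "type": "Email", "verdict": "Unknown", "tags": "ünicode"},
    {"value": '=HYPERLINK("http://example.test")', "type": "Domain", "verdict": "Unknown", "tags": "odd"},
]


def neutralise_formula(cell):
    """Prefix cells a spreadsheet would evaluate as a formula with a single
    quote so they render as text. Added hardening step (CSV formula-injection
    guard), not part of the page's export."""
    return "'" + cell if cell[:1] in ("=", "+", "-", "@", "\t", "\r") else cell


def indicators_to_csv_bytes(indicators, fields=("value", "type", "verdict", "tags"),
                            guard_formulas=True):
    """Serialise indicators to CSV bytes prefixed with a UTF-8 BOM.

    The BOM lets spreadsheet tools (notably Excel on Windows) detect UTF-8
    instead of decoding with the local code page, which would mangle
    non-ASCII indicator values such as addresses with accented characters."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(fields), extrasaction="ignore",
                            lineterminator="\n")
    writer.writeheader()
    for ind in indicators:
        row = {f: str(ind.get(f, "")) for f in fields}
        if guard_formulas:
            row = {f: neutralise_formula(v) for f, v in row.items()}
        writer.writerow(row)
    # "utf-8-sig" writes the BOM exactly once, at the start of the stream.
    return buf.getvalue().encode("utf-8-sig")


def has_utf8_bom(data):
    """True when the export starts with the three-byte UTF-8 BOM."""
    return data.startswith(UTF8_BOM)


def parse_csv_bytes(data):
    """Read an export back. Decoding with "utf-8-sig" strips the BOM; plain
    "utf-8" would leave U+FEFF glued to the first header name."""
    return list(csv.DictReader(io.StringIO(data.decode("utf-8-sig"))))


def first_header(data, encoding):
    """First column name as seen by a reader that decodes with `encoding`."""
    return data.decode(encoding).splitlines()[0].split(",")[0]


def write_export(path, indicators):
    """Write the BOM-prefixed CSV to `path` and return the byte count."""
    data = indicators_to_csv_bytes(indicators)
    with open(path, "wb") as fh:
        fh.write(data)
    return len(data)


if __name__ == "__main__":
    export = indicators_to_csv_bytes(SAMPLE_INDICATORS)
    print("BOM present:", has_utf8_bom(export))
    print("header via utf-8-sig:", first_header(export, "utf-8-sig"))
    print("header via plain utf-8:", repr(first_header(export, "utf-8")))
    for row in parse_csv_bytes(export):
        print(row)
```

When a downstream tool consumes the export programmatically, decode it with a BOM-aware codec (`utf-8-sig` in Python); otherwise the first column name carries a leading U+FEFF and lookups on `value` silently fail. The formula guard alters the exported value (a leading `'`), so keep it off when the file feeds another machine rather than a spreadsheet.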
Indicator query
You can search for indicators using any of the available search
fields. There are several search fields specific to indicators.
Field | Description |
---|---|
type | The type of the indicator, such as File, Email, and so on. |
verdict | The reputation (verdict) of the indicator. |
aggregatedReliability | Searches for indicators by reliability score, such as A - Completely reliable. |
sourceBrands | The indicator feed or enrichment integration that supplied the indicator. |
sourceInstances | A specific instance of an indicator feed or enrichment integration. |
expirationSource | The source (script, manual, and so on) that last set the indicator's expiration status. |
tags | Tags applied to indicators. |
comments | Search for keywords within indicators' comments. |
isShared | (Multi-tenant) Whether the indicator is shared with the tenant. |
You can use a wildcard query, which finds indicators containing terms that match the specified wildcard: * matches any sequence of zero or more characters, and ? matches any single character. Because ? is itself a wildcard, a wildcard term cannot match a literal question mark; for that, use a regex query, which wraps the pattern in forward slashes, for example "/.*\\?.*/" (the backslash escapes the ?, so this matches values that contain a literal question mark).
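The following Python is an added example, not Cortex XSOAR code. It assembles a field:value search string from the query fields listed above and models the documented wildcard and regex semantics locally over constructed sample indicators, so the difference between a wildcard ? and the literal-? regex form can be verified offline. The `and` joiner, the quoting of values with spaces, case-insensitive wildcard matching, and the sample data are assumptions of this model, not statements about the server's search engine.

```python
"""Indicator query helpers for the search fields listed above. Added example,
not Cortex XSOAR code: build_query assembles a field:value search string, and
term_matcher models the documented wildcard / regex semantics locally."""
import re

# Constructed sample indicators (not real threat data). Only the fields used
# below are modelled; field names follow the Threat Intel query fields.
SAMPLE_INDICATORS = [
    {"value": "198.51.100.7", "type": "IP", "verdict": "Malicious",
     "tags": ["c2"], "sourceBrands": ["FeedA"]},
    {"value": "198.51.100.8", "type": "IP", "verdict": "Suspicious",
     "tags": [], "sourceBrands": ["FeedA"]},
    {"value": "http://example.test/login?user=admin", "type": "URL",
     "verdict": "Malicious", "tags": ["phishing"], "sourceBrands": ["FeedB"]},
    {"value": "example.test", "type": "Domain", "verdict": "Unknown",
     "tags": [], "sourceBrands": ["FeedB"]},
    {"value": "d41d8cd98f00b204e9800998ecf8427e", "type": "File",
     "verdict": "Benign", "tags": ["known-good"], "sourceBrands": []},
]


def build_query(**filters):
    """Join field:value pairs with 'and'. Values containing whitespace are
    double-quoted, as needed for aggregatedReliability:"A - Completely reliable".
    Assumption: the server accepts this Lucene-style field:value form."""
    parts = []
    for field, value in filters.items():
        value = str(value)
        if any(c.isspace() for c in value):
            value = '"' + value.replace('"', '\\"') + '"'
        parts.append(f"{field}:{value}")
    return " and ".join(parts)


def wildcard_to_regex(pattern):
    """Translate the documented wildcards: '*' -> any run of 0+ characters,
    '?' -> exactly one character; every other character is matched literally."""
    return "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                   for c in pattern)


def term_matcher(term):
    """Return a predicate for one search term.
    '/pattern/' is a regex searched anywhere in the value (the page's example
    is unanchored by its leading and trailing .*); anything else is a wildcard
    term that must match the whole value, case-insensitively (assumption)."""
    if len(term) >= 2 and term.startswith("/") and term.endswith("/"):
        # Compiling caller-supplied regex: a pathological pattern can be slow
        # (ReDoS) and a malformed one raises re.error; neither is swallowed here.
        rx = re.compile(term[1:-1])
        return lambda v: rx.search(v) is not None
    rx = re.compile(wildcard_to_regex(term), re.IGNORECASE)
    return lambda v: rx.fullmatch(v) is not None


def search(indicators, field, term):
    """Return the values of indicators whose `field` matches `term`.
    List-valued fields (tags, sourceBrands) match if any element matches."""
    match = term_matcher(term)
    hits = []
    for ind in indicators:
        field_value = ind.get(field, "")
        values = field_value if isinstance(field_value, list) else [field_value]
        if any(match(str(v)) for v in values):
            hits.append(ind["value"])
    return hits


def literal_contains_term(text):
    """Build a regex term matching values that contain `text` literally.
    re.escape turns '?' into a backslash-escaped '?', so it is no longer a
    wildcard; for text='?' this yields the page's "/.*\\?.*/" form."""
    return "/.*" + re.escape(text) + ".*/"


if __name__ == "__main__":
    print(build_query(type="URL", verdict="Malicious",
                      aggregatedReliability="A - Completely reliable"))
    print("wildcard *?* :", search(SAMPLE_INDICATORS, "value", "*?*"))
    print("regex literal ?:", search(SAMPLE_INDICATORS, "value",
                                     literal_contains_term("?")))
```

Run stand-alone, the wildcard term `*?*` matches every non-empty value, because `?` consumes any one character, whereas `literal_contains_term("?")` yields the page's `"/.*\\?.*/"` form and matches only the URL containing a query string. Written as a Python string literal, the doubled backslash denotes the single-backslash regex `/.*\?.*/`.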