Query indicators in the Cortex XSOAR threat intel library and in Unit 42 Intel.

There are two ways to access Threat Intel data.
When investigating an incident, you can click on an extracted indicator. The Quick View shows basic information about the indicator in Cortex XSOAR and Unit 42 (if available). Clicking on Full view shows the full Cortex XSOAR indicator summary. If the indicator also exists in Unit 42 Intel, the Unit 42 Intel tab is available.
You can query for an indicator, which may or may not already be in the Cortex XSOAR threat intel library, from the search box on the Threat Intel page.
"Search" and "lookup" are different actions with different results. A search, which can include wildcards and complex queries, can return multiple results. Searches are only performed in Cortex XSOAR. Lookups are exact values, are performed in both Cortex XSOAR and Unit 42 Intel data, and can only return one result.
When querying directly on the Threat Intel page, the following considerations apply:

Querying for an IP address, domain, URL, or SHA256 file hash, without a wildcard or complex search (Boolean search, type:file, etc.), will query both the Cortex XSOAR threat intel library and Unit 42 Intel, with no date range limit.

If you enter an indicator type that is not an IP address, domain, URL, or SHA256 file hash, or you enter a wildcard or complex option (Boolean search, type:file, etc.), no lookup is performed in Unit 42. In Cortex XSOAR, a search is performed. By default, the search is for the last 7 days, but you can adjust the date range.

Wildcard searches can only be performed in the local Cortex XSOAR threat intel library, and not in Unit 42 Intel data. Example: *xample.com

Complex searches are only conducted in the local Cortex XSOAR threat intel library, and not in Unit 42 Intel data. Example: type:URL and verdict:Malicious

For files, only the SHA256 hash returns Unit 42 Intel data.

For a query to include Unit 42 Intel results, it must be a lookup for an exact match.
When a query is performed in both Cortex XSOAR and Unit 42 Intel, there are four possible results:

The indicator exists in Cortex XSOAR but does not exist in Unit 42 Intel. The Cortex XSOAR search result is displayed in a table. Click on the value to reach the Summary tab. The Summary tab presents information about the indicator stored in Cortex XSOAR. The Unit 42 Intel tab is greyed out.

The indicator exists in Unit 42 Intel, but does not exist in the Cortex XSOAR threat intel library. To view the Unit 42 Intel data for this indicator, click on the indicator search term in blue. From the Unit 42 Intel tab, you have the option to Add the indicator to Cortex XSOAR or to Add & Enrich.

The indicator exists in Cortex XSOAR and in Unit 42 Intel. The Cortex XSOAR result is displayed in a table. Click on the value to reach the Summary tab. The Summary tab presents information about the indicator stored in Cortex XSOAR. Click on the Unit 42 Intel tab to view Unit 42 data. From the Unit 42 Intel tab, you have the option to Update the indicator in Cortex XSOAR with additional information from Unit 42 Intel, or to Update & Enrich.

The indicator does not exist in Cortex XSOAR or in Unit 42 Intel. If the query was for an indicator type that is not an IP address, domain, URL, or SHA256 file hash OR if the query included a wildcard or a complex search, the search was performed on Cortex XSOAR data from the last 7 days. You can extend the date range to see if the indicator is in Cortex XSOAR but is older than 7 days.
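The lookup-versus-search rules above and the four possible results can be modelled as a small decision procedure. The following is an added illustration written for this page, not Cortex XSOAR or Unit 42 code; the type patterns, the local library and the Unit 42 data sets are constructed assumptions (documentation-reserved addresses), and the "*" wildcard is the only wildcard it recognises.

```python
import re

# Indicator types that the Threat Intel page looks up in Unit 42 Intel when
# queried as an exact value with no wildcard or complex-search syntax (assumed patterns).
EXACT_TYPES = {
    "ip": re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$"),
    "sha256": re.compile(r"^[0-9a-f]{64}$", re.IGNORECASE),
    "url": re.compile(r"^https?://[^\s]+$", re.IGNORECASE),
    "domain": re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE),
}


def classify(query: str) -> dict:
    """Decide whether a Threat Intel page query runs as a lookup or a search."""
    q = query.strip()
    if "*" in q:  # wildcard: local Cortex XSOAR search only, default 7 days
        return {"mode": "search", "reason": "wildcard", "sources": ["xsoar"], "default_days": 7}
    for name, pattern in EXACT_TYPES.items():
        if pattern.match(q):  # exact value of a supported type: lookup in both sources
            return {"mode": "lookup", "type": name, "sources": ["xsoar", "unit42"], "default_days": None}
    # field:value or Boolean syntax, or an unsupported type such as an MD5 or SHA1 hash
    reason = "complex" if (" " in q or ":" in q) else "unsupported_type"
    return {"mode": "search", "reason": reason, "sources": ["xsoar"], "default_days": 7}


def outcome(query: str, xsoar_library: set, unit42_data: set):
    """Map a query to one of the four documented results and the actions offered.

    Returns (result, actions). Unit 42 membership only counts when the query ran as a lookup.
    """
    plan = classify(query)
    q = query.strip()
    in_xsoar = q in xsoar_library
    in_unit42 = plan["mode"] == "lookup" and q in unit42_data
    if in_xsoar and in_unit42:
        return "both", ["Update", "Update & Enrich"]
    if in_xsoar:
        return "xsoar_only", []  # Unit 42 Intel tab greyed out
    if in_unit42:
        return "unit42_only", ["Add", "Add & Enrich"]
    # Neither: a search covered only the last 7 days, so widening the date range may help.
    return "neither", ["extend date range"] if plan["mode"] == "search" else []


# Constructed sample data (documentation-reserved addresses, not real intel).
XSOAR_LIBRARY = {"203.0.113.7", "example.com"}
UNIT42_DATA = {"example.com", "198.51.100.9"}
```

Running `classify` on an MD5 hash shows why it never returns Unit 42 data: it is not one of the four exact types, so it falls through to a local search.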