Understanding Indicator Queries

Query indicators in the Cortex XSOAR threat intel library and in Unit 42 Intel.
There are two ways to access Threat Intel data.
  • When investigating an incident, you can click on an extracted indicator. The Quick View shows basic information about the indicator in Cortex XSOAR and Unit 42 (if available). Clicking on Full view shows the full Cortex XSOAR indicator summary. If the indicator also exists in Unit 42 Intel, the Unit 42 Intel tab is available.
  • You can query for an indicator, which may or may not already be in the Cortex XSOAR threat intel library, from the search box on the Threat Intel page.
"Search" and "lookup" are different actions with different results. A search, which can include wildcards and complex queries, can return multiple results. Searches are only performed in Cortex XSOAR. Lookups are exact values, are performed in both Cortex XSOAR and Unit 42 Intel data, and can only return one result.
When querying directly on the Threat Intel page, the following considerations apply:
  • Querying for an IP address, domain, URL, or SHA256 file hash, without a wildcard or complex search (Boolean search, type:file, etc.), will query both the Cortex XSOAR threat intel library and Unit 42 Intel, with no date range limit.
  • If you enter an indicator type that is not an IP address, domain, URL, or SHA256 file hash, or you enter a wildcard or complex option (Boolean search, type:file, etc.), no lookup is performed in Unit 42. In Cortex XSOAR, a search is performed. By default, the search is for the last 7 days, but you can adjust the date range.
  • Wildcard searches can only be performed in the local Cortex XSOAR threat intel library, and not in Unit 42 Intel data. Example: *xample.com
  • Complex searches are only conducted in the local Cortex XSOAR threat intel library, and not in Unit 42 Intel data. Example: type:URL and verdict:Malicious
  • For files, only the SHA256 hash returns Unit 42 Intel data.
  • For a query to include Unit 42 Intel results, it must be a lookup for an exact match.
When a query is performed in both Cortex XSOAR and Unit 42 Intel, there are four possible results:
  • The indicator exists in Cortex XSOAR but does not exist in Unit 42 Intel.
    The Cortex XSOAR search result is displayed in a table. Click on the value to reach the Summary tab. The Summary tab presents information about the indicator stored in Cortex XSOAR. The Unit 42 Intel tab is greyed out.
  • The indicator exists in Unit 42 Intel, but does not exist in the Cortex XSOAR threat intel library.
    To view the Unit 42 Intel data for this indicator, click on the indicator search term in blue. From the Unit 42 Intel tab, you have the option to Add the indicator to Cortex XSOAR or to Add & Enrich.
  • The indicator exists in Cortex XSOAR and in Unit 42 Intel.
    The Cortex XSOAR result is displayed in a table. Click on the value to reach the Summary tab. The Summary tab presents information about the indicator stored in Cortex XSOAR. Click on the Unit 42 Intel tab to view Unit 42 data. From the Unit 42 Intel tab, you have the option to Update the indicator in Cortex XSOAR with additional information from Unit 42 Intel, or to Update & Enrich.
  • The indicator does not exist in Cortex XSOAR or in Unit 42 Intel.
    If the query was for an indicator type that is not an IP address, domain, URL, or SHA256 file hash, or if the query included a wildcard or a complex search, the search was performed on Cortex XSOAR data from the last 7 days. You can extend the date range to see if the indicator is in Cortex XSOAR but is older than 7 days.
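The routing rules above (exact IP, domain, URL or SHA256 value with no wildcard or complex syntax means a lookup in both sources with no date limit; anything else means a Cortex XSOAR search scoped to the last 7 days) and the four result cases that follow can be modelled as a small decision function. The following is an added illustration written for this page, not Cortex XSOAR product code: the indicator-type patterns are simplified (IPv4 only, http(s) URLs, ASCII domains), the `*` wildcard and the `field:value` / Boolean operator detection are assumptions about the search syntax, and the sample values are constructed (documentation IP ranges and the well-known hashes of the empty string).

```python
"""Model of how a Threat Intel page query is routed and what each outcome offers.

Constructed illustration of the rules described on this page; not Cortex XSOAR code.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Exact-match patterns, simplified (assumption): IPv4 only, http(s) URLs, ASCII domains.
_OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"
TYPE_PATTERNS = (
    ("ip", re.compile(rf"^{_OCTET}(?:\.{_OCTET}){{3}}$")),
    ("sha256", re.compile(r"^[0-9a-f]{64}$", re.I)),
    ("url", re.compile(r"^https?://\S+$", re.I)),
    ("domain", re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)),
    # Other hash lengths are recognised so the "only SHA256 reaches Unit 42" rule is explicit.
    ("md5", re.compile(r"^[0-9a-f]{32}$", re.I)),
    ("sha1", re.compile(r"^[0-9a-f]{40}$", re.I)),
)
# Only these four types are looked up in Unit 42 Intel.
LOOKUP_TYPES = {"ip", "domain", "url", "sha256"}

# Boolean operators or field:value filters mark a complex search (assumed syntax).
COMPLEX_RE = re.compile(r"\b(?:and|or|not)\b|\b\w+:", re.I)


@dataclass(frozen=True)
class QueryPlan:
    query: str
    mode: str                      # "lookup" or "search"
    indicator_type: Optional[str]  # detected type, None if unrecognised
    targets: Tuple[str, ...]       # data sources that will be queried
    default_days: Optional[int]    # default date-range limit (None = no limit)
    reason: str                    # why this mode was chosen


def plan_query(raw: str) -> QueryPlan:
    """Decide whether a Threat Intel page query is a lookup or a search."""
    q = raw.strip()
    itype = next((name for name, pat in TYPE_PATTERNS if pat.match(q)), None)
    if "*" in q:
        reason = "wildcard present"
    elif itype in LOOKUP_TYPES:
        # Exact value of a supported type: both sources, no date range limit.
        return QueryPlan(q, "lookup", itype, ("Cortex XSOAR", "Unit 42 Intel"), None,
                         "exact IP/domain/URL/SHA256 value")
    elif itype is None and COMPLEX_RE.search(q):
        reason = "complex search syntax"
    else:
        reason = f"type {itype or 'unrecognised'} is not looked up in Unit 42 Intel"
    # Everything else is a local search, scoped to the last 7 days by default.
    return QueryPlan(q, "search", itype, ("Cortex XSOAR",), 7, reason)


@dataclass(frozen=True)
class Outcome:
    summary_tab: bool          # Cortex XSOAR Summary tab reachable from the result table
    unit42_tab: str            # "available", "greyed out" or "not queried"
    actions: Tuple[str, ...]   # buttons offered on the Unit 42 Intel tab
    hint: str


def resolve_outcome(plan: QueryPlan, in_xsoar: bool, in_unit42: bool) -> Outcome:
    """Map presence in each source to the tabs and actions the page describes."""
    if plan.mode == "search":
        # A search never consults Unit 42 Intel and only covers the default date range.
        hint = "" if in_xsoar else (
            f"no match in the last {plan.default_days} days; extend the date range")
        return Outcome(in_xsoar, "not queried", (), hint)
    if in_xsoar and in_unit42:
        return Outcome(True, "available", ("Update", "Update & Enrich"), "")
    if in_xsoar:
        return Outcome(True, "greyed out", (), "")
    if in_unit42:
        return Outcome(False, "available", ("Add", "Add & Enrich"), "")
    return Outcome(False, "greyed out", (), "indicator is in neither source")  # tab state assumed


if __name__ == "__main__":
    # Constructed sample queries, one per routing rule on the page.
    for raw in ("192.0.2.1", "*xample.com", "type:URL and verdict:Malicious",
                "d41d8cd98f00b204e9800998ecf8427e"):
        p = plan_query(raw)
        print(f"{raw!r}: {p.mode} in {p.targets}, default range {p.default_days} ({p.reason})")
```

`plan_query` checks for a wildcard before anything else, so a value that would otherwise be a valid domain or URL still becomes a local 7-day search once it contains `*`; the type patterns are only consulted afterwards, which is why a `field:value` query never collides with the `https:` prefix of a URL.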