    Last Updated: Sat May 28 22:57:00 PDT 2022
    Current Version: 6.8
    • Version 6.8
    • Version 6.6
    • Version 6.5
    • Version 6.2 (EoL)
    • Version 6.0 (EoL)
    • Version 5.5 (EoL)

    Table of Contents


    • copyright
    • Threat Intel Management Overview
      • Threat Intel Concepts
    • Manage Indicators
      • Understand Indicators
        • Threat Intel Page
          • Export an Indicator to CSV Using the UTF8-BOM Format
        • Indicator Verdict
        • Indicator Expiration
        • Indicator Types
          • Create an Indicator Type
          • Indicator Type Profile
          • File Indicators
            • File Indicator Merging Strategy
        • Indicator Fields
          • Create a Custom Indicator Field
            • Configure the HTML Field
          • Map Custom Indicator Fields
          • Indicator Field Trigger Scripts
        • Customize Indicator View Layouts
          • Customize an Indicator Type Layout
          • Add a Script in the Indicator Layout
        • Exclusion List
        • Create a Feed-Triggered Job
        • Manage the Indicator Timeline
      • Indicator Extraction
        • Create Indicator Extraction Rules for an Incident Type
        • Configure What Indicator Extraction Executes
        • Run Indicator Extraction in the CLI
        • Create Indicator Extract Rules for a Playbook Task
        • Disable Indicator Extraction for Automations or Integrations
      • Indicator Relationships
        • Create Indicator Relationships
        • Leverage Relationships in the Canvas
    • Threat Intel Feeds
      • Feed Integrations
      • Set the Source Reliability of Enrichment Integrations
    • Threat Intel Management Playbooks
      • Create a TIM Playbook
    • Unit 42 Intel
      • Unit 42 Intel Overview
      • Understanding Indicator Queries
      • Add Unit 42 Intel Data
      • Sample Analysis
      • Sessions and Submissions
    • Export Indicators
      • Manually Export Indicators
      • Export Indicators Integrations
      • Export Indicators Playbooks
    • Threat Intel Reports
      • Threat Intel Reports Overview
      • Set Up and Customize Threat Intel Report Types
        • Configure Threat Intel Report Types
        • Configure Threat Intel Report Fields
        • Configure Threat Intel Report Layouts
      • Create a Threat Intel Report
      • Export or Share a Threat Intel Report

    Cortex XSOAR Threat Intel Management Guide


    Version 6.8


    The Cortex XSOAR Threat Intel Management guide provides you with the ability to unify the core components of threat intel, including threat intel aggregation, scoring, and sharing.

    Featured Topics

    Indicator Extraction

    Identifies indicators from different text sources in the system, extracts them and creates indicators in Cortex XSOAR.

    Threat Intel feed integrations

    Cortex XSOAR contains out-of-the-box threat intelligence feed integrations for your use.

    Create a TIM playbook

    Create a TIM (Threat Intelligence Management) playbook to run on an indicator search query.

    Unit 42 Intel

    Unit 42 Intel service enables you to identify threats in your network and discover and contextualize trends.

    Create a Threat Intel report

    Create a threat intel report by choosing a type and defining other basic report information.

    © 2022 Palo Alto Networks, Inc. All rights reserved.
