Understanding Indicator Queries - Threat Intel Management Guide - 6.9 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Threat Intel Management Guide

Product
Cortex XSOAR
Version
6.9
Creation date
2022-09-29
Last date published
2024-03-05
End of Life
EoL
Category
Threat Intel Management Guide
Abstract

Query indicators in the Cortex XSOAR threat intel library and in Unit 42 Intel.

There are two ways to access Threat Intel data.

  • When investigating an incident, you can click an extracted indicator. The Quick View shows basic information about the indicator from Cortex XSOAR and from Unit 42 Intel (if available). Clicking Full view opens the full Cortex XSOAR indicator summary; if the indicator also exists in Unit 42 Intel, the Unit 42 Intel tab is available.

  • You can query for an indicator, which may or may not already be in the Cortex XSOAR threat intel library, from the search box on the Threat Intel page.

Note

"Search" and "lookup" are different actions with different results. A search can include wildcards and complex queries, can return multiple results, and is performed only in the Cortex XSOAR threat intel library. A lookup takes an exact value, is performed in both Cortex XSOAR and Unit 42 Intel data, and returns at most one result.

When querying directly on the Threat Intel page, the following considerations apply:

  • Querying for an IP address, domain, URL, or SHA256 file hash, without a wildcard or complex search (Boolean search, type:file, etc.), will query both the Cortex XSOAR threat intel library and Unit 42 Intel, with no date range limit.

  • If you enter an indicator type that is not an IP address, domain, URL, or SHA256 file hash, or you enter a wildcard or complex option (Boolean search, type:file, etc.), no lookup is performed in Unit 42 Intel. In Cortex XSOAR, a search is performed. By default, the search covers the last 7 days, but you can adjust the date range.

  • Wildcard searches can only be performed in the local Cortex XSOAR threat intel library, and not in Unit 42 Intel data. Example: *xample.com

  • Complex searches are only conducted in the local Cortex XSOAR threat intel library, and not in Unit 42 Intel data. Example: type:URL and verdict:Malicious

  • For files, only the SHA256 hash returns Unit 42 Intel data. Other hash types, such as MD5 or SHA1, are searched only in the Cortex XSOAR threat intel library.

  • For a query to include Unit 42 Intel results, it must be a lookup for an exact match.
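The rules in the list above can be turned into a pre-flight check, which is useful before pasting a batch of values into the Threat Intel search box: it tells you in advance which values will be looked up in Unit 42 Intel with no date limit and which will only be searched locally over the default 7-day range. The Python below is an added example written for this page; it is not Cortex XSOAR product code and does not call any XSOAR API. The indicator type detection regexes, the function names (`detect_type`, `is_complex`, `plan_query`) and the `QueryPlan` structure are this example's own assumptions, and the sample queries are constructed values (RFC 5737 test addresses, the reserved example.com domain and the hashes of an empty input), not real indicators.

```python
"""Classify a Threat Intel page query the way the guide describes.

Exact lookups of IPs, domains, URLs and SHA256 hashes go to both the local
threat intel library and Unit 42 Intel with no date limit; every other value,
and any wildcard or complex query, is a local search over the last 7 days.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Indicator types that also get a Unit 42 Intel lookup when queried as an exact value.
UNIT42_LOOKUP_TYPES = frozenset({"ip", "domain", "url", "sha256"})
DEFAULT_SEARCH_DAYS = 7  # default date range applied to local searches

# The regexes below are this example's own heuristics (an assumption); they are
# not the indicator extraction rules that Cortex XSOAR applies internally.
_SHA256_RE = re.compile(r"^[0-9a-f]{64}$", re.I)
_SHA1_RE = re.compile(r"^[0-9a-f]{40}$", re.I)
_MD5_RE = re.compile(r"^[0-9a-f]{32}$", re.I)
_URL_RE = re.compile(r"^(?:https?|ftp)://\S+$", re.I)
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
_FIELD_RE = re.compile(r"\b[a-z_][a-z0-9_.]*:\S", re.I)   # field syntax, e.g. type:file
_BOOL_RE = re.compile(r"\b(?:and|or|not)\b", re.I)       # Boolean operators


@dataclass(frozen=True)
class QueryPlan:
    query: str
    kind: str                    # "lookup" (exact match) or "search"
    indicator_type: Optional[str]
    unit42: bool                 # whether Unit 42 Intel is consulted at all
    default_days: Optional[int]  # None means no date range limit


def detect_type(value: str) -> Optional[str]:
    """Best-effort type of a single exact value; None if it is not one we recognise."""
    v = value.strip()
    if not v or any(c.isspace() for c in v):
        return None
    try:
        ipaddress.ip_address(v)          # accepts both IPv4 and IPv6 literals
        return "ip"
    except ValueError:
        pass
    for name, rx in (("sha256", _SHA256_RE), ("sha1", _SHA1_RE), ("md5", _MD5_RE),
                     ("url", _URL_RE), ("domain", _DOMAIN_RE)):
        if rx.match(v):
            return name
    return None


def is_complex(query: str) -> bool:
    """Wildcard, field:value or Boolean syntax turns the query into a local-only search."""
    q = query.strip()
    if "*" in q:
        return True
    # A bare indicator value is never complex. This check comes first because a
    # URL contains "scheme:" and would otherwise look like field:value syntax.
    if detect_type(q) is not None:
        return False
    return bool(_FIELD_RE.search(q) or _BOOL_RE.search(q))


def plan_query(query: str) -> QueryPlan:
    """Decide lookup vs. search, Unit 42 involvement and the default date range."""
    q = query.strip()
    itype = detect_type(q)
    if not is_complex(q) and itype in UNIT42_LOOKUP_TYPES:
        return QueryPlan(q, "lookup", itype, unit42=True, default_days=None)
    # Any other type (MD5, SHA1, free text), wildcard or complex query: local search only.
    return QueryPlan(q, "search", itype, unit42=False, default_days=DEFAULT_SEARCH_DAYS)


if __name__ == "__main__":
    # Constructed sample queries (not taken from the page), one per rule above.
    samples = [
        "192.0.2.10",
        "2001:db8::1",
        "example.com",
        "https://example.com/login",
        "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",  # SHA256
        "d41d8cd98f00b204e9800998ecf8427e",                                  # MD5
        "*xample.com",
        "type:URL and verdict:Malicious",
    ]
    for s in samples:
        p = plan_query(s)
        scope = "XSOAR + Unit 42" if p.unit42 else "XSOAR only"
        days = "no date limit" if p.default_days is None else f"last {p.default_days} days"
        print(f"{s!r:<72} {p.kind:<6} {scope:<16} {days}")
```

Run it as a script to print one line per sample query. The ordering inside is_complex matters: a URL contains a colon, so the field:value test is only applied after the value has failed indicator-type detection; otherwise every URL would be misclassified as a complex search and its Unit 42 Intel lookup would be lost.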

When a query is performed in both Cortex XSOAR and Unit 42 Intel, there are four possible results:

  • The indicator exists in Cortex XSOAR but does not exist in Unit 42 Intel.

    The Cortex XSOAR search result is displayed in a table. Click on the value to reach the Summary tab. The Summary tab presents information about the indicator stored in Cortex XSOAR. The Unit 42 Intel tab is greyed out.

    [Screenshot: unit42-xsoar-data-only.png]

  • The indicator exists in Unit 42 Intel, but does not exist in the Cortex XSOAR threat intel library.

    To view the Unit 42 Intel data for this indicator, click on the indicator search term in blue.

    [Screenshot: unit42-search-not-in-xsoar.png]

    From the Unit 42 Intel tab, you have the option to add the indicator to Cortex XSOAR or to Add & Enrich.

  • The indicator exists in Cortex XSOAR and in Unit 42 Intel.

    The Cortex XSOAR result is displayed in a table.

    [Screenshot: unit42-and-xsoar-results.png]

    Click on the value to reach the Summary tab. The Summary tab presents information about the indicator stored in Cortex XSOAR. Click on the Unit 42 Intel tab to view Unit 42 data. From the Unit 42 Intel tab, you have the option to update the indicator in Cortex XSOAR with additional information from Unit 42 Intel, or to Update & Enrich.

  • The indicator does not exist in Cortex XSOAR or in Unit 42 Intel.

    If the query was for an indicator type that is not an IP address, domain, URL, or SHA256 file hash, or if the query included a wildcard or a complex search, the search was performed on Cortex XSOAR data from the last 7 days only. Extend the date range to check whether the indicator exists in Cortex XSOAR but is older than 7 days.

    [Screenshot: unit42-no-data.png]