View Intel Exchange Data in Cortex XSOAR

After you configure the Intel Exchange integration and enable data retrieval, Cortex XSOAR ingests threat intelligence from Cyware Intel Exchange. You can view the retrieved indicators and incidents directly in the Cortex XSOAR interface and use them during investigations and response workflows.

Intel Exchange data is mapped to the corresponding Indicator and Incident layouts in Cortex XSOAR, where analysts can review contextual information such as confidence scores, tags, and source details.

View indicators retrieved from Intel Exchange along with contextual information such as confidence score, source details, and associated tags.

Steps

To view the indicators fetched from Intel Exchange, follow these steps:

  1. Sign in to Cortex XSOAR.

  2. From the left navigation pane, go to Indicators.

  3. Select an indicator retrieved from Intel Exchange.

  4. Review the Indicator Summary layout to view the Intel Exchange context.

View incidents retrieved from Intel Exchange along with contextual information such as confidence score, source details, and associated tags.

Steps

To view the incidents fetched from Intel Exchange, follow these steps:

  1. Sign in to Cortex XSOAR.

  2. From the left navigation pane, go to Incidents.

  3. Select an incident generated from Intel Exchange data.

  4. Open the War Room to view:

    • Results of automated enrichment playbooks.

    • Command outputs from Intel Exchange integration actions.

    • Investigation notes and analyst activity.

You can also view raw threat intelligence data retrieved from Intel Exchange in the Context Data panel during an investigation.

Steps

To view the raw context data, follow these steps:

  1. Open an incident in Cortex XSOAR.

  2. In the War Room, click the Context icon in the upper-right corner.

  3. Search for the CTIX prefix to view the raw context data retrieved from Intel Exchange, including scores, relationships, and enrichment metadata.

The incidents triggered from Intel Exchange appear in this section. You can open an incident to view the associated intelligence and playbook execution details.

Configure Custom Fields in Cortex XSOAR

You can configure custom fields in Cortex XSOAR to store additional attributes retrieved from Intel Exchange. Custom fields allow you to map additional data points from the Intel Exchange API to indicator or incident layouts. If the required fields are not configured, the incoming data may not appear in the incident record.

The process for creating custom fields is the same for both Indicators and Incidents.

Steps

To create custom fields, follow these steps:

  1. Sign in to your Cortex XSOAR instance.

  2. Go to Settings > Settings & Info > Object Setup.

  3. Select Incidents or Indicators, depending on where you want to create the field.

  4. Open the respective Fields tab. Click +New Field.

  5. Enter the required field details, such as the Field Type, Field name, and other configuration options based on your requirements.

  6. Under the Attributes tab, ensure that the field is set to Editable.

  7. Click Save.