XSIAM Threat Intelligence Management Module

A.Velusamy — Fri, 15 May 2026 11:40:51 GMT

Hi ,

We have Threat Intel license in XSIAM. I need some guidance on how it can be effectively utilized in improving enrichment and detection.

Please share your experience and learnings. Thank you!

Re: XSIAM Threat Intelligence Management Module

susekar — Mon, 18 May 2026 15:14:36 GMT

Hello @A.Velusamy ,

Greetings for the day.

Utilizing a Threat Intelligence Management (TIM) license in Cortex XSIAM allows you to transform passive threat data into actionable security logic. The license unlocks the ability to manage indicator lifecycles, automate enrichment from third-party sources, and create active detection rules based on ingested Indicators of Compromise (IOCs).

1. Effectively Utilizing Enrichment:

Enrichment in XSIAM involves adding context (reputation, tags, related incidents) to indicators like IPs, domains, hashes, and URLs.

Native Unit 42 Enrichment:

-Unit 42 Intel is a continuous feed integrated into the XSIAM data lake. It functions in the background for automated threat matching and incident scoring.

Manual Update

To manually pull the latest Unit 42 data for a specific indicator:

Navigate to the indicator view.
Select the Unit 42 Intel tab.
Click Update & Enrich.

Automated Enrichment via Playbooks/Jobs

By default, ingested indicators are not automatically enriched by external services (for example, VirusTotal). You should automate this process to scale SOC operations.

Jobs Engine

Configure a job triggered by a "delta in feed" to run an enrichment playbook.

Enrichment Command

Use the following command within your automation playbooks to batch-enrich indicators: !enrichIndicators

Indicator Exclusion Lists

To manage API quotas and prevent noise, use the Exclusion List feature (unlocked by the TIM license) to prevent the auto-enrichment of private IP ranges (RFC 1918) and internal domains.

2. Improving Detection and Alerting:

Ingested indicators are stored passively in the TIM Indicators table and do not automatically trigger alerts in the general Analytics or BIOC engines.

Method 1: Indicator Rules (Active Detection)

This is the primary method for generating alerts from TIM data. These rules actively check ingested event data against your stored IOCs.

Path: Detection & Threat Intel → Threat Intel Management → Indicator Rules
When a match occurs, XSIAM generates a Threat Intelligence alert.

Method 2: Custom Correlation Rules (XQL)

For advanced logic (for example, joining network traffic with specific threat actor indicators), you can use the indicators dataset in XQL.

XQL Dataset Verification

Ensure your platform is version 3.2+ to access this dataset. You can verify availability with:

dataset = indicators

| fields *

| limit 10

3. Key Learnings and Best Practices:

Feed Management

Distinguish between:

Unit 42 proprietary feeds (included), and
Third-party feeds (which require separate commercial agreements with the vendor).

Permissions:

For SOC analysts to effectively use TIM during investigations, they must have:

View/Edit permissions for:
- Threat Intelligence → Indicators
- Detection Rules

Indicator Merging:

Be aware that XSIAM uses merging logic to deduplicate indicators. If a third-party vendor provides incorrect hash correlation data, it may overwrite fields (for example, linking different SHA256 hashes to the same file via a shared MD5).

Prevention vs. Detection:

IOCs managed via Indicator Rules are primarily for detection (post-execution).

For real-time prevention (blocking), use:

Global Block List (GBL) for hashes, or
External Dynamic Lists (EDL) for IPs and domains.

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".

Thanks & Regards,
S. Subashkar Sekar

topic Re: XSIAM Threat Intelligence Management Module in Cortex XSIAM Discussions