05-18-2026 08:13 AM - edited 05-18-2026 08:14 AM
Hello @A.Velusamy ,
Greetings for the day.
Utilizing a Threat Intelligence Management (TIM) license in Cortex XSIAM allows you to transform passive threat data into actionable security logic. The license unlocks the ability to manage indicator lifecycles, automate enrichment from third-party sources, and create active detection rules based on ingested Indicators of Compromise (IOCs).
Enrichment in XSIAM involves adding context (reputation, tags, related incidents) to indicators like IPs, domains, hashes, and URLs.
Unit 42 Intel is a continuous feed integrated into the XSIAM data lake. It functions in the background for automated threat matching and incident scoring.
To manually pull the latest Unit 42 data for a specific indicator:
By default, ingested indicators are not automatically enriched by external services (for example, VirusTotal). You should automate this process to scale SOC operations.
Configure a job triggered by a "delta in feed" to run an enrichment playbook.
Use the following command within your automation playbooks to batch-enrich indicators: !enrichIndicators
To manage API quotas and prevent noise, use the Exclusion List feature (unlocked by the TIM license) to prevent the auto-enrichment of private IP ranges (RFC 1918) and internal domains.
Ingested indicators are stored passively in the TIM Indicators table and do not automatically trigger alerts in the general Analytics or BIOC engines.
This is the primary method for generating alerts from TIM data. These rules actively check ingested event data against your stored IOCs.
For advanced logic (for example, joining network traffic with specific threat actor indicators), you can use the indicators dataset in XQL.
Ensure your platform is version 3.2+ to access this dataset. You can verify availability with:
dataset = indicators
| fields *
| limit 10
Distinguish between:
For SOC analysts to effectively use TIM during investigations, they must have:
Be aware that XSIAM uses merging logic to deduplicate indicators. If a third-party vendor provides incorrect hash correlation data, it may overwrite fields (for example, linking different SHA256 hashes to the same file via a shared MD5).
IOCs managed via Indicator Rules are primarily for detection (post-execution).
For real-time prevention (blocking), use:
If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".
Thanks & Regards,
S. Subashkar Sekar
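Two points in the answer above lend themselves to a concrete check: keeping RFC 1918 ranges and internal domains out of the external enrichment batch (the Exclusion List's effect), and spotting vendor records whose shared MD5 would cause XSIAM's merge logic to fold distinct SHA256 files into one indicator. The following is an added example written for this thread, not Palo Alto Networks code and not a Cortex XSIAM automation; it runs offline on constructed indicator records, and the internal domain suffixes and record layout are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample indicator records, loosely shaped like TIM indicator
# entries (value, type, optional md5 for file indicators). Not real intel data.
SAMPLE_INDICATORS = [
    {"value": "10.0.0.5", "type": "IP"},                      # RFC 1918, should be excluded
    {"value": "203.0.113.77", "type": "IP"},                  # documentation range, enrich
    {"value": "intranet.corp.example", "type": "Domain"},     # internal, should be excluded
    {"value": "evil.example.net", "type": "Domain"},          # external, enrich
    {"value": "a" * 64, "type": "File", "md5": "1" * 32},     # file A
    {"value": "b" * 64, "type": "File", "md5": "1" * 32},     # file B, vendor reused A's MD5
    {"value": "c" * 64, "type": "File", "md5": "2" * 32},     # unrelated file
]

# RFC 1918 ranges plus loopback and link-local, none of which warrant an external lookup.
PRIVATE_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Hypothetical internal domain suffixes; in practice this mirrors the TIM Exclusion List.
INTERNAL_DOMAIN_SUFFIXES = (".corp.example", ".internal")


def is_excluded(ind):
    """True when the indicator should not be sent to an external enrichment service."""
    if ind["type"] == "IP":
        try:
            addr = ipaddress.ip_address(ind["value"])
        except ValueError:
            # Malformed IP values only burn API quota; keep them out of the batch.
            return True
        return any(addr in net for net in PRIVATE_NETWORKS)
    if ind["type"] == "Domain":
        return ind["value"].lower().endswith(INTERNAL_DOMAIN_SUFFIXES)
    return False


def select_for_enrichment(indicators):
    """Partition indicators into (to_enrich, excluded), preserving input order."""
    to_enrich, excluded = [], []
    for ind in indicators:
        (excluded if is_excluded(ind) else to_enrich).append(ind)
    return to_enrich, excluded


def find_hash_merge_conflicts(indicators):
    """Return {md5: [sha256, ...]} for every MD5 claimed by more than one SHA256.

    Records sharing an MD5 would be merged into a single indicator, which is the
    field-overwrite scenario described in the answer; surfacing them before
    ingestion lets an analyst quarantine the bad vendor mapping instead.
    """
    by_md5 = defaultdict(set)
    for ind in indicators:
        if ind["type"] == "File" and ind.get("md5"):
            by_md5[ind["md5"].lower()].add(ind["value"].lower())
    return {md5: sorted(shas) for md5, shas in by_md5.items() if len(shas) > 1}


if __name__ == "__main__":
    enrich, skipped = select_for_enrichment(SAMPLE_INDICATORS)
    print("enrich :", [i["value"] for i in enrich])
    print("skipped:", [i["value"] for i in skipped])
    for md5, shas in find_hash_merge_conflicts(SAMPLE_INDICATORS).items():
        print(f"merge conflict: md5 {md5} claimed by {len(shas)} SHA256 values")
```

Run the filter before handing a batch to an enrichment playbook, and run the conflict check on any third-party feed that supplies hash correlations; a non-empty conflict dictionary is the signal to review that feed's data rather than let the merge proceed.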