Managing Threat Intelligence with Cortex XSOAR

Lab: 1 hour, 5 Credits, Intermediate

This lab may incorporate AI tools to support your learning.

This lab was developed with our partner, Palo Alto Networks. Your personal information may be shared with Palo Alto Networks, the lab sponsor, if you have opted in to receive product updates, announcements, and offers in your Account Profile.

GSP779

Overview

This lab provides an introduction to Cortex XSOAR Threat Intelligence Management. You will get hands-on experience using XSOAR to investigate and hunt real-world threats. You will also use XSOAR to consolidate threat intelligence feeds and enrich indicators of compromise (IoC) to streamline incident response workflows.

Palo Alto Networks has partnered with Google Cloud to host this lab. As part of the lab you will be given access to a Cortex XSOAR threat intel management instance.

What you'll learn

In this lab, you will perform the following tasks:

  • XSOAR Marketplace & Integrations
  • XSOAR Dashboards & Incidents
  • XSOAR Playbooks
  • XSOAR EDL Generation

Prerequisites

To complete the lab, you will need:

  • An internet browser, preferably Google Chrome.
  • Enough time to complete the lab.
  • Once you start the lab, you will not be able to pause and return later.
  • You do NOT need a Google Cloud account or project.
  • The account, project, and associated resources are provided to you as part of this lab.

Setup and requirements

Before you click the Start Lab button

Read these instructions. Labs are timed and you cannot pause them. The timer, which starts when you click Start Lab, shows how long Google Cloud resources are made available to you.

This hands-on lab lets you do the lab activities in a real cloud environment, not in a simulation or demo environment. It does so by giving you new, temporary credentials you use to sign in and access Google Cloud for the duration of the lab.

To complete this lab, you need:

  • Access to a standard internet browser (Chrome browser recommended).
Note: Use an Incognito (recommended) or private browser window to run this lab. This prevents conflicts between your personal account and the student account, which may cause extra charges incurred to your personal account.
  • Time to complete the lab—remember, once you start, you cannot pause a lab.
Note: Use only the student account for this lab. If you use a different Google Cloud account, you may incur charges to that account.

How to start your lab and sign in to the Google Cloud console

  1. Click the Start Lab button. If you need to pay for the lab, a dialog opens for you to select your payment method. On the left is the Lab Details pane with the following:

    • The Open Google Cloud console button
    • Time remaining
    • The temporary credentials that you must use for this lab
    • Other information, if needed, to step through this lab
  2. Click Open Google Cloud console (or right-click and select Open Link in Incognito Window if you are running the Chrome browser).

    The lab spins up resources, and then opens another tab that shows the Sign in page.

    Tip: Arrange the tabs in separate windows, side-by-side.

    Note: If you see the Choose an account dialog, click Use Another Account.
  3. If necessary, copy the Username below and paste it into the Sign in dialog.

    {{{user_0.username | "Username"}}}

    You can also find the Username in the Lab Details pane.

  4. Click Next.

  5. Copy the Password below and paste it into the Welcome dialog.

    {{{user_0.password | "Password"}}}

    You can also find the Password in the Lab Details pane.

  6. Click Next.

    Important: You must use the credentials the lab provides you. Do not use your Google Cloud account credentials. Note: Using your own Google Cloud account for this lab may incur extra charges.
  7. Click through the subsequent pages:

    • Accept the terms and conditions.
    • Do not add recovery options or two-factor authentication (because this is a temporary account).
    • Do not sign up for free trials.

After a few moments, the Google Cloud console opens in this tab.

Note: To access Google Cloud products and services, click the Navigation menu or type the service or product name in the Search field. The lab will take several minutes to provision.

Task 1. XSOAR Marketplace & Integrations

In this task, review the XSOAR marketplace and integrations. The marketplace is a storefront for discovering and exchanging prebuilt SOAR content packs, including integrations, playbooks, dashboards, and subscription services.

Step 1. Review the XSOAR Marketplace

In this step, familiarize yourself with the XSOAR marketplace and content packs.

  1. Access the XSOAR console.

    Key Value
    Console
    Username
    Password
  2. Go to Marketplace → Browse.

  3. Check on Show installed to view the installed marketplace integrations.

    The marketplace is a single place to deploy & manage all SOAR integrations.
  4. Search for the Generic Export Indicators Service content pack.

    Generic Export Indicators Service

    This pack automatically distributes indicators from XSOAR to other products in the network.
  5. Click through the tabs to view more details about the content pack.

    As an example, you can use this content pack to automate firewall allow & block lists with indicators sent by this integration.

Step 2. Manage Marketplace Integrations

In this step, review the Feodo marketplace integration. This integration provides a list of malicious IP addresses from the Feodo Tracker.

  1. Go to Settings → Integrations.

  2. Search for the Feodo marketplace integration.

    Feodo

  3. Click the gear icon to view the Instance settings of the Feodo Tracker IP Blocklist Feed.

    An Instance of an integration represents a specific configuration and connection to an external system or service.
  4. Click Cancel to exit from the integration.

    The Feodo integration is preconfigured to ingest malicious IP addresses. Later in the lab, you will use the integration to populate an EDL.

Task 2. XSOAR Dashboards & Incidents

In this task, review the dashboards within XSOAR along with the Threat Intel user interface. Then, learn how to associate indicators from third-party integrations with security incidents.

Step 1. Review the TIM Dashboard

In this step, review Cortex XSOAR's Threat Intel Management (TIM) dashboard. Dashboards provide real-time visualization and analysis of security operations data, enabling comprehensive monitoring and decision-making.

  1. Go to Dashboard & Reports → Threat Intel Management.

    XSOAR automatically collects & maps threat data to security incidents and displays it in the TIM dashboard.
  2. Set the Date Range to All times.

    The TIM dashboard provides a centralized view of all your threat intelligence feeds. The dashboard can be customized to suit your needs. This lab has one threat intel feed, so the displayed information will be limited.
  3. Search for indicators from the Palo Alto Networks Unit 42 Threat Research team.

    sourceBrands:"Unit42v2 Feed"

    Unit 42 combines top threat researchers and elite security consultants to form an intelligence-driven, response-ready team.
  4. (Optional) Explore the TIM dashboard further by clicking into any of the tiles.

Step 2. Review Threat Intel

In this step, review the Threat Intel user interface within Cortex XSOAR. This interface allows you to view critical threat intel information, including the state, type, and reputation of indicators.

  1. In XSOAR, navigate to Threat Intel.

    Threat Intel displays information on fetched indicators, including type, value, reputation, related incidents, etc.
  2. Search for indicators from Unit 42 with the tag intrusion-set.

    sourceBrands:"Unit42v2 Feed" and tags:intrusion-set

    Analysts can apply tags to categorize indicators and provide context about them.
  3. Click any of the Indicators to perform further investigation.

    In this example, the indicator is Astaroth, a banking malware used to impersonate financial institutions through e-mail.

Step 3. Associate Indicators to Incidents

Use XSOAR's CLI to associate an indicator from the Feodo integration with a security incident. The XSOAR CLI enables you to run commands to perform different tasks.

  1. In Threat Intel, search for malicious indicators from the Feodo integration.

    sourceInstances:"Feodo Tracker IP Blocklist Feed_instance_1" and verdict:Malicious

  2. Select the indicator with the IP Value 146.70.149.32.

  3. Under Related Incidents, you should see no related incidents for the indicator.

    During the normal course of threat intel operations, there may be circumstances that require you to associate an indicator with an incident.
  4. In the XSOAR CLI, associate the indicator with a security incident.

    !associateIndicatorsToIncident incidentId=1 indicatorsValues=146.70.149.32

    The associateIndicatorsToIncident command associates the indicator 146.70.149.32 with Incident ID 1.
  5. Press enter to execute the command.

  6. When prompted, click Yes, execute in playground.

  7. You will be redirected to the Playground War Room.

    A Playground War Room is a simulated environment where users can safely test and develop playbooks, integrations, and commands without affecting the production environment.
  8. Within the playground, verify the command was executed successfully.

  9. Go to Threat Intel and search for the indicator.

    type:IP value:146.70.149.32

  10. Select the 146.70.149.32 indicator.

  11. Under Related Incidents verify the indicator has been associated with the incident ID 1.

    The Timeline widget to the right also displays all related historical actions pertaining to the indicator.

Task 3. XSOAR Playbooks

In this task, familiarize yourself with XSOAR playbooks. Playbooks enable you to automate security processes for consistent and fast response to various events.

Step 1. Access Threat Intel Management Playbooks

Review the playbooks for XSOAR Threat Intel Management (TIM).

  1. In XSOAR, go to Playbooks.

  2. Enter TIM to search for the Threat Intelligence Management playbooks.

    Cortex XSOAR adds new playbooks every two weeks based on new evolving threat intel scenarios.
  3. Select the TIM-Automated Indicator Processing Against Business Partners IP List playbook.

    This playbook checks indicators against a list of business partner IP addresses in XSOAR and tags them accordingly.
  4. Familiarize yourself with the playbook. It will be used to orchestrate response for an incident later in the lab.

Step 2. XSOAR Incidents & Playbooks

In this step, review how XSOAR playbooks automate and standardize security incident response procedures.

  1. Go to Incidents and select the incident #1.

  2. Under Indicators, the indicator from the previous step is now associated with this incident.

  3. Click the Work Plan tab.

    Work Plans detail the automated and manual tasks for incident response, outlining each playbook step and its status.
  4. Click the Playbook Triggered task to view the trigger for the playbook.

    This is the same playbook from the previous step. It checks if any addresses in the indicator repo match business/partner addresses. If so, it automatically adds & tags the addresses to the BusinessPartnersIPListName list.
  5. Go to Settings → Advanced → Lists.

  6. Click BusinessPartnersIPListName to view the list.

    Lists are dynamic collections of data, such as IP addresses or user accounts, used to streamline and automate incident response by serving as reference points for playbooks and other workflows.
  7. Go to Threat Intel and enter the following query to search for all indicators with the business_partner tag.

    tags:business_partner

    Indicators can have multiple tags, making it easier to categorize indicators to fit your use-case.
  8. (Optional) Click any of the indicators to view more information about it.
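The check this playbook performs, matching IP indicators against the business partner list and tagging the hits, can be modelled in a few lines. This is an added Python example, not the playbook's own code: the list body and the indicator set are constructed (146.70.149.32 is the Feodo indicator used earlier in the lab; the partner ranges are documentation addresses), and tag handling is simplified to a set of strings per indicator.

```python
import ipaddress

# Constructed stand-in for the XSOAR list "BusinessPartnersIPListName"
# (Settings → Advanced → Lists): one address or CIDR per line.
BUSINESS_PARTNER_LIST = """\
# partner VPN concentrators
203.0.113.0/24
198.51.100.17
"""

# Constructed IP indicators as the playbook would read them from the
# indicator repository: value -> current tags.
INDICATORS = {
    "146.70.149.32": {"Feodo Tracker"},   # Feodo indicator used earlier in this lab
    "203.0.113.45": {"Feodo Tracker"},    # falls inside a partner range
    "198.51.100.17": set(),               # exact partner address
    "not-an-ip": set(),                   # malformed value, must not break the run
}

PARTNER_TAG = "business_partner"


def parse_partner_list(text):
    """Turn the list body into network objects, skipping blanks and comments."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # strict=False tolerates host bits set in a CIDR, e.g. 10.0.0.5/24
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def tag_business_partners(indicators, partner_list_text, tag=PARTNER_TAG):
    """Return a copy of the indicators with the partner tag added wherever the
    value lies inside any partner address or range. Values that do not parse
    as an IP are left untouched instead of failing the whole run."""
    nets = parse_partner_list(partner_list_text)
    result = {}
    for value, tags in indicators.items():
        new_tags = set(tags)
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            result[value] = new_tags
            continue
        if any(addr in net for net in nets):
            new_tags.add(tag)
        result[value] = new_tags
    return result


if __name__ == "__main__":
    for value, tags in tag_business_partners(INDICATORS, BUSINESS_PARTNER_LIST).items():
        print(f"{value:16} {sorted(tags)}")
```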

Task 4. XSOAR EDL Generation

In this task, use XSOAR to automatically populate an External Dynamic List (EDL). EDLs are used by firewalls to allow or block traffic from specific resources and destinations.

Step 1. Create EDL

In this step, create an EDL. This EDL can be ingested by firewall appliances, including all Palo Alto Networks NGFWs.

  1. Go to Settings → Integrations.

  2. Enter the following into the search bar.

    Generic Export Indicators Service
  3. Click Add Instance next to the Generic Export Indicators Service.

    The Generic Export Indicators Service integration provides an end device (i.e. NGFW) with a list of indicators as a service.
  4. Configure the instance as follows:

    Key Value
    Name Workshop_EDL
    Update list on demand only Check ON
    Outbound Format PAN-OS (text)
    List Size 2500
    Refresh Rate 5 minutes
    Listen Port 8443
    Leave all other settings unchanged.
  5. Click Test to verify the configuration. Once successful, click Save & exit.
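A consumer-side sanity check for the list this instance will serve, with the same 2500-entry bound as the List Size configured above. This is an added Python example, not part of the lab or of the Generic Export Indicators Service: the EDL body is constructed inline instead of being fetched from /instance/execute/Workshop_EDL, and treating blank lines as ignorable is an assumption about the PAN-OS (text) format.

```python
import ipaddress

# Upper bound matching the "List Size" value configured for Workshop_EDL.
LIST_SIZE = 2500

# Constructed sample of the PAN-OS (text) output: one entry per line.
# A real consumer would GET this body from
# <XSOAR_URL>/instance/execute/Workshop_EDL over HTTPS.
SAMPLE_EDL = """\
146.70.149.32
203.0.113.0/24
2001:db8::10
256.1.1.1
198.51.100.7

"""


def validate_edl(body, max_entries=LIST_SIZE):
    """Split a PAN-OS text EDL into accepted entries and rejected lines.

    Entries are normalized with ipaddress so duplicates collapse; anything
    that does not parse as an address or network is reported with its line
    number rather than silently dropped, and the result is cut at
    max_entries to mirror the configured list size."""
    accepted, rejected, seen = [], [], set()
    for lineno, raw in enumerate(body.splitlines(), start=1):
        line = raw.strip()
        if not line:              # assumption: blank lines carry no entry
            continue
        try:
            entry = ipaddress.ip_network(line, strict=False)
        except ValueError:
            rejected.append((lineno, raw))
            continue
        if entry in seen:
            continue
        seen.add(entry)
        accepted.append(entry)
    truncated = len(accepted) > max_entries
    return accepted[:max_entries], rejected, truncated


if __name__ == "__main__":
    ok, bad, cut = validate_edl(SAMPLE_EDL)
    print(f"{len(ok)} entries accepted, {len(bad)} rejected, truncated={cut}")
    for lineno, raw in bad:
        print(f"  line {lineno}: {raw!r}")
```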

Step 2. Create Custom Threat Intel Reports

In this step, create a custom report. Although XSOAR provides broad reporting capabilities natively, it also allows you to tailor reports to suit your specific needs.

  1. Go to Settings → Objects Setup → Threat Intel Reports → Types.

  2. Click + New Type to create a new Threat Intel Report.

  3. Configure the new report as follows.

    Key Value
    Name Threat Intel Report Demo
    Layout Threat Intel Demo Report
  4. Click Save to create the report.

Step 3. Perform an Incident Walkthrough

In this step, use XSOAR TIM to respond to a Log4j security incident. Specifically, use a playbook to retrieve security articles on Log4j and populate the Threat Intel Report created in the previous step.

  1. Go to Incidents.

  2. Select the incident Log4j: Block Threats and Generate Report.

    XSOAR TIM brings additional context to investigations by providing Unit42 Threat Intel directly into each incident's layout.
  3. Click Work Plan:
    → Review the tasks under the Collect and Extract Indicators process.

    The Work Plan associated with the incident collects indicators from Github and other threat feeds.
  4. Open the Tag IP Indicators task:
    → Review what the task does with the collected indicators.

    This task creates the IP indicators and tags them accordingly (i.e., CVE-2021-44228 and log4j).
  5. Open the Should we continue blocking indicators? task:
    → Under Complete Task select Yes
    → Click Mark Completed

    This task is highlighted yellow, indicating user intervention is required. It is not automated because the send-email integration has not been configured. Make sure Yes is selected before continuing! By selecting Yes, you are telling XSOAR to continue blocking the indicators.
  6. Open the Which EDL should we use? task:
    → Copy and paste the EDL URL below into the field.

    {{{project_0.startup_script.xsoar_console|XSOAR_URL}}}/instance/execute/Workshop_EDL
    → Click Submit Answers

    This URL is created by the Export Indicators Service instance that you created previously.
  7. The playbook should complete by generating the custom Threat Intel report and closing the incident.

Step 4. Review the Incident Intelligence

Verify the incident was closed by the Work Plan, then review the custom Threat Intel Report.

  1. Go to Incidents and open the Log4j incident.

  2. Within Incident Info, the incident should be listed as closed.

  3. Click the EDL URL.

    The EDL page should be populated with malicious addresses. This list can be shared with network appliances for enforcement purposes.
  4. Go to Threat Intel → Threat Intel Reports.

  5. Click report #2.

    This Threat Intel Report was generated by the XSOAR playbook.
  6. The Threat Intel report contains a summary of the Log4j threat and indicators processed and blocked by the playbook that was executed.

Congratulations!

In this lab you learned to use Cortex XSOAR Threat Intel Management. You also learned how to manage customizable Threat Intel pages, associate indicators to incidents, and process indicators against business/partner addresses using playbooks and EDLs.

Next steps / Learn more

To learn more, check out the following resources:

Google Cloud training and certification

...helps you make the most of Google Cloud technologies. Our classes include technical skills and best practices to help you get up to speed quickly and continue your learning journey. We offer fundamental to advanced level training, with on-demand, live, and virtual options to suit your busy schedule. Certifications help you validate and prove your skill and expertise in Google Cloud technologies.

Manual Last Updated August 11, 2024

Lab Last Tested August 11, 2024

Copyright 2025 Google LLC. All rights reserved. Google and the Google logo are trademarks of Google LLC. All other company and product names may be trademarks of the respective companies with which they are associated.
