* [Blog](https://www.paloaltonetworks.com/blog)
* [Security Operations](https://www.paloaltonetworks.com/blog/security-operations/)
* [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/)
* Playbook of the Week: Aut...

# Playbook of the Week: Automating Your Threat Intelligence with Cortex XSOAR

[](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fwww.paloaltonetworks.com%2Fblog%2Fsecurity-operations%2Fplaybook-of-the-week-automating-your-threat-intelligence-with-cortex-xsoar%2F)  
[](https://twitter.com/share?text=Playbook+of+the+Week%3A+Automating+Your+Threat+Intelligence+with+Cortex+XSOAR&url=https%3A%2F%2Fwww.paloaltonetworks.com%2Fblog%2Fsecurity-operations%2Fplaybook-of-the-week-automating-your-threat-intelligence-with-cortex-xsoar%2F)  
[](https://www.linkedin.com/shareArticle?mini=true&url=https%3A%2F%2Fwww.paloaltonetworks.com%2Fblog%2Fsecurity-operations%2Fplaybook-of-the-week-automating-your-threat-intelligence-with-cortex-xsoar%2F&title=Playbook+of+the+Week%3A+Automating+Your+Threat+Intelligence+with+Cortex+XSOAR&summary=&source=)  
[](https://www.paloaltonetworks.com//www.reddit.com/submit?url=https://www.paloaltonetworks.com/blog/security-operations/playbook-of-the-week-automating-your-threat-intelligence-with-cortex-xsoar/&ts=markdown)  
\[\](mailto:?subject=Playbook of the Week: Automating Your Threat Intelligence with Cortex XSOAR)  
Link copied  
By [Brendan Powers](https://www.paloaltonetworks.com/blog/author/brendan-powers/?ts=markdown "Posts by Brendan Powers")  
Sep 16, 2022  
3 minutes  
[Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown)  
[Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown)  
[Cortex XSOAR](https://www.paloaltonetworks.com/blog/tag/cortex-xsoar/?ts=markdown)  
[playbook of the week](https://www.paloaltonetworks.com/blog/tag/playbook-of-the-week/?ts=markdown)  
[Security Orchestration Automation and Response](https://www.paloaltonetworks.com/blog/tag/security-orchestration-automation-and-response/?ts=markdown)  
[SOAR](https://www.paloaltonetworks.com/blog/tag/soar-2/?ts=markdown)  
[Threat Intel](https://www.paloaltonetworks.com/blog/tag/threat-intel/?ts=markdown)  
[Threat intelligence management](https://www.paloaltonetworks.com/blog/tag/threat-intelligence-management/?ts=markdown)  
[TIM](https://www.paloaltonetworks.com/blog/tag/tim/?ts=markdown)  
[TIP](https://www.paloaltonetworks.com/blog/tag/tip/?ts=markdown)  
[XSOAR playbook](https://www.paloaltonetworks.com/blog/tag/xsoar-playbook/?ts=markdown)

### **Getting the Most Out of Your Threat Feeds**

How confident are you in tracking and assessing the threat actors that stalk your enterprise? Despite the millions of threat indicators that come in daily, SecOps rarely get the most visibility out of their enterprise's threat intelligence investments. Furthermore, the variance in quality and manual processing of these threat intelligence feeds inhibits the rapid identification of malicious indicators impacting your organization.

Integrating these feeds with your incident response workflow allows you to map external threat data to what's happening within your enterprise's network. By automating responses to the hundreds of thousands of threat indicators, Cortex XSOAR helps your analysts stay a step ahead of the game in today's threat detection.

SecOps should consider a few crucial questions when ingesting each threat indicator:

* How bad is it?
* Who is using this IP Address?
* Who is behind it?
* Which policy is blocking this IP address?

The XSOAR Marketplace supplies content packs on threat intelligence management (TIM) that help make threat indicators actionable via automated playbooks. The [**TIM - Indicator Auto-Processing Content Pack**](https://xsoar.pan.dev/marketplace/details/TIM_Processing) includes playbooks that operationalize the processing of indicators for many use cases, such as tagging, checking for existence in various exclusion or other lists of interest, running enrichment for specific indicators, and preparing indicators for a manual review in case additional approval is required.
![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/09/word-image-20.png)
Image #1: TIM - Indicator Auto Processing Playbook

For example, there are playbooks to automate searching for enterprise-relevant IOCs by processing indicators to check if they exist in a Cortex XSOAR list, which contains the business partner domains or IP addresses. These playbooks help you quickly separate indicators relevant to your organization from irrelevant ones. Furthermore, the [**TIM - Process Indicators - Manual Review**](https://xsoar.pan.dev/docs/reference/playbooks/tim---process-indicators---manual-review) playbook automatically selects IOCs ingested by feeds that require manual approval. It optionally concludes by creating a new incident that includes all indicators needed for analyst review.
![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/09/word-image-21.png)
Image #2: Review Indicators Manually For Whitelisting Incident - Layout included in Content Pack

**What does the TIM - Indicator Auto-Processing pack do?**

With this content pack, you can significantly reduce the time your threat intelligence analysts spend on reviewing hundreds of thousands of indicators by performing many pre-defined logics and processing tasks automatically. The [**TIM - Indicator Auto-Processing** **Pack**](https://xsoar.pan.dev/marketplace/details/TIM_Processing) is one of many solutions available for download on the Cortex XSOAR Marketplace to help you automate repetitive tasks associated with the handling of indicators and threat intelligence management, including:

* Checking if indicators are related to internal exclusion lists such as business partners or other approved origin.
* Validating CIDR indicator size in order not to approve or deny large CIDR ranges.
* Creating incidents for indicators that require additional analyst review and chain of approval.
* Running additional enrichment for indicators ingested by specific feeds.
* Checking Whois to validate domains registrant and time of creation.
* Checking if an indicator with a tag of organizational\_external\_ip has been updated and keeps or removes the tag according to the results.
* Processing indicators against IP and CIDR lists.

*For more information on the* [***TIM - Indicator Auto-Processing Pack***](https://xsoar.pan.dev/marketplace/details/TIM_Processing)*and other XSOAR packs and playbooks, visit our* [*Cortex XSOAR Developer Docs*](https://xsoar.pan.dev/docs/reference/index)*reference page.*

**To learn more about how you can automate security operations with Cortex XSOAR, check out our virtual self-guided [XSOAR Product Tour](https://www.paloaltonetworks.com/resources/infographics/xsoar-product-tour?ts=markdown)**

**We also host virtual and in-person events, so check [here](https://www.paloaltonetworks.com/resources/cortex-events?ts=markdown) for upcoming ones.**

*** ** * ** ***

## Related Blogs

### [Announcement](https://www.paloaltonetworks.com/blog/category/announcement/?ts=markdown), [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown)

[#### Playbook of the Week: Automated Rapid Response to 3CXDesktopApp Supply Chain Attack](https://www.paloaltonetworks.com/blog/security-operations/playbook-of-the-week-automated-rapid-response-to-3cxdesktopapp-supply-chain-attack/)

### [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [News and Events](https://www.paloaltonetworks.com/blog/security-operations/category/news-and-events/?ts=markdown), [Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown)

[#### Playbook of the Week: Automated Rapid Response to Microsoft Outlook for Windows Vulnerability](https://www.paloaltonetworks.com/blog/security-operations/playbook-of-the-week-automated-rapid-response-to-microsoft-outlook-for-windows-vulnerability/)

### [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown)

[#### Playbook of the Week: Automating Attack Surface Management with Cortex XSOAR](https://www.paloaltonetworks.com/blog/security-operations/playbook-of-the-week-automating-attack-surface-management/)

### [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown), [Uncategorized](https://www.paloaltonetworks.com/blog/category/uncategorized/?ts=markdown)

[#### Playbook of the Week: Automating Cortex XDR Investigation and Response](https://www.paloaltonetworks.com/blog/security-operations/playbook-of-the-week-automating-cortex-xdr-investigation-and-response/)

### [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown)

[#### Playbook of the Week: ServiceNow Ticket Mirroring with Cortex XSOAR](https://www.paloaltonetworks.com/blog/security-operations/playbook-of-the-week-servicenow-ticket-mirroring-with-cortex-xsoar/)

### [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown)

[#### Playbook of the Week: MITRE ATT\&CK---Courses of Action with Cortex XSOAR](https://www.paloaltonetworks.com/blog/security-operations/playbook-of-the-week-mitre-attck-courses-of-action-with-cortex-xsoar/)

### Subscribe to Security Operations Blogs!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.
![spinner](https://www.paloaltonetworks.com/blog/wp-content/themes/panwblog2023/dist/images/ajax-loader.gif) Sign up  
Please enter a valid email.  
By submitting this form, you agree to our [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) and acknowledge our [Privacy Statement](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown). Please look for a confirmation email from us. If you don't receive it in the next 10 minutes, please check your spam folder.  
This site is protected by reCAPTCHA and the Google [Privacy Policy](https://policies.google.com/privacy) and [Terms of Service](https://policies.google.com/terms) apply.  
{#footer} {#footer}

## Products and Services

* [AI-Powered Network Security Platform](https://www.paloaltonetworks.com/network-security?ts=markdown)

* [Secure AI by Design](https://www.paloaltonetworks.com/precision-ai-security/secure-ai-by-design?ts=markdown)

* [Prisma AIRS](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown)

* [AI Access Security](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown)

* [Cloud Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions?ts=markdown)

* [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown)

* [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown)

* [Advanced WildFire](https://www.paloaltonetworks.com/network-security/advanced-wildfire?ts=markdown)

* [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown)

* [Enterprise Data Loss Prevention](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Enterprise IoT Security](https://www.paloaltonetworks.com/network-security/enterprise-device-security?ts=markdown)

* [Medical IoT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [Industrial OT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall?ts=markdown)

* [Hardware Firewalls](https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations?ts=markdown)

* [Software Firewalls](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown)

* [Strata Cloud Manager](https://www.paloaltonetworks.com/network-security/strata-cloud-manager?ts=markdown)

* [SD-WAN for NGFW](https://www.paloaltonetworks.com/network-security/sd-wan-subscription?ts=markdown)

* [PAN-OS](https://www.paloaltonetworks.com/network-security/pan-os?ts=markdown)

* [Panorama](https://www.paloaltonetworks.com/network-security/panorama?ts=markdown)

* [Secure Access Service Edge](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Prisma SASE](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Application Acceleration](https://www.paloaltonetworks.com/sase/app-acceleration?ts=markdown)

* [Autonomous Digital Experience Management](https://www.paloaltonetworks.com/sase/adem?ts=markdown)

* [Enterprise DLP](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown)

* [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown)

* [Prisma SD-WAN](https://www.paloaltonetworks.com/sase/sd-wan?ts=markdown)

* [Remote Browser Isolation](https://www.paloaltonetworks.com/sase/remote-browser-isolation?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [AI-Driven Security Operations Platform](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cloud Security](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Cortex Cloud](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Application Security](https://www.paloaltonetworks.com/cortex/cloud/application-security?ts=markdown)

* [Cloud Posture Security](https://www.paloaltonetworks.com/cortex/cloud/cloud-posture-security?ts=markdown)

* [Cloud Runtime Security](https://www.paloaltonetworks.com/cortex/cloud/runtime-security?ts=markdown)

* [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown)

* [AI-Driven SOC](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown)

* [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?ts=markdown)

* [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar?ts=markdown)

* [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse?ts=markdown)

* [Unit 42 Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown)

* [Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown)

* [Threat Intel and Incident Response Services](https://www.paloaltonetworks.com/unit42?ts=markdown)

* [Proactive Assessments](https://www.paloaltonetworks.com/unit42/assess?ts=markdown)

* [Incident Response](https://www.paloaltonetworks.com/unit42/respond?ts=markdown)

* [Transform Your Security Strategy](https://www.paloaltonetworks.com/unit42/transform?ts=markdown)

* [Discover Threat Intelligence](https://www.paloaltonetworks.com/unit42/threat-intelligence-partners?ts=markdown)

## Company

* [About Us](https://www.paloaltonetworks.com/about-us?ts=markdown)
* [Careers](https://jobs.paloaltonetworks.com/en/)
* [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown)
* [Corporate Responsibility](https://www.paloaltonetworks.com/about-us/corporate-responsibility?ts=markdown)
* [Customers](https://www.paloaltonetworks.com/customers?ts=markdown)
* [Investor Relations](https://investors.paloaltonetworks.com/)
* [Location](https://www.paloaltonetworks.com/about-us/locations?ts=markdown)
* [Newsroom](https://www.paloaltonetworks.com/company/newsroom?ts=markdown)

## Popular Links

* [Blog](https://www.paloaltonetworks.com/blog/?ts=markdown)
* [Communities](https://www.paloaltonetworks.com/communities?ts=markdown)
* [Content Library](https://www.paloaltonetworks.com/resources?ts=markdown)
* [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown)
* [Event Center](https://events.paloaltonetworks.com/)
* [Manage Email Preferences](https://start.paloaltonetworks.com/preference-center)
* [Products A-Z](https://www.paloaltonetworks.com/products/products-a-z?ts=markdown)
* [Product Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown)
* [Report a Vulnerability](https://www.paloaltonetworks.com/security-disclosure?ts=markdown)
* [Sitemap](https://www.paloaltonetworks.com/sitemap?ts=markdown)
* [Tech Docs](https://docs.paloaltonetworks.com/)
* [Unit 42](https://unit42.paloaltonetworks.com/)
* [Do Not Sell or Share My Personal Information](https://panwedd.exterro.net/portal/dsar.htm?target=panwedd)
  ![PAN logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg)
* [Privacy](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown)
* [Trust Center](https://www.paloaltonetworks.com/legal-notices/trust-center?ts=markdown)
* [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown)
* [Documents](https://www.paloaltonetworks.com/legal?ts=markdown)

Copyright © 2026 Palo Alto Networks. All Rights Reserved

* [![Youtube](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/youtube-black.svg)](https://www.youtube.com/user/paloaltonetworks)
* [![Podcast](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/icons/podcast.svg)](https://www.paloaltonetworks.com/podcasts/threat-vector?ts=markdown)
* [![Facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/facebook-black.svg)](https://www.facebook.com/PaloAltoNetworks/)
* [![LinkedIn](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/linkedin-black.svg)](https://www.linkedin.com/company/palo-alto-networks)
* [![Twitter](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/twitter-x-black.svg)](https://twitter.com/PaloAltoNtwks)
* EN  
  Select your language