Indicator Customization - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Cortex XSIAM
Creation date
Last date published
Administrator Guide

Learn more about the options available for customizing indicators.

Indicators are artifacts associated with incidents, and are an essential part of the incident management and remediation process.

To customize indicators, such as indicator types, fields, layouts, etc., go to SettingsConfigurationsObject SetupIndicators. You can see the following tabs:

  • Types: Indicators are categorized by indicator type, which determines the indicator layout that is displayed and which scripts are run.

  • Fields: Add indicator fields to the indicator type and layouts. After creating the field, you can map the field to the relevant context data.

  • Layouts: You can view, import and export indicator layouts. You can add layouts to relevant indicator types. Provided you haven't selected Don't show in the indicators layout, when creating or editing a field, you can see any custom indicator fields in the layout.

  • Classification & Mapping: View, map and classify any relevant indicator feeds, such as AWS feed, etc.

  • Exclusion List: Indicators added to the exclusion list are disregarded by the system and are not created or involved in automated flows such as indicator extraction.