Indicator Fields Structure - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Cortex XSIAM
Creation date
Last date published
Administrator Guide

Indicator fields structure aligned with STIX standards to more easily share and work with IOCs.

Cortex XSIAM IOC fields are based on the STIX 2.1 specifications. These fields provide a guideline for the fields we recommend you maintain within an IOC. None of the fields are mandatory, except the value field. Maintaining this field structure enables you to share and export IOCs to additional threat intel based systems as well as to other cybersecurity devices.

Like STIX, Cortex XSIAM indicators are divided into two categories, STIX Domain Objects (SDOs) and STIX Cyber-observable Objects (SCOs). The category determines which fields are presented in the layout of that specific IOC. In Cortex XSIAM, all SCOs can be used in a relationship with either SDOs or SCOs.

Each IOC table of fields is separated into three parts:

  • System fields - Fields created and managed by Cortex XSIAM.

  • Custom core fields - Custom fields shared by all IOCs of the same time (SDO or SCO). Fields may be empty.

  • Custom unique fields - Fields unique to a specific type of IOC. If a user associates more fields with the IOC, the additional fields are also treated as unique.

STIX Cyber-observable Objects (SCO)
STIX Domain Objects (SDO)