Indicator Ingestion - Administrator Guide - Cortex XSIAM - Cortex - Security Operations


Overview of how Cortex XSIAM indicators are detected and ingested.

The following table shows methods by which indicators are detected and ingested in Cortex XSIAM.



Classification and Mapping


  • Feed integrations: Fetch indicators from a feed, for example TAXII, Unit 42, and Office 365.

  • Enrichment integrations: Enhance the indicator, giving it more context and information, for example Unit 42, VirusTotal, and IPinfo.

Indicator classification and mapping is done in the Feed Integration code and not in the Cortex XSIAM Settings → Configurations → Object Setup → Indicators → Classification & Mapping tab. For example, see the Unit 42 Intel Objects Feed integration.

Indicator extraction

Indicators are extracted from selected incidents that flow into Cortex XSIAM, for example from an integration, such as EWS.

Only the value of an indicator is extracted, so no classification or mapping is needed.


  • Command line

    For example, in the Alert War Room, type !CreateIndicatorsFromSTIX.

  • STIX file: Manually upload a STIX file on the Threat Intel (Indicators) page.

Data is inserted manually via the UI, so no classification or mapping is needed.

If importing a STIX file, mapping is done via the STIX parser code.
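
An added example (not Cortex XSIAM's STIX parser or any integration's own code) of what mapping in parser code means for a STIX import: each indicator pattern is turned into a typed value, and patterns that cannot be mapped are reported instead of guessed. The type names, the output dictionary shape, the helper `_ind` and the sample bundle are assumptions constructed for illustration.

```python
import json
import re

# Assumed mapping from STIX object paths to indicator types (illustrative names).
STIX_PATH_TO_TYPE = {
    "ipv4-addr:value": "IP", "ipv6-addr:value": "IPv6",
    "domain-name:value": "Domain", "url:value": "URL",
    "file:hashes.MD5": "File", "file:hashes.SHA-1": "File",
    "file:hashes.SHA-256": "File",
}
# One comparison inside a pattern, e.g. file:hashes.'SHA-256' = '<hex>'
COMPARISON = re.compile(r"([a-z0-9-]+:[\w.'-]+)\s*=\s*'((?:[^'\\]|\\.)*)'")


def map_stix_bundle(bundle_text):
    """Return (indicators, skipped_ids) for a STIX 2.x bundle given as JSON text."""
    indicators, skipped = [], []
    for obj in json.loads(bundle_text).get("objects", []):
        if obj.get("type") != "indicator":
            continue  # malware, reports, relationships carry no pattern to map
        mapped = []
        if obj.get("pattern_type", "stix") == "stix":  # STIX 2.0 has no pattern_type
            for path, value in COMPARISON.findall(obj.get("pattern", "")):
                ind_type = STIX_PATH_TO_TYPE.get(path.replace("'", ""))
                if ind_type:
                    mapped.append((ind_type, value))
        if not mapped:
            skipped.append(obj.get("id"))  # surface unmapped patterns, never guess
        for ind_type, value in mapped:
            indicators.append({"value": value, "type": ind_type,
                               "fields": {"stixid": obj.get("id")}})
    return indicators, skipped


def _ind(n, pattern, pattern_type="stix"):
    """Build one constructed STIX indicator object for the sample bundle."""
    return {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-%012d" % n,
            "pattern_type": pattern_type, "pattern": pattern}


# Constructed sample bundle (documentation-range address, .test domain, dummy hash).
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "objects": [
    _ind(1, "[ipv4-addr:value = '198.51.100.7']"),
    _ind(2, "[file:hashes.'SHA-256' = '" + "a" * 64 + "']"),
    _ind(3, "[domain-name:value = 'example.test' OR url:value = 'http://example.test/a']"),
    _ind(4, "rule constructed_sample { condition: false }", pattern_type="yara"),
    {"type": "malware", "id": "malware--00000000-0000-4000-8000-000000000005"},
]})

if __name__ == "__main__":
    print(map_stix_bundle(SAMPLE_BUNDLE))
```

The skipped list is the part worth reviewing after an import: a non-STIX pattern (YARA in the sample) or an object path missing from the mapping table yields no indicator.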