Map Custom Indicator Fields - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

The value of the custom incident field is determined by the value of the key in Context data to which the field is mapped in Cortex XSIAM.

When you start ingesting indicators, the indicator fields are automatically mapped to the relevant indicator fields. Sometimes you may want to change the default settings, or map custom indicator fields to the relevant context data. Before you map custom indicator fields, you need to create the indicator field, add it to the required indicator type layout.

Mapping enables you to automatically update the indicator without having to manually change it. For example, the IP indicator automatically maps the Geo Country. Without it being mapped, every time the IP address changes country, the analyst would have to update the country every time that indicator type is ingested.

To map custom fields to the indicator type, you need to enrich the indicator either by using the !enrichindicators command in the Alert Room CLI, in a playbook, or open an indicator and click Enrich indicator. Enrichment returns an entry, with the EntryContext property as the source of the mapping process. When editing an indicator type, in the Custom Fields tab, type the name of the indicator exactly how it appears (in the Threat Intel page) and click Load.

For the enrichment data to be considered valid, EntryContext must include a DBotScore with the fields: Indicator, Score, Vendor and Type. If DBotScore has those fields, all the data of EntryContext is used as the source for the mapping, and not only the data under EntryContext.DBotScore.