In addition to the system-level indicator types, you can create custom indicator types in Cortex XSIAM.
Indicators are categorized by indicator type, which determines the indicator layout and fields that are displayed and which scripts are run on indicators of that type. Cortex XSIAM includes several out-of-the-box indicator types, such as:
IP Address
Domain
URL
File
For more information about file indicators and how to configure the file hash, see File indicators.
When you create a new indicator type, you define its properties, including whether and how to format the indicator data and how the verdict is calculated.
Go to → → → → . Click New.
In the Settings tab, add the required indicator profile, such as name and Regex.
For more information, see Indicator type profile.
In the Custom Fields tab, map the fields, as required.
For more information, see Map custom indicator fields.
The following example describes how to create a new indicator type to manage employee email addresses, for example for resource management or insider threat investigation.
Create a new indicator type for the employee email addresses that use the “our_company.com” company domain.
Under the Settings tab, define the following.
Name: Company email
Regex: .*?@our_company.com (simplified to capture all the email addresses using the our_company.com domain).
Reputation command: Not relevant for this example, since we don't want any external enrichment.
Formatting script: If more formatting is needed, you can use a formatting script to edit the saved value.
Reputation script: If needed, you can create a reputation script to affect the DBot score given to the new custom indicator.
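To show what the simplified regex above actually captures when it is applied to free text, and what a formatting script would then normalize, here is an added Python example that is not part of the Cortex XSIAM documentation. It uses Python's re module as a stand-in, so the exact matching semantics XSIAM applies, the stricter pattern STRICT_EXTRACT_REGEX, and the sample text are assumptions of this example.

```python
import re

# Regex exactly as the page gives it ("simplified"): the dot is unescaped,
# nothing is anchored, and the lazy ".*?" still swallows any text before "@".
PAGE_REGEX = r".*?@our_company.com"

# Tighter pattern, an assumption of this example and not from the page:
# restricted local part, escaped dot, and no word/dot/hyphen character on
# either side, so longer domains such as our_company.com.other.example are skipped.
STRICT_EXTRACT_REGEX = r"(?<![\w.-])[A-Za-z0-9._%+-]+@our_company\.com(?![\w.-])"

# Constructed sample text, not real data.
SAMPLE = (
    "Contact alice@our_company.com or Bob.Smith@OUR_COMPANY.COM; "
    "ignore eve@our_companyXcom and carol@our_company.com.other.example"
)


def extract_indicators(pattern: str, text: str) -> list[str]:
    """Return every substring the pattern accepts, in order of appearance.
    Case-insensitive matching is assumed here; the page does not say which flags XSIAM uses."""
    return [m.group(0) for m in re.finditer(pattern, text, flags=re.IGNORECASE)]


def is_company_email(value: str) -> bool:
    """Validate one candidate value as a whole against the strict pattern."""
    return re.fullmatch(STRICT_EXTRACT_REGEX, value, flags=re.IGNORECASE) is not None


def format_company_email(value: str) -> str:
    """Stand-in for a formatting script: trim whitespace and lower-case the value so
    'Bob.Smith@OUR_COMPANY.COM' and 'bob.smith@our_company.com' become one indicator."""
    return value.strip().lower()


if __name__ == "__main__":
    # The page regex returns four hits, each carrying the text that precedes "@",
    # plus the look-alike domain; the strict one returns only the two real addresses.
    print("page regex   :", extract_indicators(PAGE_REGEX, SAMPLE))
    print("strict regex :", [format_company_email(v) for v in extract_indicators(STRICT_EXTRACT_REGEX, SAMPLE)])
```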
In the Custom Fields tab, map custom fields for the new indicator type.
You can map fields returned by an integration such as Active Directory to obtain more data about the actual user to whom the email address belongs. You can also collect data using integrations such as Okta (MFA, SSO), SIEM, and email security. Fields such as Username, Full name, the various groups the user belongs to, and other identifiers are returned to context and mapped into the indicator through the custom fields.
Note
If a field you need to map does not exist, you can create additional indicator fields and either relate them to all indicator types, or relate them only to the new indicator type (recommended).