Customize indicator fields and types - Administrator Guide - Threat Intel Management Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product: Cortex XSIAM
Creation date: 2024-03-06
Last date published: 2024-10-15
Category: Administrator Guide
Abstract

Customize your indicators to your specific needs. Edit existing indicator types and fields, add scripts, and configure tailored extraction and expiration settings for optimal insights.

Cortex XSIAM provides out-of-the-box indicator types and fields. However, your use case may require indicator customization, either by editing existing indicator types and fields or by creating new ones to help investigate and respond to potential security threats specific to your organization.

Custom indicators can provide more accurate and efficient identification of potential cyber security threats. For example, you can customize indicators to monitor and detect unusual activity within your organization's internal network. This can include creating indicators to flag unauthorized access attempts or unusual data transfers, or identifying insider threats or compromised accounts.

Before customizing an indicator, review the indicator as it was ingested and then change only what your use case requires. After ingesting alerts and indicators, check the indicator information associated with your alert and review the alert's context data. If the context data contains information that does not appear in the indicator, map it into indicator fields and display those fields in the indicator layout.

You can customize the following:

Option: Indicator type
Description: Customize an indicator type by setting the relevant fields, scripts to run, and reputation command for the indicator type. You can create a new indicator type or you can edit an out-of-the-box indicator type. For more information, see Creating new indicator types.

Option: Indicator fields
Description: Custom indicator fields add specific details or attributes to indicators, helping to better classify and understand the nature of potential security threats. You can edit an existing indicator field or create a new one. After creating a new indicator field, map the field to the relevant context data. You can add the field to an indicator type and view it in an indicator layout. For more information, see Create an indicator field and Map custom indicator fields.
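The following added example (not Cortex XSIAM code, and not its indicator-type or script API) shows the pieces a custom indicator type combines: an extraction regex, a verification script run on each candidate, a mapping from alert context data into custom fields, and an expiration setting. The indicator type "Internal Asset Tag", its fields `assetowner` and `assetsite`, and the sample alert are all constructed for the illustration.

```python
import re
from dataclasses import dataclass
from typing import Callable

# Hypothetical custom indicator type for an internal asset tag such as "ASSET-1234".
# Added illustration only; field names and context paths are assumptions.
@dataclass
class IndicatorType:
    name: str
    pattern: re.Pattern                 # extraction regex
    verify: Callable[[str], bool]       # script run on each extracted candidate
    field_map: dict                     # custom indicator field -> context path
    expiration_days: int

def _lookup(context: dict, path: str):
    """Walk a dotted context path such as 'Host.Owner'; None if absent."""
    cur = context
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def extract_indicators(itype: IndicatorType, text: str, context: dict) -> list:
    """Extract indicators from alert text and attach mapped custom fields."""
    found = {}
    for m in itype.pattern.finditer(text):
        value = m.group(0).upper()          # normalize before de-duplicating
        if value in found or not itype.verify(value):
            continue
        fields = {f: _lookup(context, p) for f, p in itype.field_map.items()}
        fields = {f: v for f, v in fields.items() if v is not None}  # drop unmapped
        found[value] = {"value": value, "type": itype.name,
                        "fields": fields, "expires_in_days": itype.expiration_days}
    return list(found.values())

ASSET_TAG = IndicatorType(
    name="Internal Asset Tag",
    pattern=re.compile(r"\bASSET-\d{4,6}\b", re.IGNORECASE),
    verify=lambda v: not v.endswith("0000"),   # reject placeholder tags
    field_map={"assetowner": "Host.Owner", "assetsite": "Host.Site"},
    expiration_days=30,
)

# Constructed sample alert: raw details text plus the alert's context data.
SAMPLE_DETAILS = "Unusual SMB transfer from asset-10421 to ASSET-0000 (2.3 GB)"
SAMPLE_CONTEXT = {"Host": {"Owner": "alice@example.test", "Site": "HQ-3F"}}

if __name__ == "__main__":
    for ind in extract_indicators(ASSET_TAG, SAMPLE_DETAILS, SAMPLE_CONTEXT):
        print(ind)
```

Only the real tag survives: the placeholder is rejected by the verification step, and the owner and site from the context data land on the indicator as custom fields.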