Learn about the classification and mapping for indicators.
The following table shows methods by which indicators are detected and ingested in Cortex XSIAM and how they are classified and mapped.
Method | Description | Classification and Mapping |
---|---|---|
Integration | Feed integrations: Fetch indicators from a feed, for example, TAXII, Office 365, and Unit 42 ATOMS Feed. | Indicator classification and mapping is done in the integration code by duplicating the integration in Feed Integrations. → and not in the → tab. For more information, seeSome integrations come with a classifier and mapper, which you can customize. |
Indicator extraction | Indicators are extracted from selected incidents that flow into Cortex XSIAM, for example from an SIEM integration. | Only the value of an indicator is extracted, so no classification or mapping is needed. For more information, see Indicator extraction. |
Manual |
| Data is inserted manually via the UI so no classification or mapping is needed. If importing an STIX file, mapping is done via the STIX parser code. |
Classify and map an indicator type for an integration
The indicator classification and mapping feature enables you to take the data that Cortex XSIAM ingests from integrations, and classify and map the data to indicator types and indicator fields. By classifying the data as different indicator types, you can process them with different playbooks suited to their respective requirements.
Note
When creating a new indicator type, you classify and map the indicator fields in the indicator type settings. For more details, see Map custom indicator fields.
Classification determines the type of indicator that is created for data ingested from a specific integration. You create a classifier and define that classifier in an integration.
You can map the fields from your third-party integration to the fields in your indicator layouts as follows:
Map your fields to indicator types irrespective of the integration or classifier. This means that you can create a mapping before defining an instance and ingesting indicators. By doing so, when you do define an instance and apply a mapper, the data that comes in is already mapped.
Create default mapping for all of the fields that are common to all indicator types, and then map only those fields that are specific to each alert type individually. You can still overwrite the contents of a field in the specific indicator type.