Indicator type profile

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2024-05-15
Category
Administrator Guide
Abstract

Create or edit an indicator type and configure fields that determine how the system interacts with indicators of that type.

Each indicator type has its own profile that enables Cortex XSIAM to recognize it across the platform. During the indicator extraction flow, the order of execution is regex, formatting script, reputation command, and reputation script. You can update the following fields when updating an indicator type.

Field

Description

Name

A meaningful name for the indicator type.

Reputation script

The output of the reputation script is a verdict score, which is used as the basis for the indicator verdict. Reputation scripts must be tagged reputation to appear in the list for the indicator type. For more information, see Reputation scripts.

The results of reputation scripts do not print to the War Room in the extraction flow.

Formatting script

Modifies how the indicator displays in Cortex XSIAM.

Formatting scripts must be tagged indicator-format to appear in the list for the indicator type. For more information, see Formatting scripts.

Enhancement script

The enhancement script is not part of the indicator extraction flow and is run manually on the indicator type. Examples of enhancement scripts include an enrichment script and a script that runs a search in a SIEM for the indicator.

After indicators are identified, you can go to the Indicator Quick View page, click the Actions button, and run an enhancement script directly on an indicator. For these scripts to be available in the menu, they need the enhancement tag. For more information, see Enhancement scripts.

When you run an enhancement script, it is the equivalent of running the script in the CLI. The script can write to context, return an entry, etc.

Reputation command

Calculates the reputation of indicators of this type. The verdict (reputation) is only associated with the specific indicator value on which it’s run (not the indicator type). The command returns the reputation of the indicator value as an entry with entry context and in some cases also returns context values that can be mapped to the indicator type custom fields.

The results of the reputation command do not print to the War Room in the indicator extraction flow. For more information, see Reputation commands.

Regex

The regular expression (regex) to identify indicators for this indicator type.

Layout

Select the indicator layout to use.

Exclude these integrations for the reputation command

Integrations to exclude when calculating the verdict, evaluating, and enriching indicators of this indicator type. This only applies to the indicator extraction and enrichment mechanism and does not apply when directly running reputation commands such as !ip, !url, !domain, etc.

Indicator Expiration Method

The method by which to expire indicators of this type. The expiration method that you select is the default expiration method for indicators of this indicator type.

The expiration can also be assigned when configuring a feed integration instance, which overrides the default method.

  • Never Expire: indicators of this type never expire.

  • Time Interval: indicators of this type expire after the specified number of days or hours. For more information, see Configure indicator expiration.

Context path for verdict value (Advanced)

When an indicator is extracted, the entry data from the command is mapped to the incident context. This path defines where in context the data is mapped.

Context value of verdict (Advanced)

The value of this field defines the actual data that is mapped to the context path.

Cache expiration in minutes (Advanced)

The amount of time (in minutes) after which the cache for indicators of this type expires. The default is 4,320 minutes (three days). The cache enables you to limit API requests by only updating indicators after a specific time period has passed. The cache cannot be cleared manually.

Note

Indicator cache expiration rules only apply to standard enrichment (for example, running the enrichIndicators command). If you run a reputation command, such as !ip, the command executes even if the cache has not expired.
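As an added illustration (not Cortex XSIAM's own code), the following Python model runs a constructed Domain indicator type through the extraction flow in the order given above (regex, formatting script, reputation command, reputation script) and shows the two exceptions this page notes: the integration exclusion list and the indicator cache apply to extraction and standard enrichment, but not to a directly run reputation command. The feed data, the three script bodies, the `.example` regex and the `FeedA`/`FeedB` integration names are constructed assumptions.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable
VERDICTS = {0: "Unknown", 1: "Good", 2: "Suspicious", 3: "Malicious"}
# Constructed stand-in for the integrations a reputation command would query.
FEEDS = {"FeedA": {"evil.example": 3}, "FeedB": {"evil.example": 2, "good.example": 1}}

def format_domain(raw: str) -> str:
    """Constructed formatting script: lower-case the match and drop a trailing dot."""
    return raw.lower().rstrip(".")

def domain_reputation_command(value: str, excluded: set) -> dict:
    """Constructed reputation command: entry context built from the non-excluded feeds."""
    scores = [feed.get(value, 0) for name, feed in FEEDS.items() if name not in excluded]
    return {"Domain": value, "DBotScore": max(scores, default=0)}

def domain_reputation_script(entry: dict) -> int:
    """Constructed reputation script: the verdict score is read from the entry context."""
    return entry["DBotScore"]

@dataclass
class IndicatorType:
    regex: str
    formatting_script: Callable[[str], str]
    reputation_command: Callable[[str, set], dict]
    reputation_script: Callable[[dict], int]
    excluded_integrations: set = field(default_factory=set)
    cache_expiration_minutes: int = 4320        # page default: three days
    cache: dict = field(default_factory=dict)   # value -> (evaluated at, verdict)

    def extract(self, text: str, now: datetime) -> dict:
        """Page order: regex, formatting script, reputation command, reputation script."""
        verdicts = {}
        for match in re.finditer(self.regex, text):
            value = self.formatting_script(match.group(0))
            cached = self.cache.get(value)
            if cached and now - cached[0] < timedelta(minutes=self.cache_expiration_minutes):
                verdicts[value] = cached[1]     # unexpired cache: skip command and script
                continue
            entry = self.reputation_command(value, self.excluded_integrations)
            verdicts[value] = VERDICTS[self.reputation_script(entry)]
            self.cache[value] = (now, verdicts[value])
        return verdicts

    def run_reputation_command(self, value: str) -> dict:
        """Direct run (like !domain): neither the exclusion list nor the cache applies."""
        return self.reputation_command(value, set())

DOMAIN = IndicatorType(r"(?i)\b[a-z0-9-]+\.example\b\.?", format_domain, domain_reputation_command,
                       domain_reputation_script, excluded_integrations={"FeedA"})
```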