Learn more about mapping custom indicator fields.
Indicator mapping automatically updates the value of an indicator field so you do not have to change it manually. For example, the IP indicator type automatically maps the Country field. Without that mapping, whenever the country associated with an IP address changed, an analyst would have to update the Country field by hand each time an indicator of that type was ingested.
The value of an indicator field is determined by the value of the key in context data the field is mapped to in Cortex XSIAM.
When you start ingesting indicators, the incoming fields are automatically mapped to the relevant indicator fields. Sometimes you may want to change the default settings or map custom indicator fields to specific context data. Before you map custom indicator fields, you need to create the indicator field and add it to the relevant indicator type layout.
Note
Some integrations have indicator mappers and classifiers, such as AWS. If you want to use an integration mapper or classifier, see Indicator classification and mapping.
To map custom fields to the indicator type, you first need to enrich the indicator, either by running the !enrichindicators command in the Alert Room CLI or in a playbook, or by opening an indicator and clicking Enrich indicator. Enrichment returns an entry whose EntryContext property is the source for the mapping process. When editing an indicator type, in the Custom Fields tab, type the indicator value exactly as it appears on the XSIAM Indicators page and click Load.
For the enrichment data to be considered valid, EntryContext must include a DBotScore object with the fields Indicator, Score, Vendor, and Type. If DBotScore has those fields, all of EntryContext is used as the source for the mapping, not only the data under EntryContext.DBotScore. An enrichment entry whose DBotScore lacks any of these fields is not used as a mapping source, so a custom field that stays empty after enrichment is often a sign of an integration returning an incomplete DBotScore.
Go to → → → → .
Select the indicator type and click Edit.
Click the Custom Fields tab.
The custom fields associated with this indicator type are listed in the table. If you do not see a custom field in the list, verify that you associated the custom field with this indicator type.
(Optional) In the Indicator Sample panel, enter an indicator relevant to the indicator type to load sample data.
Click Choose data path to map the custom field to a data path.
(Optional) Click the curly brackets to map the field to a context path.
(Optional) From the Indicator Sample panel, select a context key to map to the field.
Save the indicator type.
Source reliability and custom indicator field mapping
Custom indicator fields are mapped and populated according to source reliability hierarchy. When there are two different values for a single custom indicator field, the field is mapped and populated with the value provided by the integration instance with the highest source reliability score. For example, if an instance with a higher source reliability has no mapping for a specific custom indicator field, the field will display No entries in the dashboard even though the integration instance with the lower reliability score contains mapping for that field.
To ensure your custom indicator field populates correctly, the integration instance you want to use to map the data must be the primary source used by the system. You can do this by:
Editing the Source reliability setting of the integration instance you want to use for mapping and data so that its reliability score is higher than all other active enrichment integrations.
Disabling other enrichment integration instances with equal or higher source reliability and setting them to Do not use by default. This prevents them from competing for priority, allowing your integration to map and populate custom indicator fields correctly.
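The following Python model ties together the two rules above: the DBotScore validity check that decides whether an enrichment entry can be a mapping source at all, and the source reliability precedence that decides which instance's EntryContext populates a custom field. It is an added example and not Cortex XSIAM code; the instance names, the reliability grade ordering, the IP address 198.51.100.7 and the ASN are constructed, and the context paths follow the IP.Geo.Country convention used by IP enrichment integrations.

```python
"""Toy model of custom indicator field mapping in Cortex XSIAM.

Added example (not XSIAM's own code). It shows:
  * the DBotScore validity check (Indicator, Score, Vendor, Type required),
  * dotted context path resolution such as 'IP.Geo.Country',
  * source reliability precedence: only the most reliable valid instance is
    consulted, so a lower-ranked instance never fills a gap left by it.
All instance names, grades and indicator data below are constructed.
"""
from typing import Any, Dict, List, Optional

# Assumed ordering of reliability grades, most trusted first. Unknown grades
# are ranked last by rank().
RELIABILITY_ORDER = ["A+", "A", "B", "C", "D", "E", "F"]

REQUIRED_DBOTSCORE_FIELDS = ("Indicator", "Score", "Vendor", "Type")


def rank(reliability: str) -> int:
    """Lower is more trusted; grades outside RELIABILITY_ORDER sort last."""
    try:
        return RELIABILITY_ORDER.index(reliability)
    except ValueError:
        return len(RELIABILITY_ORDER)


def dbotscore_is_valid(entry_context: Dict[str, Any]) -> bool:
    """True when every DBotScore object carries the four required fields.

    DBotScore may be a single dict or a list of dicts; an empty list or a
    missing key means the entry cannot be used as a mapping source.
    """
    score = entry_context.get("DBotScore")
    if score is None:
        return False
    scores = score if isinstance(score, list) else [score]
    return bool(scores) and all(
        isinstance(s, dict) and all(f in s for f in REQUIRED_DBOTSCORE_FIELDS)
        for s in scores
    )


def resolve_path(data: Any, path: str) -> Optional[Any]:
    """Walk a dotted context path over nested dicts and lists.

    A list encountered at any step is searched in order and the first item
    that yields a value wins; None means the path is absent.
    """
    return _walk(data, path.split("."))


def _walk(node: Any, keys: List[str]) -> Optional[Any]:
    if not keys:
        return node
    if isinstance(node, list):
        for item in node:
            found = _walk(item, keys)
            if found is not None:
                return found
        return None
    if isinstance(node, dict) and keys[0] in node:
        return _walk(node[keys[0]], keys[1:])
    return None


def primary_source(entries: List[Dict[str, Any]]) -> Optional[str]:
    """Name of the valid instance with the highest source reliability.

    Ties keep the first entry in the list; the page's advice is to avoid
    ties by disabling competing instances rather than relying on this.
    """
    candidates = [e for e in entries if dbotscore_is_valid(e["entry_context"])]
    if not candidates:
        return None
    return min(candidates, key=lambda e: rank(e["reliability"]))["instance"]


def select_field_value(entries: List[Dict[str, Any]], path: str) -> Optional[Any]:
    """Value a custom field mapped to `path` ends up with.

    Only the primary source is consulted: if it has nothing at `path` the
    field stays empty even when a lower-ranked instance has a value there.
    """
    source = primary_source(entries)
    if source is None:
        return None
    ctx = next(e["entry_context"] for e in entries if e["instance"] == source)
    return resolve_path(ctx, path)


# Constructed enrichment results from three hypothetical integration instances.
SAMPLE_ENTRIES: List[Dict[str, Any]] = [
    {"instance": "geo-feed-a", "reliability": "A", "entry_context": {
        "DBotScore": {"Indicator": "198.51.100.7", "Score": 1,
                      "Vendor": "GeoFeedA", "Type": "ip"},
        "IP": {"Address": "198.51.100.7", "Geo": {"Country": "DE"}},
    }},
    {"instance": "asn-feed-b", "reliability": "B", "entry_context": {
        "DBotScore": [{"Indicator": "198.51.100.7", "Score": 2,
                       "Vendor": "AsnFeedB", "Type": "ip"}],
        "IP": [{"Address": "198.51.100.7", "Geo": {"Country": "FR"},
                "ASN": "AS64496"}],
    }},
    {"instance": "broken-feed", "reliability": "A+", "entry_context": {
        # Vendor is missing, so this entry is not a valid mapping source
        # even though its reliability grade is the highest.
        "DBotScore": {"Indicator": "198.51.100.7", "Score": 3, "Type": "ip"},
        "IP": {"Address": "198.51.100.7", "Geo": {"Country": "XX"}},
    }},
]


if __name__ == "__main__":
    print("primary source:", primary_source(SAMPLE_ENTRIES))
    print("IP.Geo.Country:", select_field_value(SAMPLE_ENTRIES, "IP.Geo.Country"))
    print("IP.ASN:", select_field_value(SAMPLE_ENTRIES, "IP.ASN"))
```

Running it shows the trap described above: the A-graded instance wins, so Country is DE, and IP.ASN comes back empty even though the B-graded instance returned an ASN. Removing geo-feed-a from the list (the equivalent of disabling it or setting it to Do not use by default) makes asn-feed-b the primary source and the ASN field populates.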