Use case example in Cortex XSIAM to tailor indicator extraction and enrichment for your organization's needs.
The following example describes how to create a new indicator type to manage employee email addresses, for example for resource management or insider threat investigation.
Create a new indicator type for the employee email addresses that use the "our_company.com" company domain.
Under the Settings tab, define the following:
Name: Company email
Regex: .*?@our_company.com
(simplified to capture all the email addresses using the our_company.com domain).
Reputation command: Not relevant for this example, since we don't want any external enrichment.
Formatting script: If more formatting is needed, you can use a formatting script to edit the saved value.
Reputation script: If needed, you can create a reputation script to affect the DBot score given to the new custom indicator.
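As an added illustration (not part of this documentation page or of the product), the Python below runs the simplified regex above over a constructed header block and compares it with a stricter pattern; the stricter regex, the sample text and the formatting step are assumptions made for this example, and the formatting function only mimics what a formatting script would do to the saved value.

```python
import re

# The simplified regex from the indicator type above: unescaped dot, no anchors.
SIMPLIFIED_RE = re.compile(r".*?@our_company.com")

# Stricter variant (an assumption for this example, not from the page): the
# domain dot is escaped, the local part is bounded, case is ignored, and the
# lookarounds stop the value from running into a neighbouring word or a
# lookalike domain such as our_company.com.evil.example.
STRICT_RE = re.compile(
    r"(?<![\w.%+-])[\w.%+-]+@our_company\.com(?![\w.-])", re.IGNORECASE
)

# Constructed sample text standing in for an alert or e-mail header block.
SAMPLE = (
    "From: Alice.Smith@our_company.com\n"
    "CC: bob@our_companyXcom, eve@our_company.com.evil.example\n"
    "Reply-To: carol@OUR_COMPANY.COM ; vendor@partner.example"
)


def extract(pattern, text):
    """Return every raw match, in order, as the extraction engine would see it."""
    return [m.group(0) for m in pattern.finditer(text)]


def format_indicator(value):
    """What a formatting script would do here: trim and lowercase the value
    so Alice@OUR_COMPANY.COM and alice@our_company.com become one indicator."""
    return value.strip().lower()


def extract_employee_emails(text):
    """Strict extraction plus formatting, de-duplicated but order-preserving."""
    seen = []
    for raw in extract(STRICT_RE, text):
        value = format_indicator(raw)
        if value not in seen:
            seen.append(value)
    return seen


if __name__ == "__main__":
    print("simplified:", extract(SIMPLIFIED_RE, SAMPLE))
    print("strict:    ", extract(STRICT_RE, SAMPLE))
    print("indicators:", extract_employee_emails(SAMPLE))
```

The simplified pattern drags the "From: " and "CC: " prefixes into the indicator value, accepts the typo domain and misses the upper-case address, which is why a tighter regex or a formatting script is worth configuring before the indicator type goes live.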
In the Custom Fields tab, map custom fields for the new indicator type.
You can map fields returned using an integration such as Active Directory to obtain more data about the actual user to whom the email belongs. You can also collect data using integrations such as Okta (MFA, SSO), SIEM, and email security. Fields such as Username, Full name, and various groups the user is part of as well as other identifiers are returned to context and mapped into the indicator using the custom fields.
Note
If you miss mapping any field, you can create additional new indicator fields and either relate them to all indicator types, or relate them only to the new indicator type (recommended).