Create an indicator field - Threat Intel Management Guide - Cortex XSIAM - Cortex - Security Operations

Threat intel management

Product
Cortex XSIAM
Creation date
2023-07-30
Last date published
2024-04-15
Category
Threat Intel Management Guide
Abstract

Create a new indicator field in the Fields tab in Cortex XSIAM. Add specific indicator information to indicator layouts and types.

Indicator fields are used to add specific indicator information to alerts. When you create an indicator field, you can associate the field to a specific indicator type or all indicator types. You can then map the custom field to the relevant indicator type. You can also add an indicator field trigger script as well as adding the field to an indicator layout.

Note

Cortex XSIAM IOC fields are based on the STIX 2.1 specifications. For more information, see Indicator field structure.

Field type

Description

Boolean

Checkbox

Date picker

Adds the date to the field.

Grid (table)

Include an interactive, editable grid as a field type for selected indicator types or all indicator types.

When you select Grid (table) you can format the table and determine if the user can add rows,

HTML

HTML: Create and view HTML content, which can be used in any type of indicator.

Long text

  • Long text is analyzed and tokenized, and entries are indexed as individual words, enabling you to perform advanced searches and use wildcards.

  • Long text fields cannot be sorted and cannot be used in graphical dashboard widgets.

  • While editing a long text field, pressing enter will create a new line. Case is insensitive.

Add a placeholder, if required.

Markdown

Add markdown formatted text as a template, which will be displayed to users in the field after the indicator is created. Markdown lets you add basic formatting to text to provide a better end-user experience.

Multi select/Array

Select the following options:

  • Multi-select from a prefilled (static) list

  • An empty array field for the user to add one or more values as a comma-separated list

Add a placeholder, if required.

Number

Can contain any number. Default is 0.

Role

The role assigned to the indicator. Determines which users (by role) can view the indicator.

Short text

  • Short text is treated as a single unit of text and is not indexed by word. Advanced search, including wildcards, is not supported.

  • Short text fields are case-sensitive by default but can be changed to case-insensitive when creating the field.

  • While editing a short text field, pressing enter will save the change.

  • Maximum length 60,000 characters

Recommended use is one-word entries, such as username and email address.

Select a placeholder, if required.

Single select

Select a value from a list of options. Add comma-separated values.

Tags

Accepts a single tag or a comma-separated list, not case-sensitive.

Add a placeholder, if required.

URL

Add a URL when completing the field.

User

A user in Cortex XSIAM.

  1. Select SettingsConfigurationsObject SetupIndicatorsFieldsNew Field.

  2. Select the relevant field type.

  3. Complete the following fields

    Parameter

    Description

    Mandatory

    If selected, this field is mandatory when used in a form.

    Field Name

    A meaningful display name for the field. After you type a name, you will see below the field that the Machine name is automatically populated. The field’s machine name is applicable for searching and the CLI.

    Tooltip

    An optional tooltip for the field.

  4. In the Attributes tab configure the following:

    Field

    Description

    Script to run when field value changes

    The script dynamically changes the field value when script conditions are met. For a script to be available, it must have the field-change-triggered-indicator tag when defining the script. For more information, see Indicator field trigger scripts.

    Add to all indicator types

    This option is selected by default, which means this field is available to use in all incident types.

    Clear the checkbox to associate this field with a subset of indicator types.

  5. Save the field.

  6. (Optional) In the indicator type, map custom indicator fields, so an indicator field is automatically updated, without the analyst having to manually change it.