Create an indicator type

Product: Cortex XSIAM
Creation date: 2023-07-30
Last date published: 2024-04-15
Category: Threat Intel Management Guide
Abstract:

In addition to the system-level indicator types, you can create custom indicator types in Cortex XSIAM.

Indicators are categorized by indicator type. The type determines which layout and fields are displayed for an indicator and which scripts are run on indicators of that type. Cortex XSIAM includes several out-of-the-box indicator types, such as:

  • IP Address

  • Domain

  • URL

  • File

    For more information about file indicators and how to configure the file hash, see File indicators.

When you create a new indicator type, you define its properties, including whether and how to format the indicator data and how the verdict is calculated.

  1. Go to Settings → Configurations → Object Setup → Indicators → Types.

  2. Click New.

  3. In the Settings tab, enter the required indicator type profile values, such as the name and Regex.

    For more information, see Indicator type profile.

  4. In the Custom Fields tab, map the fields, as required.

    For more information, see Map custom indicator fields.
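Before entering a Regex in step 3, it helps to run the candidate pattern against text it should and should not match. The following is an added example, not part of the original guide or of Cortex XSIAM: it assumes a hypothetical custom type for Tor v3 onion addresses, uses constructed sample text, and tests with Python's `re` module, which may differ in syntax from the regex engine the product uses.

```python
import re

# Constructed 56-character base32 label; it has the shape of a v3 onion
# address but is not a real service.
ADDR = "a2b3c4d5" * 7

# Candidate patterns for the hypothetical "Onion Address" indicator type.
WEAK = r"[a-z2-7]{56}\.onion"            # no boundaries: matches inside longer tokens
STRICT = r"\b[a-z2-7]{56}\.onion\b"      # word boundaries on both sides

# (text, indicators that should be extracted) pairs, all constructed.
SAMPLES = [
    (f"beacon to http://{ADDR}.onion/login", [f"{ADDR}.onion"]),
    (f"label too long: zz{ADDR}.onion", []),      # 58-character label
    (f"file named {ADDR}.onionbackup", []),       # not an onion hostname
    ("expired v2 address abcdefghijklmnop.onion", []),
]


def check_regex(pattern, samples=SAMPLES):
    """Return (text, expected, got) for every sample the pattern gets wrong."""
    rx = re.compile(pattern)
    failures = []
    for text, expected in samples:
        got = rx.findall(text)
        if got != expected:
            failures.append((text, expected, got))
    return failures


if __name__ == "__main__":
    for name, pattern in (("weak", WEAK), ("strict", STRICT)):
        failures = check_regex(pattern)
        print(f"{name}: {len(failures)} wrong sample(s)")
        for text, expected, got in failures:
            print(f"  text={text!r}\n    expected={expected} got={got}")
```

A pattern that over-matches here would create false-positive indicators of the new type, so keep the negative samples alongside the positive ones when you revise the Regex.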