Indicator verdict - Threat Intel Management Guide - Cortex XSIAM - Cortex - Security Operations

Threat intel management

Product
Cortex XSIAM
Creation date
2023-07-30
Last date published
2024-04-15
Category
Threat Intel Management Guide
Abstract

Cortex XSIAM analyzes indicators to determine whether they are malicious. Create indicator types and custom layouts, exclusion lists, and indicator verdicts.

An indicator’s verdict is assigned according to the verdict returned by the source with the highest reliability. In cases where multiple sources with the same reliability score return a different verdict for the indicator, the worst verdict is taken. Indicators are assigned the following verdicts:

  • 0: Unknown

  • 1: Benign

  • 2: Suspicious

  • 3: Malicious

You can set the verdict manually by editing the indicator. If you manually changed the indicator’s verdict and want to recalculate it according to enrichment integrations, set the verdict to Unknown and then enrich the indicator. If after manually setting the indicator's verdict you run indicator enrichment without setting the verdict to Unknown, the indicator is enriched but the manually set verdict is not changed.

Source reliability

The reliability of an intelligence data source influences the verdict of an indicator and the values for indicator fields when merging indicators. Indicator fields are merged according to the source reliability hierarchy, which means that when there are two different values for a single indicator field, the field will be populated with the value provided by the source with the highest reliability score.

In rare cases, two sources with the same reliability score might return different values for the same indicator field. In these cases, the field is populated with the most recently provided source, unless the field is verdict. If two sources have the same reliability score and return different values for the verdict field, the worse verdict is used.

For the field types Tags and Multi-select, all values are appended, and nothing is overridden.

Source

Reliability Score

Notes

Manual

A+++

A user manually updates the verdict of an indicator.

Reputation script

A++

A script with the reputation tag calculates the verdict of an indicator. For example, the DataDomainReputation script evaluates the verdict of a URL or domain.

Third-party enrichment

A+

An integration or service that evaluates the verdict of an indicator. For example, the urlscan.io integration evaluates the verdict of a URL.

Feed

A: Completely reliable

The feed reliability is applied at the integration instance level.

B: Usually reliable

C: Fairly reliable

D: Not usually reliable

E: Unreliable

F: Reliability cannot be judged

Different verdicts from integrations

In this example, two third-party integrations, VirusTotal and AlienVault, return a different verdict for the same indicator. The indicator’s verdict will be Malicious because VirusTotal’s reliability score is higher than AlienVault.

Integration

Reliability

Verdict

Final Verdict

VirusTotal

C - Fairly reliable

Malicious

Malicious

AlienVault

D- Not usually reliable

Benign

In this example, two sources with the same verdict score return a different verdict for the same indicator. The indicator’s verdict will be Malicious because when two sources have the same reliability, the worse verdict applies.

Integration

Reliability

Verdict

Final Verdict

TAXII Feed

B - Usually reliable

Malicious

Malicious

CSV Feed

B - Usually reliable

Benign