Map custom indicator fields - Threat Intel Management Guide - Cortex XSIAM - Cortex - Security Operations

Threat intel management

Product
Cortex XSIAM
Creation date
2023-07-30
Last date published
2024-04-15
Category
Threat Intel Management Guide
Abstract

Learn more about mapping custom indicator fields.

Indicator mapping enables you to automatically update the value of an indicator field without having to manually change it. For example, the IP indicator automatically maps the Country field. If it was not mapped, each time the IP address changes country the analyst would have to update the country every time that indicator type is ingested.

The value of an indicator field is determined by the value of the key in context data the field is mapped to in Cortex XSIAM.

When you start ingesting indicators, the incoming fields are automatically mapped to the relevant indicator fields. Sometimes you may want to change the default settings or map custom indicator fields to specific context data. Before you map custom indicator fields, you need to create the indicator field and add it to the relevant indicator type layout.

Note

Some integrations have indicator mappers and classifiers, such as AWS. If you want to use an integration mapper or classifier, see Indicator classification and mapping.

To map custom fields to the indicator type, you need to enrich the indicator either by using the !enrichindicators  command in the Alert Room CLI, in a playbook, or by opening an indicator and click Enrich indicator. Enrichment returns an entry, with the EntryContext property as the source of the mapping process. When editing an indicator type, in the Custom Fields tab, type the name of the indicator exactly how it appears (in the Threat Intel page) and click Load.

For the enrichment data to be considered valid, EntryContext must include a DBotScore with the fields: Indicator, Score, Vendor , and Type. If DBotScore has those fields, all the data of EntryContext is used as the source for the mapping, and not only the data under EntryContext.DBotScore.

How to map indicator fields
  1. Go to SettingsConfigurationsObject SetupIndicatorsTypes.

  2. Select the indicator type and click Edit.

  3. Click the Custom Fields tab.

    The custom fields associated with this indicator type are listed in the table. If you do not see a custom field in the list, verify that you associated the custom field with this indicator type.

  4. (Optional) In the Indicator Sample panel, enter an indicator relevant to the indicator type to load sample data.

  5. Click Choose data path to map the custom field to a data path.

    1. (Optional) Click the curly brackets to map the field to a context path.

    2. (Optional) From the Indicator Sample panel, select a context key to map to the field.

  6. Save the indicator type.