Indicators are artifacts associated with incidents, and are an essential part of the incident management and remediation process. They help correlate incidents, create hunting operations, and enable you to easily analyze incidents and reduce Mean Time to Response (MTTR).
Cortex XSOAR automates threat intel management by ingesting and processing indicator sources, such as feeds and lists, and exporting the enriched intelligence data to SIEMs, firewalls, and any other system that can benefit from the data. These capabilities enable you to sort through millions of indicators daily and take automated steps to make those indicators actionable in your security posture.
Indicators are added to Cortex XSOAR via the following methods:
Integrations that fetch indicators from feeds.
Indicators extracted from incidents.
Indicators added manually to Cortex XSOAR.
By default, when editing the dropdown or text values in an indicator, the changes are not saved until you confirm your changes (by clicking the checkmark icon in the value field).
These icons are designed to let you have an additional level of security before you make changes to the fields in incidents, indicators, and threat intel reports.
To change the default behavior set the
inline.edit.on.blur server configuration to
true, which enables you to make changes to inline fields without clicking the check mark. The changes are automatically saved when clicking anywhere on the page or when navigating to another page. For text values you can also click anywhere in the value field to edit.
For indicator daily tasks, such as creating an indicator, and adding an indicator to an exclusion list, see Indicator Management.