Indicators Server Configurations - Administrator Guide - 6.6 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product: Cortex XSOAR
Version: 6.6
Creation date: 2022-09-29
Last date published: 2024-03-21
End of Life: EoL
Category: Administrator Guide

Each entry below gives the configuration key, its description, and its default value.

Key: create.indicators.limit.by.time.range
Description: Whether to limit the period of time within which indicators are fetched.
Default: true

Key: create.indicators.limit.by.time.range.hours
Description: The period of time (hours) within which to limit the indicators that can be fetched.
Default: 24

Key: create.indicators.limit.by.time.range.max.allowed
Description: The maximum number of indicators that can be fetched within the time period defined by create.indicators.limit.by.time.range.hours.
Default: 1000

Key: create.indicators.limit.by.total.amount
Description: Whether to limit the total number of indicators that can be fetched. (Hosted development instances only) To prevent workflow overloads that led to system crashes, Cortex XSOAR now limits the number of incidents and indicators that can be fetched within a given time frame. The new limits are:

  • 1000 indicators within a 24 hour period.

  • 1000 incidents within a 24 hour period.

For on-premises customers, these limits are disabled by default, but are configurable through the following server configurations:

  • create.indicators.limit.by.total.amount: Whether fetch limits are imposed for indicators. Value: true (default) or false.

  • create.indicators.limit.by.total.amount.max.allowed: The maximum number of total indicators that can be fetched. Default is 5,000,000.

Default: false

Key: create.indicators.limit.by.total.amount.max.allowed
Description: The maximum number of total indicators that can be fetched by default. For more information, see Case Management in Features Introduced in 2023.
Default: 5000000

Key: create.indicators.limit.by.total.amount.warning.percentage
Description: The percentage of indicators fetched, calculated from create.indicators.limit.by.total.amount.max.allowed, after which warning messages are sent to defined users.
Default: 75
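As an added example (not Cortex XSOAR product code), the following Python models the six fetch-limit keys above: it validates override values against the documented types and defaults, and evaluates a prospective fetch against the per-window cap, the total cap, and the warning percentage. The blocking and warning logic is an assumption built from the key descriptions; the product's own enforcement is not shown on this page, and the sample override values are constructed.

```python
"""Model of the Cortex XSOAR indicator fetch-limit server configurations.

Added example, not Cortex XSOAR product code. Keys and defaults are the ones
documented on this page; the decision logic (block a fetch that would exceed a
limit, warn at the percentage threshold) is an assumption modelled on the key
descriptions, not the product's actual enforcement.
"""
from dataclasses import dataclass

# Keys and default values exactly as listed in the table.
FETCH_LIMIT_DEFAULTS = {
    "create.indicators.limit.by.time.range": True,
    "create.indicators.limit.by.time.range.hours": 24,
    "create.indicators.limit.by.time.range.max.allowed": 1000,
    "create.indicators.limit.by.total.amount": False,
    "create.indicators.limit.by.total.amount.max.allowed": 5_000_000,
    "create.indicators.limit.by.total.amount.warning.percentage": 75,
}

PERCENTAGE_KEY = "create.indicators.limit.by.total.amount.warning.percentage"


def _is_int(value):
    # bool is a subclass of int in Python, so exclude it explicitly.
    return isinstance(value, int) and not isinstance(value, bool)


def validate_fetch_limits(overrides):
    """Return a list of problems with the supplied overrides; empty means valid."""
    problems = []
    for key, value in overrides.items():
        if key not in FETCH_LIMIT_DEFAULTS:
            problems.append(f"unknown key: {key}")
            continue
        if isinstance(FETCH_LIMIT_DEFAULTS[key], bool):
            if not isinstance(value, bool):
                problems.append(f"{key}: expected true/false, got {value!r}")
        elif not _is_int(value) or value <= 0:
            problems.append(f"{key}: expected a positive integer, got {value!r}")
        elif key == PERCENTAGE_KEY and value > 100:
            problems.append(f"{key}: must not exceed 100, got {value}")
    return problems


@dataclass
class FetchDecision:
    allowed: bool  # whether the fetch may proceed
    warn: bool     # whether the warning threshold has been reached
    reason: str


def evaluate_fetch(overrides, fetched_in_window, total_indicators, new_count):
    """Apply the two documented limits to a prospective fetch of new_count indicators.

    fetched_in_window: indicators already fetched within the configured hours window
    total_indicators:  indicators currently held in total
    """
    c = {**FETCH_LIMIT_DEFAULTS, **overrides}
    if c["create.indicators.limit.by.time.range"]:
        cap = c["create.indicators.limit.by.time.range.max.allowed"]
        hours = c["create.indicators.limit.by.time.range.hours"]
        if fetched_in_window + new_count > cap:
            return FetchDecision(
                False, False,
                f"time-range limit: {fetched_in_window + new_count} > {cap} in {hours}h")
    warn = False
    if c["create.indicators.limit.by.total.amount"]:
        cap = c["create.indicators.limit.by.total.amount.max.allowed"]
        projected = total_indicators + new_count
        if projected > cap:
            return FetchDecision(False, False, f"total-amount limit: {projected} > {cap}")
        # Warn once the projected total reaches the configured percentage of the cap.
        warn = projected * 100 >= cap * c[PERCENTAGE_KEY]
    return FetchDecision(True, warn, "within limits")


if __name__ == "__main__":
    # Constructed sample: an on-premises instance that has switched the total cap on.
    on_prem = {
        "create.indicators.limit.by.total.amount": True,
        "create.indicators.limit.by.total.amount.max.allowed": 1000,
    }
    print(validate_fetch_limits(on_prem))
    print(evaluate_fetch(on_prem, fetched_in_window=900, total_indicators=700, new_count=100))
```

Running the block with the constructed on-premises overrides reports no validation problems and a fetch that is allowed but already past the 75% warning threshold, which is the case an operator wants to notice before the total cap starts rejecting feeds.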

Key: create.related.indicators.entry
Description: Whether to disable War Room notifications for related indicators. For more information, see War Room Overview.
Default: true

Key: enrichment.reputationScript.reliability
Description: The reliability of the score from a reputation script. For more information, see Indicator Type Profile.
Default: A++

Key: Export.utf8bom
Description: Whether to export an incident to CSV using the UTF8-BOM format.
Default: false

Key: indicator.feed.html.field.truncate.maxChars
Description: The maximum size (in KB) of the HTML field to display. If you increase the limit substantially, it may slow performance. For more information, see Configure the HTML Field.
Default: 50

Key: indicator.html.style.attributes
Description: Adds missing styles when the HTML lacks them. For more information, see Configure the HTML Field.
Default: N/a

Key: indicator.timeline.auto.extract.enabled
Description: Enables the indicator timeline in the indicator extraction flow. For more information, see Manage the Indicator Timeline.
Default: true

Key: indicator.timeline.enabled
Description: Enables the indicator timeline in all flows. For more information, see Manage the Indicator Timeline.
Default: true

Key: indicator.timeline.enabled.type.<indicatorType>
Description: Enables the indicator timeline for a specific indicator type. For more information, see Manage the Indicator Timeline.
Default: true

Key: indicator.timeline.max.size
Description: The maximum number of indicator comments (timeline and regular). For more information, see Manage the Indicator Timeline.
Default: 100

Key: indicator.timeline.worker.enabled
Description: Enables you to add timeline comments through content integrations. For more information, see Manage the Indicator Timeline.
Default: true

Key: message.ignore.fetchIndicator.warning
Description: Indicates whether to send warning messages to defined users. This is an alternative to the previous set of configurations, which set the limit according to the total number and the defined time period.
Default: false

Key: reputation.calc.algorithm.tasks
Description: Sets the indicator extraction mode applied to task results. You can change the value when editing a task, which overrides the system configuration for that task. For more information, see Indicator Extraction Mode Options.
Default: none

Key: reputation.calc.algorithm
Description: Sets the indicator extraction mode for incident creation. Also used when troubleshooting playbooks that take a long time to start. Values:

  • 1 - None

  • 2 - Inline

  • 3 - Out of band

For more information, see Indicator Extraction Mode Options.
Default: 2 (inline)

Key: reputation.calc.algorithm.fields.change
Description: Sets the indicator extraction mode for incident field changes. You can change the value when editing an incident type, which overrides this system configuration for that incident type. For more information, see Indicator Extraction Mode Options.
Default: 3 (out of band)

Key: reputation.calc.algorithm.manual
Description: Applies to commands triggered from the CLI. You can change the value using the auto-extract parameter, which overrides the system configuration for that command. For more information, see Indicator Extraction Mode Options.
Default: 3 (out of band)

Key: reputation.notification.max.count
Description: The maximum number of reputation indicator notifications in a batch update.
Default: 100

Key: ThreatIntelReport.default.readonly.roles
Description: Grants read-only access to Threat Intel reports. Value: a comma-separated list of users.
Default: N/a

Key: ThreatIntelReport.default.roles
Description: Grants read and write access to Threat Intel reports. Value: a comma-separated list of users.
Default: N/a

Key: UI.html.use.theme.css
Description: Whether to use Cortex XSOAR theme styles. For more information, see Configure the HTML Field.
Default: true

Key: UI.investigation.page
Description: Customizes the default landing page within the incident view. Values:

  • /Details/

  • /WarRoom/

  • /WorkPlan/

  • /EvidenceBoard/

Default: /Details/

Key: UI.summary.page.hide.empty.fields
Description: Whether to hide empty fields in the incident summary tab. For more information, see Customize Indicator View Layouts.
Default: true