Indicator Verdict - Threat Intel Management Guide - 6.8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Threat Intel Management Guide

Product
Cortex XSOAR
Version
6.8
Creation date
2022-09-29
Last date published
2023-12-12
End_of_Life
EoL
Category
Threat Intel Management Guide

An indicator’s verdict is assigned according to the verdict returned by the source with the highest reliability. In cases where multiple sources with the same reliability score return a different verdict for the indicator, the worst verdict is taken.

Indicator verdicts

Indicators are assigned a verdict on a scale of 0 to 3.

Score

Verdict

Color

0

Unknown

Gray

1

Benign

Green

2

Suspicious

Orange

3

Malicious

Red

Note

You can change the benign verdict by editing the indicator. If you have manually changed the indicator’s verdict and want to recalculate it according to enrichment integrations, click Calculate when editing the indicator.

Source reliability

The reliability of an intelligence-data source influences the verdict of an indicator and the values for indicator fields when merging indicators.

Indicator fields are merged according to the source reliability hierarchy. This means that when there are two different values for a single indicator field, the field will be populated with the value provided by the source with the highest reliability score.

In rare cases, two sources with the same reliability score might return different values for the same indicator field. In these cases, the field is populated with the most recently provided source, unless the field is verdict. If two sources have the same reliability score and return different values for the verdict field, the worse verdict is used.

For the field types Tags and Multi-select, all values are appended, nothing is overridden.

Source

Reliability Score

Notes

Manual

A+++

A user manually updates the verdict of an indicator.

Reputation script

A++

A script with the reputation tag, which calculates the verdict of an indicator.

Third-party enrichment

A+

An integration or service that evaluates the verdict of an indicator. For example, the urlscan.io integration evaluates the verdict of a URL.

Feed

A: Completely reliable

The feed reliability is applied at the integration instance level.

B: Usually reliable

C: Fairly reliable

D: Not usually reliable

E: Unreliable

F: Reliability cannot be judged

Example 1

In this example, two third-party integrations, VirusTotal and AlienVault, return a different verdict for the same indicator. The indicator’s verdict will be Malicious because VirusTotal’s reliability score is higher than AlienVault.

Integration

Reliability

Verdict

Final Verdict

VirusTotal

C - Fairly reliable

Malicious

Malicious

AlienVault

D- Not usually reliable

Benign

Example 2

In this example, two sources with the same verdict score return a different verdict for the same indicator. The indicator’s verdict will be Malicious because when two sources have the same reliability, the worse verdict applies.

Integration

Reliability

Verdict

Final Verdict

TAXII Feed

B - Usually reliable

Malicious

Malicious

CSV Feed

B - Usually reliable

Benign