Indicators

Cortex XSOAR Administrator Guide

Product
Cortex XSOAR
Version
6.9
Creation date
2022-09-29
Last date published
2024-12-05
End of Life
EoL
Category
Administrator Guide
Abstract

Cortex XSOAR analyzes indicators to determine whether they are malicious. Create indicator types and custom layouts and an exclusion list.

Indicators are artifacts associated with incidents, and are an essential part of the incident management and remediation process. They help correlate incidents, create hunting operations, and enable you to easily analyze incidents and reduce Mean Time to Response (MTTR).

Cortex XSOAR automates threat intel management by ingesting and processing indicator sources, such as feeds and lists, and exporting the enriched intelligence data to SIEMs, firewalls, and any other system that can benefit from the data. These capabilities enable you to sort through millions of indicators daily and take automated steps to make those indicators actionable in your security posture.

Indicators are added to Cortex XSOAR via the following methods:

  • Integrations that fetch indicators from feeds.

  • Indicators extracted from incidents.

  • Indicators added manually to Cortex XSOAR.

Note

By default, when editing the dropdown or text values in an indicator, the changes are not saved until you confirm your changes (by clicking the checkmark icon in the value field).

The checkmark icon adds a confirmation step before a change is committed to a field in an incident, indicator, or threat intel report.

To change the default behavior, set the inline.edit.on.blur server configuration to true, which lets you change inline fields without clicking the checkmark. Changes are then saved automatically when you click anywhere else on the page or navigate to another page. For text values, you can also click anywhere in the value field to edit it.

For day-to-day indicator tasks, such as creating an indicator or adding an indicator to an exclusion list, see Indicator Management.