Indicator Ingestion - Threat Intel Management Guide - 6.9 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Threat Intel Management Guide

Product: Cortex XSOAR
Version: 6.9
Creation date: 2022-09-29
Last date published: 2024-03-05
End of Life: EoL
Category: Threat Intel Management Guide
Abstract

Overview of how Cortex XSOAR indicators are detected and ingested.

The following table shows the methods by which indicators are detected and ingested in Cortex XSOAR. For each method it gives a description and states where classification and mapping take place.

Method: Integration

Description:

  • Feed integrations: Fetch indicators from a feed, for example TAXII, Office 365, and FeedUnit42v2.

  • Enrichment integrations: Enhance the indicator, giving it more context and information, for example VirusTotal and Ipinfo.

Classification and Mapping: Indicator classification and mapping is done in the feed integration code, not in the Cortex XSOAR Settings > OBJECTS SETUP > Indicators > Classification & Mapping tab. For example, see the FeedUnit42v2 integration.
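As an added illustration (not code from the FeedUnit42v2 integration or from any Cortex XSOAR package), the following Python sketches the classification and mapping step that a feed integration performs in its own code before handing indicators to Cortex XSOAR: the indicator type is derived from the raw value, and feed-specific fields are mapped onto XSOAR indicator fields. The feed entries, the feed field names and the `HypotheticalFeed` name are constructed assumptions.

```python
import ipaddress
import re
from typing import Any, Dict, List, Optional

# Indicator type names as Cortex XSOAR uses them (FeedIndicatorType in CommonServerPython).
IP, DOMAIN, URL, FILE = "IP", "Domain", "URL", "File"

_SHA256 = re.compile(r"^[0-9a-fA-F]{64}$")
_DOMAIN = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.IGNORECASE)


def classify(value: str) -> Optional[str]:
    """Classify a raw feed value into an XSOAR indicator type (None = unsupported value)."""
    try:
        ipaddress.ip_address(value)
        return IP
    except ValueError:
        pass
    if value.startswith(("http://", "https://")):
        return URL
    if _SHA256.match(value):
        return FILE
    if _DOMAIN.match(value):
        return DOMAIN
    return None


def map_indicator(entry: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Map one raw feed entry to the indicator object a feed integration builds for XSOAR."""
    value = str(entry.get("indicator", "")).strip()
    itype = classify(value)
    if itype is None:
        return None  # drop unsupported values rather than create a mis-typed indicator
    return {
        "value": value,
        "type": itype,
        "rawJSON": entry,  # original feed record kept for later inspection
        "fields": {  # feed-specific keys mapped onto XSOAR indicator fields
            "tags": entry.get("tags", []),
            "firstseenbysource": entry.get("first_seen"),
            "description": entry.get("description", ""),
        },
        "score": 3 if entry.get("malicious") else 0,  # DBotScore: 3 = malicious, 0 = unknown
    }


def build_indicators(entries: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Classify and map a whole feed page; a real integration would then pass
    this list to demisto.createIndicators() in batches."""
    return [ind for ind in (map_indicator(e) for e in entries) if ind]


# Constructed sample feed entries from the assumed HypotheticalFeed (not real data).
SAMPLE_FEED = [
    {"indicator": "203.0.113.7", "tags": ["c2"], "first_seen": "2024-01-01T00:00:00Z", "malicious": True},
    {"indicator": "example.net", "description": "phishing landing", "malicious": True},
    {"indicator": "https://example.net/login", "malicious": False},
    {"indicator": "not an indicator"},
]
```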

Method: Indicator Extraction

Description: Indicators are extracted from selected incidents that flow into Cortex XSOAR, for example from a SIEM integration.

Classification and Mapping: Only the value of an indicator is extracted, so no classification or mapping is needed.

Method: Manual

Description:

  • Command line

  • Mark: User marks a piece of data as an indicator.

  • STIX file: Manually upload a STIX file on the Threat Intel (Indicators) page.

Classification and Mapping: Data is inserted manually via the UI, so no classification or mapping is needed. If a STIX file is imported, mapping is done by the STIX parser code.