Indicator Ingestion - Threat Intel Management Guide - 6.9 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Threat Intel Management Guide

Cortex XSOAR
Creation date
Last date published
Threat Intel Management Guide

The following table shows methods by which indicators are detected and ingested in Cortex XSOAR.



Classification and Mapping


  • Feed integrations: Fetch indicators from a feed, for example TAXII, Office 365, and FeedUnit42v2.

  • Enrichment integrations: Enhance the indicator, giving it more context and information, for example, VirusTotal and Ipinfo.

Indicator classification and mapping is done in the Feed Integration code and not in the Cortex XSOAR Settings > OBJECTS SETUP > Indicators > Classification & Mapping tab. For example, see the FeedUnit42v2 integration.

Indicator Extraction

Indicators are extracted from selected incidents that flow into Cortex XSOAR, for example from a SIEM integration.

Only the value of an indicator is extracted, so no classification or mapping is needed.


  • Command line

  • Mark: User marks a piece of data as an indicator.

  • STIX file: Manually upload a STIX file on the Threat Intel (Indicators) page.

Data is inserted manually via the UI so no classification or mapping is needed.

If importing a STIX file, mapping is done via the STIX parser code.