Create or edit a Cortex XSOAR indicator type and configure fields that determine how the system interacts with indicators of that type.
Each indicator type has its own 'profile' that allows Cortex XSOAR to recognize it across the platform. Configure the following fields when you create or edit an indicator type.
Field | Description
---|---
Name | A meaningful name for the indicator type.
Regex | The regular expression (regex) by which to identify indicators for this indicator type.
Formatting script | Modifies how the indicator displays in Cortex XSOAR. Formatting scripts must be tagged `indicator-format` in order to appear in the dropdown for the indicator type.
Reputation command | Calculates the reputation of indicators of this type. The verdict (reputation) is only associated with the specific indicator on which it is run (not the indicator type). The command returns the reputation of the indicator as an entry with entry context and, in some cases, also returns context values that can be mapped to the custom fields of the indicator. The results of the reputation command do not print to the War Room in the indicator extraction flow.
Layout | Select the indicator layout.
Reputation script | The output of the reputation script is a verdict score, which is used as the basis for the indicator verdict. Reputation scripts must be tagged `reputation` in order to appear in the dropdown for the indicator type. The results of reputation scripts do not print to the War Room in the extraction flow.
Enhancement script | The enhancement script is not part of the indicator extraction flow; it is run manually on the indicator type. For example, domain reputation, email reputation, parse email files, etc. After indicators are identified, you can go to the indicator quick view, click the Actions button and run an enhancement script directly on an indicator. In order for these scripts to be available in the drop-down menu, they need the `enhancement` tag. Running an enhancement script is the equivalent of running the script at the CLI in the War Room: the script can write to context, return an entry, etc.
Exclude these integrations for the reputation command | Integrations to exclude when calculating the verdict, evaluating, and enriching indicators of this indicator type. This only applies to the indicator extraction and enrichment mechanism; it does not apply when directly running reputation commands such as
Expiration method | The method by which to expire indicators of this type. The expiration method that you select is the default expiration method for indicators of this indicator type. The expiration can also be assigned when configuring a feed integration instance, which overrides the default method.
Context path for verdict value (Advanced) | When an indicator is extracted, the entry data from the command is mapped to the incident context. This path defines where in context the data is mapped.
Context value of verdict (Advanced) | The value of this field defines the actual data that is mapped to the context path.
Cache expiration in minutes (Advanced) | The amount of time (in minutes) after which the cache for indicators of this type expires. The default is 4,320 minutes (three days). The cache enables you to limit API requests by only updating indicators after a specific time period has passed. The cache cannot be cleared manually. Note: Indicator cache expiration rules only apply to automatic enrichment, triggered by the
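The extraction flow the table describes (Regex identifies candidates, the formatting script normalises them, the reputation script returns a verdict score that lands at the verdict context path), shown as an added stand-alone Python example rather than an XSOAR script: it does not use the demisto SDK, and the "Internal Asset Tag" type, its regex, and the allow/deny sets are constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed custom indicator type "Internal Asset Tag". The pattern plays
# the role of the type's Regex field; IGNORECASE lets the formatting step,
# not the regex, decide the canonical display form.
ASSET_TAG_REGEX = re.compile(r"\bAST-\d{4}-[A-Z]{2}\b", re.IGNORECASE)

# Constructed allow/deny sets. A real reputation script would normally
# query an integration or an indicator list instead.
KNOWN_GOOD = {"AST-0001-HQ"}
KNOWN_BAD = {"AST-0099-XX"}


def extract(text: str) -> List[str]:
    """Extraction: every regex match becomes a candidate indicator."""
    return ASSET_TAG_REGEX.findall(text)


def format_indicator(value: str) -> str:
    """Formatting script (tag indicator-format): canonical upper-case form."""
    return value.upper()


def reputation(value: str) -> Dict[str, object]:
    """Reputation script (tag reputation): verdict score plus context values.
    Scores follow the DBotScore scale: 0 unknown, 1 good, 2 suspicious, 3 bad.
    In the type definition, 'DBotScore.Score' would be the context path for
    the verdict value and 'Score' the context value of the verdict."""
    score = 0
    if value in KNOWN_BAD:
        score = 3
    elif value in KNOWN_GOOD:
        score = 1
    return {"Indicator": value, "Type": "Internal Asset Tag", "Score": score}


def process(text: str) -> List[Dict[str, object]]:
    """Run regex -> formatting -> reputation for each indicator found."""
    return [reputation(format_indicator(raw)) for raw in extract(text)]


if __name__ == "__main__":
    # Constructed sample text: two valid tags in mixed case, one malformed.
    SAMPLE = "Alert from ast-0099-xx; ticket mentions AST-0001-hq and AST-12-ab."
    for result in process(SAMPLE):
        print(result)
```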