Create a new indicator field in the Fields tab in Cortex XSOAR. Add specific indicator information to incidents.
Indicator fields are used to add specific indicator information to incidents. When you create an indicator field, you can associate the field to a specific indicator type or all indicator types. You can then map the custom field to the relevant indicator type. You can also add an indicator field trigger script.
Note
Cortex XSOAR IOC fields are based on the STIX 2.1 specifications. For more information, see Indicator field structure.
Field type | Description |
---|---|
Boolean | Checkbox |
Date picker | Adds the date to the field. |
Grid (table) | Include an interactive, editable grid as a field type for selected indicator types or all indicator types. To see how to create a grid field and to use a script, see Add an indicator field trigger script to an indicator field. When you select Grid (table) you can format the table and determine if the user can add rows. |
HTML | Create and view HTML content, which can be used in any type of indicator. |
Long text |
Add a placeholder, if required. |
Markdown | Add markdown formatted text as a template, which will be displayed to users in the field after the indicator is created. Markdown lets you add basic formatting to text to provide a better end-user experience. |
Multi select/Array | Select the following options:
Add a placeholder, if required. |
Number | Can contain any number. Default is 0. |
Role | The role assigned to the indicator. Determines which users (by role) can view the indicator. |
Short text |
Recommended use is one-word entries, such as username and email address. Select a placeholder, if required. |
Single select | Select a value from a list of options. Add comma-separated values. |
Tags | Accepts a single tag or a comma-separated list, not case-sensitive. Add a placeholder, if required. |
URL | Add a URL when completing the field. |
User | A user in Cortex XSOAR. |
Select Settings & Info → Settings → Object Setup → Indicators → Fields → New Field.
Select the relevant field type.
Complete the following fields (if relevant):
Parameter
Description
Mandatory
If selected, this field is mandatory when used in a form.
Field Name
A meaningful display name for the field. After you type a name, you will see below the field that the Machine name is automatically populated. The field’s machine name is applicable for searching and the CLI.
Tooltip
An optional tooltip for the field.
In the Basic Settings tab, define the values (according to the selected field type).
In the Attributes tab define the following:
Field
Description
Script to run when field value changes
The script dynamically changes the field value when script conditions are met. For a script to be available, it must have the
field-change-triggered-indicator
tag when defining the script. For more information, see Indicator field trigger scripts.Add to all indicator types
This option is selected by default, which means this field is available to use in all incident types.
Clear the checkbox to associate this field with a subset of indicator types.
Make data available for search
The values for this field can be returned in searches.
Save the field.
If you subsequently edit the field, you can optionally select Don't show in the indicators layout. If you select this, the indicator field does not appear in the layout but the data is displayed in the context data.
(Optional) Add a custom field to a section in the indicator layout.
If you select Don't show in the indicators layout, the field will not appear in the layout.
(Optional) In the indicator type, map custom indicator fields, so an indicator field is automatically updated, without the analyst having to manually change it.