Cortex XSOAR analyzes indicators to determine whether they are malicious. Create indicator types and custom layouts, exclusion lists, and indicator verdicts.
An indicator's verdict is assigned according to the verdict returned by the source with the highest reliability, where reliability is graded on the Admiralty Source and Information Reliability Matrix (A through F). When several sources with the same reliability score return different verdicts for the indicator, the worst verdict is taken. Indicators are assigned one of the following verdicts:
0: Unknown
1: Benign
2: Suspicious
3: Malicious
You can set the verdict manually by editing the indicator. A manual verdict outranks every enrichment source, so if you have manually changed the indicator's verdict and want it recalculated according to your enrichment integrations, set the verdict to Unknown and then enrich the indicator. If you run indicator enrichment without first setting the verdict to Unknown, the indicator is enriched but the manually set verdict is not changed.
Source reliability
The reliability of an intelligence data source influences the verdict of an indicator and the values for indicator fields when merging indicators. Indicator fields are merged according to the source reliability hierarchy, which means that when there are two different values for a single indicator field, the field will be populated with the value provided by the source with the highest reliability score.
In rare cases, two sources with the same reliability score might return different values for the same indicator field. In these cases, the field is populated with the value from the source that reported most recently, unless the field is verdict. If two sources have the same reliability score and return different values for the verdict field, the worse verdict is used.
For the field types Tags and Multi-select, all values are appended, and nothing is overridden.
Source | Reliability Score | Notes |
---|---|---|
Manual | A+++ | A user manually updates the verdict of an indicator. |
Reputation script | A++ | A script with the reputation tag calculates the verdict of an indicator. For example, the DataDomainReputation script evaluates the verdict of a URL or domain. |
Third-party enrichment | A+ | An integration or service that evaluates the verdict of an indicator. For example, the urlscan.io integration evaluates the verdict of a URL. |
Feed | A: Completely reliable | The feed reliability is applied at the integration instance level; see Configure Threat Intel feed integrations. |
Feed | B: Usually reliable | |
Feed | C: Fairly reliable | |
Feed | D: Not usually reliable | |
Feed | E: Unreliable | |
Feed | F: Reliability cannot be judged | |
Different verdicts from integrations
In this example, two third-party integrations, VirusTotal and AlienVault, return different verdicts for the same indicator. The indicator's verdict is Malicious because VirusTotal's reliability score (C) is higher than AlienVault's (D).
Integration | Reliability | Verdict | Final Verdict |
---|---|---|---|
VirusTotal | C - Fairly reliable | Malicious | Malicious |
AlienVault | D - Not usually reliable | Benign | |
In this example, two sources with the same reliability score return different verdicts for the same indicator. The indicator's verdict is Malicious because when two sources have the same reliability, the worse verdict applies.
Integration | Reliability | Verdict | Final Verdict |
---|---|---|---|
TAXII Feed | B - Usually reliable | Malicious | Malicious |
CSV Feed | B - Usually reliable | Benign | |
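The following is an added example, not Cortex XSOAR's own code, that models the precedence rules described in the Source reliability section and reproduces both tables above, plus the manual-verdict reset described earlier. The numeric reliability ranks, the SourceReport class, the timestamps and the rule that a source reporting Unknown makes no verdict claim are all this example's own assumptions, not XSOAR internals.

```python
from dataclasses import dataclass
from datetime import datetime

# Reliability ladder from the table on this page, highest first. The numeric
# ranks are this example's own choice; XSOAR's internal encoding is not assumed.
RELIABILITY_RANK = {"A+++": 9, "A++": 8, "A+": 7,
                    "A": 6, "B": 5, "C": 4, "D": 3, "E": 2, "F": 1}
VERDICT_SCORE = {"Unknown": 0, "Benign": 1, "Suspicious": 2, "Malicious": 3}
APPEND_FIELDS = {"tags"}  # Tags / Multi-select: values are appended, never overridden


@dataclass
class SourceReport:
    """One source's view of an indicator (constructed input for this example)."""
    source: str
    reliability: str
    fields: dict       # field name -> value (a list for fields in APPEND_FIELDS)
    seen_at: datetime  # when the source last reported; breaks non-verdict ties


def merge_indicator(reports):
    """Merge per-source field values into one indicator record.

    Rules from the page: the highest-reliability source wins a field; on a
    reliability tie the verdict field takes the worse verdict and any other
    field takes the most recent value; Tags/Multi-select values are appended.
    Assumption (not from the page): a source reporting verdict 'Unknown' makes
    no verdict claim, which is how resetting a manual verdict to Unknown lets
    enrichment recompute it.
    """
    merged = {}
    names = {n for r in reports for n in r.fields}
    for name in names:
        candidates = [r for r in reports if name in r.fields]
        if name == "verdict":
            candidates = [r for r in candidates if r.fields[name] != "Unknown"]
            if not candidates:
                merged[name] = "Unknown"
                continue
        if name in APPEND_FIELDS:
            values = []
            for r in sorted(candidates, key=lambda r: r.seen_at):
                for v in r.fields[name]:
                    if v not in values:
                        values.append(v)
            merged[name] = values
            continue
        top = max(RELIABILITY_RANK[r.reliability] for r in candidates)
        tied = [r for r in candidates if RELIABILITY_RANK[r.reliability] == top]
        if name == "verdict":
            merged[name] = max((r.fields[name] for r in tied), key=VERDICT_SCORE.get)
        else:
            merged[name] = max(tied, key=lambda r: r.seen_at).fields[name]
    return merged


T0 = datetime(2024, 1, 1, 12, 0)  # constructed timestamps
T1 = datetime(2024, 1, 1, 12, 5)


def example_different_reliability():
    # First table above: VirusTotal (C) outranks AlienVault (D), so Malicious wins.
    return merge_indicator([
        SourceReport("VirusTotal", "C", {"verdict": "Malicious", "tags": ["vt"]}, T0),
        SourceReport("AlienVault", "D", {"verdict": "Benign", "tags": ["otx"]}, T1),
    ])


def example_same_reliability():
    # Second table above: two B feeds disagree, so the worse verdict applies;
    # the non-verdict field goes to the most recent reporter.
    return merge_indicator([
        SourceReport("TAXII Feed", "B", {"verdict": "Malicious", "description": "taxii"}, T0),
        SourceReport("CSV Feed", "B", {"verdict": "Benign", "description": "csv"}, T1),
    ])


def example_manual_override(reset_to_unknown=False):
    # A manual verdict (A+++) outranks third-party enrichment (A+); setting it
    # to Unknown and re-enriching hands the decision back to the integration.
    manual = "Unknown" if reset_to_unknown else "Benign"
    return merge_indicator([
        SourceReport("Manual", "A+++", {"verdict": manual}, T0),
        SourceReport("urlscan.io", "A+", {"verdict": "Malicious"}, T1),
    ])


if __name__ == "__main__":
    print(example_different_reliability())
    print(example_same_reliability())
    print(example_manual_override(), example_manual_override(reset_to_unknown=True))
```

The tags field in the first example shows the append rule: both sources' tags survive even though AlienVault loses the verdict. The description field in the second example shows the tie-break for non-verdict fields going to the later reporter, while the verdict tie still resolves to the worse value.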