Configure the Indicator Timeline

Cortex XSOAR Administrator Guide

Product: Cortex XSOAR
Version: 8
Creation date: 2024-04-17
Last date published: 2024-07-18
Category: Administrator Guide
Solution: Cloud
Abstract

Add a server configuration to manage the indicator timeline in Cortex XSOAR and improve indicator timeline performance.

The indicator timeline displays a list of dates and events showing how an indicator changes over time, such as a change of verdict or traffic light protocol. A large number of indicators can affect the indicator timeline performance. You can add advanced server configurations to manage the indicator timeline performance.

  1. Select Settings & Info → Settings → System → Server Settings → Server Configuration → Add Server Configuration.

  2. Add the following server configurations.

    | Key | Value | Description |
    |---|---|---|
    | indicator.timeline.enabled | true or false | Enables the indicator timeline in all flows. The default is true. |
    | indicator.timeline.auto.extract.enabled | true or false | Enables the indicator timeline in the indicator extraction flow. The default is true. |

View Indicator Timeline Entries

The indicator timeline contains two tabs:

  • Initial: Shows a table listing the first indicator timeline entries.

  • Latest: Shows a table listing the most recent indicator timeline entries. This ensures continuous monitoring of security threats and provides access to the latest activity data.

By default, each tab displays a maximum of 100 entries. The first 100 entries are displayed in both tabs. If there are more than 100 entries, the Initial table displays the first 100 entries, and the Latest table displays the 100 latest entries. For example, if there are 105 entries, the Latest table displays the five latest entries plus the 95 entries that occurred chronologically before them.