Indicator Fields Structure - Administrator Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Cortex XSOAR
Creation date
Last date published
Administrator Guide

Indicator fields structure aligned with STIX standards to more easily share and work with IOCs.

Cortex XSOAR IOC fields are based on the STIX 2.1 specifications. These fields provide a guideline for the fields we recommend you maintain within an IOC. None of the fields are mandatory, except the value field. Maintaining this field structure enables you to share and export IOCs to additional threat intel based systems as well as to other cybersecurity devices.

Like STIX, Cortex XSOAR indicators are divided into two categories, STIX Domain Objects (SDOs) and STIX Cyber-observable Objects (SCOs). The category determines which fields are presented in the layout of that specific IOC. In Cortex XSOAR, all SCOs can be used in a relationship with either SDOs or SCOs.

Each IOC table of fields is separated into three parts:

  • System fields - Fields created and managed by Cortex XSOAR.

  • Custom core fields - Custom fields shared by all IOCs of the same time (SDO or SCO). Fields may be empty.

  • Custom unique fields - Fields unique to a specific type of IOC. If a user associates more fields with the IOC, the additional fields are also treated as unique.

STIX Cyber-observable Objects (SCO)

STIX Domain Objects (SDO)