Indicator Ingestion - Administrator Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product
Cortex XSOAR
Version
8
Creation date
2024-02-14
Last date published
2024-05-30
Category
Administrator Guide
Solution
Cloud
Abstract

Overview of how Cortex XSOAR indicators are detected and ingested.

The following table shows methods by which indicators are detected and ingested in Cortex XSOAR.

Method

Description

Classification and Mapping

Integration

Feed integrations: Fetch indicators from a feed, for example TAXII, Office 365, and Unit 42 ATOMS Feed.

Indicator classification and mapping is done in the Feed Integration code and not in the Cortex XSOAR Settings & InfoSettingsObject SetupIndicatorsClassification & Mapping tab.

Indicator Extraction

Indicators are extracted from selected incidents that flow into Cortex XSOAR, for example from a SIEM integration.

Only the value of an indicator is extracted, so no classification or mapping is needed.

Manual

  • Command line

  • Mark: User marks a piece of data as an indicator.

  • STIX file: Manually upload a STIX file on the Threat Intel (Indicators) page.

Data is inserted manually via the UI so no classification or mapping is needed.

If importing a STIX file, mapping is done via the STIX parser code.