Indicators - Administrator Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Cortex XSOAR
Creation date
Last date published
Administrator Guide

Cortex XSOAR analyzes indicators to determine whether they are malicious. Create indicator types and custom layouts, exclusion list, indicator reputation.

Indicators are artifacts associated with incidents, and are an essential part of the incident management and remediation process. They help correlate incidents, create hunting operations, and enable you to easily analyze incidents and reduce Mean Time to Response (MTTR).

Cortex XSOAR automates threat intel management by ingesting and processing indicator sources, such as feeds and lists, and exporting the enriched intelligence data to SIEMs, firewalls, and any other system that can benefit from the data. These capabilities enable you to sort through millions of indicators daily and take automated steps to make those indicators actionable in your security posture.

Indicators are added to Cortex XSOAR via the following methods:

  • Integrations that fetch indicators from feeds.

  • Indicators extracted from incidents.

  • Indicators added manually to Cortex XSOAR.


By default, when editing the dropdown or text values in an indicator, the changes are not saved until you confirm your changes (by clicking the checkmark icon in the value field). This icon is designed to provide an additional level of security before you make changes to the fields in incidents, indicators, and threat intel reports.

To change the default behavior, set the inline.edit.on.blur server configuration to true, which enables you to make changes to inline fields without clicking the checkmark. The changes are automatically saved when clicking anywhere on the page or when navigating to another page. For text values you can also click anywhere in the value field to edit.