Learn more about the options available for customizing indicators.
Cortex XSOAR provides out-of-the-box indicator types, fields, and layouts. However, you may need to customize indicators to suit your use case, either by editing existing indicator types, fields, or layouts or by creating new ones to help investigate and respond to potential security threats specific to your organization.
Custom indicators can provide more accurate and efficient identification of potential cyber security threats. For example, you can customize indicators to monitor and detect unusual activity within your organization's internal network. This can include creating indicators to flag unauthorized access attempts or unusual data transfers, or identifying insider threats or compromised accounts.
Before customizing an indicator, review the indicator as ingested and then customize it as needed. After ingesting incidents and indicators, check the indicator information associated with your incident: from the incident, review the context data (in the side panels). If the context data contains information that does not appear in the indicator, map it into indicator fields and display it in the layout.
You can customize the following:
| Option | Description |
|---|---|
| Indicator type | Customize an indicator type by setting the relevant fields, display layout, scripts to run, and reputation command for the indicator type. You can create a new indicator type or you can edit an out-of-the-box indicator type. For more information, see Create an indicator type. |
| Indicator fields | Custom indicator fields add specific details or attributes to indicators, helping to better classify and understand the nature of potential security threats. You can edit an existing indicator field or create a new one. After creating a new indicator field, map the field to the relevant context data. You can add the field to an indicator type and view it in an indicator layout. For more information, see Create an indicator field. |
| Indicator layout | Custom indicator layouts enable you to organize and display specific details about potential threats in a way that makes sense for your organization, making it easier to quickly understand and respond to security issues. You can view, customize, import and export indicator layouts as well as add a custom layout to an indicator type. Note: If you do not have a TIM license, you cannot edit the Indicator Summary layout; you can only edit the Quick view and the New/Edit form tabs. For more information, see Indicator layout customization. |