Indicators are artifacts associated with incidents and are an essential part of the incident management and remediation process.
Indicators are text-based artifacts associated with incidents, such as IP addresses, URLs, and email addresses, and are an essential part of the incident management and remediation process. They help correlate incidents, create hunting operations, and enable you to easily analyze incidents and reduce Mean Time to Response (MTTR).
The following table describes each stage of the indicator lifecycle in Cortex XSOAR, from extraction to expiration.
Step | Details |
---|---|
1. Identify the indicator type and value | Cortex XSOAR analyzes the text-based artifact and, if it matches an indicator type's profile (its matching pattern), extracts the indicator value according to that profile definition. You can set up indicator extraction to run automatically from the incident type or from a playbook. Indicator extraction finds indicators in various sources within Cortex XSOAR, such as email headers and file attachments, yielding indicators such as IP addresses, email addresses, and file hashes. For more information about indicator extraction, see Indicator extraction. You can create indicator types or customize existing indicator types, fields, and layouts for your use case. For more information, see Customize indicator types, fields, and layouts. |
2. Formatting and validation | Formatting and validation are done by a formatting script that validates the data representing the indicator's value and determines how that value appears in Cortex XSOAR, so that the same artifact written in different ways collapses onto one indicator. For example, the URL indicator type uses the FormatURL script, which normalizes URLs (including their defanged form). For more information, see Formatting scripts. |
3. Create or update an indicator | If the indicator is not yet known to Cortex XSOAR, it is created (you can also create indicators manually). If it is already known, it is updated with any new data, including the last-seen date. An indicator in the expired state that receives new data returns to the active state. If you have a TIM license, indicators you add to Cortex XSOAR can be enriched with Unit 42 data. For more information, see Query indicators with Unit 42 Intel data. |
4. Gather reputation and enrichment information | You can run reputation commands and enhancement scripts on indicator values. Both are configured per indicator type, and both contribute to the indicator's verdict. For more information, see Enhancement scripts. When a reputation command or enhancement script runs on an indicator attached to an incident, the result is added to the incident context. The information is generally found under the DBotScore key, under the key for the specific indicator type (for example, URL or IP), and under vendor-specific keys. Note: To run enhancement scripts and reputation commands, you must configure a relevant enrichment integration, such as VirusTotal or IPinfo v2. You can exclude reputation commands from specific integrations in the indicator type settings if, for example, you are limited in API credits or the integration is unreliable. |
5. Reputation scripts | Reputation scripts let you override the existing reputation commands with custom logic, and provide a verdict for indicator types that have no reputation command. Use them to customize the verdict and the DBotScore context entry. For more information, see Reputation scripts. |
6. Map indicator fields | After your indicator is enriched, you can map fields. Some indicator fields are automatically mapped by Cortex XSOAR to contain the relevant values. The default settings can be changed for each indicator type. You can create and associate any custom fields with indicators. For more information, see Indicator classification and mapping. |
7. Expiration | Many indicators have expiration dates, because threats are dynamic: IP addresses are reassigned, compromised systems are fixed, and so on. When configuring an indicator type, you can set its indicators never to expire or to expire after a time interval. For more information, see Configure indicator expiration. Tip: We recommend defining a policy for handling expired indicators, since an expired indicator can return to the active state when new data arrives (see step 3). |
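The following is an added example, not code from Cortex XSOAR or its content packs, that shows the logic of steps 2, 4 and 5 above in plain Python: a formatting script for URL indicators (normalize and validate, returning an empty string to drop an invalid value), a defanged display form, a custom reputation script that combines per-vendor scores with local policy, and the resulting context shape with a DBotScore entry and an indicator-type key. The function names, the `LocalPolicy` vendor label, the two-vendors-agree threshold and the sample inputs are all assumptions for illustration; a real XSOAR script would read its arguments and return results through the demisto SDK, which is omitted here so the example runs offline.

```python
"""Formatting/validation and custom reputation logic for URL indicators.
Added example; mirrors the conventions described in the lifecycle table
(format script returns "" to drop a value, reputation scripts emit DBotScore)."""
import ipaddress
import re
from urllib.parse import urlsplit, urlunsplit

# DBotScore scale used by Cortex XSOAR: 0 unknown, 1 good, 2 suspicious, 3 bad
DBOT_NONE, DBOT_GOOD, DBOT_SUSPICIOUS, DBOT_BAD = 0, 1, 2, 3

# hostname: one or more DNS labels followed by an alphabetic-led TLD of 2+ chars
_HOST_RE = re.compile(r"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z][a-z0-9-]{1,62}")


def refang(value: str) -> str:
    """Undo common defanging so the same URL always collapses onto one indicator."""
    value = re.sub(r"^hxxp", "http", value.strip(), flags=re.IGNORECASE)
    for src, dst in (("[.]", "."), ("(.)", "."), ("{.}", "."), ("[:]", ":"), ("[/]", "/")):
        value = value.replace(src, dst)
    return value


def format_url(raw: str) -> str:
    """Step 2: return the canonical http(s) URL, or "" if the artifact is not a
    valid URL (an empty result is how this example signals 'discard the value')."""
    value = refang(raw).strip("\"'<>")
    if "://" not in value:
        value = "http://" + value  # scheme-less artifact: assume http (this example's choice)
    parts = urlsplit(value)
    try:
        host, port = parts.hostname, parts.port
    except ValueError:  # non-numeric or out-of-range port
        return ""
    if parts.scheme.lower() not in ("http", "https") or not host:
        return ""
    host = host.lower()
    try:
        ipaddress.ip_address(host)  # literal IPv4/IPv6 host is acceptable as-is
    except ValueError:
        if not _HOST_RE.fullmatch(host):
            return ""
    if ":" in host:  # IPv6 literal: urlsplit strips the brackets, put them back
        host = f"[{host}]"
    netloc = f"{host}:{port}" if port else host
    # fragment is client-side only, so it is dropped; empty path becomes "/"
    return urlunsplit((parts.scheme.lower(), netloc, parts.path or "/", parts.query, ""))


def defang(url: str) -> str:
    """Display form (not clickable) for layouts and war room entries."""
    scheme, _, rest = url.partition("://")
    return scheme.replace("http", "hxxp") + "[:]//" + rest.replace(".", "[.]")


def custom_reputation(indicator: str, vendor_scores: dict) -> dict:
    """Step 5: combine per-vendor DBotScores with local policy instead of simply
    taking the worst vendor score. Policy (assumed): two or more vendors saying
    bad -> bad, one bad or any suspicious -> suspicious, all good -> good."""
    scores = list(vendor_scores.values())
    bad = sum(s == DBOT_BAD for s in scores)
    if bad >= 2:
        score = DBOT_BAD
    elif bad == 1 or DBOT_SUSPICIOUS in scores:
        score = DBOT_SUSPICIOUS
    elif scores and all(s == DBOT_GOOD for s in scores):
        score = DBOT_GOOD
    else:
        score = DBOT_NONE
    return {"Indicator": indicator, "Type": "url", "Vendor": "LocalPolicy", "Score": score}


def enrich(raw: str, vendor_scores: dict) -> dict:
    """Step 4 context shape: a DBotScore entry plus the indicator-type key.
    Illustrative only; XSOAR's own context merging is not reproduced here."""
    url = format_url(raw)
    if not url:
        return {}
    dbot = custom_reputation(url, vendor_scores)
    context = {"DBotScore": dbot, "URL": {"Data": url}}
    if dbot["Score"] == DBOT_BAD:
        context["URL"]["Malicious"] = {"Vendor": dbot["Vendor"], "Description": "flagged by local policy"}
    return context


# Constructed sample inputs (not real vendor data or real threat intel)
SAMPLE_RAW = "hxxps://Evil[.]Example[.]COM[:]8443/login?x=1#frag"
SAMPLE_SCORES = {"VendorA": DBOT_BAD, "VendorB": DBOT_BAD, "VendorC": DBOT_GOOD}

if __name__ == "__main__":
    canonical = format_url(SAMPLE_RAW)
    print(canonical)          # https://evil.example.com:8443/login?x=1
    print(defang(canonical))  # hxxps[:]//evil[.]example[.]com:8443/login?x=1
    print(enrich(SAMPLE_RAW, SAMPLE_SCORES))
```

Two design points worth noting: the format step refangs before validating, so `hxxps://evil[.]example[.]com` and `https://evil.example.com` become one indicator with one history and one verdict rather than two, and the reputation step returns only a DBotScore-shaped dictionary, leaving the decision about how to surface the verdict to the indicator layout and playbooks.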