Understand Indicators

Information about indicators, and how indicators are detected and ingested.
Indicators are artifacts associated with incidents, and are an essential part of the incident management and remediation process.
They help to correlate incidents, create hunting operations, and enable you to easily analyze incidents and reduce MTTR.
Cortex XSOAR includes an Indicator repository, which collects and correlates indicators across all incidents, alerts, and feeds flowing into Cortex XSOAR.
Detect and ingest indicators
There are several methods by which indicators are detected and ingested in Cortex XSOAR.
Method        Description
Integration   • Feed: integrations that fetch indicators from a feed, for example TAXII, AutoFocus, Office 365, and so on.
              • Mail: integrations that consume emails with STIX or CSV files and add the indicators to the indicator repository.
Incident      • Manual: user marks a piece of data as an indicator.
              • Auto-extract: indicators are extracted from every incident that flows into Cortex XSOAR, for example from a SIEM integration.
Regex query   A query that identifies indicators in the War Room.
STIX file     Manually upload a STIX file on the Indicators page.
Script        • FetchIndicatorsFromFile: accepts a file from which it extracts indicators and processes them in Cortex XSOAR.
              • CreateIndicatorsFromSTIX: extracts indicators from a STIX file and processes them in Cortex XSOAR.
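Two of the ingestion paths in the table, regex auto-extraction from incident text and indicator extraction from a STIX file, are illustrated by the following added example. It is not Cortex XSOAR's own code and does not reproduce the FetchIndicatorsFromFile or CreateIndicatorsFromSTIX scripts; the incident text, the STIX 2.1 bundle, the indicator values and the bundle IDs are all constructed for the example. It shows the details a practitioner cares about: refanging defanged values (hxxp, [.]) before matching, masking URLs and e-mail addresses so their host parts are not reported a second time as bare domains, setting aside private or reserved IPs rather than silently dropping them, and pulling every comparison out of a STIX pattern while skipping non-indicator objects.

```python
"""Constructed example: regex auto-extraction and STIX 2.1 indicator extraction."""
import ipaddress
import json
import re

# Constructed sample incident text (not from the page). Analysts commonly paste
# defanged values, so the extractor must refang before matching.
SAMPLE_INCIDENT_TEXT = """Proxy alert: 10.0.0.5 connected to hxxps://cdn[.]bad-example[.]net/update.bin
Beacon domain seen in DNS logs: c2[.]bad-example[.]net
Dropped file SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Reported by soc@corp.example; resolver used was 8.8.8.8"""

# Constructed STIX 2.1 bundle with one non-indicator object mixed in.
SAMPLE_STIX_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000002",
         "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.9'] OR [domain-name:value = 'c2.bad-example.net']"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000003",
         "pattern_type": "stix",
         "pattern": "[file:hashes.'SHA-256' = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']"},
        {"type": "malware", "id": "malware--00000000-0000-4000-8000-000000000004", "name": "Example"},
    ],
})

# Order matters: composite values (url, email) are matched and masked before the
# simple ones so a URL's host is not also reported as a bare domain.
PATTERNS = {
    "url": re.compile(r"\bhttps?://[^\s<>\"']+", re.IGNORECASE),
    "email": re.compile(r"[\w.+-]+@(?:[\w-]+\.)+[a-z]{2,}", re.IGNORECASE),
    "sha256": re.compile(r"\b[a-fA-F0-9]{64}\b"),
    "md5": re.compile(r"\b[a-fA-F0-9]{32}\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE),
}

# One object-path comparison inside a STIX pattern, e.g. ipv4-addr:value = '...'
STIX_COMPARISON = re.compile(r"([\w-]+):([\w.'-]+)\s*=\s*'([^']*)'")


def refang(text: str) -> str:
    """Undo common defanging so the regexes see the real indicator values."""
    text = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", text)
    return re.sub(r"\bhxxp", "http", text, flags=re.IGNORECASE)


def extract_indicators(text: str) -> dict:
    """Regex auto-extraction over free text. Returns sorted lists per type;
    private/reserved IPs land in 'excluded' so the analyst can see what was skipped."""
    text = refang(text)
    found = {kind: set() for kind in PATTERNS}
    found["excluded"] = set()
    for kind in ("url", "email"):
        for match in PATTERNS[kind].finditer(text):
            found[kind].add(match.group(0).rstrip(".,;)"))
        text = PATTERNS[kind].sub(" ", text)  # mask so host parts are not re-matched
    for kind in ("sha256", "md5", "ip", "domain"):
        for match in PATTERNS[kind].finditer(text):
            found[kind].add(match.group(0))
    for ip in list(found["ip"]):
        if ipaddress.ip_address(ip).is_private:
            found["ip"].discard(ip)
            found["excluded"].add(ip)
    return {kind: sorted(values) for kind, values in found.items()}


def indicators_from_stix(bundle_json: str) -> list:
    """Pull every comparison out of the 'indicator' objects of a STIX 2.1 bundle.
    Other SDO types (malware, etc.) and non-STIX pattern types are skipped."""
    bundle = json.loads(bundle_json)
    results = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        for sco_type, path, value in STIX_COMPARISON.findall(obj["pattern"]):
            results.append({"stix_id": obj["id"], "path": f"{sco_type}:{path}", "value": value})
    return results


if __name__ == "__main__":
    print(json.dumps(extract_indicators(SAMPLE_INCIDENT_TEXT), indent=2))
    print(json.dumps(indicators_from_stix(SAMPLE_STIX_BUNDLE), indent=2))
```

The masking step is the part most simple extractors get wrong: without it, `cdn.bad-example.net` from the URL and `corp.example` from the reporter's mailbox would both be created as domain indicators, polluting correlation. Routing private ranges to an `excluded` bucket mirrors the exclusion-list idea while keeping the decision visible.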