Indicator Type Profile
When you create or edit an indicator type, there are several fields to configure that determine how the system interacts with indicators of that type.
In addition to configuring the standard indicator type fields, you can map custom indicator fields to context data.
There are a number of configuration options and fields that you must complete when creating a new indicator type.
Name
A meaningful name for the indicator type.
Regex
The regular expression (regex) by which the system identifies indicators of this type, for example during auto-extraction.
Formatting script
A script that runs on the indicator and modifies how it displays in Cortex XSOAR, for example in the War Room and in reports. For example, the UnescapeURLs script extracts the real destination from URLs that are redirected by security tools and unescapes URLs that were defanged for safety (e.g., hxxps://www[.]CortexXSOAR[.]com).
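To show what the Regex and Formatting script fields do together, here is an added example written in Python (the language Cortex XSOAR scripts use). It is not the UnescapeURLs script or any other Cortex XSOAR code: the regex, the refanging rules, the `url` query-parameter convention for links rewritten by a gateway, the function names and the sample text are all assumptions made for this illustration.

```python
import re
from urllib.parse import parse_qs, urlparse

# Regex of the kind entered in the Regex field (an assumption, not XSOAR's own):
# matches plain or defanged http(s) URLs, where the scheme may be written
# hxxp/hxxps, "://" as "[://]", and dots in the host as "[.]".
URL_REGEX = re.compile(
    r"\bh(?:xx|tt)ps?(?:://|\[://\])"      # scheme, plain or defanged
    r"[\w-]+(?:(?:\.|\[\.\])[\w-]+)+"       # host labels joined by . or [.]
    r"(?:[/?#][^\s\"'<>]*)?",               # optional path/query/fragment
    re.IGNORECASE,
)


def extract_indicators(text):
    """Return every raw match, still defanged, as auto-extraction would see it."""
    return URL_REGEX.findall(text)


def refang(value):
    """Undo the common defanging conventions ([.] for dots, hxxp for http)."""
    value = value.replace("[.]", ".").replace("[://]", "://")
    return re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)


def unwrap_redirect(url):
    """If the real target is carried in a `url` query parameter (a convention used
    by several link-rewriting gateways; assumed here), return that target."""
    query = parse_qs(urlparse(url).query)
    for target in query.get("url", []):
        if target.lower().startswith(("http://", "https://")):
            return target
    return url


def format_indicator(value):
    """Formatting-script logic: refang first, then unwrap a gateway redirect."""
    return unwrap_redirect(refang(value))


# Constructed sample text: one defanged URL, one plain URL, one wrapped link.
SAMPLE_TEXT = (
    "user clicked hxxps://www[.]CortexXSOAR[.]com/login then https://example.com/a?b=1 "
    "via https://gateway.example/?url=https%3A%2F%2Fevil.example%2Fx&data=1"
)

if __name__ == "__main__":
    for raw in extract_indicators(SAMPLE_TEXT):
        print(f"{raw} -> {format_indicator(raw)}")
```

Extraction and formatting are deliberately separate steps: the regex has to accept the defanged form as it appears in the source text, and only the formatting script turns it into the value you would actually look up or block.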
Enhancement scripts
A script to run on an identified indicator, for example an enrichment script or a script that searches a SIEM for the indicator. After indicators are identified, you can open the indicator quick view, click the Actions button, and run an enhancement script directly on the indicator. In order for these scripts to be available in the drop-down menu, they need the
Reputation command
The command to run to calculate the reputation of indicators of this type. The result (reputation) is associated only with the specific indicator on which the command runs, not with the indicator type.
Excluded integrations
Integrations to exclude when calculating the reputation of, evaluating, and enriching indicators of this type.
Reputation script
User-created scripts that either override the Cortex XSOAR reputation algorithm or run on top of the data returned by the reputation command. In order for these scripts to be available in the drop-down menu, they require the reputation tag. The output of the script is a reputation score, which is used as the basis for the indicator reputation. For more information, see Customize the DBot Reputation Score Logic.
Indicator Expiration Method
The method by which indicators of this type expire. The method you select here is the default for all indicators of this type; an expiration method assigned when configuring a feed integration instance overrides this default for indicators from that feed.
Context path for reputation value
When an indicator is auto-extracted, the entry data returned by the reputation command is mapped to the incident context. This path defines the context key to which the indicator reputation is mapped.
Context value of reputation
The value of this field defines the actual data that is mapped to the context path.
Cache expiration in minutes
The amount of time (in minutes) after which the cached reputation for indicators of this type expires and the reputation is calculated again. The default is 4,320 minutes (three days).
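As an added example (not Cortex XSOAR code), the following Python sketches what a reputation script and the cache expiration setting act on: a list of per-integration verdicts returned by the reputation command, filtered by the excluded integrations, reduced to one DBot score (0 unknown, 1 good, 2 suspicious, 3 bad), with the cache window checked against the 4,320-minute default. The sample results, the vendor names, the `corroborated` policy and the function names are constructed for this illustration.

```python
from datetime import datetime, timedelta

NONE, GOOD, SUSPICIOUS, BAD = 0, 1, 2, 3  # DBot score scale

# Constructed sample: what the reputation command returned for one indicator,
# one entry per integration instance that answered (vendor names are made up).
SAMPLE_RESULTS = [
    {"vendor": "VendorA", "score": SUSPICIOUS},
    {"vendor": "VendorB", "score": GOOD},
    {"vendor": "LegacyFeed", "score": BAD},
]


def worst_of(results, excluded=()):
    """Default-style logic: the worst verdict wins, ignoring excluded integrations."""
    scores = [r["score"] for r in results if r["vendor"] not in excluded]
    return max(scores, default=NONE)


def corroborated(results, excluded=(), min_bad_sources=2):
    """Custom override (hypothetical policy): report BAD only when at least
    min_bad_sources non-excluded integrations agree; a lone BAD is downgraded to
    SUSPICIOUS so one noisy source cannot flip the verdict on its own."""
    scores = [r["score"] for r in results if r["vendor"] not in excluded]
    if scores.count(BAD) >= min_bad_sources:
        return BAD
    if BAD in scores or SUSPICIOUS in scores:
        return SUSPICIOUS
    return max(scores, default=NONE)


DEFAULT_CACHE_MINUTES = 4320  # three days, the page's default


def cache_is_fresh(computed_at, now, cache_minutes=DEFAULT_CACHE_MINUTES):
    """True while a reputation computed at `computed_at` (ISO 8601 string) is
    still inside the cache window at time `now`; once it is not, the reputation
    command would run again instead of reusing the cached score."""
    age = datetime.fromisoformat(now) - datetime.fromisoformat(computed_at)
    return age < timedelta(minutes=cache_minutes)


if __name__ == "__main__":
    print("worst of all sources:", worst_of(SAMPLE_RESULTS))
    print("worst, LegacyFeed excluded:", worst_of(SAMPLE_RESULTS, excluded=("LegacyFeed",)))
    print("corroborated policy:", corroborated(SAMPLE_RESULTS))
    print("cache fresh after 2 days:", cache_is_fresh("2024-01-01T00:00:00", "2024-01-03T00:00:00"))
    print("cache fresh after 4 days:", cache_is_fresh("2024-01-01T00:00:00", "2024-01-05T00:00:00"))
```

The two reducers show the difference between running on top of the command's data (worst_of keeps the system's worst-wins behaviour and only honours the exclusion list) and overriding the algorithm (corroborated changes how verdicts combine). Whichever you use, the score applies to the one indicator the command ran for, and it is recomputed only after the cache window has passed.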
Formatting scripts for out-of-the-box indicator types are now system level, which means the formatting script for these indicator types is not configurable. To use your own formatting script for an out-of-the-box indicator type, disable the existing indicator type and create a new (custom) indicator type. If you configured a formatting script on an out-of-the-box indicator type before this change and then updated your content, that configuration reverts to the content setting (empty).