Indicator Type Profile

When you create or edit an indicator type, there are several fields to configure that determine how the system interacts with indicators of that type.
In addition to configuring the standard indicator type fields, you can map custom indicator fields to context data.
There are a number of configuration options and fields that you must complete when creating a new indicator type.
Settings

Name
A meaningful name for the indicator type.

Regex
The regular expression (regex) by which to identify indicators for this indicator type.

Formatting Script
The script that runs on the indicator and modifies how it displays in Cortex XSOAR, such as in the War Room, reports, and so on. For example, the UnescapeURLs script extracts URLs that are redirected by security tools or unescapes URLs that are escaped for safety (e.g., hxxps://www[.]CortexXSOAR[.]com).

Enhancement Scripts
A script to run on an identified indicator. For example, an enrichment script, a script that runs a search in a SIEM for the indicator, and so on. After indicators are identified, you can go to the indicator quick view, click the Actions button, and run an enhancement script directly on an indicator. For these scripts to be available in the drop-down menu, they need the enhancement tag.

Reputation Command
The command to run to calculate the reputation of indicators of this type. The result (reputation) is only associated with the specific indicator on which it is run, not with the indicator type.

Excluded Integrations
Integrations to exclude when calculating the reputation, evaluating, and enriching indicators of this indicator type.

Reputation Script
User-created scripts that either override the Cortex XSOAR command algorithm or run on top of the data returned from the command. For these scripts to be available in the drop-down menu, they require the reputation tag. The output of this script is a reputation score, which is used as the basis for the indicator reputation.

Indicator Expiration Method
The method by which to expire indicators of this type. The expiration method that you select is the default expiration method for indicators of this indicator type. The expiration can also be assigned when configuring a feed integration instance, which overrides the default method.
  • Never Expire: indicators of this type never expire.
  • Time Interval: indicators of this type expire after the specified number of days or hours.

Context path for reputation value (Advanced)
When an indicator is auto-extracted, the entry data from the command is mapped to the incident context. This path defines the context key that the indicator reputation is mapped to.

Context value of reputation (Advanced)
The value of this field defines the actual data that is mapped to the context path.

Cache expiration in minutes (Advanced)
The amount of time (in minutes) after which the cache for indicators of this type expires. The default is 4,320 minutes (three days).
Formatting scripts for out-of-the-box indicator types are now system level. This means that the formatting scripts for these indicator types are not configurable. To create a formatting script for an out-of-the-box indicator type, you need to disable the existing indicator type and create a new (custom) indicator type. If you configured a formatting script before this change and updated your content, this configuration will revert to content settings (empty).
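As an added example (not from the Cortex XSOAR documentation or content), the two pieces a custom indicator type needs for defanged URLs, written as plain Python: the Regex field's pattern and the formatting-script logic that unescapes the match for display. Wrapping this into an XSOAR automation (reading the indicator from the script arguments and returning the formatted value) is assumed and not shown; the sample text is constructed.

```python
import re

# Constructed regex for a custom indicator type that matches defanged URLs
# such as hxxps://www[.]example[.]com/path: "hxxp" replaces "http" and
# every dot in the host is written as "[.]".
DEFANGED_URL_RE = re.compile(
    r"\bhxxps?://(?:[A-Za-z0-9-]+\[\.\])+[A-Za-z]{2,}(?:/[^\s)\]]*)?"
)


def refang_url(indicator: str) -> str:
    """Formatting-script logic: restore the real URL so it displays
    consistently in the War Room and reports (hxxp -> http, [.] -> .)."""
    value = indicator.strip()
    value = re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".")


def extract_indicators(text: str) -> list[str]:
    """Emulate identification plus formatting: find every match of the
    type's regex in free text, run the formatting step on each match, and
    drop duplicates so one indicator is created per distinct URL."""
    seen: list[str] = []
    for match in DEFANGED_URL_RE.finditer(text):
        formatted = refang_url(match.group(0))
        if formatted not in seen:
            seen.append(formatted)
    return seen


if __name__ == "__main__":
    # Constructed War Room text containing two defanged URLs, one repeated.
    sample = (
        "Proxy blocked hxxps://www[.]CortexXSOAR[.]com and "
        "hxxp://evil[.]example[.]net/a?b=1 (seen again: "
        "hxxp://evil[.]example[.]net/a?b=1)"
    )
    print(extract_indicators(sample))
```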
