You can export indicators as a hosted list, an EDL,
or a TAXII collection. This enables your SIEM or firewall to ingest
or pull the indicator list to update policy rules. The supported
list file types are JSON, CSV, and TXT.
Indicators added to the exclusion list are ignored by
the system and are not considered indicators.
When ingesting and processing millions of indicators
on a daily basis, it’s important to control whether or not they
are active or expired, and to define how and when indicators are
the method by which and when that indicator is expired. Indicator expiration is applied
at the indicator type level. Indicators assigned to a specific indicator
type inherit the indicator type’s expiration method.
Indicator smart merge
The same indicator can originate from multiple sources
and be enriched with multiple methods (integrations, scripts, playbooks,
and so on). Cortex XSOAR employs smart merge logic to make sure
indicators are accurately scored and aggregated.
The indicator timeline is the default section in the
indicator summary layout. The timeline is in table format and displays
an indicator’s complete history, including the first seen and last
seen timestamp, changes made to indicator fields, and more.
Common indicator data model
When indicators are ingested, regardless of their source,
they have a unified, common set of indicator fields, including traffic
light protocol (TLP), expiration, and tags.
You can define a job to trigger a playbook when the
specified feed or feeds finish a fetch operation that included a
modification to the list. The modification can be a new indicator,
a modified indicator, or a removed indicator.