1. Home
    2. Security Operations
    3. Cortex XSOAR
    4. Cortex XSOAR Threat Intel Management Guide
    5. Manage Indicators
    6. Understand Indicators
    7. Indicator Types
    8. Indicator Type Profile
    End-of-Life (EoL)

    Indicator Type Profile

    When you create or edit an indicator type, there are several fields to configure that determine how the system interacts with indicators of that type.
    Each indicator type has its own 'profile' that allows XSOAR to recognize it across the platform. Below are the related fields. During the auto-extract flow, the order of execution is regex, formatting script, reputation command, reputation script.
    Field
    Description
    Name
    A meaningful name for the indicator type.
    Regex
    The regular expression (regex) by which to identify indicators for this indicator type.
    Formatting Script
    Modifies how the indicator displays in Cortex XSOAR.
    Formatting scripts must be tagged
    indicator-format
     in order to appear in the dropdown for the indicator type.
    The formatting script has one argument, input, the indicator value. The input argument should be an array, in order to accept multiple inputs and return an entry-result per input. The entry-result per input can be a json array to create multiple indicators. If the entry-result is an empty string, it will be ignored and no indicator will be created.
    Reputation Command
    Calculates the reputation of indicators of this type. The result (reputation) is only associated with the specific indicator on which it’s run (not the indicator type). The command returns the reputation of the indicator as an entry with entry context and in some cases also returns context values that can be mapped to the custom fields of the indicator. The results of the reputation command do not print to the war room in the auto-extract flow.
    Reputation Script
    The output of the reputation script is a reputation score, which is used as the basis for the indicator reputation. Reputation scripts must be tagged
    reputation
     in order to appear in the dropdown for the indicator type.
    Reputation scripts are user-created scripts that either:
    • Return only the reputation as a number. The number will override the reputation returned from the reputation command. The reliability of the score from a reputation script is
      A++ - Reputation script
      by default and controlled by the
      enrichment.reputationScript.reliability
       server configuration.
    • Return entry with entry context. The entry context must have DbotScore as with reputation commands. The entry context will be mapped to the custom fields of the indicator with the same reliability as if it came from a reputation command. The default is
      A+ - 3rd party enrichment
      , but can be controlled per vendor by the
      integrations.enrichment.reliability.%s
       server configuration.
    The results of reputation scripts do not print to the war room in the auto-extract flow.
    Enhancement Script
    The enhancement script is not part of the auto extract flow, but can be run manually or from the
    Incident Quick View
    page. Examples of enhancement scripts include an enrichment script, a script that runs a search in a SIEM for the indicator, etc.
    After indicators are identified, you can go to the indicator quick view, click the
    Actions
     button and run an enhancement script directly on an indicator. In order for these scripts to be available in the drop-down menu, they need the
    enhancement
     tag. When you run an enhancement script, it is the equivalent of running the script at the CLI in the War Room. The script can write to context, return an entry, etc.
    Excluded Integrations
    Integrations to exclude when calculating the reputation, evaluating, and enriching indicators of this indicator type.
    Indicator Expiration Method
    The method by which to expire indicators of this type. The expiration method that you select is the default expiration method for indicators of this indicator type.
    The expiration can also be assigned when configuring a feed integration instance, which overrides the default method.
    • Never Expire: indicators of this type never expire.
    • Time Interval: indicators of this type expire after the specified number of days or hours.
    Context path for reputation value (
    Advanced
    )
    When an indicator is extracted, the entry data from the command is mapped to the incident context. This path defines where in context the data is mapped.
    Context value of reputation (
    Advanced
    )
    The value of this field defines the actual data that is mapped to the context path.
    Cache expiration in minutes (
    Advanced
    )
    The amount of time (in minutes) after which the cache for indicators of this type expire. The default is 4,320 minutes (three days).
    Formatting scripts for out-of-the-box indicator types are now system level. This means that the formatting scripts for these indicator types are not configurable. To create a formatting script for an out-of-the-box indicator type, you need to disable the existing indicator type and create a new (custom) indicator type. If you configured a formatting script before this change and updated your content, this configuration will revert to content settings (empty).

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2022 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo