Understand Indicators

Indicators enable you to analyze incidents in Cortex XSOAR. This page gives an overview of how Cortex XSOAR indicators are detected and ingested.
Indicators are artifacts associated with incidents, and are an essential part of the incident management and remediation process.
They help correlate incidents, create hunting operations, and enable you to easily analyze incidents and reduce Mean Time to Response (MTTR).
Detect and ingest indicators
There are several methods by which indicators are detected and ingested in Cortex XSOAR.
  • Feed: integrations that fetch indicators from a feed, for example TAXII, AutoFocus, Office 365, and so on.
  • Enricher: integrations that enhance the indicator, giving it more context and information, for example AutoFocus, VirusTotal, Ipinfo, and so on.
  • Incident: Indicators are extracted from selected incidents that flow into Cortex XSOAR, for example from a SIEM integration.
  • Command line
  • Mark: User marks a piece of data as an indicator.
  • STIX file: Manually upload a STIX file on the Indicators page.

