are ingested, regardless of their source, they have a unified, common
set of indicator fields, including traffic light protocol (TLP),
expiration, reputation, and tags.
Indicator smart merge
The same indicator
can originate from multiple sources and be enriched by multiple
methods (integrations, scripts, playbooks, and so on). Cortex XSOAR
implements smart merge logic so that the indicator is scored (reputation)
accurately and the data from every source is aggregated into a single
indicator object rather than duplicated.
The indicator timeline
is displayed as a table showing the indicator's complete history,
including its first seen and last seen timestamps, changes made to indicator
fields, and more.
When ingesting and
processing millions of indicators a day, it's important
to control whether they are active or expired, and to define
how and when indicators expire. Cortex XSOAR offers multiple
options for setting indicator expiration.
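The three mechanisms above (smart merge, the change timeline, and expiration) are easiest to see together on one indicator. The following is an added example written for this page, not Cortex XSOAR's own code: the field names, the rule that the worst verdict and most restrictive TLP win on merge, the three policy names, and the sample sightings are all assumptions made for illustration.

```python
"""Added example, not Cortex XSOAR code: a minimal model of indicator smart
merge, the field-change timeline it produces, and expiration policies.
The field names, ranking rules and policy names are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

DAY = timedelta(days=1)
# Assumed orderings: on merge the worst verdict and the most restrictive
# TLP marking from any source win; a weaker source never downgrades them.
REPUTATION_RANK = {"Unknown": 0, "Good": 1, "Suspicious": 2, "Bad": 3}
TLP_RANK = {"CLEAR": 0, "GREEN": 1, "AMBER": 2, "RED": 3}


@dataclass(frozen=True)
class Observation:  # one sighting of an indicator, as reported by one source
    source: str
    reputation: str
    tlp: str
    seen: datetime
    tags: frozenset = frozenset()
    expiration: Optional[datetime] = None  # None: the source set no expiry


@dataclass
class Indicator:
    value: str
    type: str
    reputation: str = "Unknown"
    tlp: str = "CLEAR"
    first_seen: Optional[datetime] = None
    last_seen: Optional[datetime] = None
    expiration: Optional[datetime] = None
    sources: set = field(default_factory=set)
    tags: set = field(default_factory=set)
    timeline: list = field(default_factory=list)  # one row per field change

    def _record(self, ts, source, name, old, new):
        self.timeline.append({"ts": ts, "source": source, "field": name, "old": old, "new": new})

    def merge(self, obs: Observation) -> None:
        """Fold one observation into the indicator without losing information."""
        ts = obs.seen
        if REPUTATION_RANK[obs.reputation] > REPUTATION_RANK[self.reputation]:
            self._record(ts, obs.source, "reputation", self.reputation, obs.reputation)
            self.reputation = obs.reputation
        if TLP_RANK[obs.tlp] > TLP_RANK[self.tlp]:
            self._record(ts, obs.source, "tlp", self.tlp, obs.tlp)
            self.tlp = obs.tlp
        if self.first_seen is None or obs.seen < self.first_seen:
            self._record(ts, obs.source, "first_seen", self.first_seen, obs.seen)
            self.first_seen = obs.seen
        if self.last_seen is None or obs.seen > self.last_seen:
            self._record(ts, obs.source, "last_seen", self.last_seen, obs.seen)
            self.last_seen = obs.seen
        # Keep the latest feed-supplied expiration, so the indicator stays
        # active as long as any source still vouches for it.
        if obs.expiration is not None and (self.expiration is None or obs.expiration > self.expiration):
            self._record(ts, obs.source, "expiration", self.expiration, obs.expiration)
            self.expiration = obs.expiration
        if obs.tags - self.tags:  # tags and sources aggregate, never overwrite
            self._record(ts, obs.source, "tags", set(self.tags), self.tags | obs.tags)
            self.tags |= obs.tags
        self.sources.add(obs.source)


def expires_at(ind: Indicator, policy: str,
               interval: Optional[timedelta] = None) -> Optional[datetime]:
    """Resolve expiration under an assumed policy name: 'never'; 'interval'
    (a fixed time after the indicator was last seen); 'feed' (use the
    expiration the sources supplied, which may be absent)."""
    if policy == "never":
        return None
    if policy == "interval":
        if interval is None or ind.last_seen is None:
            raise ValueError("interval policy needs an interval and a last_seen")
        return ind.last_seen + interval
    if policy == "feed":
        return ind.expiration
    raise ValueError(f"unknown expiration policy {policy!r}")


def is_active(ind: Indicator, policy: str, now: datetime,
              interval: Optional[timedelta] = None) -> bool:
    exp = expires_at(ind, policy, interval)
    return exp is None or now < exp


# Constructed sample sightings of one TEST-NET-3 address; not real intel.
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_OBSERVATIONS = [
    Observation("feed-a", "Suspicious", "GREEN", T0, frozenset({"phishing"}), T0 + 7 * DAY),
    Observation("feed-b", "Bad", "AMBER", T0 + 2 * DAY, frozenset({"c2"}), T0 + 30 * DAY),
    Observation("analyst", "Suspicious", "GREEN", T0 + 3 * DAY, frozenset({"reviewed"})),
]


def build_sample() -> Indicator:
    """Merge the sample sightings in arrival order and return the result."""
    ind = Indicator(value="203.0.113.7", type="IP")
    for obs in SAMPLE_OBSERVATIONS:
        ind.merge(obs)
    return ind
```

Running `build_sample()` merges the three sightings: the verdict ends as Bad and the TLP as AMBER even though the last source (the analyst) reported Suspicious/GREEN, the seen window is widened to day 0 through day 3, the tags are the union of all three, and every change is a row in `timeline`. The same merged indicator then answers differently under each expiration policy: it never expires under 'never', expires on day 30 under 'feed', and expires on day 10 under 'interval' with a seven-day interval measured from last seen.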
If you plan to ingest
and process a large number of indicators, you should consider migrating
You can export indicators
as a hosted list, an external dynamic list (EDL), or a TAXII collection. This enables your
SIEM or firewall to ingest or pull the indicator list and update its policy
rules from it. The supported list file types are JSON, CSV, and TXT.
to the exclusion list are disregarded by the system, and are not
created or involved in automated flows such as indicator extraction.
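The export and exclusion-list paragraphs above describe two sides of the same filter: an exported list should carry only indicators that are active, of the reputation you intend to block on, and not on the exclusion list (since excluded indicators are never created, they can never reach a list). The following is an added example written for this page, not Cortex XSOAR's export service or its exclusion-list implementation; the record layout, the rule that IP exclusions are CIDRs and other exclusions are globs, the sample indicators and the exclusion entries are all assumptions.

```python
"""Added example, not Cortex XSOAR code: select the indicators that belong on
an exported list (not excluded, not expired, at or above a minimum reputation)
and render them as TXT, CSV or JSON. The record layout, the exclusion-list
matching rules and the sample data are assumptions."""
import csv
import fnmatch
import io
import ipaddress
import json
from datetime import datetime, timezone

REPUTATION_RANK = {"Unknown": 0, "Good": 1, "Suspicious": 2, "Bad": 3}

# Constructed sample indicators (documentation address ranges and names).
SAMPLE_INDICATORS = [
    {"value": "203.0.113.7", "type": "IP", "reputation": "Bad", "expiration": "2024-02-01T00:00:00Z"},
    {"value": "198.51.100.20", "type": "IP", "reputation": "Bad", "expiration": "2023-12-01T00:00:00Z"},
    {"value": "malicious.example", "type": "Domain", "reputation": "Bad", "expiration": None},
    {"value": "cdn.example", "type": "Domain", "reputation": "Suspicious", "expiration": None},
    {"value": "static.cdn.example", "type": "Domain", "reputation": "Bad", "expiration": None},
    {"value": "10.0.0.5", "type": "IP", "reputation": "Bad", "expiration": None},
]
# Constructed exclusion list: internal address space as a CIDR, and a glob for
# hosts under a content-delivery domain that must never be blocked.
EXCLUSION_LIST = ["10.0.0.0/8", "*.cdn.example"]
# Constructed "current time" for the sample run.
SAMPLE_NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)


def is_excluded(value: str, exclusions) -> bool:
    """IP values match CIDR entries; every value is also glob-matched."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        addr = None
    for pattern in exclusions:
        if addr is not None:
            try:
                if addr in ipaddress.ip_network(pattern, strict=False):
                    return True
                continue
            except ValueError:
                pass  # entry is not a network: treat it as a glob
        if fnmatch.fnmatchcase(value, pattern):
            return True
    return False


def is_expired(expiration, now: datetime) -> bool:
    """A missing expiration means the indicator never expires."""
    if expiration is None:
        return False
    return datetime.fromisoformat(expiration.replace("Z", "+00:00")) <= now


def select_for_export(indicators, exclusions, now, min_reputation="Bad"):
    """Filter in order: exclusion list, then expiration, then reputation."""
    chosen = []
    for ind in indicators:
        if is_excluded(ind["value"], exclusions):
            continue
        if is_expired(ind["expiration"], now):
            continue
        if REPUTATION_RANK[ind["reputation"]] < REPUTATION_RANK[min_reputation]:
            continue
        chosen.append(ind)
    return chosen


def render(indicators, fmt: str) -> str:
    """Render as one of the three list file types: 'txt', 'csv' or 'json'."""
    if fmt == "txt":  # one value per line, the form a firewall EDL consumes
        return "".join(ind["value"] + "\n" for ind in indicators)
    if fmt == "csv":
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=["value", "type", "reputation", "expiration"],
                                lineterminator="\n")
        writer.writeheader()
        writer.writerows(indicators)
        return buf.getvalue()
    if fmt == "json":
        return json.dumps(indicators, indent=2)
    raise ValueError(f"unsupported list type {fmt!r}")
```

On the sample data, `select_for_export(SAMPLE_INDICATORS, EXCLUSION_LIST, SAMPLE_NOW)` keeps only 203.0.113.7 and malicious.example: 198.51.100.20 has expired, cdn.example is below the Bad threshold, 10.0.0.5 falls inside the excluded CIDR, and static.cdn.example matches the glob. Note the glob boundary: `*.cdn.example` covers hosts under the domain but not the apex `cdn.example` itself, which is the usual intent for an exclusion but worth checking against your own entries before an EDL goes live on a firewall.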
You can define a
job to trigger a playbook when the specified feed or feeds finish
a fetch operation that included a modification to the list. The
modification can be a new indicator, a modified indicator, or a