Map Custom Indicator Fields - Threat Intel Management Guide - 6.6 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Threat Intel Management Guide

Product: Cortex XSOAR
Version: 6.6
Creation date: 2022-09-29
Last date published: 2023-12-12
End of Life: EoL
Category: Threat Intel Management Guide

When you start ingesting indicators, the ingested data is automatically mapped to the relevant indicator fields. Sometimes you may want to change the default settings, or map custom indicator fields to the relevant context data. Before you map a custom indicator field, you need to create the indicator field and add it to the required indicator type and layout.

Mapping enables you to update the indicator automatically without having to change it manually. For example, the IP indicator automatically maps the Geo Country field. Without that mapping, every time the IP address changes country, an analyst would have to update the country by hand each time that indicator is ingested.

Note

Some integrations have indicator mappers and classifiers, such as AWS. If you want to use an integration mapper or classifier, see Classification and Mapping.

To map custom fields to the indicator type, you need to enrich the indicator, either by running the !enrichindicators command in the CLI or in a playbook, or by opening an indicator and clicking Enrich indicator. Enrichment returns an entry whose EntryContext property is the source of the mapping process. When editing an indicator type, in the Custom Fields tab, type the name of the indicator exactly as it appears in the Threat Intel page and click Load. In the following example, we have an indicator called 252ftwitter.com.

[Screenshot: indicator-mapping.png]

For the enrichment data to be considered valid, EntryContext must include a DBotScore object with the fields Indicator, Score, Vendor and Type. If DBotScore has those fields, all of the data in EntryContext is used as the source for the mapping, not only the data under EntryContext.DBotScore.
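The following is an added example, not code from Cortex XSOAR or this guide. It shows the validity rule above in working form: an enrichment entry is accepted as a mapping source only when its EntryContext carries a DBotScore object with all four required fields, after which a dotted data path such as IP.Geo.Country (the Geo Country example from earlier) is resolved against the whole EntryContext. The sample entry, the field names and the path resolver are constructed for illustration and are assumptions about the entry shape, not the product's own mapping engine.

```python
"""Added example (not Cortex XSOAR product code): decide whether an enrichment
entry's EntryContext is a valid mapping source and resolve data paths against it.
The entry below is constructed for illustration; it is not real vendor output."""
from typing import Any, Optional

# The four fields the guide says DBotScore must carry for EntryContext to be valid.
REQUIRED_DBOTSCORE_FIELDS = ("Indicator", "Score", "Vendor", "Type")

# Constructed sample enrichment entry for an IP indicator (assumed shape).
SAMPLE_ENTRY = {
    "Type": 1,
    "Contents": {},
    "EntryContext": {
        "DBotScore": [
            {"Indicator": "198.51.100.7", "Score": 2, "Vendor": "ExampleVendor", "Type": "ip"}
        ],
        "IP": [
            {"Address": "198.51.100.7", "Geo": {"Country": "NL"}, "ASN": "AS64496"}
        ],
    },
}


def _as_list(value: Any) -> list:
    """Context keys are often lists of objects; normalise a single object to a list."""
    return value if isinstance(value, list) else [value]


def dbotscore_is_valid(entry_context: dict) -> bool:
    """True if EntryContext holds at least one DBotScore object with every required field."""
    scores = entry_context.get("DBotScore")
    if scores is None:
        return False
    return any(
        isinstance(score, dict) and all(field in score for field in REQUIRED_DBOTSCORE_FIELDS)
        for score in _as_list(scores)
    )


def mapping_source(entry: dict) -> Optional[dict]:
    """Return the full EntryContext when it is a valid source, otherwise None.
    Note that the whole context is returned, not only the DBotScore branch."""
    ctx = entry.get("EntryContext") or {}
    return ctx if dbotscore_is_valid(ctx) else None


def resolve_data_path(ctx: dict, path: str) -> Any:
    """Resolve a dotted data path such as 'IP.Geo.Country' against a context.
    Assumption for illustration: when a key holds a list of objects (as DBotScore
    and IP do here), the first object is used. Missing segments yield None."""
    current: Any = ctx
    for part in path.split("."):
        if isinstance(current, list):
            if not current:
                return None
            current = current[0]
        if not isinstance(current, dict) or part not in current:
            return None
        current = current[part]
    return current


def map_custom_fields(entry: dict, field_paths: dict) -> dict:
    """Map custom indicator field names to values read from a valid EntryContext.
    An entry with an invalid (or absent) DBotScore contributes no field values."""
    ctx = mapping_source(entry)
    if ctx is None:
        return {}
    return {field: resolve_data_path(ctx, path) for field, path in field_paths.items()}


if __name__ == "__main__":
    # Field names here are hypothetical custom indicator fields.
    print(map_custom_fields(SAMPLE_ENTRY, {"geocountry": "IP.Geo.Country", "asn": "IP.ASN"}))
```

The check deliberately rejects an entry whose DBotScore lacks any one of the four fields, which is the case the guide warns about: without a complete DBotScore, nothing in EntryContext is offered as a mapping source, even if the rest of the context looks useful.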

  1. Go to Settings > OBJECTS SETUP > Indicators > Types.

  2. Select the checkbox for the indicator for which to map the custom fields.

  3. Click the Edit button.

  4. Click the Custom Fields tab.

    The custom fields associated with this indicator type are listed in the table. If you do not see a custom field in the list, verify that you associated the custom field with this indicator type.

  5. (Optional) In the Indicator Sample panel, enter an indicator relevant to the indicator type to load sample data.

  6. Click Choose data path to map the custom field to a data path.

    1. (Optional) Click the curly brackets to map the field to a context path.

    2. (Optional) From the Indicator Sample panel, select a context key to map to the field.

  7. Save the indicator type.