Indicator Ingestion

Overview of how Cortex XSOAR indicators are detected and ingested.
The following table shows methods by which indicators are detected and ingested in Cortex XSOAR.
Method
Description
Classification and Mapping
Integration
  • Feed integrations: Fetch indicators from a feed, for example TAXII, AutoFocus, Office 365, and FeedUnit42v2.
  • Enrichment integrations: Enhance the indicator, giving it more context and information, for example AutoFocus, VirusTotal, and Ipinfo.
Indicator classification and mapping is done in the Feed Integration code and not in the Cortex XSOAR Settings > OBJECTS SETUP > Indicators > Classification & Mapping tab. For example, see the FeedUnit42v2 integration.
Indicators are extracted from selected incidents that flow into Cortex XSOAR, for example from a SIEM integration.
Only the value of an indicator is extracted, so no classification or mapping is needed.
Manual
  • Command line
  • Mark: User marks a piece of data as an indicator.
  • STIX file: Manually upload a STIX file on the Threat Intel (Indicators) page.
Data is inserted manually via the UI so no classification or mapping is needed.
If importing a STIX file, mapping is done via the STIX parser code.

Recommended For You