diff --git a/docs/security/threat-intelligence/threat-indicators-in-cloud-siem.md b/docs/security/threat-intelligence/threat-indicators-in-cloud-siem.md index 685f5fa9b9..99b4096bd8 100644 --- a/docs/security/threat-intelligence/threat-indicators-in-cloud-siem.md +++ b/docs/security/threat-intelligence/threat-indicators-in-cloud-siem.md @@ -35,7 +35,7 @@ When a match to a threat indicator in sources is found, labels showing the entit |:--|:--|:--| | **Malicious** | Malicious label | Malicious icon | | **Suspicious** | Suspicious label | Suspicious icon | -| **Not Flagged** | Suspicious label | None | +| **Not Flagged** | Not flagged label | Not flagged icon | **Not Flagged** is not the default value (which is no indicator at all). Cloud SIEM does not automatically assign an indicator value; enrichments must explicitly define it. @@ -67,7 +67,7 @@ Following is the mapping of threat type fields in indicators to reputation label | `compromised` | **Malicious** | | `malicious-activity` | **Malicious** | | `attribution` | (None) | -| `unknown` (or not set) | **Suspicious** | +| Unknown (or not set) | **Suspicious** | :::note If the mapping produces a threat indicator level of **Malicious**, but the confidence is less than 60, the entity's reputation will be set to **Suspicious** instead. If there are multiple reputation values for a given entity (potentially from threat intel and enrichment), Cloud SIEM will show the most severe indicator. diff --git a/static/img/cse/indicator-notflagged-icon.png b/static/img/cse/indicator-notflagged-icon.png new file mode 100644 index 0000000000..912186cf26 Binary files /dev/null and b/static/img/cse/indicator-notflagged-icon.png differ diff --git a/static/img/cse/indicator-notflagged-label.png b/static/img/cse/indicator-notflagged-label.png index a311e86a50..2bef27afee 100644 Binary files a/static/img/cse/indicator-notflagged-label.png and b/static/img/cse/indicator-notflagged-label.png differ
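Review bot: In the first hunk (the indicator table at line 35 of threat-indicators-in-cloud-siem.md), the new row text `| **Not Flagged** | Not flagged label | Not flagged icon |` fixes the copy-paste error where the Not Flagged row showed "Suspicious label" and no icon, but the casing is inconsistent with the row header and with the sentence that follows ("**Not Flagged** is not the default value"); consider "Not Flagged label" / "Not Flagged icon" for the cell text. Since this patch also adds a new binary `static/img/cse/indicator-notflagged-icon.png`, please confirm the icon cell actually references that new file, as the hunk shows only the cell text and not the image path.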
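Review bot: In the second hunk (the threat type to reputation mapping at line 67), replacing `` `unknown` (or not set) `` with plain `Unknown (or not set)` drops the code formatting that every other row in the visible context uses for a literal field value (`compromised`, `malicious-activity`, `attribution`). If `unknown` is a real threat type value that can appear in indicator data, it should stay in backticks for consistency; if the intent is that any unrecognised or missing value maps to **Suspicious**, the cell would be clearer as "any other value (or not set)" rather than a capitalised word that reads like a literal.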