Export indicators - Threat Intel Management Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Threat Intel Management
Product
Cortex XSOAR
Version
8
Creation date
2023-08-20
Last date published
2024-04-21
Category
Threat Intel Management Guide
Solution
Cloud
Abstract

Export indicators from the Indicators table, using an integration, or playbook, or set up an External Dynamic list (EDL) by using the Generic Export Indicators integration.

In the Indicators table, you can export indicators in a CSV or STIX file. You can also export indicators using an integration or a playbook.

Export indicators using the Generic Export Indicators Integration

You can export indicators in a hosted text file (External Dynamic list) from Cortex XSOAR or an engine using the Generic Export Indicators Service integration. Exported indicators can be used for example in firewall block lists, allow lists, and monitoring and analysis in Splunk. See Generic Export Indicators Service.

The Generic Export Indicators Service integration can be configured to export specific fields in different output formats. Multiple instances of the integration can be configured for different indicator queries, and the output can be customized to work with a variety of third-party services.

You can set up the Generic Export Indicators Service integration by setting up a long-running integration. See Forward Requests to Long Running Integrations.Forward Requests to Long Running Integrations

If you configure the Generic Export Indicator to run on-demand, use the !export-indicators-list-update command for the first time to initialize the export process.

Export incidents and indicators to CSV using the UTF8-BOM format

By default, when exporting an incident or an indicator to CSV format, Cortex XSOAR generates the report in UTF8 format. If you need to export an incident or an indicator that contains Cyrillic characters such as Russian or Greek, you need to change the format to UTF8-BOM.

  1. Select Settings & InfoSettingsSystemServer SettingsAdd Server Configuration.

  2. Add the following key and value.

    Key: export.utf8bom

    Value: true

  3. Save the server configuration.

Export indicators using playbooks

Cortex XSOAR provides numerous out-of-the-box playbooks for TIM, including playbooks that enable you to export indicators. All TIM-related playbooks have the 'TIM' prefix. Some are generic (for example, TIM - Process Indicators - Fully Automated), and some are dedicated to a specific vendor, like QRadar (for example, TIM - QRadar Add Domain Indicators) and ArcSight (for example, TIM- Arcsight Add IP Indicators).

Note

For TIM-related playbooks, you need a TIM license.

If you define a playbook task input that pulls from indicators, the entire playbook runs in Quiet Mode. This means the task or playbook information is not written to the War Room, and inputs and outputs are not displayed in the playbook. However, errors and warnings are still written to the War Room.

Caution

You should not run a query on a field that you might change in the playbook flow. For example, you shouldn’t have a playbook with query Verdict:Malicious and then change the indicator verdict as a part of the playbook.