Configure the Elasticsearch Feed integration on a tenant account to ingest indicators from the shared indexes in a Cortex XSOAR multi-tenant deployment.
When you configure the Elasticsearch Feed integration to fetch indicators for a tenant, all indicators are fetched from the shared indexes. You cannot define a subset of indicators for the tenant to ingest.
1. Access the tenant account for which to share the indicators.
2. Go to → → .
3. Search for Elasticsearch Feed.
4. Configure the integration instance using the parameters below.
Parameter | Description | Example
--- | --- | ---
Name | A meaningful name for the integration instance. | Elasticsearch_Feed_domains_ips
Fetch indicators | Select this option if you want this integration instance to fetch indicators from the shared index. | N/A
Feed Type | Predefined configuration of the indexes to fetch from. For sharing indicators, it must be Cortex XSOAR MT Shared Feed. | Cortex XSOAR MT Shared Feed
Server URL | The URL of the Elasticsearch server. Note: If Elasticsearch is installed on the same machine as the Cortex XSOAR instance, add the following system configuration to the tenant configuration under → → : key python.pass.extra.keys with value --network=host. This runs the integration's Docker container with host networking, so it can reach an Elasticsearch that listens only on the local host. | http://elasticsearch.<companyA>.com
Fetch interval | How often to fetch indicators from the shared index. You can specify the interval in days, hours, or minutes. | 5 minutes
Indicator Reputation | The reputation to apply to indicators ingested from the shared index. | Suspicious
Source Reliability | The reliability of the source providing the intelligence data, which affects how the indicator's fields and reputation are populated. | B - Usually reliable
Indicator Expiration Method | The method by which indicators from this instance are expired. | Never Expire
Bypass exclusion list | When selected, the exclusion list is ignored for indicators from this feed. This means that an indicator from this feed that is on the exclusion list might still be added to the system. | N/A