Ingest Indicators from the Shared Indicators Index - Multi-Tenant Guide - EoL - 6.11 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Multi-Tenant Guide

Product
Cortex XSOAR
Version
6.11
Creation date
2022-12-12
Last date published
2024-07-16
Category
Multi-Tenant Guide
End of Life > EoL
Abstract

Configure the Elasticsearch Feed integration on a tenant account to ingest indicators from the shared indexes in a Cortex XSOAR multi-tenant deployment.

When you configure the Elasticsearch Feed integration to fetch indicators for a tenant, all indicators are fetched from the shared indexes. You cannot define a subset of indicators for the tenant to ingest.

  1. Access the tenant account for which to share the indicators.

  2. Go to SettingsINTEGRATIONSInstances.

  3. Search for Elasticsearch Feed.

  4. Configure the integration instance.

    Parameter

    Description

    Example

    Name

    A meaningful name for the integration instance.

    Elasticsearch_Feed_domains_ips

    Fetch indicators

    Make sure you select this option if you want this integration instance to fetch indicators from the shared index.

    N/A

    Feed Type

    Predefined configuration of indexes to fetch from. For sharing indicators, it should be Cortex XSOAR MT Shared Feed.

    Cortex XSOAR MT Shared Feed

    Server URL

    The URL of the Elasticsearch server.

    Note

    If Elasticsearch is installed on the same machine as the Cortex XSOAR instance, the following system configuration should be added to the tenant configuration under SettingsABOUTTroubleshooting: key:python.pass.extra.keys and value: --network=host.

    http://elasticsearch.<companyA>.com

    Fetch interval

    How often to fetch indicators from the shared index. You can specify the interval in days, hours, or minutes.

    5 minutes

    Indicator Reputation

    The reputation to apply to indicators ingested from the shared index.

    Suspicious

    Source Reliability

    The reliability of the source providing the intelligence data, which affects how this indicator's fields and reputation are populated.

    B - Usually reliable

    Indicator Expiration Method

    The method by which indicators from this instance are expired.

    Never Expire

    Bypass exclusion list

    When selected, the exclusion list is ignored for indicators from this feed. This means that if an indicator from this feed is on the exclusion list, the indicator might still be added to the system.

    N/A