Set the Source Reliability of Enrichment Integrations - Threat Intel Management Guide - 6.11 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Threat Intel Management Guide

Product: Cortex XSOAR
Version: 6.11
Creation date: 2022-12-12
Last date published: 2024-03-05
Category: Threat Intel Management Guide
Abstract

Set the source reliability of enrichment integrations for Cortex XSOAR servers.

The source reliability of enrichment integrations is set by the reliability parameter. If an enrichment integration does not have a reliability parameter, the default source reliability is A+. You can change the source reliability for a specific instance from the UI when configuring the integration instance.

Some integrations allow you to clear the source reliability at the instance level and instead use a server configuration to set the source reliability across all instances of the integration. In addition, you can use a server configuration to set the source reliability across all enrichment integration instances that do not have a source reliability set.

You can set the source reliability through the following methods:
  • Through a server configuration, for all enrichment integrations.

  • Through a server configuration, for a specific integration. If a source reliability is set for a specific integration, this overrides the setting for all enrichment integrations.

  • In the settings for a specific integration instance. If you set the source reliability for a specific instance, this overrides the setting for the specific integration and the setting for all enrichment integrations.

Note

For either server configuration to affect an enrichment integration instance, the source reliability must first be cleared from the instance. To remove the current source reliability score, go to Settings > Integrations > Instances, find the relevant instance, and click the gear icon to access the integration instance settings. In the Source Reliability field, click the x next to the source reliability score. If the Source Reliability field is a required field for this integration (a red asterisk displays next to Source Reliability), you cannot clear the source reliability, so server configurations cannot affect this instance.

To set the source reliability for all enrichment integrations and for a specified integration, do the following:

  1. Remove the current source reliability score from the enrichment integration instance.

    1. Go to Settings > INTEGRATIONS > Instances.

    2. Search for the integration that you want to set the source reliability score for and click the gear icon to access the instance parameters.

    3. In the Source Reliability field click the x next to the source reliability score.

    4. Click Done.

  2. Go to Settings > ABOUT > Troubleshooting.

  3. In the Server Configuration section click Add Server Configuration.

  4. To set the source reliability for all enrichment integrations:

    1. Remove any integrations.enrichment.reliability.<integration_name> advanced configurations if they exist.

    2. In the Key field, enter integrations.enrichment.reliability.

  5. To set the source reliability for a specific integration, in the Key field, enter integrations.enrichment.reliability.<integration_name>, where <integration_name> is the vendor name of the enrichment integration for which to set the reliability score (applies to all instances of the specified integration). The vendor name can be found in the indicator summary view. Type the vendor name as it appears.

  6. In the Value field enter the source reliability score for the enrichment integration. You can enter only the letter or both the letter and the description in the Value field.

    • A+ - 3rd party enrichment

    • A - Completely reliable

    • B - Usually reliable

    • C - Fairly reliable

    • D - Not usually reliable

    • E - Unreliable

    • F - Reliability cannot be judged

  7. Click Save.
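
The override order described above can be checked offline before changing a server. The following is an added example, not Cortex XSOAR code: it models the documented precedence (instance setting, then the integration-specific key, then the key for all enrichment integrations) so you can see which setting determines the score for a given instance. The function names, the dictionary layout, the vendor name ExampleVendor, and the fallback to A+ whenever nothing is set are assumptions of this example.

```python
# Added example: a model of the precedence rules on this page, not product code.
SCORES = {
    "A+": "3rd party enrichment",
    "A": "Completely reliable",
    "B": "Usually reliable",
    "C": "Fairly reliable",
    "D": "Not usually reliable",
    "E": "Unreliable",
    "F": "Reliability cannot be judged",
}
GLOBAL_KEY = "integrations.enrichment.reliability"


def normalize(value):
    """Accept 'B' or 'B - Usually reliable'; return the full form, or None if cleared."""
    if value is None or not value.strip():
        return None
    letter = value.split(" - ", 1)[0].strip().upper()
    if letter not in SCORES:
        raise ValueError(f"unknown source reliability: {value!r}")
    return f"{letter} - {SCORES[letter]}"


def effective_reliability(vendor, instance_value, server_config):
    """Return (score, origin) for one instance of an enrichment integration.

    vendor must be typed exactly as it appears in the indicator summary view,
    because it is matched as a literal suffix of the server configuration key.
    """
    specific_key = f"{GLOBAL_KEY}.{vendor}"
    candidates = [
        ("instance setting", instance_value),            # highest priority
        (specific_key, server_config.get(specific_key)),  # per-integration key
        (GLOBAL_KEY, server_config.get(GLOBAL_KEY)),      # all enrichment integrations
    ]
    for origin, raw in candidates:
        score = normalize(raw)
        if score is not None:
            return score, origin
    # Assumption: fall back to the documented default of A+ when nothing is set.
    return normalize("A+"), "default"


if __name__ == "__main__":
    # Constructed sample data; ExampleVendor is a hypothetical vendor name.
    config = {GLOBAL_KEY: "C", f"{GLOBAL_KEY}.ExampleVendor": "B"}
    for instance_value in ("D - Not usually reliable", None):
        print(instance_value, "->", effective_reliability("ExampleVendor", instance_value, config))
```

An instance whose Source Reliability field is required can never be cleared, so for such an instance the first candidate always wins.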