Feed Integrations - Threat Intel Management Guide - 6.9 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Threat Intel Management Guide

Product
Cortex XSOAR
Version
6.9
Creation date
2022-09-29
Last date published
2024-03-05
End_of_Life
EoL
Category
Threat Intel Management Guide
Abstract

Feed integrations fetch indicators from a threat intelligence feed and add them to Cortex XSOAR for processing and handling.

Cortex XSOAR includes a number of threat intelligence feed integrations, which you can install from content packs in Marketplace. For example:

  • Unit 42 ATOMs

  • Unit 42 Intel Objects

  • TAXII

  • AlienVault

  • AWS

  • MITRE ATT&CK

Common feed integration parameters

This is a non-exhaustive list of the most common feed integration parameters. Each feed integration might have parameters unique to that integration. Read the documentation for specific feed integrations.

Parameter

Description

Name

A meaningful name for the integration instance. For example, if you have separate instances to fetch indicator types, you can include the name of the indicator type that the instance fetches.

Fetches indicators

Select this option for the integration instance to fetch indicators.

Some integrations can fetch indicators or incidents. Make sure you select the relevant option for what you need to fetch in the instance.

URL

The URL of the feed.

Feed Fetch Interval

How often the integration instance should fetch indicators from the feed.

Indicator Reputation

The Indicator Verdict to apply to all indicators fetched from this integration instance.

Source Reliability

The reliability of the source providing the threat intelligence data.

Indicator Expiration Method

The method by which to expire indicators from this integration instance. The default expiration method is the interval configured for the indicator type to which this indicator belongs.

  • Indicator Type: the expiration method defined for the indicator type to which this indicator belongs (interval or never).

  • Time Interval: expires indicators from this instance after the specified time interval, in days or hours.

  • Never Expire: indicators from this instance never expire.

  • When removed from the feed: when the indicators are removed from the feed they are expired in the system.

Bypass exclusion list

When selected, the exclusion list is ignored for indicators from this feed. This means that if an indicator from this feed is on the exclusion list, the indicator might still be added to the system.

Trust any certificate

When selected, certificates are not checked.

Use system proxy settings

Runs the integration instance using the proxy server (HTTP or HTTPS) that you defined in the server configuration.

Do not use by default

Excludes this integration instance when running a generic command that uses all available integrations.

Feed-Triggered Jobs

You can define a job triggered by a delta in a feed to run a playbook when the specified feed or feeds finish a fetch operation that included a modification to the feed. The modification can be a new indicator, a modified indicator, or a removed indicator. For example, you want to update your firewall every time a URL is added to, modified, or removed from the Office 365 feed.Create a Job Triggered by a Delta in Feed

Note

You can customize the new job form by editing the Indicator Feed incident type.

You can run an indicator search query and taking action, by configuring Threat Intelligence Management Playbooks. For example, the TIM-Process Indicators - Manual Review playbook, tags indicators and creates an incident of those indicators that require review. For an example, see Process Indicators Using a Job Triggered By Delta.Process Indicators Using a Job Triggered By Delta