You can download and install Threat Intel content packs, which include Threat Intel integrations such as:
- MITRE ATT&CK
- Unit 42 ATOMs
- Unit 42 Intel Objects Feed (if you have a TIM license, this feed is preinstalled)
- AlienVault
- AWS
Note: If you have a TIM license, you can set up unlimited feeds. If not, you are limited to 5 active feeds and 100 indicators. For more information, see Understand Cortex XSOAR licenses.
1. Go to Marketplace and install the relevant Threat Intel content pack.
2. Configure the Threat Intel integration: search for your integration and click Add Instance.

The following table is a non-exhaustive list of the most common feed integration parameters. Each feed integration may have parameters unique to that integration. Read the documentation for specific feed integrations for more details.
| Parameter | Description |
| --- | --- |
| Fetches indicators | Select this option for the integration instance to fetch indicators. Some integrations can fetch indicators or incidents. Select the relevant option for what you need to fetch in the instance. |
| URL | The URL of the feed. |
| Feed Fetch Interval | When the integration instance should fetch indicators from the feed. |
| Indicator verdict | The indicator verdict that will apply to all indicators fetched from this integration instance. See Indicator verdict. |
| Source reliability | The reliability of the source that provides the threat intelligence data. |
| Indicator Expiration Method | The method by which to expire indicators from this integration instance. The default expiration method is the interval configured for the indicator type to which this indicator belongs.<br>Indicator Type: The expiration method defined for the indicator type to which this indicator belongs (interval or never).<br>Time Interval: Expires indicators from this instance after the specified time interval, in days or hours.<br>Never Expire: Indicators from this instance never expire.<br>When removed from the feed: When the indicators are removed from the feed they are expired in the system. |
| Bypass exclusion list | When selected, the exclusion list is ignored for indicators from this feed. This means that if an indicator from this feed is on the exclusion list, the indicator might still be added to the system. |
| Trust any certificate (not secure) | When selected, certificates are not checked. |
| Use system proxy settings | Runs the integration instance using the proxy server (HTTP or HTTPS) when an engine is selected. |
| Do not use in CLI by default | Excludes this integration instance when running a generic command that uses all available integrations. |
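
As an added example (not part of the product documentation and not Cortex XSOAR code), the sketch below audits feed instance settings for the options in this table that deserve a second look: unchecked certificates, exclusion-list bypass, indicators that never expire, and the 5-feed limit without a TIM license. The dictionary layout, the `name` and `interval` keys, and the sample instances are assumptions made for illustration; the other keys are the parameter labels from the table.

```python
# Added example: audit feed instance settings using the parameter labels
# from the table as keys. The dict layout itself is hypothetical.
RISKY_FLAGS = {
    "Trust any certificate (not secure)":
        "certificates are not checked for this feed",
    "Bypass exclusion list":
        "indicators on the exclusion list can still be added",
}
FEED_LIMIT_WITHOUT_TIM = 5  # active-feed limit stated in the licensing note


def audit_feeds(instances, tim_license=False):
    """Return a sorted list of (instance name, finding) tuples."""
    findings = []
    # Only instances that actually fetch indicators count as active feeds.
    active = [i for i in instances if i.get("Fetches indicators")]
    for inst in active:
        name = inst["name"]
        for flag, why in RISKY_FLAGS.items():
            if inst.get(flag):
                findings.append((name, f"{flag}: {why}"))
        # When unset, fall back to the indicator type's own method.
        method = inst.get("Indicator Expiration Method", "Indicator Type")
        if method == "Never Expire":
            findings.append(
                (name, "Never Expire: indicators from this instance never expire"))
        elif method == "Time Interval" and not inst.get("interval"):
            # "interval" is a hypothetical key holding the days/hours value.
            findings.append((name, "Time Interval selected but no interval given"))
    if not tim_license and len(active) > FEED_LIMIT_WITHOUT_TIM:
        findings.append(("*", f"{len(active)} active feeds exceeds the limit of "
                              f"{FEED_LIMIT_WITHOUT_TIM} without a TIM license"))
    return sorted(findings)


# Constructed sample instances (names and URLs are made up).
SAMPLE = [
    {"name": "feed-a", "Fetches indicators": True, "URL": "https://feed.example/a",
     "Trust any certificate (not secure)": True,
     "Indicator Expiration Method": "Never Expire"},
    {"name": "feed-b", "Fetches indicators": True, "URL": "https://feed.example/b",
     "Bypass exclusion list": True,
     "Indicator Expiration Method": "Time Interval", "interval": "7 days"},
    {"name": "feed-c", "Fetches indicators": False, "URL": "https://feed.example/c",
     "Trust any certificate (not secure)": True},
]

if __name__ == "__main__":
    for name, finding in audit_feeds(SAMPLE):
        print(f"{name}: {finding}")
```
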