Configure Threat Intel feed integrations - Threat Intel Management Guide - Administrator Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Cloud Documentation

Product
Cortex XSOAR
Version
8
Creation date
2024-03-07
Last date published
2024-11-28
Category
Administrator Guide
Solution
Cloud

You can download and install Threat Intel content packs including the following Threat Intel integrations such as:

  • MITRE ATT&CK

  • Unit 42 ATOMs

  • Unit 42 Intel Objects Feed

    If you have a TIM license, this feed is preinstalled.

  • AlienVault

  • AWS

Note

If you have a TIM license you can set up unlimited feeds. If not, you are limited to 5 active feeds and 100 indicators. For more information, see Understand Cortex XSOAR licenses.

How to configure threat intel feed integrations
  1. Go to Marketplace and install the relevant Threat Intel content pack.

  2. Configure the Threat Intel integration by going to SettingsSettings & InfoIntegrationsInstances, search for your integration, and click Add Instance.

    The following table is a non-exhaustive list of the most common feed integration parameters. Each feed integration may have parameters unique to that integration. Read the documentation for specific feed integrations for more details.

    Parameter

    Description

    Fetches indicators

    Select this option for the integration instance to fetch indicators.

    Some integrations can fetch indicators or incidents. Select the relevant option for what you need to fetch in the instance.

    URL

    The URL of the feed.

    Feed Fetch Interval

    When the integration instance should fetch indicators from the feed.

    Indicator verdict

    The indicator verdict that will apply to all indicators fetched from this integration instance. See Indicator verdict.

    Source reliability

    The reliability of the source that provides the threat intelligence data.

    Indicator Expiration Method

    The method by which to expire indicators from this integration instance. The default expiration method is the interval configured for the indicator type to which this indicator belongs.

    • Indicator Type: The expiration method defined for the indicator type to which this indicator belongs (interval or never).

    • Time Interval: Expires indicators from this instance after the specified time interval, in days or hours.

    • Never Expire: Indicators from this instance never expire.

    • When removed from the feed: When the indicators are removed from the feed they are expired in the system.

    Bypass exclusion list

    When selected, the exclusion list is ignored for indicators from this feed. This means that if an indicator from this feed is on the exclusion list, the indicator might still be added to the system.

    Trust any certificate (not secure)

    When selected, certificates are not checked.

    Use system proxy settings

    Runs the integration instance using the proxy server (HTTP or HTTPS) when an engine is selected.

    Do not use in CLI by default

    Excludes this integration instance when running a generic command that uses all available integrations.