Connect to the FS-ISAC IntelX Exchange in Cortex XSOAR

FS-ISAC STIX/TAXII Guide for Cortex XSOAR

Product: Cortex XSOAR
Version: 8
Creation date: 2024-11-14
Last date published: 2024-11-14
Category: Tutorials
Abstract

Learn how to connect to the FS-ISAC IntelX Exchange in Cortex XSOAR 8.

This quick start guide is intended to assist FS-ISAC member firms in connecting and configuring Cortex XSOAR through a STIX/TAXII feed integration with the FS-ISAC Threat Intelligence Exchange Repository (IntelX Repo).

Cortex XSOAR, a Security Orchestration, Automation, and Response Platform, offers valuable integration capabilities with the FS-ISAC STIX/TAXII Server. This integration allows FS-ISAC Member Firms to connect and configure Cortex XSOAR to receive threat intelligence feeds from the FS-ISAC Threat Intelligence Exchange Repository (IntelX Repo) through the STIX/TAXII feed.

Configuration

To ingest multiple STIX/TAXII collections, configure a separate instance of the TAXII Feed integration for each collection. Cortex XSOAR supports all TAXII server versions, but we recommend using TAXII 2.1.

Configuration Steps

Install the TAXII Feed integration
  1. Go to Marketplace.

  2. To find the TAXII Feed content pack, search for ingest Taxii.

  3. Select the TAXII Feed content pack and install it.

    For more information, see TAXII Feed Content Pack.

Set up the FS-ISAC instance in Cortex XSOAR

  1. Go to Settings & Info → Settings → Integrations → Instances.

  2. Search for TAXII, and on the relevant integration (TAXII 2 Feed for a 2.x server), click Add Instance.

Define the integration instance parameters

The following setup is relevant for the TAXII 2 Feed integration.

  1. In the Connect section, add the following parameters:

    | Parameter | Description |
    | --- | --- |
    | Name | Adjust the instance feed name. Tip: We recommend a name in the form FS-ISAC-<collection name>. |
    | Discovery Service URL | Should be set to: https://taxii.fsisac.com/ctixapi/ctix21/taxii2/ |
    | Username/API Key | As provided by FS-ISAC. |
    | Password | As provided by FS-ISAC. |
    | API Root to Use | Leave empty. |
    | Collection Name to Fetch Indicators From | Use the collection name to fetch a specific collection. If not given, the integration will try to fetch ALL collections from the server. Note: The collection name is required, NOT the ID. |

  2. In the Collection section, add the following parameters:

    | Parameter | Description |
    | --- | --- |
    | Source Reliability | Tip: We recommend setting the reliability to B. We use A for raw data such as allowed IPs of a service (for example, IPs published by AWS). |
    | Traffic Light Protocol Color | Should be set according to FS-ISAC guidelines (Amber and above). |
    | Max Indicators Per Fetch (disabled for Full Feed Fetch) | Leave empty. |
    | First Fetch Time | This setting determines how far back Cortex XSOAR will pull in the FIRST FETCH. The default is 1 year but can be adjusted if needed. |
    | STIX Object to Fetch | Leave as is, unless you want the feed to fetch a specific type of SCO. Note: This only refers to the STIX object type, not the actual indicator (for example, an Indicator STIX object with an IP pattern will not be fetched if only IP is selected). |
    | Max STIX Objects Per Poll | The default is 100. Unless there is an issue, it should not be changed. |
    | Indicator Expiration Method | Tip: We recommend using the By Indicator type. |
    | Feed Fetch Interval | Should be set according to FS-ISAC guidelines. By default, it is 4 hours in Cortex XSOAR. |
    | Incremental Feed | Select the checkbox. |
    | Full Feed Fetch | Deselect the checkbox. |
    | Tags | Tip: We recommend adding FS-ISAC-<Collection name> to the tags for easy querying. |

  3. Click Test.

    A new window should appear and show Success.

  4. Close the test window and click Save & Exit.

    Your new FS-ISAC instance is up and running.
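
If the test fails or the feed returns nothing, the usual causes are the Discovery Service URL, the API root, or a collection ID entered where the name is expected. The following pre-check is an added example, not part of the original guide or the TAXII Feed integration's code: it walks the standard TAXII 2.1 discovery and collections resources and resolves a collection by its title. The function names, the `taxii.example.test` host, and the sample collections are hypothetical and constructed for illustration; the fallback to the server's default API root is assumed client behavior.

```python
import base64
import json
import urllib.request
from urllib.parse import urljoin

TAXII21 = "application/taxii+json;version=2.1"  # TAXII 2.1 media type

def fetch_json(url, user, password):
    """GET a TAXII 2.1 resource with HTTP Basic auth (live use only)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={
        "Accept": TAXII21, "Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def pick_api_root(discovery, discovery_url):
    """Assumed behavior when 'API Root to Use' is empty: take the server's
    advertised default root, else the first listed root."""
    root = discovery.get("default") or next(iter(discovery.get("api_roots", [])), None)
    if root is None:
        raise ValueError("discovery response advertises no API root")
    return urljoin(discovery_url, root.rstrip("/") + "/")  # roots may be relative

def resolve_collection(collections_doc, name):
    """Match on the collection title, which is what the instance field expects."""
    cols = collections_doc.get("collections", [])
    for col in cols:
        if col.get("title") == name:
            if not col.get("can_read", False):
                raise PermissionError(f"{name!r} is not readable with these credentials")
            return col
    if any(col.get("id") == name for col in cols):
        raise ValueError("that is a collection ID; configure the collection name instead")
    raise LookupError(f"no collection titled {name!r}; available: "
                      f"{sorted(c.get('title', '') for c in cols)}")

# Constructed sample responses (not real FS-ISAC data).
SAMPLE_DISCOVERY = {"title": "Example TAXII server",
                    "default": "https://taxii.example.test/taxii2/root-a/"}
SAMPLE_COLLECTIONS = {"collections": [
    {"id": "11111111-2222-4333-8444-555555555555", "title": "Example Collection A",
     "can_read": True, "can_write": False},
    {"id": "66666666-7777-4888-8999-000000000000", "title": "Example Collection B",
     "can_read": False, "can_write": False}]}

if __name__ == "__main__":
    root = pick_api_root(SAMPLE_DISCOVERY, "https://taxii.example.test/taxii2/")
    col = resolve_collection(SAMPLE_COLLECTIONS, "Example Collection A")
    print(root + "collections/" + col["id"] + "/objects/")
```

For a live check, pass the output of `fetch_json` on the Discovery Service URL to `pick_api_root`, then call `fetch_json` on that root plus `collections/` and pass the result to `resolve_collection`.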