Export indicators - Administrator Guide - Threat Intel Management Guide - 8 - Cortex XSOAR - Cortex - Security Operations


Export indicators from the Indicators table, by using an integration or a playbook, or set up an External Dynamic List (EDL) by using the Generic Export Indicators integration.

In the Indicators table, you can export indicators to a CSV or STIX file. You can also export indicators using an integration or a playbook.

You can export indicators as a hosted text file (External Dynamic List) from Cortex XSOAR or an engine using the Generic Export Indicators Service integration. Exported indicators can be used, for example, in firewall block lists and allow lists, and for monitoring and analysis in Splunk. See Generic Export Indicators Service.

The Generic Export Indicators Service integration can be configured to export specific fields in different output formats. Multiple instances of the integration can be configured for different indicator queries, and the output can be customized to work with a variety of third-party services.

You can set up the Generic Export Indicators Service integration by setting up a long-running integration. See Forward Requests to Long-Running Integrations.

If you configure the Generic Export Indicators Service integration to run on demand, run the !export-indicators-list-update command the first time to initialize the export process.

By default, when exporting an incident or an indicator to CSV format, Cortex XSOAR generates the report in UTF8 format. If you need to export an incident or an indicator that contains Cyrillic characters such as Russian or Greek, you need to change the format to UTF8-BOM.


When you change the format to UTF8-BOM, you also change the format for incidents.

  1. Select Settings & Info → Settings → System → Server Settings → Add Server Configuration.

  2. Add the following key and value.

    Key: export.utf8bom

    Value: true

  3. Save the server configuration.
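
A downstream caveat once export.utf8bom is enabled: a script that decodes the exported CSV as plain UTF-8 gets the BOM glued to the first column name, so lookups on that column fail. The following is an added example, not Cortex XSOAR code; the column names and sample rows are constructed assumptions, not the real export schema.

```python
import codecs
import csv
import io

# Constructed sample rows; the column names are assumptions, not the real export schema.
ROWS = [["value", "type", "comment"],
        ["203.0.113.7", "IP", "сканер"],
        ["example.test", "Domain", "φίλτρο"]]

def make_export(with_bom: bool) -> bytes:
    """Build bytes resembling a CSV export, with or without the UTF-8 BOM."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows(ROWS)
    data = buf.getvalue().encode("utf-8")
    return codecs.BOM_UTF8 + data if with_bom else data

def has_bom(data: bytes) -> bool:
    """True when the file starts with the three-byte UTF-8 BOM (EF BB BF)."""
    return data.startswith(codecs.BOM_UTF8)

def read_naive(data: bytes) -> list[dict]:
    """Decode as plain UTF-8: a BOM stays attached to the first header name."""
    return list(csv.DictReader(io.StringIO(data.decode("utf-8"))))

def read_export(data: bytes) -> list[dict]:
    """Decode with utf-8-sig, which strips a BOM if present and is a no-op otherwise."""
    return list(csv.DictReader(io.StringIO(data.decode("utf-8-sig"))))

def indicator_values(rows: list[dict]) -> list[str]:
    """Return the indicator column, failing loudly instead of yielding an empty list."""
    if rows and "value" not in rows[0]:
        raise KeyError(f"no 'value' column; headers were {list(rows[0])!r}")
    return [r["value"] for r in rows]

if __name__ == "__main__":
    for with_bom in (False, True):
        data = make_export(with_bom)
        print("BOM:", has_bom(data), "->", indicator_values(read_export(data)))
    try:
        indicator_values(read_naive(make_export(True)))
    except KeyError as exc:
        print("naive reader failed:", exc)
```

Reading with utf-8-sig works for exports made before and after the setting is changed, so consumers do not need to be updated in lockstep with the server configuration.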

Cortex XSOAR provides numerous out-of-the-box playbooks for TIM, including playbooks that enable you to export indicators. All TIM-related playbooks have the 'TIM' prefix. Some are generic (for example, TIM - Process Indicators - Fully Automated), and some are dedicated to a specific vendor, like QRadar (for example, TIM - QRadar Add Domain Indicators) and ArcSight (for example, TIM - Arcsight Add IP Indicators).


For TIM-related playbooks, you need a TIM license.

If you define a playbook task input that pulls from indicators, the entire playbook runs in Quiet Mode. This means the task or playbook information is not written to the War Room, and inputs and outputs are not displayed in the playbook. However, errors and warnings are still written to the War Room.


You should not run a query on a field that you might change in the playbook flow. For example, you shouldn’t have a playbook with the query Verdict:Malicious and then change the indicator verdict as part of the playbook.