End-of-Life (EoL)

Share Indicators with Tenants Using Propagation Labels

The Share Indicators integration is a dedicated integration that you configure on the main account to share indicators to tenants, using propagation labels.
The share indicators feature requires a Cortex XSOAR Threat Intel Management license and that Cortex XSOAR runs using Elasticsearch.
For a tenant to receive the shared indicators, you need to assign corresponding propagation labels to the integration instance, the integration, and the tenants.
For example, if you want to share the indicators from Share Indicators integration instance A with three tenant accounts, you need to assign the same propagation label to each of the following items:
  • Share Indicators integration
  • Share Indicators integration instance A
  • Tenant 1
  • Tenant 2
  • Tenant 3
  1. Go to Settings > Integrations > Servers & Services.
  2. Search for Share Indicators.
  3. Configure the integration instance.

     | Parameter | Description | Example |
     | --- | --- | --- |
     | Name | A meaningful name for the integration instance. | indicators-share_domains_ips |
     | Fetch indicators | Make sure you select this option if you want this integration instance to export indicators from the shared indexes to the tenant accounts with corresponding propagation labels. | N/A |
     | Fetch interval | How often to fetch indicators from the shared indexes and export them to the tenant accounts with corresponding propagation labels. You can specify the interval in days, hours, or minutes. | 5 minutes |
     | Indicators Query | The query that defines which indicators to fetch from the tenant and export to the shared index. The query is in Elasticsearch syntax. | type:Domain or type:IP |
     | Propagation Labels | These labels define which tenants will receive the indicators fetched from this integration instance. Make sure whatever labels you apply here are also applied on the Elasticsearch v2 integration itself, and the relevant tenants. The default label is all, which will send indicators from this integration instance to all tenants, whether or not propagation labels are assigned to the tenant accounts. | Premium |
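
The following is an added example, not part of the original page and not Cortex XSOAR code: a small Python model of the label rule described above, for reviewing which tenants an instance would reach before you enable Fetch indicators. It assumes exact, case-sensitive label matching and that the label all on the instance alone is sufficient; the instance names other than indicators-share_domains_ips and all label assignments are constructed sample data.

```python
# Model of the propagation-label rule as the page describes it (assumption:
# exact, case-sensitive matching). Not Cortex XSOAR code.
ALL = "all"  # default label named on the page


def recipients(integration_labels, instance_labels, tenants):
    """Return the sorted tenant names that would receive an instance's indicators.

    tenants maps tenant name -> set of propagation labels on that tenant.
    """
    instance = set(instance_labels)
    if ALL in instance:
        # "all" reaches every tenant, whether or not the tenant has labels.
        return sorted(tenants)
    # Otherwise a label must be on the integration, the instance and the tenant.
    effective = instance & set(integration_labels)
    return sorted(n for n, labels in tenants.items() if effective & set(labels))


def audit(integration_labels, instances, tenants):
    """Return (instance, finding) pairs to review before enabling fetch."""
    findings = []
    for name, labels in instances.items():
        labels = set(labels)
        if ALL in labels:
            findings.append((name, "label 'all' shares with every tenant"))
            continue
        orphaned = labels - set(integration_labels)
        if orphaned:
            findings.append((name, "labels missing on integration: "
                             + ", ".join(sorted(orphaned))))
        if not recipients(integration_labels, labels, tenants):
            findings.append((name, "no tenant carries a matching label"))
    return findings


# Constructed sample configuration (hypothetical instances and assignments).
INTEGRATION_LABELS = {"Premium"}
INSTANCES = {
    "indicators-share_domains_ips": {"Premium"},
    "indicators-share_default": {"all"},      # left on the default label
    "indicators-share_typo": {"premium"},     # label differs only in case
}
TENANTS = {"Tenant 1": {"Premium"}, "Tenant 2": {"Premium"}, "Tenant 3": set()}

if __name__ == "__main__":
    for inst, labels in INSTANCES.items():
        print(inst, "->", recipients(INTEGRATION_LABELS, labels, TENANTS))
    for inst, finding in audit(INTEGRATION_LABELS, INSTANCES, TENANTS):
        print("REVIEW", inst + ":", finding)
```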
