Share Indicators Overview

You share indicators between tenant accounts by exporting a tenant’s indicators to a shared index and then configuring tenants to ingest from the shared index.
The share indicators feature requires a Cortex XSOAR Threat Intel Management license and that Cortex XSOAR runs using Elasticsearch.
Each tenant account has a dedicated shared index in Elasticsearch. When you export a tenant’s indicators, either manually or using the Share Indicators integration, the indicators are stored in the index. This is the index from which other tenants ingest the shared indicators.
There are two steps when sharing indicators. First, you export a tenant’s local indicators to a shared index. Second, you configure the other tenants to ingest indicators from the shared indexes. There are several ways that tenant accounts ingest, or receive, indicators from the shared index.
The Share Indicators integration serves two functions in the share indicators flow.
  • When configured on a tenant account, the Share Indicators integration defines which local indicators to export to the shared indicator index.
  • When configured on the main account, the Share Indicators integration defines which indicators to push (share) to tenant accounts. Indicators are shared according to the propagation labels that you apply to the tenant accounts.

