End-of-Life (EoL)

Ingest Indicators from the Shared Indicators Index

Configure the Elasticsearch Feed integration on a tenant account to ingest indicators from the shared indexes in a Cortex XSOAR multi-tenant deployment.
When you configure the Elasticsearch Feed integration to fetch indicators for a tenant, all indicators are fetched from the shared indexes. You cannot define a subset of indicators for the tenant to ingest.
  1. Access the tenant account for which to share the indicators.
  2. Go to Settings > Integrations > Servers & Services.
  3. Search for Elasticsearch Feed.
  4. Configure the integration instance.

     | Parameter | Description | Example |
     | --- | --- | --- |
     | Name | A meaningful name for the integration instance. | Elasticsearch_Feed_domains_ips |
     | Fetch indicators | Make sure you select this option if you want this integration instance to export indicators to the shared index. | N/A |
     | Feed Type | Predefined configuration of indexes to fetch from. For sharing indicators, it should be Cortex XSOAR MT Shared Feed. | Cortex XSOAR MT Shared Feed |
     | Server URL | The URL of the Elasticsearch server. Note: If Elasticsearch is installed on the same machine as the Cortex XSOAR instance, add the following system configuration to the tenant configuration under Settings > About > Troubleshooting: key: python.pass.extra.keys and value: --network=host. | http://elasticsearch.<companyA>.com |
     | Fetch interval | How often to fetch indicators from this tenant and export them to the shared index. You can specify the interval in days, hours, or minutes. | 5 minutes |
     | Indicator Reputation | The reputation to apply to indicators ingested from this integration instance. | Suspicious |
     | Source Reliability | The reliability of the source providing the intelligence data, which affects how this indicator's fields and reputation are populated. | B - Usually reliable |
     | Indicator Expiration Method | The method by which indicators from this instance are expired. | Never Expire |
     | Bypass exclusion list | When selected, the exclusion list is ignored for indicators from this feed. This means that if an indicator from this feed is on the exclusion list, the indicator might still be added to the system. | N/A |
