Share Indicators with Tenants Using Propagation Labels

The Share Indicators integration is configured on the master account to share indicators with tenants, using propagation labels.
The Share Indicators feature requires a Cortex XSOAR Threat Intel Management license and a Cortex XSOAR deployment that runs on Elasticsearch.
The Share Indicators integration is a dedicated integration that you configure on the main account to share indicators with tenants. In order for a tenant to receive the shared indicators, you need to assign corresponding propagation labels to the integration instance, the integration, and the tenants.
For example, if you want to share the indicators from the Share Indicators integration instance A to three tenant accounts, you need to assign the same propagation label to:
  • Share Indicators integration
  • Share Indicators integration instance A
  • Tenant 1
  • Tenant 2
  • Tenant 3
  1. Go to Settings > Integrations > Instances.
  2. Search for Share Indicators.
  3. Configure the integration instance.

    | Parameter | Description | Example |
    | --- | --- | --- |
    | Name | A meaningful name for the integration instance. | indicators-share_domains_ips |
    | Fetch indicators | Make sure you select this option if you want this integration instance to export indicators from the shared indexes to the tenant accounts with corresponding propagation labels. | N/A |
    | Fetch interval | How often to fetch indicators from the shared indexes and export them to the tenant accounts with corresponding propagation labels. You can specify the interval in days, hours, or minutes. | 5 minutes |
    | Indicators Query | The query that defines which indicators to fetch from the tenant and export to the shared index. The query is in Elasticsearch syntax. | type:Domain or type:IP |
    | Propagation Labels | These labels define which tenants will receive the indicators fetched from this integration instance. Make sure whatever labels you apply here are also applied on the Elasticsearch Feed integration itself, and the relevant tenants. The default label is all, which will send indicators from this integration instance to all tenants, whether or not propagation labels are assigned to the tenant accounts. | Premium |
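The following added example is not Cortex XSOAR code. It is a small model of the label-matching rule as this page states it, useful for reviewing a planned label assignment before sharing, in particular for spotting the default all label. The function name, the inventory structure, and "Tenant 4" are constructed for illustration.

```python
# Model of the propagation-label rule described on this page (not XSOAR code).
# The inventory below is constructed sample data.
ALL = "all"

def recipients(integration_labels, instance_labels, tenants):
    """Return (sorted names of tenants that receive indicators, warnings)."""
    integration = set(integration_labels)
    instance = set(instance_labels)
    warnings = []

    # Per the page, a label must be on both the instance and the integration.
    for label in sorted(instance - integration):
        warnings.append(f"label '{label}' is on the instance but not on the integration")
    effective = instance & integration

    # The default label shares with every tenant, labelled or not.
    if ALL in effective:
        warnings.append("label 'all' shares with every tenant, labelled or not")
        return sorted(tenants), warnings

    receiving = sorted(
        name for name, labels in tenants.items() if effective & set(labels)
    )
    # A label that no tenant carries shares nothing.
    for label in sorted(effective):
        if not any(label in labels for labels in tenants.values()):
            warnings.append(f"label '{label}' matches no tenant")
    return receiving, warnings

# Constructed inventory: three tenants carry the label, one carries none.
TENANTS = {
    "Tenant 1": ["Premium"],
    "Tenant 2": ["Premium"],
    "Tenant 3": ["Premium"],
    "Tenant 4": [],
}

if __name__ == "__main__":
    for integ, inst in (
        (["Premium"], ["Premium"]),
        ([ALL], [ALL]),
        (["Premium"], ["Premium", "Gold"]),
    ):
        names, notes = recipients(integ, inst, TENANTS)
        print(inst, "->", names, notes)
```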
