Share Indicators Overview
Share indicators between tenant accounts by exporting
a tenant’s indicators to a shared index and configuring tenants
to ingest from the shared index.
The share indicators feature
requires a Cortex XSOAR Threat Intel Management license and requires
Cortex XSOAR to run using Elasticsearch.
Each tenant account has a dedicated shared index
in Elasticsearch. When you export a tenant’s indicators, either
manually or using the Share Indicators integration, the indicators
are stored in the index. This is the index from which other tenants ingest
the shared indicators.
There are two steps when sharing indicators. First, you export
a tenant’s local indicators to a shared index. Second, you configure
the other tenants to ingest indicators from the shared indexes.
There are several ways that tenant accounts ingest, or receive,
indicators from the shared index.
The Share Indicators integration serves two functions in the
share indicators flow.
When configured on a tenant account, the Share Indicators
integration defines which local indicators to export to the shared
indicator index.
When configured on the main account, the Share Indicators
integration defines which indicators to push (share) to tenant accounts.
Indicators are shared according to the
propagation labels that
you apply to the tenant accounts.