1. Home
    2. Security Operations
    3. Cortex XSOAR
    4. Cortex XSOAR Threat Intel Management Guide
    5. Threat Intel Feeds
    6. Feed Integrations

    Feed Integrations

    Feed integrations fetch indicators from a threat intelligence feed and add them to Cortex XSOAR for processing and handling. Common feed integration parameters.
    Cortex XSOAR has out-of-the-box threat intelligence feed integrations, including:
    • MITRE ATT&CK
    • Unit 42 ATOMs
    • Unit 42 Intel Objects
    • TAXII (1, 2.0/1)
    • Microsoft Office 365
    • Abuse.ch SSL Blacklist
    • Feodo Tracker IP Blocklist
    • Spamhaus
    • AlienVault
    • TOR Exit Addresses
    • AWS
    • Recorded Future
    • Proofpoint
    Common feed integration parameters
    This is a non-exhaustive list of the most common feed integration parameters. Each feed integration might have parameters unique to that integration. Ensure to read the documentation for specific feed integrations.
    Parameter
    Description
    Name
    A meaningful name for the integration instance. For example, if you have separate instances to fetch indicator types, you can include the name of the indicator type that the instance fetches.
    Fetches indicators
    Select this option for the integration instance to fetch indicators.
    Some integrations can fetch indicators or incidents. Make sure you select the relevant option for what you need to fetch in the instance.
    Sub-Feeds
    Some feeds might have several lists or files that provide indicators. The sub-feeds parameter enables you to select the specific list or file from which to fetch indicators. For example, Bambenek Consulting provides different lists for IPs and domains. Each of the Bambenek lists are available as sub-feeds.
    URL
    The URL of the feed.
    Fetch Interval
    How often the integration instance should fetch indicators from the feed.
    Indicator Reputation
    The Indicator Verdict to apply to all indicators fetched from this integration instance.
    Source Reliability
    The reliability of the source providing the threat intelligence data.
    Indicator Expiration Method
    The method by which to expire indicators from this integration instance. The default expiration method is the interval configured for the indicator type to which this indicator belongs.
    • Indicator Type: the expiration method defined for the indicator type to which this indicator belongs (interval or never).
    • Time Interval: expires indicators from this instance after the specified time interval, in days or hours.
    • Never Expire: indicators from this instance never expire.
    • When removed from the feed: when the indicators are removed from the feed they are expired in the system.
    Bypass exclusion list
    When selected, the exclusion list is ignored for indicators from this feed. This means that if an indicator from this feed is on the exclusion list, the indicator might still be added to the system.
    Trust any certificate
    When selected, certificates are not checked.
    Use system proxy settings
    Runs the integration instance using the proxy server (HTTP or HTTPS) that you defined in the server configuration.
    Do not use by default
    Excludes this integration instance when running a generic command that uses all available integrations.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2022 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo