Skip to main content

DHS Feed

This Integration is part of the DHS Feed Pack.#

Supported versions

Supported Cortex XSOAR versions: 5.5.0 and later.

The Cybersecurity and Infrastructure Security Agency’s (CISA’s) free Automated Indicator Sharing (AIS) capability enables the exchange of cyber threat indicators, at machine speed, to the Federal Government community. Use this version if your certificate supports TAXII 1 protocol.

Configure DHS Feed on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for DHS Feed.

  3. Click Add instance to create and configure a new integration instance.

    Base URLTrue
    Key File as TextFor more information, visit
    Certificate File as TextFor more information, visit
    Feed TypeTrue
    Filter by Traffic Light Protocol ColorThe Traffic Light Protocol (TLP) fetch from feed.False
    Indicator ReputationIndicators from this integration instance will be marked with this reputation.False
    Source ReliabilityReliability of the source providing the intelligence data.True
    TagsSupports CSV values.False
  4. Click Test to validate the URLs, token, and connection.


You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.


Get the indicators.

Base Command#



Argument NameDescriptionRequired
limitThe maximum number of indicators to return. Default is 20. Default is 20.Required
tlp_colorThe TLP color by which to filter the results. Possible values: "RED", "AMBER", "GREEN", "WHITE". Possible values are: RED, AMBER, GREEN, WHITE.Optional

Context Output#

DHS.typeStringThe indicator type (e.g., IP, Domain, Email, URL, File).
DHS.valuestringThe indicator.
DHS.tlpstringThe traffic light protocol.

Command Example#

!dhs-get-indicators limit=2 tlp_color=GREEN