Supported Cortex XSOAR versions: 5.5.0 and later.
The Cybersecurity and Infrastructure Security Agency’s (CISA’s) free Automated Indicator Sharing (AIS) capability enables the exchange of cyber threat indicators, at machine speed, to the Federal Government community.
Navigate to Settings > Integrations > Servers & Services.
Search for DHS Feed.
Click Add instance to create and configure a new integration instance.
Parameter Description Required Base URL True Key File as Text For more information, visit https://us-cert.cisa.gov/ais. True Certificate File as Text For more information, visit https://us-cert.cisa.gov/ais. True Feed Type True Filter by Traffic Light Protocol Color The Traffic Light Protocol (TLP) fetch from feed. False Indicator Reputation Indicators from this integration instance will be marked with this reputation. False Source Reliability Reliability of the source providing the intelligence data. True Tags Supports CSV values. False
Click Test to validate the URLs, token, and connection.
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
Get the indicators.
|limit||The maximum number of indicators to return. Default is 20. Default is 20.||Required|
|tlp_color||The TLP color by which to filter the results. Possible values: "RED", "AMBER", "GREEN", "WHITE". Possible values are: RED, AMBER, GREEN, WHITE.||Optional|
|DHS.type||String||The indicator type (e.g., IP, Domain, Email, URL, File).|
|DHS.tlp||string||The traffic light protocol.|
!dhs-get-indicators limit=2 tlp_color=GREEN