Skip to main content

DHS Feed v2

This Integration is part of the DHS Feed Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

The Cybersecurity and Infrastructure Security Agency’s (CISA’s) free Automated Indicator Sharing (AIS) capability enables the exchange of cyber threat indicators, at machine speed, to the Federal Government community. Use this version if your certificate supports TAXII 2 protocol.

Some changes have been made that might affect your existing content. If you are upgrading from a previous version of this integration, see Breaking Changes.

Configure DHS Feed v2 in Cortex#

ParameterDescriptionRequired
Fetch indicatorsFalse
Discovery Service URL (e.g., https://ais2.cisa.dhs.gov/taxii2/)True
Key File as TextFor more information, visit https://us-cert.cisa.gov/ais.True
Certificate File as TextFor more information, visit https://us-cert.cisa.gov/ais.True
Default API Root to useThe default API root to use (e.g., default, public). If left empty, the server default API root will be used. When the server has no default root, the first available API root will be used instead. The user must be authorized to reach the selected API root.False
Collection Name To Fetch Indicators FromIndicators will be fetched from this collection. Run the "dhs-get-collections" command to get a valid value. If left empty, the instance will try to fetch from all the collections in the given discovery service.False
Indicator ReputationIndicators from this integration instance will be marked with this reputation.False
Source ReliabilityReliability of the source providing the intelligence data.True
Traffic Light Protocol ColorThe Traffic Light Protocol (TLP) designation to apply to indicators fetched from the feed.False
Feed Fetch IntervalFalse
First Fetch TimeThe time interval for the first fetch (retroactive) in the following format: <number> <time unit> of type minute/hour/day. For example, 1 minute, 12 hour. Limited to 48 hours.False
STIX Objects To FetchThe objects to fetch, most likely indicators. Might slow down fetch time.False
Trust any certificate (not secure)False
Use system proxy settingsFalse
Bypass exclusion listWhen selected, the exclusion list is ignored for indicators from this feed. This means that if an indicator from this feed is on the exclusion list, the indicator might still be added to the system.False
Max Indicators Per FetchThe maximum number of indicators that can be fetched per fetch. If this field is left empty, there will be no limit on the number of indicators fetched.False
Max STIX Objects Per PollSet the number of STIX objects that will be requested with each TAXII poll (http request). A single fetch is made of several TAXII polls. Changing this setting can help speed up fetches, or fix issues on slower networks. Please note server restrictions may apply, overriding and limiting the requested limit.False
Complex Observation ModeChoose how to handle complex observations. Two or more Observation Expressions MAY be combined using a complex observation operator such as "AND", "OR". For example, `[ IP = 'b' ] AND [ URL = 'd' ]`False
TagsSupports CSV values.False

Commands#

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

dhs-get-indicators#


Allows you to test your feed and to make sure you can fetch indicators successfully. Due to API limitations, running this command may take longer than the default 5 minutes. To overcome this issue increase the execution-timeout from 300 seconds to a higher value, the recommended value is 1800 seconds.

Base Command#

dhs-get-indicators

Input#

Argument NameDescriptionRequired
rawWill return only the rawJSON of the indicator object. Possible values are: true, false. Default is false.Optional
limitMaximum number of indicators to return. Default is 10.Optional
added_afterFetch only indicators that were added to the server after the given time. Provide a <number> and <time unit> of type minute/hour/day. For example, 1 minute, 12 hour, 24 days. Limited to 48 hours. Default is 24 hours.Optional

Context Output#

PathTypeDescription
DHS.Indicators.valueStringIndicator value.
DHS.Indicators.typeStringIndicator type.
DHS.Indicators.rawJSONStringIndicator rawJSON.

Command Example#

!dhs-get-indicators limit=3 execution-timeout=1800

Context Example#

{
"DHS.Indicators": [
{
"fields": {
"tags": [
"cisa-proprietary-false"
]
},
"rawJSON": {
"created": "2021-08-09T00:42:54.000Z",
"created_by_ref": "identity--e8",
"id": "indicator--e0",
"indicator_types": [
"anomalous-activity",
"attribution"
],
"labels": [
"cisa-proprietary-false"
],
"modified": "2021-09-26T04:16:13.000Z",
"name": "sometimes",
"object_marking_refs": [
"marking-definition--633",
"marking-definition--f51"
],
"pattern": "[domain-name:value = 'coronashop.jp']",
"pattern_type": "stix",
"pattern_version": "2.1",
"spec_version": "2.1",
"type": "Domain",
"valid_from": "2021-09-26T00:09:38Z",
"value": "coronashop.jp"
},
"type": "Domain",
"value": "coronashop.jp"
},
{
"fields": {
"description": "A totally famous IP Address",
"tags": [
"elevated"
]
},
"rawJSON": {
"created": "2022-03-01T14:17:59.000Z",
"created_by_ref": "identity--a9",
"description": "A totally famous IP Address",
"id": "indicator--2f5",
"labels": [
"elevated"
],
"modified": "2022-03-01T14:17:59.000Z",
"object_marking_refs": [
"marking-definition--633"
],
"pattern": "[ipv4-addr:value = '1.1.1.1']",
"pattern_type": "stix",
"spec_version": "2.1",
"type": "IP",
"valid_from": "2022-03-01T14:17:59.000000Z",
"value": "1.1.1.1"
},
"type": "IP",
"value": "1.1.1.1"
},
{
"fields": {
"tags": [
"elevated"
]
},
"rawJSON": {
"created": "2022-02-28T13:18:49.000Z",
"created_by_ref": "identity--8c4",
"id": "indicator--9a6",
"indicator_types": [
"file-hash-watchlist"
],
"labels": [
"elevated"
],
"modified": "2022-02-28T13:18:49.000Z",
"object_marking_refs": [
"marking-definition--633"
],
"pattern": "[file:hashes.MD5 = 'e6ecb146f469d243945ad8a5451ba1129c5b190f7d50c64580dbad4b8246f88e']",
"pattern_type": "stix",
"spec_version": "2.1",
"type": "File",
"valid_from": "2022-02-28T13:18:49.000000Z",
"value": "e6ecb146f469d243945ad8a5451ba1129c5b190f7d50c64580dbad4b8246f88e"
},
"type": "File",
"value": "e6ecb146f469d243945ad8a5451ba1129c5b190f7d50c64580dbad4b8246f88e"
}
]
}

Human Readable Output#

Found 3 results added after 2022-12-07T10:29:13.079493Z UTC:

DHS Indicators#

valuetype
coronashop.jpDomain
1.1.1.1IP
e6ecb146f469d243945ad8a5451ba1129c5b190f7d50c64580dbad4b8246f88eFile

dhs-get-collections#


Gets the list of collections from the discovery service.

Base Command#

dhs-get-collections

Input#

There are no input arguments for this command.

Context Output#

PathTypeDescription
DHS.Collections.IDStringCollection ID.
DHS.Collections.NameStringCollection name.

Command Example#

!dhs-get-collections

Context Example#

{
"DHS.Collections": [
{
"ID": "3",
"Name": "Public Collection"
}
]
}

Human Readable Output#

DHS Server Collections#

NameID
Public Collection3

Breaking Changes#

The following are the breaking changes from the previous version of this integration.

Arguments#

The following argument was removed in this version:#

In the dhs-get-indicators command, tlp_colorwas removed.

The behavior of the following arguments was changed:#

In the dhs-get-indicators command, the default value of the limit argument was changed to '10'.

Outputs#

The following outputs were removed in this version:#

In the dhs-get-indicators command:

  • DHS.type - this output was replaced by DHS.Indicators.type.
  • DHS.value - this output was replaced by DHS.Indicators.value.
  • DHS.tlp - this output was removed.

Additional Considerations for this version#

Use this version if your certificate supports TAXII 2 protocol.

Known Limitations#

"First Fetch Time" parameter can be configured for a maximum of 48 hours, due to limitations in DHS TAXII2 API. Therefore, it is not possible to fetch indicators that last appeared in the feed more than 48 hours ago.