# DHS Feed v2

This Integration is part of the DHS Feed Pack.

#### Supported versions
Supported Cortex XSOAR versions: 6.5.0 and later.
The Cybersecurity and Infrastructure Security Agency's (CISA's) free Automated Indicator Sharing (AIS) capability enables the exchange of cyber threat indicators, at machine speed, with the Federal Government community. Use this version if your certificate supports the TAXII 2 protocol.
Some changes have been made that might affect your existing content. If you are upgrading from a previous version of this integration, see Breaking Changes.
## Configure DHS Feed v2 in Cortex

| Parameter | Description | Required |
|---|---|---|
| Fetch indicators | | False |
| Discovery Service URL (e.g., https://ais2.cisa.dhs.gov/taxii2/) | | True |
| Key File as Text | For more information, visit https://us-cert.cisa.gov/ais. | True |
| Certificate File as Text | For more information, visit https://us-cert.cisa.gov/ais. | True |
| Default API Root to use | The default API root to use (e.g., default, public). If left empty, the server default API root will be used. When the server has no default root, the first available API root will be used instead. The user must be authorized to reach the selected API root. | False |
| Collection Name To Fetch Indicators From | Indicators will be fetched from this collection. Run the "dhs-get-collections" command to get a valid value. If left empty, the instance will try to fetch from all the collections in the given discovery service. | False |
| Indicator Reputation | Indicators from this integration instance will be marked with this reputation. | False |
| Source Reliability | Reliability of the source providing the intelligence data. | True |
| Traffic Light Protocol Color | The Traffic Light Protocol (TLP) designation to apply to indicators fetched from the feed. | False |
| Feed Fetch Interval | | False |
| First Fetch Time | The time interval for the first fetch (retroactive) in the following format: <number> <time unit> of type minute/hour/day. For example, 1 minute, 12 hour. Limited to 48 hours. | False |
| STIX Objects To Fetch | The objects to fetch, most likely indicators. Might slow down fetch time. | False |
| Trust any certificate (not secure) | | False |
| Use system proxy settings | | False |
| Bypass exclusion list | When selected, the exclusion list is ignored for indicators from this feed. This means that if an indicator from this feed is on the exclusion list, the indicator might still be added to the system. | False |
| Max Indicators Per Fetch | The maximum number of indicators that can be fetched per fetch. If this field is left empty, there will be no limit on the number of indicators fetched. | False |
| Max STIX Objects Per Poll | Set the number of STIX objects that will be requested with each TAXII poll (HTTP request). A single fetch is made of several TAXII polls. Changing this setting can help speed up fetches, or fix issues on slower networks. Please note that server restrictions may apply, overriding and limiting the requested limit. | False |
| Complex Observation Mode | Choose how to handle complex observations. Two or more Observation Expressions MAY be combined using a complex observation operator such as "AND", "OR". For example, `[ IP = 'b' ] AND [ URL = 'd' ]` | False |
| Tags | Supports CSV values. | False |
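The "Complex Observation Mode" parameter decides what happens when a STIX indicator pattern combines several bracketed observation expressions with AND/OR. The following added example (not code from the integration or from CISA) shows one way to turn such patterns into feed indicators: each `[ ... ]` block is one observation, each `path = 'value'` comparison inside it becomes an indicator, and compound patterns are either skipped or split. The STIX-path-to-type mapping, the mode names `skip`/`split` and the sample patterns are assumptions of this example.

```python
import re
from typing import Dict, List, Tuple

# Assumed mapping from STIX 2 object paths to indicator types; it covers the three
# types shown in this integration's sample output (Domain, IP, File) and a few more.
STIX_PATH_TO_TYPE: Dict[str, str] = {
    "domain-name:value": "Domain",
    "ipv4-addr:value": "IP",
    "ipv6-addr:value": "IPv6",
    "url:value": "URL",
    "email-addr:value": "Email",
    "file:hashes.'SHA-256'": "File",
    "file:hashes.'SHA-1'": "File",
    "file:hashes.MD5": "File",
}

# One comparison inside an observation expression: <object-path> = '<value>'
COMPARISON_RE = re.compile(r"(?P<path>[a-z0-9-]+:[A-Za-z0-9_.'-]+)\s*=\s*'(?P<value>[^']*)'")
# One bracketed observation expression: [ ... ]
OBSERVATION_RE = re.compile(r"\[([^\]]*)\]")


def parse_observation(observation: str) -> List[Tuple[str, str]]:
    """Return (indicator_type, value) for every comparison in a single observation."""
    pairs = []
    for match in COMPARISON_RE.finditer(observation):
        path = match.group("path")
        # Unknown paths keep the raw STIX path as their type so nothing is silently lost.
        pairs.append((STIX_PATH_TO_TYPE.get(path, path), match.group("value")))
    return pairs


def indicators_from_pattern(pattern: str, complex_mode: str = "skip") -> List[Dict[str, str]]:
    """Turn one STIX indicator pattern into feed indicators.

    complex_mode names are assumptions of this example:
      "skip"  - drop patterns that combine two or more observations with AND/OR,
                because a compound pattern does not describe one atomic IoC
      "split" - emit one indicator per observation and discard the operator
    """
    observations = OBSERVATION_RE.findall(pattern)
    if len(observations) > 1 and complex_mode == "skip":
        return []
    indicators = []
    for observation in observations:
        for ind_type, value in parse_observation(observation):
            indicators.append({"value": value, "type": ind_type, "pattern": pattern})
    return indicators


if __name__ == "__main__":
    # Constructed sample patterns, modelled on the indicator types in the sample output.
    samples = [
        "[domain-name:value = 'coronashop.jp']",
        "[file:hashes.'SHA-256' = 'e6ecb146f469d243945ad8a5451ba1129c5b190f7d50c64580dbad4b8246f88e']",
        "[ipv4-addr:value = '1.1.1.1'] AND [url:value = 'https://example.invalid/login']",
    ]
    for sample in samples:
        print("skip :", indicators_from_pattern(sample, "skip"))
        print("split:", indicators_from_pattern(sample, "split"))
```

Splitting a compound pattern loses the relationship between its parts (the AND in the third sample says both must be seen together), which is why skipping is the conservative default here: a split indicator may be blocked on its own even though the source only flagged the combination.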
## Commands
You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

### dhs-get-indicators
Allows you to test your feed and to make sure you can fetch indicators successfully. Due to API limitations, running this command may take longer than the default 5 minutes. To overcome this, increase the execution-timeout from 300 seconds to a higher value; the recommended value is 1800 seconds.

#### Base Command
`dhs-get-indicators`
#### Input

| Argument Name | Description | Required |
|---|---|---|
| raw | Will return only the rawJSON of the indicator object. Possible values are: true, false. Default is false. | Optional |
| limit | Maximum number of indicators to return. Default is 10. | Optional |
| added_after | Fetch only indicators that were added to the server after the given time. Provide a <number> and <time unit> of type minute/hour/day. For example, 1 minute, 12 hour, 24 days. Limited to 48 hours. Default is 24 hours. | Optional |
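Both the "First Fetch Time" / "Max Indicators Per Fetch" / "Max STIX Objects Per Poll" parameters above and the `added_after` argument of this command describe the same mechanics: a `<number> <time unit>` window that the feed caps at 48 hours, and a fetch that is made of several TAXII polls whose page size the server may override. The following added example (not the integration's own code) implements that logic against a constructed, in-memory stand-in for a TAXII collection so it runs offline; the object ids, timestamps, fixed clock and the 3-object server cap are all constructed for the example.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Tuple

MAX_LOOKBACK = timedelta(hours=48)  # the 48-hour ceiling documented for this feed
UNIT_SECONDS = {"minute": 60, "hour": 3600, "day": 86400}
WINDOW_RE = re.compile(r"^\s*(\d+)\s*(minute|hour|day)s?\s*$", re.IGNORECASE)


def added_after_from(window: str, now: Optional[datetime] = None) -> datetime:
    """Convert '<number> <time unit>' (minute/hour/day) into an added_after timestamp.

    Windows longer than 48 hours are clamped rather than rejected, so "7 days"
    silently becomes "48 hours"; a caller that wants to warn the user can compare
    the result with now - MAX_LOOKBACK.
    """
    match = WINDOW_RE.match(window)
    if not match:
        raise ValueError(f"invalid time window: {window!r}")
    requested = timedelta(seconds=int(match.group(1)) * UNIT_SECONDS[match.group(2).lower()])
    now = now or datetime.now(timezone.utc)
    return now - min(requested, MAX_LOOKBACK)


Poll = Callable[[datetime, int, Optional[str]], Dict]


def fetch_indicators(poll: Poll, added_after: datetime, max_per_poll: int,
                     max_indicators: Optional[int] = None) -> List[Dict]:
    """One fetch = several TAXII polls. `poll(added_after, limit, next_token)` must
    return a TAXII 2.1 style envelope: {"objects": [...], "more": bool, "next": str|None}."""
    collected: List[Dict] = []
    next_token: Optional[str] = None
    while True:
        limit = max_per_poll
        if max_indicators is not None:
            remaining = max_indicators - len(collected)
            if remaining <= 0:
                break
            limit = min(limit, remaining)  # never request more than we may keep
        page = poll(added_after, limit, next_token)
        collected.extend(page.get("objects", []))
        if not page.get("more") or not page.get("next"):
            break
        next_token = page["next"]
    return collected if max_indicators is None else collected[:max_indicators]


# --- Constructed stand-in for a TAXII collection endpoint (no network) ---------------

NOW = datetime(2022, 12, 8, 10, 29, 13, tzinfo=timezone.utc)  # fixed clock for the sample
SAMPLE_OBJECTS = [
    {"id": f"indicator--{n:08d}-0000-4000-8000-000000000000",  # constructed ids
     "created": (NOW - timedelta(hours=age)).isoformat()}
    for n, age in enumerate([1, 2, 5, 10, 20, 30, 47, 60])
]


def make_fake_collection(objects: List[Dict], server_cap: int = 3) -> Tuple[Poll, List[int]]:
    """Return a poll function over `objects` plus a log of the page sizes actually served.
    server_cap mimics a server-side limit that overrides a larger requested limit."""
    served: List[int] = []

    def poll(added_after: datetime, limit: int, next_token: Optional[str]) -> Dict:
        visible = [o for o in objects
                   if datetime.fromisoformat(o["created"]) > added_after]
        start = int(next_token) if next_token else 0
        end = min(start + min(limit, server_cap), len(visible))
        served.append(end - start)
        return {"objects": visible[start:end],
                "more": end < len(visible),
                "next": str(end) if end < len(visible) else None}

    return poll, served


if __name__ == "__main__":
    poll, served = make_fake_collection(SAMPLE_OBJECTS)
    since = added_after_from("7 days", NOW)  # clamped to 48 hours
    got = fetch_indicators(poll, since, max_per_poll=100)
    print(f"{len(got)} objects in {len(served)} polls, page sizes {served}")
```

Run as-is, the sample asks for 100 objects per poll, but the constructed server caps pages at 3, so the 7 objects that fall inside the 48-hour window arrive in three polls (3, 3, 1), which is the "server restrictions may apply" case from the parameter description; the 60-hour-old object is never returned, matching the Known Limitations section.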
#### Context Output

| Path | Type | Description |
|---|---|---|
| DHS.Indicators.value | String | Indicator value. |
| DHS.Indicators.type | String | Indicator type. |
| DHS.Indicators.rawJSON | String | Indicator rawJSON. |

#### Command Example
`!dhs-get-indicators limit=3 execution-timeout=1800`

#### Context Example

#### Human Readable Output
Found 3 results added after 2022-12-07T10:29:13.079493Z UTC:

DHS Indicators

| value | type |
|---|---|
| coronashop.jp | Domain |
| 1.1.1.1 | IP |
| e6ecb146f469d243945ad8a5451ba1129c5b190f7d50c64580dbad4b8246f88e | File |
### dhs-get-collections
Gets the list of collections from the discovery service.

#### Base Command
`dhs-get-collections`

#### Input
There are no input arguments for this command.

#### Context Output

| Path | Type | Description |
|---|---|---|
| DHS.Collections.ID | String | Collection ID. |
| DHS.Collections.Name | String | Collection name. |

#### Command Example
`!dhs-get-collections`

#### Context Example

#### Human Readable Output

DHS Server Collections

| Name | ID |
|---|---|
| Public Collection | 3 |
## Breaking Changes
The following are the breaking changes from the previous version of this integration.

### Arguments
The following argument was removed in this version:
- In the dhs-get-indicators command, `tlp_color` was removed.

The behavior of the following arguments was changed:
- In the dhs-get-indicators command, the default value of the limit argument was changed to '10'.

### Outputs
The following outputs were removed in this version, in the dhs-get-indicators command:
- DHS.type - this output was replaced by DHS.Indicators.type.
- DHS.value - this output was replaced by DHS.Indicators.value.
- DHS.tlp - this output was removed.

## Additional Considerations for this version
Use this version if your certificate supports the TAXII 2 protocol.

## Known Limitations
The "First Fetch Time" parameter can be configured for a maximum of 48 hours, due to limitations in the DHS TAXII 2 API. Therefore, it is not possible to fetch indicators that last appeared in the feed more than 48 hours ago.