DHS Feed v2
DHS Feed Pack.#This Integration is part of the
Supported Cortex XSOAR versions: 6.5.0 and later.
The Cybersecurity and Infrastructure Security Agency’s (CISA’s) free Automated Indicator Sharing (AIS) capability enables the exchange of cyber threat indicators, at machine speed, to the Federal Government community. Use this version if your certificate supports TAXII 2 protocol.
Some changes have been made that might affect your existing content. If you are upgrading from a previous version of this integration, see Breaking Changes.
#Configure DHS Feed v2 on Cortex XSOAR
Navigate to Settings > Integrations > Servers & Services.
Search for DHS Feed v2.
Click Add instance to create and configure a new integration instance.
Parameter Description Required Fetch indicators False Discovery Service URL (e.g., https://ais2.cisa.dhs.gov/taxii2/) True Key File as Text For more information, visit https://us-cert.cisa.gov/ais. True Certificate File as Text For more information, visit https://us-cert.cisa.gov/ais. True Default API Root to use The default API root to use (e.g., default, public). If left empty, the server default API root will be used. When the server has no default root, the first available API root will be used instead. The user must be authorized to reach the selected API root. False Collection Name To Fetch Indicators From Indicators will be fetched from this collection. Run the "dhs-get-collections" command to get a valid value. If left empty, the instance will try to fetch from all the collections in the given discovery service. False Indicator Reputation Indicators from this integration instance will be marked with this reputation. False Source Reliability Reliability of the source providing the intelligence data. True Traffic Light Protocol Color The Traffic Light Protocol (TLP) designation to apply to indicators fetched from the feed. False Feed Fetch Interval False First Fetch Time The time interval for the first fetch (retroactive) in the following format: <number> <time unit> of type minute/hour/day. For example, 1 minute, 12 hour. Limited to 48 hours. False STIX Objects To Fetch The objects to fetch, most likely indicators. Might slow down fetch time. False Trust any certificate (not secure) False Use system proxy settings False Bypass exclusion list When selected, the exclusion list is ignored for indicators from this feed. This means that if an indicator from this feed is on the exclusion list, the indicator might still be added to the system. False Max Indicators Per Fetch The maximum number of indicators that can be fetched per fetch. If this field is left empty, there will be no limit on the number of indicators fetched. False Max STIX Objects Per Poll Set the number of STIX objects that will be requested with each TAXII poll (http request). A single fetch is made of several TAXII polls. Changing this setting can help speed up fetches, or fix issues on slower networks. Please note server restrictions may apply, overriding and limiting the requested limit. False Complex Observation Mode Choose how to handle complex observations. Two or more Observation Expressions MAY be combined using a complex observation operator such as "AND", "OR". For example, `[ IP = 'b' ] AND [ URL = 'd' ]` False Tags Supports CSV values. False
Click Test to validate the URLs, token, and connection.
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
Allows you to test your feed and to make sure you can fetch indicators successfully. Due to API limitations, running this command may take longer than the default 5 minutes. To overcome this issue increase the execution-timeout from 300 seconds to a higher value, the recommended value is 1800 seconds.
|raw||Will return only the rawJSON of the indicator object. Possible values are: true, false. Default is false.||Optional|
|limit||Maximum number of indicators to return. Default is 10.||Optional|
|added_after||Fetch only indicators that were added to the server after the given time. Provide a <number> and <time unit> of type minute/hour/day. For example, 1 minute, 12 hour, 24 days. Limited to 48 hours. Default is 24 hours.||Optional|
!dhs-get-indicators limit=3 execution-timeout=1800
#Human Readable Output
Found 3 results added after 2022-12-07T10:29:13.079493Z UTC:
value type coronashop.jp Domain 188.8.131.52 IP e6ecb146f469d243945ad8a5451ba1129c5b190f7d50c64580dbad4b8246f88e File
Gets the list of collections from the discovery service.
There are no input arguments for this command.
#Human Readable Output
#DHS Server Collections
Name ID Public Collection 3
The following are the breaking changes from the previous version of this integration.
#The following argument was removed in this version:
In the dhs-get-indicators command, tlp_colorwas removed.
#The behavior of the following arguments was changed:
In the dhs-get-indicators command, the default value of the limit argument was changed to '10'.
#The following outputs were removed in this version:
In the dhs-get-indicators command:
- DHS.type - this output was replaced by DHS.Indicators.type.
- DHS.value - this output was replaced by DHS.Indicators.value.
- DHS.tlp - this output was removed.
#Additional Considerations for this version
Use this version if your certificate supports TAXII 2 protocol.
"First Fetch Time" parameter can be configured for a maximum of 48 hours, due to limitations in DHS TAXII2 API. Therefore, it is not possible to fetch indicators that last appeared in the feed more than 48 hours ago.