Elasticsearch Feed
This Integration is part of the Elasticsearch Feed Pack.#
Supported versions
Supported Cortex XSOAR versions: 5.5.0 and later.
Overview#
Fetch indicators stored in an Elasticsearch database.
- The Cortex XSOAR Feed contains system indicators saved in an Elasticsearch index.
- The Cortex XSOAR MT Shared Feed contains indicators shared by a tenant account in a multi-tenant environment.
- The Generic Feed contains a feed in a format specified by the user.
Configure ElasticsearchFeed on Cortex XSOAR#
- Navigate to Settings > Integrations > Servers & Services.
- Search for SharedTenantElasticsearchFeed.
- Click Add instance to create and configure a new integration instance.
- Server URL: Elasticsearch database URL.
- Name: Used for authentication via Username + Password or API ID + API Key (If you wish to use API Key authorization enter _api_key_id: followed by your API key ID).
- Password: Used for authentication via Username + Password or API ID + API Key (If you wish to use API Key authorization enter your API key).
- Trust any certificate (not secure): Ignore HTTPS certificates.
- Use system proxy settings: Enable/Disable
- Feed Type: Choose the feed type saved into the Elasticsearch database. Cortex XSOAR Feed are indicators saved by Cortex XSOAR in an Elasticsearch configured enviornment. Cortex XSOAR MT Shared Feed are indicators shared by a tenant in a MT env. Generic Feed is a feed in a format dictated by the user
- Fetch indicators: Enable/Disable
- First Fetch Time: Determine how far to look back for fetched indicators (<number> <time unit>, e.g., 12 hours, 7 days).
- Indicator Reputation: Indicators from this integration instance will be marked with this reputation.
- Source Reliability: Reliability of the source providing the intelligence data.
- Traffic Light Protocol Color: The Traffic Light Protocol (TLP) designation to apply to indicators fetched from the feed. More information about the protocol can be found at https://us-cert.cisa.gov/tlp.
- Indicator Value Field: Source field that contains the indicator value in the index.
- Indicator Type Field: Source field that contains the indicator type in the index.
- Indicator Type: Default indicator type used in case no "Indicator Type Field" was provided
- Index From Which To Fetch Indicators: Multiple indices may be used by separating them with a comma. If none is provided, will search in all indices
- Time Field Type: Time field type used in the database.
- Index Time Field: Used for sorting sort and limiting data. If left empty, no sorting will be done.
- Query: Elasticsearch query to be executed when fetching indicators from Elasticsearch.
- Click Test to validate the URLs, token, and connection.
Fetched Incidents Data#
Commands#
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- get-shared-indicators
1. get-shared-indicators#
Gets indicators shared with this tenant (MT only).
Base Command#
get-shared-indicators
Input#
| Argument Name | Description | Required |
|---|---|---|
| limit | The maximum number of indicators to fetch. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| ElasticsearchFeed.SharedIndicators.Indicators | Unknown | Indicators shared from other tenants without enrichments. |
| ElasticsearchFeed.SharedIndicators.Enrichments | Unknown | Enrichment indicators shared from other tenants. |
Command Example#
!get-shared-indicators
Context Example#
Human Readable Output#
Indicators#
| name |
|---|
| 1.1.1.1 |
| 2.2.2.2 |
es-get-indicators#
Gets indicators available in the configured Elasticsearch database.
Base Command#
es-get-indicators
Input#
| Argument Name | Description | Required |
|---|---|---|
| limit | The maximum number of indicators to fetch. The default is 50. Default is 50. | Required |
Context Output#
There is no context output for this command.