Supported Cortex XSOAR versions: 5.5.0 and later.
Use the Export Indicators Service integration to provide an endpoint with a list of indicators as a service for the system indicators.
- Export a list of malicious IPs to block via a firewall.
- Export a list of indicators to a service such as Splunk, using a supported output format.
- Navigate to Settings > Integrations > Servers & Services.
- Search for ExportIndicators.
- Click Add instance to create and configure a new integration instance.
- Name: A textual name for the integration instance.
- Indicator Query: The query to run to update the list. To preview the expected results, run the following command from the Cortex XSOAR CLI: !findIndicators query=<your query>
- Outbound Format: The default format of the entries in the service. Supported formats: text, json, json-seq, csv, XSOAR json, XSOAR json-seq, XSOAR csv, PAN-OS URL, Symantec ProxySG and McAfee Web Gateway.
- List Size: The maximum number of entries in the service instance.
- Update On Demand Only: When set to true, the service indicators are updated only by running the eis-update command.
- Refresh Rate: How often to refresh the export indicators list (<number> <time unit>, e.g., 12 hours, 7 days, 3 months, 1 year).
- Collapse IPs: Whether to collapse IPs and, if so, whether to collapse them to ranges or to CIDRs.
- Show CSV Formats as Text: If checked, the csv and XSOAR-csv formats create a textual web page instead of downloading a csv file.
- Listen Port: The port on which the Export Indicators Service runs from within Cortex XSOAR. If you have multiple Export Indicators Service integration instances, use a different listening port for each one to keep the outbound feeds separate.
- Certificate (Required for HTTPS): The HTTPS certificate, provided by pasting its contents into this field.
- Private Key (Required for HTTPS): The HTTPS private key, provided by pasting its contents into this field.
- HTTP Server: Ignores the certificate and private key and runs the export indicators service over plain HTTP. (Not recommended.)
- Username: The username with which to authenticate when fetching the indicators.
- Password: The password with which to authenticate when fetching the indicators.
- McAfee Gateway Indicator List Type: For use with the McAfee Web Gateway format, to indicate the list type.
- PAN-OS URL Format Port Strip: For use with the PAN-OS URL format. If checked, the port is stripped from URLs; if not checked, URLs with ports are ignored.
- PAN-OS URL Format Drop Invalid Entries: For use with the PAN-OS URL format. If checked, any URL entry that is not compliant with the PAN-OS EDL URL format is dropped instead of being rewritten.
- Symantec ProxySG Default Category: For use with the Symantec ProxySG format. Sets the default category for the output.
- Symantec ProxySG Listed Categories: For use with the Symantec ProxySG format. Sets the categories that should be listed in the output. If not set, all existing categories are listed.
- Click Test to validate the URLs, token, and connection.
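As an added example (not the integration's own code), a Python re-implementation of the three Collapse IPs modes, numbered the way the tr URL argument numbers them: 0 leaves the list as-is, 1 merges consecutive addresses into first-last ranges, 2 merges them into CIDR blocks. The indicator list is constructed, and the exact output shape of the real integration may differ.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed sample of IP indicators, shaped like a q=type:IP result.
# Includes a duplicate and non-consecutive addresses to exercise the edge cases.
SAMPLE_IPS = [
    "10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4", "10.0.0.4",
    "192.168.1.10", "192.168.1.12",
    "203.0.113.0", "203.0.113.255",
]


def _consecutive_runs(addrs) -> List[Tuple]:
    """Group a sorted, de-duplicated address list into (first, last) runs of
    consecutive addresses. Integers are compared so IPv4 and IPv6 never mix."""
    runs = []
    for a in addrs:
        if runs:
            first, last = runs[-1]
            if a.version == last.version and int(a) == int(last) + 1:
                runs[-1] = (first, a)
                continue
        runs.append((a, a))
    return runs


def collapse_ips(ips: Iterable[str], tr: int) -> List[str]:
    """Collapse according to the tr argument: 0 = as-is (de-duplicated, sorted),
    1 = 'first-last' ranges, 2 = CIDR blocks. Any other tr raises ValueError."""
    if tr not in (0, 1, 2):
        raise ValueError("tr must be 0, 1 or 2")
    addrs = sorted({ipaddress.ip_address(ip) for ip in ips},
                   key=lambda a: (a.version, int(a)))
    if tr == 0:
        return [str(a) for a in addrs]
    out = []
    for first, last in _consecutive_runs(addrs):
        if tr == 1:
            out.append(str(first) if first == last else f"{first}-{last}")
        else:
            out.extend(str(net) for net in
                       ipaddress.summarize_address_range(first, last))
    return out
```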
Note: By default, the route is open without security hardening and might expose you to network risks. Cortex XSOAR recommends that you use credentials to connect to the integration.
To access the Export Indicators service by instance name, make sure Instance execute external is enabled.
- In Cortex XSOAR, go to Settings > About > Troubleshooting.
- In the Server Configuration section, verify that the instance.execute.external key is set to true. If this key does not exist, click + Add Server Configuration and add the instance.execute.external and set the value to true. See this documentation for further information.
- In a web browser, go to
eis-update: Updates the values stored in the export indicators service (only available On-Demand).
Use the following arguments in the URL to change the request:
|Argument|Description|
|---|---|
|n|The maximum number of entries in the output. If no value is provided, the value specified in the List Size parameter of the instance configuration is used.|
|s|The starting entry index from which to export the indicators.|
|v|The output format. Supports the formats listed under the Outbound Format parameter.|
|q|The query used to retrieve indicators from the system.|
|t|Only with the McAfee Web Gateway format. Indicates the list type (see the McAfee Gateway Indicator List Type parameter).|
|sp|Only with the PAN-OS URL format. If set, the port is stripped from URLs; otherwise URLs with ports are ignored.|
|di|Only with the PAN-OS URL format. If set, URL entries that are not compliant with the PAN-OS EDL URL format are dropped instead of being rewritten.|
|cd|Only with the Symantec ProxySG format. The default category for the output.|
|ca|Only with the Symantec ProxySG format. The categories to list in the output. If not set, all existing categories are listed.|
|tr|Whether to collapse IPs. 0 - do not collapse, 1 - collapse to ranges, 2 - collapse to CIDRs.|
|tx|Whether to output the csv and XSOAR-csv formats as textual web pages.|
|sf|The field by which to sort the indicators. Only applicable with the XSOAR formats.|
|so|The direction by which to order the indicators (ascending or descending).|
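An added example of a consumer for the service (not part of the integration): it builds the request URL from the URL arguments above, fetches it over HTTPS with certificate verification and the instance's Username/Password credentials (the point of the Note above), and validates every line of a text-format response before it is handed to a firewall. The service URL, instance name, credentials and response body are placeholders I constructed.

```python
import base64
import ipaddress
import ssl
import urllib.parse
import urllib.request
from typing import Dict, List, Optional, Tuple

# Placeholder: the URL at which the instance is exposed on your Cortex XSOAR server.
SERVICE_URL = "https://xsoar.example.com/instance/execute/ExportIndicators_instance"


def build_feed_url(base_url: str, params: Dict[str, str]) -> str:
    """Append the documented URL arguments (n, s, v, q, tr, ...) as a query string."""
    return f"{base_url}?{urllib.parse.urlencode(params)}"


def basic_auth_header(username: str, password: str) -> str:
    """HTTP Basic credentials matching the instance's Username/Password parameters."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def fetch_feed(url: str, username: str, password: str,
               ca_file: Optional[str] = None) -> str:
    """Fetch the list over HTTPS. The default SSL context verifies the server
    certificate; a self-signed instance certificate is passed as ca_file
    instead of disabling verification."""
    ctx = ssl.create_default_context(cafile=ca_file)
    req = urllib.request.Request(
        url, headers={"Authorization": basic_auth_header(username, password)})
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read().decode("utf-8")


def parse_text_feed(body: str) -> Tuple[List[str], List[str]]:
    """Split a text-format response into valid networks (normalised to CIDR)
    and rejected lines, so malformed entries never reach the blocklist."""
    accepted, rejected = [], []
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            accepted.append(str(ipaddress.ip_network(line, strict=False)))
        except ValueError:
            rejected.append(line)
    return accepted, rejected


# Constructed sample body, shaped like a v=text, q=type:IP, tr=2 response.
SAMPLE_BODY = "10.0.0.2/31\n203.0.113.7\n\nnot-an-ip\n2001:db8::/32\n"
```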
|Argument|Description|Required|
|---|---|---|
|query|The query used to retrieve indicators from the system. Leave empty to use the query from the integration parameters.|Optional|
|format|The output format.|Optional|
|list_size|The maximum number of entries in the output. If no value is provided, the value specified in the List Size parameter of the instance configuration is used.|Optional|
|offset|The starting entry index from which to export the indicators.|Optional|
|print_indicators|If set to true, prints the indicators that were saved to the export indicators service.|Required|
|mwg_type|For use with the McAfee Web Gateway format, to indicate the list type.|Optional|
|strip_port|For use with the PAN-OS URL format. If True, the port is stripped from URLs; otherwise URLs with ports are ignored.|Optional|
|drop_invalids|For use with the PAN-OS URL format. If set, any URL entry that is not compliant with the PAN-OS EDL URL format is dropped instead of being rewritten.|Optional|
|category_attribute|For use with the Symantec ProxySG format. Sets the categories that should be listed in the output. If not set, all existing categories are listed.|Optional|
|category_default|For use with the Symantec ProxySG format. Sets the default category for the output.|Optional|
|collapse_ips|Whether to collapse IPs and, if so, whether to collapse them to ranges or to CIDRs.|Optional|
|csv_text|If True, outputs the csv and XSOAR-csv formats as textual web pages.|Optional|
|sort_field|The field by which to sort the indicators. Only applicable with the XSOAR formats.|Optional|
|sort_order|The direction by which to order the indicators (ascending or descending).|Optional|
There is no context output for this command.
!eis-update print_indicators=true query=type:IP format=text list_size=4