Export Indicators Service

Use the Export Indicators Service integration to expose the system's indicators as a list served from an HTTP(S) endpoint, so other products can consume them as a feed.

Use Cases


  1. Export a list of malicious IPs to block via a firewall.
  2. Export a list of indicators to a service such as Splunk, using a supported output format.

Configure ExportIndicators on Demisto


  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for ExportIndicators.
  3. Click Add instance to create and configure a new integration instance.
    • Name: a textual name for the integration instance.
    • Indicator Query: The query to run to update its list. To view expected results, you can run the following command from the Demisto CLI !findIndicators query=<your query>
    • Outbound Format: The default format of the entries in the service. Supported formats: text, json, json-seq, csv, XSOAR json, XSOAR json-seq, XSOAR csv, PAN-OS URL, Symantec ProxySG and McAfee Web Gateway.
    • List Size: Max amount of entries in the service instance.
    • Update On Demand Only: When set to true, will only update the service indicators via eis-update command.
    • Refresh Rate: How often to refresh the export indicators list (<number> <time unit>, e.g., 12 hours, 7 days, 3 months, 1 year)
    • Collapse IPs: Whether to collapse IPs and if so - to ranges or CIDRs.
    • Show CSV Formats as Text: If checked, csv and XSOAR-csv formats will create a textual web page instead of downloading a csv file.
    • Listen Port: Will run the Export Indicators Service on this port from within Cortex XSOAR. If you have multiple Export Indicators Service integration instances, make sure to use different listening ports to separate the outbound feeds.
    • Certificate (Required for HTTPS): HTTPS Certificate provided by pasting its values into this field.
    • Private Key (Required for HTTPS): HTTPS private key provided by pasting its values into this field.
    • HTTP Server: Ignores certificate and private key, and will run the export indicators service in HTTP. (Not recommended.)
    • Username: The username with which to authenticate when fetching the indicators.
    • Password: The password with which to authenticate when fetching the indicators.
    • Mcafee Gateway Indicator List Type: For use with McAfee Web Gateway format to indicate the list type.
    • PAN-OS URL Format Port Strip: For use with PAN-OS URL format. If checked, the port is stripped off URLs; if not checked, URLs with ports are ignored.
    • PAN-OS URL Format Drop Invalid Entries: For use with PAN-OS URL format. If checked, any URL entry that is not compliant with the PAN-OS EDL URL format is dropped instead of being rewritten.
    • Symantec ProxySG Default Category: For use with Symantec ProxySG format - set the default category for the output.
    • Symantec ProxySG Listed Categories: For use with Symantec ProxySG format - set the categories that should be listed in the output. If not set will list all existing categories.
  4. Click Test to validate the URLs, token, and connection.

Access the Export Indicators Service by Instance Name (HTTPS)

Note: By default, the route is open without security hardening and might expose you to network risks. Cortex XSOAR recommends that you configure credentials (Username and Password) for connecting to the integration.

To access the Export Indicators service by instance name, make sure Instance execute external is enabled.

  1. In Demisto, go to Settings > About > Troubleshooting.
  2. In the Server Configuration section, verify that the instance.execute.external key is set to true. If this key does not exist, click + Add Server Configuration and add the instance.execute.external and set the value to true. See this documentation for further information.
  3. In a web browser, go to https://<demisto_address>/instance/execute/<instance_name>.

Update values in the export indicators service

Updates the values stored in the export indicators service (only available On-Demand).

URL Inline Arguments


Use the following arguments in the URL to change the request:

  • n: The maximum number of entries in the output. If no value is provided, the value of the List Size parameter from the instance configuration is used. Example: https://{server_host}/instance/execute/{instance_name}?n=50
  • s: The starting entry index from which to export the indicators. Example: https://{server_host}/instance/execute/{instance_name}?s=10&n=50
  • v: The output format. Supports text, csv, json, json-seq, xsoar-json, xsoar-seq, xsoar-csv, mwg, panosurl and proxysg (alias: bluecoat). Example: https://{server_host}/instance/execute/{instance_name}?v=json
  • q: The query used to retrieve indicators from the system. Example: https://{server_host}/instance/execute/{instance_name}?q="type:ip and sourceBrand:my_source"
  • t: Only with the mwg format. The type indicated at the top of the exported list. Supports: string, applcontrol, dimension, category, ip, mediatype, number and regex. Example: https://{server_host}/instance/execute/{instance_name}?v=mwg&t=ip
  • sp: Only with the panosurl format. If set, ports are stripped off URLs; otherwise URLs with ports are ignored. Example: https://{server_host}/instance/execute/{instance_name}?v=panosurl&sp
  • di: Only with the panosurl format. If set, URLs that are not compliant with the PAN-OS URL format are ignored instead of being rewritten. Example: https://{server_host}/instance/execute/{instance_name}?v=panosurl&di
  • cd: Only with the proxysg format. The default category for the exported indicators. Example: https://{server_host}/instance/execute/{instance_name}?v=proxysg&cd=default_category
  • ca: Only with the proxysg format. The categories to export. Indicators not falling into these categories are classified under the default category. Example: https://{server_host}/instance/execute/{instance_name}?v=proxysg&ca=category1,category2
  • tr: Whether to collapse IPs: 0 - do not collapse, 1 - collapse to ranges, 2 - collapse to CIDRs. Example: https://{server_host}/instance/execute/{instance_name}?q="type:ip and sourceBrand:my_source"&tr=1
  • tx: Whether to output the csv and xsoar-csv formats as textual web pages. Example: https://{server_host}/instance/execute/{instance_name}?v=xsoar-csv&tx
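As an added example (not code from the integration itself), the following builds a request URL from the inline arguments above and validates a text-format response before it is loaded into a firewall blocklist; the host xsoar.example.com, instance name eis_fw and the sample response are constructed assumptions.

```python
"""Added example: compose an Export Indicators Service URL and validate a
``text`` response (one indicator per line) before using it as a blocklist."""
import ipaddress
from typing import List
from urllib.parse import urlencode


def build_export_url(server_host: str, instance_name: str, **args) -> str:
    """Compose https://{server_host}/instance/execute/{instance_name}?...
    Flag arguments (sp, di, tx) are passed as True and emitted as bare keys,
    matching the examples in the argument list above; other values are
    URL-encoded so a query such as q="type:ip and ..." survives intact."""
    pairs = []
    for key, value in args.items():
        if value is True:
            pairs.append(key)                      # bare flag, e.g. "&tx"
        else:
            pairs.append(urlencode({key: value}))  # e.g. "n=50"
    base = f"https://{server_host}/instance/execute/{instance_name}"
    return f"{base}?{'&'.join(pairs)}" if pairs else base


def parse_text_indicators(body: str) -> List[str]:
    """Keep only lines that parse as an IP address or CIDR block (the forms
    produced for type:ip exports, including tr=2 collapsing), so a stray
    domain or malformed line is never pushed to a firewall rule."""
    kept = []
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue  # not an IP/CIDR: skip rather than block something unintended
        kept.append(line)
    return kept


# Constructed sample response in the ``text`` format (not real indicators).
SAMPLE_TEXT = "1.1.1.1\n2.2.2.2\n10.0.0.0/24\nnot-an-ip\n\n3.3.3.3\n"

if __name__ == "__main__":
    url = build_export_url("xsoar.example.com", "eis_fw",
                           q="type:ip and sourceBrand:my_source", v="text", n=50, tr=2)
    print(url)
    print(parse_text_indicators(SAMPLE_TEXT))
```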
Base Command

eis-update

Input
  • query (Optional): The query used to retrieve indicators from the system. Leave empty to use the query from the integration parameters.
  • format (Optional): The output format.
  • list_size (Optional): The maximum number of entries in the output. If no value is provided, the value of the List Size parameter from the instance configuration is used.
  • offset (Optional): The starting entry index from which to export the indicators.
  • print_indicators (Required): If set to true, prints the indicators that were saved to the export indicators service.
  • mwg_type (Optional): For use with McAfee Web Gateway format to indicate the list type.
  • strip_port (Optional): For use with PAN-OS URL format. If true, the port is stripped off URLs; otherwise URLs with ports are ignored.
  • drop_invalids (Optional): For use with PAN-OS URL format. If true, any URL entry that is not compliant with the PAN-OS EDL URL format is dropped instead of being rewritten.
  • category_attribute (Optional): For use with Symantec ProxySG format. Sets the categories that should be listed in the output. If not set, all existing categories are listed.
  • category_default (Optional): For use with Symantec ProxySG format. Sets the default category for the output.
  • collapse_ips (Optional): Whether to collapse IPs, and if so, to ranges or CIDRs.
  • csv_text (Optional): If true, outputs the csv and XSOAR-csv formats as textual web pages.
Context Output

There is no context output for this command.

Command Example

!eis-update print_indicators=true query=type:IP format=text list_size=4

Human Readable Output
Indicators
1.1.1.1
2.2.2.2
3.3.3.3
4.4.4.4