
Flashpoint Ignite Feed v2

This integration is part of the Flashpoint Feed Pack.

Supported versions

Supported Cortex XSOAR versions: 6.10.0 and later.

Flashpoint Ignite Feed V2 Integration allows importing indicators of compromise using the V2 API that provides a more concise, context-rich response structure. It includes sightings of IOCs over time and IOC relationships, providing visibility into an IOC's evolution. The indicators of compromise are ingested into Cortex XSOAR and displayed in the War Room.

This integration was integrated and tested with API v2 of Flashpoint Ignite.

Fetch Indicators

Fetches Ignite indicators. Indicators that were created or updated after the configured "First fetch time" are fetched in ascending order.

If you are upgrading from a Flashpoint Feed integration, please refer to the Migration Guide for guidance.

Configure Flashpoint Ignite Feed v2 in Cortex

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for Flashpoint Ignite Feed v2.

  3. Click Add instance to create and configure a new integration instance.

    | Parameter | Description | Required |
    | --- | --- | --- |
    | Server URL | Server URL to connect to Ignite. | True |
    | API Key | API key used for secure communication with the Ignite platform. | True |
    | Types of the indicators to fetch | Types of the indicators to fetch. If not specified, it fetches all the indicators. Options: IPv4, IPv6, Domain, URL, File, Extracted Config. | False |
    | CIDR Range of an IPv4 or IPv6 indicator | CIDR range to filter IPv4 or IPv6 indicators. Note: This parameter is applied only if "Types of the indicators to fetch" is IPv4 or IPv6. | False |
    | Maximum Severity Level of an indicator | Filter indicators by their maximum severity level. If not specified, it fetches all the indicators. Options: Informational, Suspicious, Malicious. | False |
    | Minimum Severity Level of an indicator | Filter indicators by their minimum severity level. If not specified, it fetches all the indicators. Options: Informational, Suspicious, Malicious. | False |
    | MITRE ATTACK IDs of an indicator | Filter indicators by their MITRE ATTACK IDs. Example: T1003, T1004. | False |
    | Tags of an indicator | Filter indicators by their tags. Must be exact tag matches. Example: malware:cobaltstrike, actor:apt. | False |
    | Actor Tags of an indicator | Filter indicators by their actor tags. Must be exact tag matches. Inclusion of the actor: prefix is optional. Example: actor:apt37, apt1. | False |
    | Malware Tags of an indicator | Filter indicators by their malware tags. Must be exact tag matches. Inclusion of the malware: prefix is optional. Example: malware:cobaltstrike, amadey. | False |
    | Source Tags of an indicator | Filter indicators by their source tags. Must be exact tag matches. Inclusion of the source: prefix is optional. Example: source:flashpoint_extraction, flashpoint_detection. | False |
    | First fetch time | Backfill indicators by providing a date or relative timestamp. Default is '3 days'. Formats accepted: 2 minutes, 2 hours, 2 days, 2 weeks, 2 months, 2 years, yyyy-mm-dd, yyyy-mm-ddTHH:MM:SSZ, etc. | False |
    | Fetch indicators | Enable to fetch indicators. | False |
    | Indicator Reputation | Indicators from this integration instance will be marked with this reputation. | False |
    | Source Reliability | Reliability of the source providing the intelligence data. | True |
    | Traffic Light Protocol Color | The Traffic Light Protocol (TLP) designation to apply to indicators fetched from the feed. | False |
    | Default Indicator Mapping | When selected, all the incoming indicators will map to the Ignite Indicator. | False |
    | Tags | Provides the tags to be added to the indicators. Supports CSV values. | False |
    | feedIncremental | Indicates to the Cortex XSOAR server that the feed is incremental. Generally these are feeds that fetch based on a time range, for example a daily feed that provides new indicators for the last day, or an immutable feed that provides indicators from a search date onwards. | False |
    | feedExpirationPolicy | | False |
    | feedExpirationInterval | | False |
    | Feed Fetch Interval | Interval in minutes to fetch indicators. | False |
    | Bypass exclusion list | When selected, the exclusion list is ignored for indicators from this feed. This means that if an indicator from this feed is on the exclusion list, the indicator might still be added to the system. | False |
    | Create relationships | Create relationships between indicators as part of enrichment. | False |
    | Trust any certificate (not secure) | Indicates whether to allow connections without verifying the SSL certificate's validity. | False |
    | Use system proxy settings | Indicates whether to use XSOAR's system proxy settings to connect to the API. | False |
  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

flashpoint-ignite-v2-get-indicators

Retrieves indicators from the Ignite V2 API and displays the same content that the fetch-indicators command ingests.

Base Command

flashpoint-ignite-v2-get-indicators

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| limit | The maximum number of result objects to return. Maximum allowed limit is 500. Default is 10. | Optional |
| updated_since | Only retrieve values after the given timestamp. This parameter operates on the timestamp when an IOC was last modified. Formats accepted: 2 minutes, 2 hours, 2 days, 2 weeks, 2 months, 2 years, yyyy-mm-dd, yyyy-mm-ddTHH:MM:SSZ, etc. Default is 3 days. | Optional |
| types | Search by indicator types. Supports comma-separated values. Possible values are: IPv4, IPv6, Domain, URL, File, Extracted Config. | Optional |
| from | Fetch indicators after the given count of indicators. Default is 0. | Optional |
| cidr_range | CIDR range to filter IPv4 or IPv6 indicators. Note: This parameter is applied only if "types" is IPv4 or IPv6. | Optional |
| max_severity_level | Filter indicators by their maximum severity level. If not specified, it fetches all the indicators. Possible values are: Informational, Suspicious, Malicious. | Optional |
| min_severity_level | Filter indicators by their minimum severity level. If not specified, it fetches all the indicators. Possible values are: Informational, Suspicious, Malicious. | Optional |
| mitre_attack_ids | Filter indicators by their MITRE ATTACK IDs. Supports comma-separated values. | Optional |
| tags | Filter indicators by their tags. Must be exact tag matches. Supports comma-separated values. | Optional |
| actor_tags | Filter indicators by their actor tags. Must be exact tag matches. Inclusion of the actor: prefix is optional. Supports comma-separated values. | Optional |
| malware_tags | Filter indicators by their malware tags. Must be exact tag matches. Inclusion of the malware: prefix is optional. Supports comma-separated values. | Optional |
| source_tags | Filter indicators by their source tags. Must be exact tag matches. Inclusion of the source: prefix is optional. Supports comma-separated values. | Optional |
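The integration parameters and the command arguments above describe the same set of filters (types, CIDR range, severity bounds, prefixed tags, limit). As an added example that is not the integration's own code, the following Python applies those filter semantics locally to constructed indicator records so the rules can be checked offline; the severity ordering, the "any requested tag matches" rule, and ignoring the CIDR filter unless every requested type is IPv4/IPv6 are assumptions, not behaviour the page documents.

```python
import ipaddress

SEVERITY_ORDER = {"informational": 0, "suspicious": 1, "malicious": 2}
VALID_TYPES = {"ipv4", "ipv6", "domain", "url", "file", "extracted config"}

# Constructed records, modelled on the dummy rows in the command output below;
# this is an added example, not the integration's code or real Ignite data.
SAMPLE_IOCS = [
    {"id": "dummy-id-1", "type": "ipv4", "value": "0.0.0.1", "severity": "malicious",
     "tags": ["malware:dummy-malware", "source:dummy_source"]},
    {"id": "dummy-id-2", "type": "file", "value": "e" * 64, "severity": "informational",
     "tags": ["malware:dummy-malware-2", "source:dummy_source"]},
    {"id": "x-3", "type": "ipv4", "value": "10.1.2.3", "severity": "suspicious",
     "tags": ["actor:apt37"]},
    {"id": "x-4", "type": "ipv6", "value": "2001:db8::1", "severity": "malicious",
     "tags": ["actor:apt1", "malware:cobaltstrike"]},
]

def csv_values(raw):
    """Split a comma-separated argument into stripped, non-empty items."""
    return [item.strip() for item in (raw or "").split(",") if item.strip()]

def normalize_tags(raw, prefix):
    """Add the optional prefix so 'apt1' and 'actor:apt1' compare as the same exact tag."""
    return {t if t.startswith(prefix) else prefix + t for t in csv_values(raw)}

def filter_indicators(iocs, types="", cidr_range="", min_severity="", max_severity="",
                      actor_tags="", malware_tags="", source_tags="", limit=10):
    """Return at most `limit` records satisfying every supplied filter. Assumed: severity ranks
    Informational < Suspicious < Malicious; the CIDR filter counts only when the requested types
    are IPv4/IPv6; a record matches the tag filters when it carries any requested tag exactly."""
    if limit > 500:
        raise ValueError("Maximum allowed limit is 500")
    wanted_types = {t.lower() for t in csv_values(types)}
    if wanted_types - VALID_TYPES:
        raise ValueError(f"unknown indicator type(s): {sorted(wanted_types - VALID_TYPES)}")
    wanted_tags = (normalize_tags(actor_tags, "actor:") | normalize_tags(malware_tags, "malware:")
                   | normalize_tags(source_tags, "source:"))
    low = SEVERITY_ORDER.get(min_severity.lower(), 0)
    high = SEVERITY_ORDER.get(max_severity.lower(), 2)
    use_cidr = bool(cidr_range) and bool(wanted_types) and wanted_types <= {"ipv4", "ipv6"}
    network = ipaddress.ip_network(cidr_range, strict=False) if use_cidr else None

    def matches(ioc):
        return ((not wanted_types or ioc["type"].lower() in wanted_types)
                and low <= SEVERITY_ORDER.get(ioc["severity"].lower(), 0) <= high
                and (network is None or ipaddress.ip_address(ioc["value"]) in network)
                and (not wanted_tags or wanted_tags & set(ioc["tags"])))
    return [ioc for ioc in iocs if matches(ioc)][:limit]
```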

Context Output

There is no context output for this command.

Command example

!flashpoint-ignite-v2-get-indicators limit=2 types=URL updated_since="3 days"

Human Readable Output

Indicator(s)

Row 1
  ID: dummy-id-1
  Indicator Type: ipv4
  Indicator Value: 0.0.0.1
  Score: malicious
  Modified At: 2026-01-01T00:00:00Z
  Created At: 2026-01-01T00:00:00Z
  Last Seen At: 2026-01-01T00:00:00Z
  APT Description: N/A
  MITRE Attack IDs:
    - id: T0001
      name: Dummy Technique
      tactics:
        values: Defense-Evasion
        tactic: Defense-Evasion
    - id: T0002
      name: Dummy Discovery
      tactics:
        values: Discovery
        tactic: Discovery
  Sightings:
    - id: dummy-sighting-1
      href: https://api.example.com/sightings/dummy-sighting-1
      source: dummy_source
      sighted_at: 2026-01-01T00:00:00Z
      tags:
        values: malware:dummy-malware, source:dummy_source
      related_iocs:
        - id: dummy-related-id-1
          type: file
          value: dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd
          href: https://api.example.com/indicators/dummy-related-id-1
      mitre_attack_ids:
        - id: T0001
          name: Dummy Technique
          tactics:
            values: Defense-Evasion
            tactic: Defense-Evasion
        - id: T0002
          name: Dummy Discovery
          tactics:
            values: Discovery
            tactic: Discovery
      apt_description: N/A
      malware_description: N/A
      description: Observation: dummy-malware [2026-01-01T00:00:00Z]
  External References:
    - source_name: Dummy Source
      url: https://dummy.example.com
  Total Sightings: 1

Row 2
  ID: dummy-id-2
  Indicator Type: file
  Indicator Value: eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
  Score: unknown
  Modified At: 2026-01-01T00:00:00Z
  Created At: 2026-01-01T00:00:00Z
  Last Seen At: 2026-01-01T00:00:00Z
  APT Description:
  MITRE Attack IDs:
  Sightings:
    - id: dummy-sighting-2
      href: https://api.example.com/sightings/dummy-sighting-2
      source: dummy_source
      sighted_at: 2026-01-01T00:00:00Z
      tags:
        values: malware:dummy-malware-2, source:dummy_source
      description: Observation: dummy-malware-2 [2026-01-01T00:00:00Z]
  External References:
  Total Sightings: 1

Migration Guide

Migrated Commands

Some of the previous integration's commands have been migrated to new commands. The table below maps each old command to its replacement.

| Flashpoint Ignite Command | Flashpoint Ignite v2 Command |
| --- | --- |
| flashpoint-ignite-get-indicators | flashpoint-ignite-v2-get-indicators |