Skip to main content

JSON Feed

This Integration is part of the JSON Feed Pack.#

Supported versions

Supported Cortex XSOAR versions: 5.5.0 and later.

Use the JSON feed integration to fetch indicators from a JSON feed. This integration allows for a wide variety of user configuration to support different types of JSON feeds.

Configure JSON Feed in Cortex#


ParameterDescription
NameA meaningful name for the integration instance.
Fetch indicatorsWhether to fetch indicators, if checked.
Indicator ReputationThe reputation applied to indicators from this integration instance. The default value is "Bad".
Source ReliabilityThe reliability of the source providing the intelligence data. The default value is "C - Fairly reliable"
Traffic Light Protocol ColorThe Traffic Light Protocol (TLP) designation to apply to indicators fetched from the feed. More information about the protocol can be found at https://us-cert.cisa.gov/tlp
Indicator Expiration MethodThe method by which to expire indicators from this feed for this integration instance.
Feed Fetch IntervalHow often to fetch indicators from the feed for this integration instance (in minutes). The default value is 60.
URLThe URL of the feed.
Auto detect indicator typeWhether a type auto detection mechanism will take place for each indicator, if checked.
Indicator TypeThe type of the indicator in the feed. This is relevant only if Auto detect is not checked.
Username + PasswordThe credentials used to access feeds that require basic authentication. These fields also support the use of API key headers. To use API key headers, specify the header name and value in the following format: _header:<header_name> in the Username field and the header value in the Password field.
JMESPath ExtractorThe JMESPath expression for extracting the indicators from. You can check the expression in the JMESPath site to verify this expression will return the following array of objects.
JSON Indicator AttributeThe JSON attribute whose value is the indicator. The default is "indicator".
POST DataSend specified data in a POST request. When specified, by default will add the header: Content-Type: application/x-www-form-urlencoded. To specify a different Content-Type (for example: application/json) use the Headers config param.
HeadersHeaders to add to the http request. Specify each header on a single line in the format: Name: Value.
Include indicator type for mappingWhen using a custom classifier and mapper with this feed, use this option to include the indicator type in the raw json used for classification and mapping. The type will be included under the key _indicator_type.
Bypass Exclusion ListWhether the exclusion list is ignored for indicators from this feed. This means that if an indicator from this feed is on the exclusion list, the indicator might still be added to the system.

Step-by-step configuration#


IP address ranges from Amazon AWS will be used as examples. The feed will ingest indicators of the CIDR type. These are the feed instance configuration parameters for our example.

URL: https://ip-ranges.amazonaws.com/ip-ranges.json

Auto detect indicator type: Checked.

Indicator Type - Leave this empty and the system will identify the indicator type.

Credentials - This feed does not require authentication.

The following parameters will be configured based on the feed in the web browser.

JMESPath Extractor - prefixes[?service=='AMAZON'] This means that the desired objects to extract the indicators from is prefixes, and the objects will be filtered by where the field service is equal to AMAZON.

JSON Indicator Attribute - The ip_prefix.

At this point, an instance for the IP ranges from Amazon AWS has been successfully configured. After Fetches indicators have been enabled, the instance will start pulling indicators.

By clicking Mapping in the integration instance, the field names we previously configured can be mapped to the actual indicator fields (except value which is the indicator value). We can use Set up a new classification rule using actual data from the feed.

Commands#


You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

Get indicators from the feed#


Gets the feed indicators.

Base Command#

!json-get-indicators

Input#
Argument NameDescriptionRequired
limitThe maximum number of results to return. The default value is 50.Optional
Context Output#

There is no context output for this command.

Demo Video#