Supported Cortex XSOAR versions: 5.5.0 and later.
The PassiveTotal Security Intelligence Services Feed provides newly observed Domain, Malware, Phishing, Content, and Scam Blacklist indicators, with hourly ingestion available. This integration was integrated and tested with version 1.0 of Security Intelligence Services Feed.
An XSOAR instance backed by Elasticsearch is required, because this integration ingests a large number of indicators from SIS into XSOAR.
For the same reason, if this integration fails to fetch indicators with a timeout error, set the feedIntegrationScript.timeout server configuration to 45 or more.
Configure Security Intelligence Services Feed on Cortex XSOAR
- Navigate to Settings > Integrations > Servers & Services.
- Search for Security Intelligence Services Feed.
- Click Add instance to create and configure a new integration instance.

| Parameter | Description | Required |
| --- | --- | --- |
| accessKey | S3 Access Key | True |
| secretKey | S3 Secret Key | True |
| tlp_color | The Traffic Light Protocol (TLP) designation to apply to indicators fetched from the feed. More information about the protocol can be found at https://us-cert.cisa.gov/tlp | False |
| feedFetchInterval | Feed Fetch Interval | False |
| MaxIndicators | Max Indicators Per Interval | True |
| firstFetchInterval | First Fetch Time Range (<number> <time unit>, e.g., 12 hours, 7 days, 3 months, 1 year) | True |
| feedBypassExclusionList | Bypass exclusion list | False |
| insecure | Trust any certificate (not secure) | False |
| proxy | Use system proxy settings | False |

- Click Test to validate the S3 Access Key, S3 Secret Key, Feed Types, and connection.
You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
sis-get-indicators: gets indicators from the Security Intelligence Services feed. Note: indicators are fetched from the most recently found object.

| Argument Name | Description | Required |
| --- | --- | --- |
| limit | The maximum number of indicators to return from S3. Note: the maximum supported limit is 1000. | Optional |
| feed_type | Indicators are fetched based on feed_type. | Optional |
| search | Indicators whose value matches the given search pattern are fetched. | Optional |

There is no context output for this command.
!sis-get-indicators limit=2 type=Domain
Human Readable Output

Total indicators fetched: 2

Indicators from Security Intelligence Services feed

| Value | Type |
| --- | --- |
| 0363059571.online | Domain |
| 0363059571.xyz | Domain |
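As an added illustration of the documented argument handling (this is example code, not the integration's own source), the following Python sketch applies the 1000-indicator limit cap, the feed_type and search filters, and the "latest found object" rule to constructed sample objects, then renders the War Room table shown above. The "value,type" object layout, the object metadata, and the case-insensitive substring semantics of search are assumptions made for the example.

```python
from datetime import datetime

MAX_LIMIT = 1000  # documented cap for the limit argument
# Constructed sample S3 objects; the "value,type" layout is an assumption, not the real SIS format.
SAMPLE_OBJECTS = [
    {"last_modified": datetime(2020, 1, 1),
     "body": "old.example,Domain\n"},
    {"last_modified": datetime(2020, 1, 2),
     "body": "0363059571.online,Domain\n0363059571.xyz,Domain\n"
             "http://bad.example/x,URL\nmalformed line\n"},
]

def parse_limit(raw):
    """Parse the limit argument and enforce the documented maximum of 1000."""
    limit = int(raw) if raw is not None else MAX_LIMIT
    if limit <= 0:
        raise ValueError("limit must be a positive integer")
    return min(limit, MAX_LIMIT)

def latest_object(objects):
    """Pick the most recently modified object, as the command documentation describes."""
    return max(objects, key=lambda o: o["last_modified"])

def parse_indicators(body):
    """Turn 'value,type' lines into indicator dicts, skipping blank or malformed lines."""
    indicators = []
    for line in body.splitlines():
        if "," not in line:
            continue
        value, ind_type = line.rsplit(",", 1)  # split on the last comma so URLs with commas survive
        indicators.append({"value": value.strip(), "type": ind_type.strip()})
    return indicators

def get_indicators(objects, limit=None, feed_type=None, search=None):
    """Filter by feed_type and a case-insensitive substring search, then cap at limit."""
    max_items = parse_limit(limit)
    indicators = parse_indicators(latest_object(objects)["body"])
    if feed_type:
        indicators = [i for i in indicators if i["type"].lower() == feed_type.lower()]
    if search:
        indicators = [i for i in indicators if search.lower() in i["value"].lower()]
    return indicators[:max_items]

def human_readable(indicators):
    """Render the War Room output shown in the command example above."""
    lines = [f"Total indicators fetched: {len(indicators)}", "| Value | Type |", "| --- | --- |"]
    lines += [f"| {i['value']} | {i['type']} |" for i in indicators]
    return "\n".join(lines)
```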