Skip to main content

Security Intelligence Services Feed

This Integration is part of the Security Intelligence Services Feed Pack.#

Supported versions

Supported Cortex XSOAR versions: 5.5.0 and later.

A PassiveTotal with Security Intelligence Services Feed provides you with newly observed Domain, Malware, Phishing, Content, and Scam Blacklist with Hourly ingestion available. This integration was integrated and tested with version 1.0 of Security Intelligence Services Feed.

The XSOAR instance with ElasticSearch is required as this integration would ingest large amount of indicators from SIS to XSOAR.

For that same reason, in case this integration fails to fetch indicators with timeout error, the feedIntegrationScript.timeout configuration should be configured with value 45 or more.

Configure Security Intelligence Services Feed in Cortex#

ParameterDescriptionRequired
accessKeyS3 Access KeyTrue
secretKeyS3 Secret KeyTrue
feedTypeFeed TypeTrue
feedFetch indicatorsFalse
feedReputationIndicator ReputationFalse
feedReliabilitySource ReliabilityTrue
tlp_colorThe Traffic Light Protocol (TLP) designation to apply to indicators fetched from the feed. More information about the protocol can be found at https://us-cert.cisa.gov/tlpFalse
feedExpirationPolicyFalse
feedExpirationIntervalFalse
feedFetchIntervalFeed Fetch IntervalFalse
feedTagsTagsFalse
MaxIndicatorsMax Indicators Per IntervalTrue
firstFetchIntervalFirst Fetch Time Range (<number> <time unit>, e.g., 12 hours, 7 days, 3 months, 1 year)True
feedBypassExclusionListBypass exclusion listFalse
insecureTrust any certificate (not secure)False
proxyUse system proxy settingsFalse

Commands#

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

sis-get-indicators#


Gets indicators from Security Intelligence Services feed. Note- Indicators will fetch from the latest found object.

Base Command#

sis-get-indicators

Input#

Argument NameDescriptionRequired
limitThe maximum number of indicators to return from S3. Note- The maximum limit supported is 1000.Optional
feed_typeIndicators will be fetched based on feed_type.Optional
searchIndicators that match the given search pattern will be fetched.Optional

Context Output#

There is no context output for this command.

Command Example#

!sis-get-indicators limit=2 type=Domain

Human Readable Output#

Total indicators fetched: 2#

Indicators from Security Intelligence Services feed#

ValueType
0363059571.onlineDomain
0363059571.xyzDomain