Server version 5.5.0 adds support for Feed Integrations. Feed Integrations allow fetching indicators from feeds, for example TAXII, AutoFocus, Office 365, and so on.
An example Feed Integration can be seen here.
Feed Integrations are developed the same as other Integrations. They provide a few extra configuration parameters and APIs.
Feed Integration names (
display fields) should end with the word Feed. This consistent naming convention ensures that users can easily understand what the Integration is used for.
Supported Server Version
Feed Integration's YAML file must have the following field
fromversion: 5.5.0. This is because Feed Integrations are only supported from Server version 5.5.0 and onwards.
Every Feed integration should have the following parameters in the integration YAML file:
defaultvalue of the
feedFetchInterval parameters should be set according to the qualities associated with the feed source for which you are developing a feed integration.
Every Feed Integration will at minimum have three commands:
test-module- this is the command that is run when the
Testbutton in the configuration panel of an integration is clicked.
<product-prefix>is replaced by the name of the Product or Vendor source providing the feed. So for example, if you were developing a feed integration for Microsoft Intune this command might be called
msintune-get-indicators. This command should fetch a limited number of indicators from the feed source and display them in the war room.
fetch-indicators- this command will initiate a request to the feed endpoint, format the data fetched from the endpoint to conform to Cortex XSOAR's expected input format and create new indicators. If the integration instance is configured to
Fetch indicators, then this is the command that will be executed at the specified
Feed Fetch Interval.
API Command: demisto.createIndicators()
demisto.createIndicators() function when the
fetch-indicators command is executed. Let's look at an example
main() from an existing Feed Integration.
batch function is imported from
CommonServerPython. We see that indicators are returned from calling
fetch_indicators_command and are passed to
demisto.createIndicators in batches.
Indicator Objects passed to
demisto.createIndicators. Let's look at an example,
Let's review the object key and values.
"value"- required. The indicator value, e.g.
"type"- required. The indicator type (types as defined in Cortex XSOAR), e.g.
"IP". One can use the
FeedIndicatorTypeclass to populate this field. This class, which is imported from
CommonServerPythonhas all of the indicator types that come out of the box with Cortex XSOAR. It appears as follows,class FeedIndicatorType(object):"""Type of Indicator (Reputations), used in TIP integrations"""Account = "Account"CVE = "CVE"Domain = "Domain"DomainGlob = "DomainGlob"Email = "Email"File = "File"FQDN = "Domain"MD5 = "File MD5"SHA1 = "File SHA-1"SHA256 = "File SHA-256"Host = "Host"IP = "IP"CIDR = "CIDR"IPv6 = "IPv6"IPv6CIDR = "IPv6CIDR"Registry = "Registry Key"SSDeep = "ssdeep"URL = "URL"
"rawJSON"- required. This dictionary should contain the
"type"fields as well as any other unmodified data returned from the feed source about an indicator.
"fields"- optional. A dictionary that maps values to existing indicator fields defined in Cortex XSOAR where the key is the
clinameof an indicator field. To see the full list of possible fields:
- Go to the
Settingssection in Cortex XSOAR.
- Click the
- Go to the
Fieldssection and filter
- To inspect a specific field - tick the box near the field name and click
Edit. Note that when inspecting a field, it's
clinameis listed as
- Go to the
Note: In indicators of type "File", if you have multiple hash types for the same file (i.e. MD5, SHA256, etc.), you can use the corresponding
"fields" to associate all hashes to the same object. The supported fields are:
ssdeep. You can use any of the aforementioned hash types as the indicator value for an indicator of type "File".