Cortex XDR - IOC

Cortex XDR is the world's first detection and response app that natively integrates network, endpoint and cloud data to stop sophisticated attacks.

Use the Cortex XDR - IOCs feed integration to sync indicators between Cortex XSOAR and Cortex XDR. The integration syncs indicators according to the defined fetch interval. At each interval, it pushes the new and modified indicators matched by the Sync Query from Cortex XSOAR to Cortex XDR. Additionally, it checks for manual modifications of indicators on Cortex XDR and syncs them back to Cortex XSOAR. Once per day, the integration performs a complete sync, which also removes from Cortex XDR any indicators that have been deleted or expired in Cortex XSOAR.
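The three sync steps described above (interval push, sync-back of manual XDR changes, daily full sync), modelled as an added Python example that is not the integration's own code; the XSOAR and XDR dicts are constructed sample data, and the field names and status values are assumptions.

```python
from datetime import datetime, timezone

# Constructed sample of the XSOAR indicator store: value -> last modification
# time, whether XSOAR still considers it active (not deleted/expired), and the
# status XSOAR last pushed to XDR. Field names are assumptions for this model.
XSOAR = {
    "11.11.11.11":  {"modified": "2024-05-01T09:00:00Z", "active": True,  "status": "ENABLED"},
    "22.22.22.22":  {"modified": "2024-05-01T09:30:00Z", "active": True,  "status": "ENABLED"},
    "evil.example": {"modified": "2024-04-20T00:00:00Z", "active": False, "status": "ENABLED"},  # expired in XSOAR
}

# Constructed sample of what XDR currently holds: value -> status seen on XDR.
XDR = {
    "11.11.11.11":  "ENABLED",
    "22.22.22.22":  "DISABLED",   # an analyst disabled this one manually in XDR
    "evil.example": "ENABLED",    # expired on the XSOAR side, still live on XDR
    "33.33.33.33":  "ENABLED",    # no longer exists in XSOAR at all
}


def _ts(value):
    """Parse the ISO-8601 timestamps used in the sample data as UTC."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def interval_push(xsoar, last_run):
    """Per-interval push: active indicators created or modified since the previous run."""
    return sorted(v for v, d in xsoar.items()
                  if d["active"] and _ts(d["modified"]) > _ts(last_run))


def sync_back(xsoar, xdr):
    """Manual changes on XDR: indicators whose XDR status differs from what XSOAR pushed."""
    return {v: s for v, s in xdr.items() if v in xsoar and xsoar[v]["status"] != s}


def full_sync_removals(xsoar, xdr):
    """Daily full sync: XDR entries that XSOAR has deleted or expired are removed from XDR."""
    return sorted(v for v in xdr if v not in xsoar or not xsoar[v]["active"])


if __name__ == "__main__":
    print("push:", interval_push(XSOAR, "2024-05-01T09:15:00Z"))
    print("sync back:", sync_back(XSOAR, XDR))
    print("remove from XDR:", full_sync_removals(XSOAR, XDR))
```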

This integration was integrated and tested with Branch: stable-50 of XDR.

Configure Cortex XDR - IOC on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Cortex XDR - IOC.
  3. Click Add instance to create and configure a new integration instance.
Parameter                Description                              Required
url                      Server URL (e.g. https://example.net)    True
apikey_id                API Key ID                               True
apikey                   API Key                                  True
feed                     Fetch indicators                         False
severity                 The severity in Cortex XDR               True
query                    Sync Query                               True
insecure                 Trust any certificate (not secure)       False
proxy                    Use system proxy settings                False
feedReputation           Indicator Reputation                     False
feedReliability          Source Reliability                       True
feedExpirationPolicy                                              False
feedExpirationInterval                                            False
feedFetchInterval        Feed Fetch Interval                      False
feedBypassExclusionList  Bypass exclusion list                    False
  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook.
After you successfully execute a command, a DBot message appears in the War Room with the command details.

xdr-iocs-sync

Run this once when configuring the integration (do NOT run it twice!). It takes all the indicators that were synced with XDR and resyncs them.

Base Command

xdr-iocs-sync

Input

There are no input arguments for this command.

Context Output

There is no context output for this command.

Command Example

!xdr-iocs-sync

Human Readable Output

sync with XDR completed.

xdr-iocs-push

Push new IOCs to XDR. Run this every minute (without the indicator argument) or when triggered by an IOC (using the indicator argument).

Base Command

xdr-iocs-push

Input

Argument Name   Description      Required
indicator       The indicators   Optional

Context Output

There is no context output for this command.

Command Example

!xdr-iocs-push

Human Readable Output

push success.

xdr-iocs-enable

Enable IOCs on the XDR server.

Base Command

xdr-iocs-enable

Input

Argument Name   Description               Required
indicator       The indicator to enable   Required

Context Output

There is no context output for this command.

Command Example

!xdr-iocs-enable indicator=11.11.11.11

Human Readable Output

indicators 11.11.11.11 enabled.

xdr-iocs-disable

Disable IOCs on the XDR server.

Base Command

xdr-iocs-disable

Input

Argument Name   Description                Required
indicator       The indicator to disable   Required

Context Output

There is no context output for this command.

Command Example

!xdr-iocs-disable indicator=22.22.22.22

Human Readable Output

indicators 22.22.22.22 disabled.