iDefense Feed

Supported versions

Supported Cortex XSOAR versions: 5.5.0 and later.

Fetches indicators from an iDefense feed. You can filter the returned indicators by indicator type, indicator severity, threat type, confidence, and malware family (each of these is an integration parameter). Indicators are ingested incrementally. This feed integration was integrated and tested with version v2.61.1 of iDefense.

Configure iDefense Feed on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for iDefense Feed.

  3. Click Add instance to create and configure a new integration instance.

    | Parameter | Description | Required |
    | --- | --- | --- |
    | feed | Fetch indicators | False |
    | api_token | API Key | True |
    | feedReputation | Indicator Reputation | False |
    | feedReliability | Source Reliability | True |
    | tlp_color | Traffic Light Protocol Color | False |
    | feedExpirationPolicy | | False |
    | feedExpirationInterval | | False |
    | feedFetchInterval | Feed Fetch Interval | False |
    | feedIncremental | Incremental Feed | False |
    | fetch_time | First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days) | False |
    | indicator_type | Indicator Type | True |
    | severity | Indicator Severity | False |
    | threat_type | Threat Type | False |
    | confidence_from | Confidence | False |
    | malware_family | Malware Family | False |
    | feedBypassExclusionList | Bypass exclusion list | False |
    | feedTags | Tags | False |
    | insecure | Trust any certificate (not secure) | False |
    | proxy | Use system proxy settings | False |
  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

idefense-get-indicators

Gets the feed indicators.

Base Command

idefense-get-indicators

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| limit | The maximum number of results to return. The default value is 50. | Optional |

Context Output

There is no context output for this command.

Command Example

!idefense-get-indicators limit=10

Context Example

There is no context output for this command.

Indicators

| value | type | rawJSON |
| --- | --- | --- |
| http://example.com | URL | confidence: 50<br>display_text: http://example.com<br>index_timestamp: 2020-12-13T23:31:03.848Z<br>key: http://example.com<br>last_modified: 2020-12-13T23:29:13.000Z<br>last_published: 2020-12-07T14:50:44.000Z<br>last_seen: 2020-12-13T20:08:24.000Z<br>last_seen_as: MALWARE_DOWNLOAD<br>malware_family:<br>replication_id: xxx<br>severity: 3<br>threat_types: Cyber Crime<br>type: url<br>uuid: xxx |
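The following is an added example, not code from the iDefense integration or from Cortex XSOAR. It shows how the instance parameters described above (indicator_type, severity, threat_type, confidence_from, malware_family, fetch_time, tlp_color, feedTags) can be applied to feed records in the rawJSON shape shown in the table, and how an incremental fetch advances a `last_modified` watermark so that each run only ingests records modified since the previous one. The feed records are constructed for the example, the `XSOAR_TYPES` mapping and the treatment of `severity` and `confidence_from` as minimum thresholds are assumptions, and the `fetch_indicators`, `matches_filters`, `build_indicator` and `first_fetch_cutoff` names are hypothetical.

```python
from datetime import datetime, timedelta, timezone
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample records in the rawJSON shape shown above (not real feed data).
SAMPLE_RECORDS: List[Dict[str, Any]] = [
    {"key": "http://example.com", "type": "url", "confidence": 50, "severity": 3,
     "threat_types": ["Cyber Crime"], "malware_family": None,
     "last_seen_as": "MALWARE_DOWNLOAD", "last_modified": "2020-12-13T23:29:13.000Z"},
    {"key": "http://example.org/low", "type": "url", "confidence": 20, "severity": 2,
     "threat_types": ["Cyber Crime"], "malware_family": None,
     "last_modified": "2020-12-10T10:00:00.000Z"},
    {"key": "198.51.100.7", "type": "ip", "confidence": 90, "severity": 5,
     "threat_types": ["Cyber Espionage"], "malware_family": "ExampleFamily",
     "last_modified": "2020-12-14T08:00:00.000Z"},
    {"key": "203.0.113.9", "type": "ip", "confidence": 80, "severity": 4,
     "threat_types": ["Cyber Crime"], "malware_family": None,
     "last_modified": "2020-12-01T00:00:00.000Z"},
]

# Assumed mapping from the feed's "type" values to Cortex XSOAR indicator types.
XSOAR_TYPES = {"url": "URL", "ip": "IP", "domain": "Domain", "file": "File"}

TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"  # e.g. 2020-12-13T23:29:13.000Z (UTC)


def parse_ts(value: str) -> datetime:
    """Parse one of the feed's UTC timestamps into an aware datetime."""
    return datetime.strptime(value, TS_FORMAT).replace(tzinfo=timezone.utc)


def first_fetch_cutoff(fetch_time: str, now: datetime) -> datetime:
    """Turn a '<number> <time unit>' setting such as '7 days' into an absolute cutoff."""
    number, unit = fetch_time.split()
    unit = unit.rstrip("s")  # accept both 'day' and 'days'
    units = {"minute": "minutes", "hour": "hours", "day": "days"}
    if unit not in units:
        raise ValueError(f"unsupported time unit: {unit}")
    return now - timedelta(**{units[unit]: int(number)})


def as_list(value: Any) -> List[str]:
    """threat_types may arrive as a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def matches_filters(record: Dict[str, Any], params: Dict[str, Any]) -> bool:
    """Apply the instance's filter parameters to one record (thresholds are assumed minimums)."""
    if record.get("type") not in params["indicator_type"]:
        return False
    if params.get("severity") is not None and record.get("severity", 0) < params["severity"]:
        return False
    if params.get("confidence_from") is not None and record.get("confidence", 0) < params["confidence_from"]:
        return False
    wanted_threats = params.get("threat_type") or []
    if wanted_threats and not set(as_list(record.get("threat_types"))) & set(wanted_threats):
        return False
    wanted_families = params.get("malware_family") or []
    if wanted_families and record.get("malware_family") not in wanted_families:
        return False
    return True


def build_indicator(record: Dict[str, Any], params: Dict[str, Any]) -> Dict[str, Any]:
    """Shape a record as an XSOAR indicator: value, type, rawJSON, plus TLP colour and tags."""
    indicator: Dict[str, Any] = {
        "value": record["key"],
        "type": XSOAR_TYPES[record["type"]],
        "rawJSON": record,
        "fields": {},
    }
    if params.get("tlp_color"):
        indicator["fields"]["trafficlightprotocol"] = params["tlp_color"]
    if params.get("feedTags"):
        indicator["fields"]["tags"] = params["feedTags"]
    return indicator


def fetch_indicators(records: List[Dict[str, Any]], params: Dict[str, Any],
                     last_run: Optional[str], now: datetime) -> Tuple[List[Dict[str, Any]], Optional[str]]:
    """Incremental fetch: keep only records modified after last_run (or, on the first
    run, after the fetch_time window), and return the new last_run watermark."""
    cutoff = parse_ts(last_run) if last_run else first_fetch_cutoff(params.get("fetch_time", "7 days"), now)
    newest = last_run
    indicators = []
    for record in records:
        modified = parse_ts(record["last_modified"])
        if modified <= cutoff:
            continue  # already ingested on a previous run, or older than the first-fetch window
        if newest is None or modified > parse_ts(newest):
            newest = record["last_modified"]  # advance the watermark even for filtered-out records
        if matches_filters(record, params):
            indicators.append(build_indicator(record, params))
    return indicators, newest


# Example instance parameters and a fixed "now" so the run is reproducible.
EXAMPLE_PARAMS = {"indicator_type": ["url", "ip"], "severity": 3, "confidence_from": 50,
                  "threat_type": ["Cyber Crime"], "fetch_time": "30 days",
                  "tlp_color": "AMBER", "feedTags": ["idefense"]}
EXAMPLE_NOW = datetime(2020, 12, 15, tzinfo=timezone.utc)


def demo() -> Tuple[List[Dict[str, Any]], Optional[str], List[Dict[str, Any]], Optional[str]]:
    """First run (no last_run) followed by a second run with the returned watermark."""
    first, watermark = fetch_indicators(SAMPLE_RECORDS, EXAMPLE_PARAMS, None, EXAMPLE_NOW)
    second, watermark2 = fetch_indicators(SAMPLE_RECORDS, EXAMPLE_PARAMS, watermark, EXAMPLE_NOW)
    return first, watermark, second, watermark2


if __name__ == "__main__":
    first, watermark, second, _ = demo()
    print([i["value"] for i in first], watermark, len(second))
```

The watermark is advanced for every record inside the time window, not only for those that pass the filters; otherwise a record that was filtered out would be re-examined on every run, and the `last_modified` comparison on the second `fetch_indicators` call above shows that nothing is ingested twice.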