Security Intelligence Services Feed

The Security Intelligence Services (SIS) feed from PassiveTotal provides newly observed Domain, Malware, Phishing, Content, and Scam Blacklist indicators, with hourly ingestion available. This integration was integrated and tested with version 1.0 of Security Intelligence Services Feed.

An XSOAR instance backed by Elasticsearch is required, because this integration ingests a large number of indicators from SIS into XSOAR.

For the same reason, if this integration fails to fetch indicators with a timeout error, set the feedIntegrationScript.timeout configuration to 45 or more.

Configure Security Intelligence Services Feed on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Security Intelligence Services Feed.
  3. Click Add instance to create and configure a new integration instance.
| Parameter | Description | Required |
| --- | --- | --- |
| accessKey | S3 Access Key | True |
| secretKey | S3 Secret Key | True |
| feedType | Feed Type | True |
| feed | Fetch indicators | False |
| feedReputation | Indicator Reputation | False |
| feedReliability | Source Reliability | True |
| feedExpirationPolicy |  | False |
| feedExpirationInterval |  | False |
| feedFetchInterval | Feed Fetch Interval | False |
| feedTags | Tags | False |
| MaxIndicators | Max Indicators Per Interval | True |
| firstFetchInterval | First Fetch Time Range (<number> <time unit>, e.g., 12 hours, 7 days, 3 months, 1 year) | True |
| feedBypassExclusionList | Bypass exclusion list | False |
| insecure | Trust any certificate (not secure) | False |
| proxy | Use system proxy settings | False |
  4. Click Test to validate the S3 Access Key, S3 Secret Key, Feed Type, and connection.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

sis-get-indicators

Gets indicators from the Security Intelligence Services feed. Note: indicators are fetched from the most recently found S3 object.

Base Command

sis-get-indicators

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| limit | The maximum number of indicators to return from S3. Note: the maximum supported limit is 1000. | Optional |
| feed_type | The feed type to fetch indicators from (one of the feed types listed above). | Optional |
| search | Only indicators that match the given search pattern are returned. | Optional |

Context Output

There is no context output for this command.

Command Example

!sis-get-indicators limit=2 feed_type=Domain

Human Readable Output

Total indicators fetched: 2

Indicators from Security Intelligence Services feed

| Value | Type |
| --- | --- |
| 0363059571.online | Domain |
| 0363059571.xyz | Domain |
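The flow behind sis-get-indicators, as an added example that is not the integration's own code: pick the most recently modified S3 object for the requested feed type, read it, apply the search pattern and the 1000-indicator cap on limit, and emit XSOAR-style value/type records like the table above. The `<feed type>/` key prefix, the one-value-per-line file format, the bucket name and the FakeS3Client stand-in (which mimics the list_objects_v2/get_object call shapes of a boto3 S3 client) are assumptions made for this example; the page documents neither the bucket layout nor the file format.

```python
import io
import re
from datetime import datetime, timezone

# Hard cap on the `limit` argument, as documented for sis-get-indicators.
MAX_LIMIT = 1000
# Feed types named on this page; only used to validate input here.
FEED_TYPES = ("Domain", "Malware", "Phishing", "Content", "Scam")


def latest_object(objects, feed_type):
    """Return the most recently modified object for one feed type.

    `objects` are dicts shaped like boto3 list_objects_v2 `Contents`
    entries (Key, LastModified). The "<feed_type>/..." key layout is an
    assumption for this example; the page does not document the bucket.
    """
    if feed_type not in FEED_TYPES:
        raise ValueError(f"unknown feed type: {feed_type}")
    candidates = [o for o in objects if o["Key"].startswith(f"{feed_type}/")]
    if not candidates:
        return None
    return max(candidates, key=lambda o: o["LastModified"])


def parse_indicators(body, feed_type, limit=50, search=None):
    """Turn a feed file body into XSOAR-style {value, type} dicts.

    Assumed file format: one indicator value per line, '#' comments
    allowed. `limit` is clamped to MAX_LIMIT; `search` is a regex that
    each value must match to be returned.
    """
    if limit < 1:
        raise ValueError("limit must be at least 1")
    limit = min(limit, MAX_LIMIT)
    pattern = re.compile(search) if search else None
    indicators = []
    for line in body.splitlines():
        value = line.strip()
        if not value or value.startswith("#"):
            continue
        if pattern and not pattern.search(value):
            continue
        indicators.append({"value": value, "type": feed_type})
        if len(indicators) >= limit:
            break
    return indicators


def get_indicators(client, bucket, feed_type="Domain", limit=50, search=None):
    """The sis-get-indicators flow: find the latest object, then parse it.

    `client` only needs list_objects_v2() and get_object() with boto3's
    call shapes, so a real boto3 S3 client or the fake below both work.
    """
    listing = client.list_objects_v2(Bucket=bucket, Prefix=f"{feed_type}/")
    obj = latest_object(listing.get("Contents", []), feed_type)
    if obj is None:
        return []
    body = client.get_object(Bucket=bucket, Key=obj["Key"])["Body"].read()
    return parse_indicators(body.decode("utf-8"), feed_type, limit, search)


class FakeS3Client:
    """Offline stand-in for a boto3 S3 client, loaded with constructed data."""

    def __init__(self, objects):
        self._objects = objects  # key -> (LastModified, bytes)

    def list_objects_v2(self, Bucket, Prefix=""):
        contents = [{"Key": k, "LastModified": lm}
                    for k, (lm, _) in self._objects.items() if k.startswith(Prefix)]
        return {"Contents": contents}

    def get_object(self, Bucket, Key):
        return {"Body": io.BytesIO(self._objects[Key][1])}


def _ts(hour):
    return datetime(2020, 6, 1, hour, tzinfo=timezone.utc)


# Constructed sample bucket: two hourly Domain files and one Phishing file.
SAMPLE_OBJECTS = {
    "Domain/2020-06-01T10.txt": (_ts(10), b"old-example.online\nold-example.xyz\n"),
    "Domain/2020-06-01T11.txt": (_ts(11), b"# hourly feed\n0363059571.online\n"
                                          b"0363059571.xyz\nbenign-looking.test\n"),
    "Phishing/2020-06-01T11.txt": (_ts(11), b"login-verify.example\n"),
}


def demo():
    """Equivalent of `!sis-get-indicators limit=2 feed_type=Domain`."""
    return get_indicators(FakeS3Client(SAMPLE_OBJECTS), "sis-bucket", "Domain", limit=2)


if __name__ == "__main__":
    for ind in demo():
        print(ind["value"], ind["type"])
```

Only the most recent object for the feed type is read, which is why a small limit returns the newest entries rather than a sample across the whole bucket; the clamp in parse_indicators is what enforces the documented 1000 maximum regardless of what the caller passes.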