topic Re: Limitations Cortex XDR Pro with Threat Intelligence Feeds in Cortex XDR Discussions

Limitations Cortex XDR Pro with Threat Intelligence Feeds

RFeyertag — Wed, 15 Feb 2023 21:12:17 GMT

Hello dear community,

I'd like to know more about how you fill your IOCs in Cortex XDR Pro.

There are so many TI Feeds outside:

https://www.comparitech.com/net-admin/best-threat-intelligence-feeds/

I'd would prefer the low cost variant (XDR Pro is not the cheapest one). Here are my questions:

1. Does Cortex XDR Pro offer a API for uploading IOCs?

2. When uploading it manually, what are the limitations and requiements?

3. Will there be a better service in future for TI enrichment without to spend 100k (like for XSOAR + TI Feeds)

4. How do you get the data to Cortex XDR Pro ?

5. What are the limitations for uploading feed data through a new lookup in a dataset into Cortex XDR Pro?

Rob

Re: Limitations Cortex XDR Pro with Threat Intelligence Feeds

etugriceri — Thu, 16 Feb 2023 08:44:51 GMT

Hi @RFeyertag

1 Yes, with the API below, You can upload indicators by CSV or Json format.
https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-API-Reference/Insert-Simple-Indicators-CSV
2 There is no known size limitation but ofcourse file format should be correct.
3 With current API endpoints, You can write your code (parsing data, uploading via api). If you are asking, will TI Management be part of the XDR ? Currently Yes, XSIAM already has capability to manage TI.
4 If this is for any type of data, You cannot. You need to have XDR Pro per TB license. If you have, There multiple ways like using BrokerVM, XDR Collectors etc.
5 This is not possible with XDR Pro. You can upload IOC data with XDR Pro license But IOC uploading is not uploading data into specific dataset if you would like to keep your indicators in specific dataset, XDR Pro per TB requires.

Re: Limitations Cortex XDR Pro with Threat Intelligence Feeds

RFeyertag — Sun, 19 Feb 2023 21:58:21 GMT

Hi !

1 Yes, with the API below, You can upload indicators by CSV or Json format.
https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-API-Reference/Insert-Simple-Indicat...

1. Thank you, I will have look. Why are there different informations about the scanning IOCs? Or is it not the same which is written here?

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Working-with-IOCs

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-API-Reference/Start-an-XQL-Query 2 There is no known size limitation but ofcourse file format should be correct.

2. Isn't a 4 Million IOC Storage a limitation?

3 With current API endpoints, You can write your code (parsing data, uploading via api). If you are asking, will TI Management be part of the XDR ? Currently Yes, XSIAM already has capability to manage TI.

3. I am not amused about this product marketing, there could be one product with all the add-ons, but the core should get more and better features like in XSIAM.

4 If this is for any type of data, You cannot. You need to have XDR Pro per TB license. If you have, There multiple ways like using BrokerVM, XDR Collectors etc.

4. Thank you!
5 This is not possible with XDR Pro. You can upload IOC data with XDR Pro license But IOC uploading is not uploading data into specific dataset if you would like to keep your indicators in specific dataset, XDR Pro per TB requires.

5. Thank you!

BR

Rob

@etugriceri