Upload IOC from file to firewall via XSOAR

asernova — Fri, 19 Aug 2022 12:00:36 GMT

Hi,

I want to find a way of maximum automatization of the next process: IOC are extracted from CSV file to Cortex XSOAR and than only this indicators are uploaded to firewalls.

I found automations for each step separately but maybe exist any playbook or integration with such functionality?

And another less important question is how to compare IOC what XSOAR had before enrichment from file with this new? I know that it's possible to give additional attribute field during extracting from file but don't understand how to compare with all another's.

Re: Upload IOC from file to firewall via XSOAR

chrking — Mon, 22 Aug 2022 01:07:49 GMT

The simplest way to do this wouldn't require a playbook at all - import the indicators with the CSV feed integration then export them out to the firewalls with an integration compatible with your firewalls such as Generic Export Indicator Service or TAXII.

A playbook is really only required if you want to do something specific with/to the indicators other than, as well as, or before exporting them. One common example is tagging indicators if/when they meet specific conditions, and then using that tag as part of the indicator query when doing the export. This playbook provides a good example of tagging indicators for that purpose: https://xsoar.pan.dev/docs/reference/playbooks/tag-massive-and-internal-io-cs-to-avoid-edl-listing

The timeline section on the indicator summary page will show you a list of changes since the creation of the indicator, which includes changes made due to enrichment.

topic Upload IOC from file to firewall via XSOAR in Cortex XSOAR Discussions

Upload IOC from file to firewall via XSOAR

Re: Upload IOC from file to firewall via XSOAR