Limitations Cortex XDR Pro with Threat Intelligence Feeds


L4 Transporter

Hello dear community, 

I'd like to know more about how you fill your IOCs into Cortex XDR Pro.

There are so many TI Feeds outside:


https://www.comparitech.com/net-admin/best-threat-intelligence-feeds/

I would prefer the low-cost variant (XDR Pro is not the cheapest one). Here are my questions:

1. Does Cortex XDR Pro offer an API for uploading IOCs?

2. When uploading manually, what are the limitations and requirements?

3. Will there be a better service in the future for TI enrichment without having to spend 100k (like for XSOAR + TI Feeds)?

4. How do you get the data into Cortex XDR Pro?

5. What are the limitations for uploading feed data through a new lookup in a dataset into Cortex XDR Pro?

BR

Rob

L3 Networker

Hi @RFeyertag 

1. Yes, with the API below, you can upload indicators in CSV or JSON format.
https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-API-Reference/Insert-Simple-Indicat...
2. There is no known size limitation, but of course the file format should be correct.
3. With the current API endpoints, you can write your own code (parsing data, uploading via API). If you are asking whether TI Management will be part of XDR: currently yes, XSIAM already has the capability to manage TI.
4. If this is for any type of data, you cannot. You need to have an XDR Pro per TB license. If you have it, there are multiple ways, like using the Broker VM, XDR Collectors, etc.
5. This is not possible with XDR Pro. You can upload IOC data with an XDR Pro license, but IOC uploading does not load data into a specific dataset; if you would like to keep your indicators in a specific dataset, XDR Pro per TB is required.
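The reply above says you can write your own code to parse a feed and push it through the Insert Simple Indicators endpoint. The following is an added example, not code from the thread or from Palo Alto Networks: it parses a constructed CSV feed, validates and de-duplicates each row, enforces a configurable indicator cap (the 4 million figure raised later in the thread is used as the default), and builds the request body. The field names (indicator, type, severity, reputation, reliability, expiration_date, comment) and the request_data/validate wrapper follow the API reference linked in the reply; the feed column names and the sample values are constructed, and the HTTP call itself is left to the reader so the script runs offline.

```python
import csv
import io
import re
from datetime import datetime, timedelta, timezone

# Constructed sample feed in the value,kind,note shape many free TI feeds use.
SAMPLE_FEED = """value,kind,note
198.51.100.23,ip,scanner seen in honeypot
bad-example.test,domain,phishing landing page
d41d8cd98f00b204e9800998ecf8427e,hash,md5 of an empty file (test only)
198.51.100.23,ip,duplicate row
not an indicator,ip,garbage row
"""

# Feed "kind" values mapped to the indicator types the insert_jsons endpoint expects.
TYPE_MAP = {"ip": "IP", "domain": "DOMAIN_NAME", "hash": "HASH"}

# Syntax checks so a malformed feed row never becomes a bogus indicator in the tenant.
VALIDATORS = {
    "IP": re.compile(r"^(\d{1,3}\.){3}\d{1,3}$"),
    "DOMAIN_NAME": re.compile(r"^(?=.{1,253}$)[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$"),
    "HASH": re.compile(r"^([0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$"),
}


def feed_to_indicators(csv_text, ttl_days=30, max_count=4_000_000):
    """Turn a feed CSV into the list of indicator objects for request_data.

    Returns (indicators, rejected_values). Rows with an unknown kind or a value
    that fails the syntax check are rejected; duplicates are dropped; exceeding
    max_count raises so a runaway feed is noticed before anything is sent."""
    expires_ms = int((datetime.now(timezone.utc) + timedelta(days=ttl_days)).timestamp() * 1000)
    seen, indicators, rejected = set(), [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        xdr_type = TYPE_MAP.get(row["kind"].strip().lower())
        value = row["value"].strip()
        if xdr_type is None or not VALIDATORS[xdr_type].match(value):
            rejected.append(value)
            continue
        key = (xdr_type, value.lower())
        if key in seen:
            continue
        seen.add(key)
        indicators.append({"indicator": value, "type": xdr_type, "severity": "MEDIUM",
                           "reputation": "BAD", "reliability": "C",
                           "expiration_date": expires_ms, "comment": row["note"]})
    if len(indicators) > max_count:
        raise ValueError(f"{len(indicators)} indicators exceed the cap of {max_count}")
    return indicators, rejected


def build_request(indicators, validate=True):
    """Body for POST https://<tenant-fqdn>/public_api/v1/indicators/insert_jsons
    (send with the x-xdr-auth-id and Authorization headers from your API key)."""
    return {"request_data": indicators, "validate": validate}
```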

Hi!

1. Yes, with the API below, you can upload indicators in CSV or JSON format.
https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-API-Reference/Insert-Simple-Indicat...

1. Thank you, I will have a look. Why is there different information about scanning IOCs? Or is it not the same as what is written here?

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Working-wit...

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-API-Reference/Start-an-XQL-Query 2 ...

2. Isn't a 4 million IOC storage a limitation?

3. With the current API endpoints, you can write your own code (parsing data, uploading via API). If you are asking whether TI Management will be part of XDR: currently yes, XSIAM already has the capability to manage TI.

3. I am not amused about this product marketing; there could be one product with all the add-ons, but the core should get more and better features, like in XSIAM.

4. If this is for any type of data, you cannot. You need to have an XDR Pro per TB license. If you have it, there are multiple ways, like using the Broker VM, XDR Collectors, etc.

4. Thank you!

5. This is not possible with XDR Pro. You can upload IOC data with an XDR Pro license, but IOC uploading does not load data into a specific dataset; if you would like to keep your indicators in a specific dataset, XDR Pro per TB is required.

5. Thank you!


BR

Rob


@etugriceri
