09-11-2022 04:26 AM
Dears, we want to enrich our indicators from McAfee Sitelook and Symantec Sitelook. Suppose that we have a script that gets the results? How can we create the custom threat intelligence feeds in XSOAR?
09-11-2022 07:01 PM
Just to clarify: Indicator enrichment and indicator feeds are different things which serve different purposes.
Indicator enrichment queries for information about a specific indicator, and then adds that information to XSOAR. Think of this as a "pull" type method, where specific information is "pulled" on request. XSOAR needs to know what indicator to request in order to do enrichment.
Indicator feeds are just a list of indicators which meet specific criteria for inclusion. Usually the condition is just that they're malicious, but there are exceptions (Cloud provider IP address feeds, top website lists, etc). Think of this as a "push" method - XSOAR just requests "all indicators" or "all new indicators" and the feed sends whatever it deems appropriate, without XSOAR requesting any specific indicator.
Indicator enrichments and feeds are both done through integrations, but the features that the integration needs to implement for each are different, and the way the results are used are usually different.
I'd suggest starting with the marketplace ( https://xsoar.pan.dev/marketplace ) to see if there is already an integration for the sources that you use. If there is not, then you could either create one (see https://xsoar.pan.dev/docs/tutorials/tut-integration-ui ) or you could consider switching to a threat intel provider with a pre-built integration.
09-24-2022 04:59 AM
Thanks for this information but my question is different.
My case is that I want to make enrichments for some indicators on non-out-of-the-box integrations (threat intelligence platforms), like:
https://sitelookup.mcafee.com/
https://sitereview.bluecoat.com/#/
I know that XSOAR has out-of-the-box integrations like (VirusTotal, urlscan, etc.) but I want to make enrichment from the above-mentioned platforms.
What I know as a solution for this issue is to do a custom integration and get the results of the enrichment.
My question is the following:
How can I include these results to be calculated through the score of the indicator?
For example, I am trusting these two threat sources, so how can I change the reputation of the indicator based on the coming result?
09-25-2022 06:01 PM
The problem with sites like these is that they're not intended for bulk use.
They generally don't have an API, so any integration you create is going to be fragile and potentially break on any website changes. Using them within your XSOAR may also be against their TOS/EULA/etc. If possible I'd suggest reaching out to these providers to see if they have a service with an API intended for bulk use that references the same data instead.
For the technical part of your question: Your integration needs to return an indicator result with a score. See https://xsoar.pan.dev/docs/integrations/context-and-outputs#return-ip-reputation for reference.
Where you have multiple integrations which return results, the rules described here: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-5/cortex-xsoar-admin/manage-indicators/under... will apply.
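As an added illustration of the technical point in the reply above (this is example code, not part of the original thread and not XSOAR's own library code), the block below shows the shape of the indicator-reputation output an integration command returns: a DBotScore context entry (Indicator, Type, Vendor, Score, Reliability) alongside the URL standard context, and a simplified "worst score wins" combination across vendors. A real integration would build the same output with `Common.DBotScore`, `Common.URL` and `CommandResults` from CommonServerPython; here the raw context dictionaries are assembled directly so the example runs offline. The vendor names, the category-to-score mapping and the lookup results are constructed assumptions, and the combination rule is a simplification of the linked documentation, not a restatement of it.

```python
"""Added example: turning a site-categorisation lookup result into the XSOAR
indicator-reputation (DBotScore) output, and combining several vendors' scores.
Vendor names, categories and lookup results below are constructed for illustration."""

from typing import Dict, List

# Score values defined by the XSOAR DBotScore standard.
SCORE_UNKNOWN, SCORE_GOOD, SCORE_SUSPICIOUS, SCORE_BAD = 0, 1, 2, 3

# Context keys with the de-duplication expressions used by the DBotScore / URL standards.
DBOT_KEY = ("DBotScore(val.Indicator && val.Indicator == obj.Indicator "
            "&& val.Vendor == obj.Vendor && val.Type == obj.Type)")
URL_KEY = "URL(val.Data && val.Data == obj.Data)"

# Assumed policy: which vendor categories count as bad or suspicious.
# Any other non-empty category is treated as benign; an empty/uncategorised
# result stays UNKNOWN so it never lowers a verdict from another vendor.
BAD_CATEGORIES = {"malicious sites", "phishing", "malware"}
SUSPICIOUS_CATEGORIES = {"spam urls", "suspicious", "potentially unwanted software"}
UNKNOWN_CATEGORIES = {"", "uncategorized", "uncategorised"}


def category_to_score(category: str) -> int:
    """Map a vendor's category label to a DBot score (case-insensitive)."""
    label = category.strip().lower()
    if label in UNKNOWN_CATEGORIES:
        return SCORE_UNKNOWN
    if label in BAD_CATEGORIES:
        return SCORE_BAD
    if label in SUSPICIOUS_CATEGORIES:
        return SCORE_SUSPICIOUS
    return SCORE_GOOD


def build_url_reputation(url: str, vendor: str, category: str, reliability: str) -> Dict:
    """Build the war-room entry an integration returns for a URL reputation command.

    The EntryContext carries the DBotScore entry XSOAR uses to compute the
    indicator verdict, plus the URL standard context with the vendor's category.
    """
    score = category_to_score(category)
    dbot_score = {
        "Indicator": url,
        "Type": "url",
        "Vendor": vendor,
        "Score": score,
        "Reliability": reliability,
    }
    url_context = {"Data": url, "Category": category}
    if score == SCORE_BAD:
        # The Malicious sub-object is what marks the indicator as malicious in the UI.
        url_context["Malicious"] = {"Vendor": vendor,
                                    "Description": f"Categorised as {category}"}
    return {
        "Type": 1,                       # entryTypes['note']
        "ContentsFormat": "json",
        "Contents": {"url": url, "vendor": vendor, "category": category},
        "HumanReadable": f"### {vendor} lookup for {url}\n"
                         f"Category: {category or 'n/a'}, DBot score: {score}",
        "EntryContext": {DBOT_KEY: dbot_score, URL_KEY: url_context},
    }


def combine_scores(dbot_entries: List[Dict]) -> int:
    """Simplified combination across vendors: the worst (highest) score wins.

    Assumption for illustration only; XSOAR's actual rules (including how
    Reliability is weighed) are those in the documentation linked above.
    """
    return max((entry["Score"] for entry in dbot_entries), default=SCORE_UNKNOWN)


def demo() -> int:
    """Two constructed vendor results for the same URL, combined into one verdict."""
    url = "http://example.test/login"          # constructed indicator
    results = [
        build_url_reputation(url, "ExampleSiteLookupA", "Phishing", "B - Usually reliable"),
        build_url_reputation(url, "ExampleSiteLookupB", "Business", "B - Usually reliable"),
    ]
    for entry in results:
        print(entry["HumanReadable"])
    return combine_scores([r["EntryContext"][DBOT_KEY] for r in results])


if __name__ == "__main__":
    print("Combined verdict:", demo())
```

Each vendor's result keeps its own DBotScore entry (the context key de-duplicates on Indicator, Vendor and Type), which is what lets XSOAR weigh multiple sources for the same indicator rather than overwriting one vendor's verdict with another's.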