08-19-2022 05:00 AM
Hi,
I want to find a way to automate the following process as much as possible: IOCs are extracted from a CSV file into Cortex XSOAR, and then only these indicators are uploaded to the firewalls.
I found automations for each step separately, but maybe there is a playbook or integration with such functionality?
And another, less important question: how do I compare the IOCs that XSOAR had before enrichment from the file with these new ones? I know that it's possible to add an additional attribute field during extraction from the file, but I don't understand how to compare them with all the others.
08-21-2022 06:07 PM
The simplest way to do this wouldn't require a playbook at all - import the indicators with the CSV feed integration then export them out to the firewalls with an integration compatible with your firewalls such as Generic Export Indicator Service or TAXII.
A playbook is really only required if you want to do something specific with/to the indicators other than, as well as, or before exporting them. One common example is tagging indicators if/when they meet specific conditions, and then using that tag as part of the indicator query when doing the export. This playbook provides a good example of tagging indicators for that purpose: https://xsoar.pan.dev/docs/reference/playbooks/tag-massive-and-internal-io-cs-to-avoid-edl-listing
The timeline section on the indicator summary page will show you a list of changes since the creation of the indicator, which includes changes made due to enrichment.
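As an added illustration (not code from the reply above or from XSOAR itself), a plain-Python stand-in for the flow the reply describes: parse the CSV feed, tag internal or overly wide entries so they stay off the EDL, record which values are new versus already known, and export only what carries the export tag. The tag names, the /16 "massive" threshold, the sample rows and the set of pre-existing indicators are constructed assumptions.

```python
import csv
import io
import ipaddress

# Constructed sample CSV feed (not a real indicator list): value,type,source
FEED_CSV = """value,type,source
198.51.100.23,ip,feed-a
10.0.0.5,ip,feed-a
203.0.113.0/24,ip,feed-b
192.0.2.0/8,ip,feed-b
malicious.example,domain,feed-a
"""

# Indicators assumed to already exist in XSOAR before this import (constructed)
EXISTING = {"198.51.100.23", "malicious.example"}

# RFC 1918, loopback and link-local ranges treated as "internal" (never exported)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
MASSIVE_PREFIX = 16  # hypothetical threshold: anything wider than /16 is "massive"

def classify(value, ioc_type):
    """Return the tags a tagging playbook would apply before export."""
    tags = set()
    if ioc_type == "ip":
        net = ipaddress.ip_network(value, strict=False)  # accepts hosts and CIDRs
        if any(n.version == net.version and net.subnet_of(n) for n in INTERNAL_NETS):
            tags.add("internal")
        if net.prefixlen < MASSIVE_PREFIX:
            tags.add("massive")
    if not tags:
        tags.add("export")  # the tag the EDL query (tags:export) selects on
    return tags

def import_feed(csv_text, existing):
    """Parse the CSV feed, tag each row, and note whether the value is new."""
    indicators = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        indicators.append({"value": row["value"], "type": row["type"],
                           "tags": classify(row["value"], row["type"]),
                           "new": row["value"] not in existing})
    return indicators

def export_edl(indicators, tag="export"):
    """Emulate an export service returning one value per line for a tag query."""
    return [i["value"] for i in indicators if tag in i["tags"]]

if __name__ == "__main__":
    inds = import_feed(FEED_CSV, EXISTING)
    for i in inds:
        print(i["value"], sorted(i["tags"]), "new" if i["new"] else "known")
    print("\n".join(export_edl(inds)))
```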