External Integration – XSOAR
To integrate your external IOC (Indicator of Compromise) list into Cortex XSOAR, use the Generic Export Indicators Service. This integration hosts the indicators you select as an External Dynamic List (EDL) on an HTTP endpoint served by XSOAR, so other security tools such as firewalls and SIEMs can pull the list from there.
1. Prerequisites
Cortex XSOAR Version: Ensure you are using Cortex XSOAR version 5.5.0 or later, as the Generic Export Indicators Service integration is supported from this version onward.
Network Configuration: The listen port you assign to the service (see Step 4 below) must be reachable from the firewalls and SIEMs that will pull the list; check any host firewall or load balancer in between.
2. Requirements
IOC List Format: Your external IOC list should be in .txt format, containing one indicator per line. Supported IOC types include:
- IP addresses
- Domain names
- URLs
- File hashes (e.g., MD5, SHA1, SHA256)
Indicator Extraction: Utilize the ExtractIndicatorsFromTextFile automation script to parse the .txt file and create indicators within XSOAR.
Tagging: Assign specific tags to the imported indicators to facilitate filtering and exporting.
3. Configuration
Step 1: Import IOC List into XSOAR
- Navigate to Settings > Advanced > Lists.
- Click Import and select your .txt IOC file.
- Name the list appropriately for easy identification.
Step 2: Extract Indicators from the Imported List
- Open the Playground in XSOAR.
- Run the following command, replacing <entry_id> with the entry ID of the uploaded file:
  !ExtractIndicatorsFromTextFile entryID=<entry_id>
Step 3: Tag the Extracted Indicators
- Navigate to Threat Intel > Indicators.
- Filter the indicators based on the recent extraction.
- Select the relevant indicators and apply a unique tag (e.g., external_ioc_list)
Step 4: Configure the Generic Export Indicators Service Integration
- Go to Settings > Integrations > Servers & Services.
- Search for Generic Export Indicators Service and click Add instance.
- Configure the instance with the following parameters:
  - Name: Descriptive name for the service.
  - Indicator Query: Use a query to select indicators, such as tags:external_ioc_list.
  - Export Format: Choose between plain text, JSON, or CSV.
  - Listen Port: Specify a port (e.g., 7000) for the service to run on.
  - Authentication: Set up credentials if required.
- Click Test to validate the configuration and then Save the instance.
4. Limitations
- Indicator capacity: the maximum number of indicators Cortex XSOAR can hold depends on the backend database:
| Backend | Maximum Indicator Capacity | Disk Usage |
|---|---|---|
| BoltDB | 5–7 million | ~30 GB |
| Elasticsearch | 100 million | ~70 GB |
- Indicator Types: The integration does not perform indicator type validation. Indicators are added to the EDL exactly as entered, so a malformed or mistyped line in the source file reaches every consumer of the list; validate the list before importing it.
- Security Considerations: Exposing the EDL over HTTP/HTTPS exposes your blocklist to any client that can reach the listen port. Serve it over HTTPS with a proper certificate, require the credentials configured on the instance, and restrict the port at the network level to the firewalls and SIEMs that consume the list.
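The two checks a practitioner wants around this procedure, as an added example that is not part of this page or of XSOAR's own content: a pre-import validator for the .txt list that accepts only the indicator types listed under Requirements (IP, domain, URL, MD5/SHA1/SHA256) and rejects everything else, because the export service does no type validation of its own; and a post-export comparison of the plain-text body the EDL endpoint returns against the validated list, to catch stale or unexpected entries. Assumptions, not taken from the page: lines starting with `#` are comments, CIDR ranges count as IP indicators, the hostname pattern is a reasonable default, and all sample data is constructed (documentation addresses and well-known test digests).

```python
import ipaddress
import re
import sys
from urllib.parse import urlparse

# Hex digest lengths for the hash types the requirements list as supported.
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
# Hostname with at least one dot and an alphabetic TLD (assumed shape; tune for your feed).
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.IGNORECASE
)


def classify(value):
    """Return 'ip', 'domain', 'url', 'md5', 'sha1' or 'sha256', or None if unsupported."""
    v = value.strip()
    if not v:
        return None
    try:  # single addresses and CIDR ranges; strict=False tolerates host bits set
        ipaddress.ip_network(v, strict=False)
        return "ip"
    except ValueError:
        pass
    if HEX_RE.match(v) and len(v) in HASH_TYPES:
        return HASH_TYPES[len(v)]
    if "://" in v:  # defanged schemes such as hxxp:// are rejected on purpose
        parsed = urlparse(v)
        return "url" if parsed.scheme in ("http", "https") and parsed.netloc else None
    if DOMAIN_RE.match(v):
        return "domain"
    return None


def validate_ioc_list(text):
    """Split raw .txt content into (accepted, rejected).

    accepted maps indicator -> type, deduplicated (domains and hashes case-folded);
    rejected is a list of (line_no, raw_line) for lines matching no supported type.
    """
    accepted, rejected = {}, []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # assumption: '#' introduces a comment
            continue
        kind = classify(line)
        if kind is None:
            rejected.append((line_no, raw))
            continue
        key = line.lower() if kind in ("domain", "md5", "sha1", "sha256") else line
        accepted.setdefault(key, kind)
    return accepted, rejected


def diff_edl(expected, served_text):
    """Return (missing, extra): expected indicators absent from the served plain-text
    body, and served lines not in the expected set (stale or over-matched entries)."""
    served = {ln.strip() for ln in served_text.splitlines() if ln.strip()}
    return sorted(set(expected) - served), sorted(served - set(expected))


# Constructed sample feed: documentation addresses and test digests, not real IOCs.
SAMPLE_LIST = """\
# constructed sample IOC list
198.51.100.7
2001:db8::dead:beef
203.0.113.0/24
evil.example
EVIL.example
http://evil.example/payload.bin
d41d8cd98f00b204e9800998ecf8427e
da39a3ee5e6b4b0d3255bfef95601890afd80709
hxxp://defanged.example/x
not an indicator
user@evil.example
"""

# Constructed body as the plain-text EDL endpoint might return it: one hash never
# got tagged, and one stale domain is still tagged.
SAMPLE_EDL_RESPONSE = """\
198.51.100.7
2001:db8::dead:beef
203.0.113.0/24
evil.example
http://evil.example/payload.bin
d41d8cd98f00b204e9800998ecf8427e
stale.example
"""


def main(argv):
    # Usage: script.py [ioc_list.txt] [saved_edl_response.txt]; falls back to the samples.
    list_text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_LIST
    edl_text = open(argv[2]).read() if len(argv) > 2 else SAMPLE_EDL_RESPONSE
    accepted, rejected = validate_ioc_list(list_text)
    for line_no, raw in rejected:
        print(f"reject line {line_no}: {raw!r}")
    print(f"{len(accepted)} indicators ready to import")
    missing, extra = diff_edl(accepted, edl_text)
    print(f"missing from EDL: {missing}")
    print(f"unexpected in EDL: {extra}")
    return 1 if rejected or missing or extra else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the source file before Step 1 and fix or drop every rejected line. After Step 4, save the body the service returns (for example by fetching the listen port with curl using the credentials configured on the instance) and pass it as the second argument; a non-zero exit means the imported list and the exported list disagree, which usually points at indicators that were never tagged or at an Indicator Query that matches more than the external list.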
Official Documentation
https://xsoar.pan.dev/docs/reference/integrations/edl
https://xsoar.pan.dev/docs/reference/playbooks/pan-os-edl-service-configuration
https://xsoar.pan.dev/docs/reference/playbooks/modify-edl