To integrate your external IOC (Indicator of Compromise) list into Cortex XSOAR, you can utilize the Generic Export Indicators Service. This service allows you to host and manage your IOC list within XSOAR, making it accessible to other security tools like firewalls and SIEMs.
Cortex XSOAR Version: Ensure you are using Cortex XSOAR version 5.5.0 or later, as the Generic Export Indicators Service integration is supported from this version onward.
Network Configuration: Ensure that the necessary ports are open and accessible for the integration to function correctly.
IOC List Format: Your external IOC list should be in .txt format, containing one indicator per line. Supported IOC types include:
Indicator Extraction: Utilize the ExtractIndicatorsFromTextFile automation script to parse the .txt file and create indicators within XSOAR.
Tagging: Assign specific tags to the imported indicators to facilitate filtering and exporting.
.txt
IOC file.
<entry_id> with the actual entry ID of the uploaded file:

Backend | Maximum Indicator Capacity | Disk Usage |
---|---|---|
BoltDB | 5–7 million | ~30 GB |
Elasticsearch | 100 million | ~70 GB |
Indicator Types: The integration does not perform indicator type validation. Indicators are added to the EDL exactly as entered.
Security Considerations: Ensure that appropriate security measures are in place when exposing the EDL over HTTP/HTTPS, including the use of certificates and access controls.
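Because the export service adds entries exactly as written, it helps to validate the .txt list before it is parsed and tagged. The following is an added example, not the ExtractIndicatorsFromTextFile script or any XSOAR code: it reads a constructed one-indicator-per-line file, classifies each line, rejects anything that does not parse as an IP, domain, URL or hash, attaches a tag for later filtering, and renders the accepted entries of one type as the one-per-line text an EDL consumer expects. The type labels (ip, domain, url, md5, sha1, sha256) and the tag name are assumptions for this example, not XSOAR's own type or tag names.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample input: one indicator per line, as the guide expects.
# The comment line, the out-of-range IP and the free-text line are deliberate.
SAMPLE_IOC_FILE = """\
# constructed sample list
198.51.100.23
evil-example.test
https://malicious.example/path?x=1
d41d8cd98f00b204e9800998ecf8427e
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
999.1.1.1
not an indicator
"""

HEX = re.compile(r"^[0-9a-fA-F]+$")
DOMAIN = re.compile(
    r"^(?=.{1,253}$)(?!-)([A-Za-z0-9-]{1,63}(?<!-)\.)+[A-Za-z]{2,63}$"
)


def classify(value: str) -> Optional[str]:
    """Return an assumed type label for one line, or None if it is not a
    recognisable indicator. Order matters: IPs and hashes are checked before
    the looser URL and domain patterns."""
    v = value.strip()
    try:
        ipaddress.ip_address(v)  # accepts IPv4 and IPv6
        return "ip"
    except ValueError:
        pass
    if HEX.match(v):
        return {32: "md5", 40: "sha1", 64: "sha256"}.get(len(v))
    if "://" in v:
        p = urlparse(v)
        return "url" if p.scheme in ("http", "https") and p.netloc else None
    if DOMAIN.match(v):
        return "domain"
    return None


def parse_ioc_file(
    text: str, tags: Tuple[str, ...] = ("external-edl",)  # assumed tag name
) -> Tuple[List[Dict], List[str]]:
    """Split the file into accepted indicator records and rejected lines.
    Blank lines and '#' comments are skipped; every other line must classify,
    because nothing downstream will validate it."""
    accepted, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind = classify(line)
        if kind is None:
            rejected.append(f"line {lineno}: {line!r}")
            continue
        accepted.append({"value": line, "type": kind, "tags": list(tags)})
    return accepted, rejected


def render_edl(records: List[Dict], kind: str) -> str:
    """Render the validated indicators of one type as the one-per-line text
    a firewall or SIEM pulling the EDL expects."""
    return "".join(r["value"] + "\n" for r in records if r["type"] == kind)


if __name__ == "__main__":
    ok, bad = parse_ioc_file(SAMPLE_IOC_FILE)
    for rec in ok:
        print(rec["type"], rec["value"], rec["tags"])
    for msg in bad:
        print("REJECTED", msg)
    print(render_edl(ok, "ip"), end="")
```

Rejected lines are reported with their line number so the list owner can fix the source file rather than silently dropping entries; the accepted records carry the tag that the export service would later filter on.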
https://xsoar.pan.dev/docs/reference/integrations/edl
https://xsoar.pan.dev/docs/reference/playbooks/pan-os-edl-service-configuration
https://xsoar.pan.dev/docs/reference/playbooks/modify-edl