Details

This workflow appears in the pivot menu and allows you to add an observable to a threat intelligence feed in Cisco XDR. These feeds can be used by other products to get lists of observables from Cisco XDR. For example, a feed of domains could be used by a firewall to block matching traffic.

Description

Supported observables: domain, ip, sha256

Target: Private Intelligence API

Steps:

  • Convert the observable type to uppercase
  • Search for the indicator the workflow needs
  • Check if the indicator was found:
    • If it was, extract its ID and set the local ID variable
    • If it wasn't, attempt to create it and set the local ID variable
  • Search for the feed for this observable type
  • Check if the feed was found:
    • If it was, extract its ID and set the local ID variable
    • If it wasn't, attempt to create it and set the local ID variable
  • Create a malicious judgement for the observable (end the workflow if this fails)
  • Relate the judgement to the indicator (end the workflow if this fails)
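
The steps above, written out as an added example that is not the workflow's own code: the find-or-create logic for the indicator and feed, the malicious judgement, the element-of relationship, and the early exit when a create fails. The API is replaced by an in-memory stand-in so the logic runs offline; the object kinds, the `title` and `indicator_id` matching, the `producer`, `feed_type`, `output` and `relationship_type` values, and the `transient:` ID format are assumptions about the Private Intelligence API, not taken from the page.

```python
SUPPORTED = {"domain", "ip", "sha256"}  # observable types the page lists

class FakePrivateIntel:
    """In-memory stand-in for the Private Intelligence API (constructed for
    this example); search() and create() mirror a GET search and a POST."""
    def __init__(self, fail_on=()):
        self.store = {k: [] for k in ("indicator", "feed", "judgement", "relationship")}
        self.fail_on = set(fail_on)  # object kinds whose POST should fail
        self.counter = 0

    def search(self, kind, **match):
        return [o for o in self.store[kind]
                if all(o.get(k) == v for k, v in match.items())]

    def create(self, kind, doc):
        if kind in self.fail_on:
            return None  # a failed POST yields no ID
        self.counter += 1
        new_id = f"transient:{kind}-{self.counter}"  # assumed ID format
        self.store[kind].append({**doc, "id": new_id})
        return new_id

def find_or_create(api, kind, match, doc):
    """Search first; create only when nothing matches, so re-runs are idempotent."""
    found = api.search(kind, **match)
    return found[0]["id"] if found else api.create(kind, doc)

def add_to_feed(api, obs_type, value):
    """Return the IDs touched, or None when a required create fails
    (the workflow ends at that point and leaves no dangling relationship)."""
    obs_type = obs_type.lower()
    if obs_type not in SUPPORTED:
        raise ValueError(f"unsupported observable type: {obs_type}")
    title = f"{obs_type.upper()} Feed"  # step 1: uppercase type names the objects
    ind_id = find_or_create(api, "indicator", {"title": title},
                            {"title": title, "producer": "XDR workflow"})
    feed_id = ind_id and find_or_create(api, "feed", {"indicator_id": ind_id},
        {"title": title, "indicator_id": ind_id, "feed_type": "indicator",
         "output": "observables"})
    if not feed_id:
        return None
    jud_id = api.create("judgement", {"observable": {"type": obs_type, "value": value},
                        "disposition": 2, "disposition_name": "Malicious"})  # 2 = Malicious
    if jud_id is None:
        return None
    rel_id = api.create("relationship", {"source_ref": jud_id, "target_ref": ind_id,
                        "relationship_type": "element-of"})
    if rel_id is None:
        return None
    return {"indicator": ind_id, "feed": feed_id, "judgement": jud_id, "relationship": rel_id}
```

Running it twice for the same observable type reuses the one indicator and feed while adding a fresh judgement each time, which is what keeps the feed membership growing without duplicate feeds.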

Required targets

This workflow requires the following targets to be available before it can be run.

Integration targets

  • Cisco XDR

About

  • Author: Cisco
  • Version: v1.0
  • Intent: Pivot Menu
  • Average rating: 5.0 out of 5
  • Authorship: Cisco Managed