Manage Indicators and Incidents Using Actions
The Intel Exchange integration for Cortex XSOAR v8 provides commands that allow you to manage threat intelligence directly from Cortex XSOAR. You can run these commands from the War Room during investigations or use them in playbooks to automate threat intelligence workflows.
Using these commands, you can retrieve indicator details, manage tags, update indicator status, search threat intelligence data, and retrieve incidents from Cyware Intel Exchange.
Integration Commands
Integration commands in Cortex XSOAR run through the Command Line Interface (CLI) in the War Room or as tasks within playbooks. These commands interact with the Intel Exchange API to retrieve and update indicators and incidents between the two platforms.
Where to Use These Actions
War Room (CLI): Run commands manually during an investigation to retrieve or update indicators and incidents from Cyware Intel Exchange. For example, !cyware-get-indicator-details.
Playbooks: Add commands as tasks within playbooks to automate threat intelligence workflows such as tagging indicators, updating indicator status, retrieving incidents, or marking indicators to review.
For the complete list of supported commands, including arguments, input and output parameters, and API mappings, see Cortex XSOAR documentation.
Frequently Asked Questions (FAQs)
The following Cyware Intel Exchange API endpoints are used by Cortex XSOAR to perform workflow actions on indicators and incidents:
| Method | Endpoint | Description |
|---|---|---|
| GET | | Verifies connectivity between Cortex XSOAR and Intel Exchange |
| GET | | Retrieves enrichment and relationship data for indicators |
| GET | | Retrieves indicators using the fetch indicators command |
| GET | | Retrieves reports using the fetch incidents command |
| GET | | Retrieves relationship data for reports |