Tag massive and internal IOCs to avoid EDL listing
This Playbook is part of the Generic Export Indicators Service Pack.#
Supported versions
Available on Cortex XSOAR (versions 5.5.0 and later) and Cortex XSIAM.
This playbook tags internal assets and massive IOCs (TLD wildcards and CIDRs) to be avoided by the EDL. The playbook does the following according to indicator type:
- CIDRs - If the CIDR prefix is larger than the set max prefix it tags it with
Massive_CIDRand also withskip_edl. - TLD Wildcards - If a DomainGlob is a TLD wildcard (for example *.net) it tags it with
TLD_Wildcardand also withskip_edl. - Internal IPs - If an IP is internal and also part of the CIDR configured by the user in the "Internal Assets" list it is checked as
internaland tagged withskip_edl. - Internal Domains - If a domain is a subdomain of the domains configured in the "Internal Assets" list it is checked as
internaland tagged withskip_edl.
We recommend running the playbook as a job to keep tags up to date on new indicators.
Playbook Inputs#
| Name | Description | Default Value | Required |
|---|---|---|---|
| Indicator Query | This query retrieves the following indicator types - IP, IPv6, CIDR, and IPv6CIDR | type:CIDR or type:IP or type:DomainGlob or type:IPv6CIDR or type:Domain | Optional |
| Internal Assets | A list of internal assets consisting of CIDRs and domains that belong to the user. | lists.Internal assets | Optional |
| Maximum CIDR Prefix | The maximum prefix to allow, any prefix bigger than the specified is tagged to be ignored by the EDL. | 8 | Optional |
Playbook Image#
