Fetch Incidents From an Integration Instance - Administrator Guide - 6.6 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product: Cortex XSOAR
Version: 6.6
Creation date: 2022-09-29
Last date published: 2024-03-21
End of Life: EoL
Category: Administrator Guide
Abstract

Configure a third party integration instance to fetch incidents into Cortex XSOAR incidents for investigation.

You can poll third party integration instances for events and turn them into Cortex XSOAR incidents that trigger automations; this is called fetching. Many integrations support fetching, but not all do. You can check each integration in the Cortex XSOAR Developer Hub.

You set the objects to be fetched and their mapping in Settings > OBJECTS SETUP > Incidents > Classification & Mapping.

When setting up an instance, you can configure the integration instance to fetch events. You can also set the interval at which new incidents are fetched by configuring the Incidents Fetch Interval field. The default fetch interval is 1 minute. This lets you control how often an integration instance reaches out to the third-party platform to fetch incidents into Cortex XSOAR. If the integration instance does not have the Incidents Fetch Interval field, you can add the field by editing the integration settings.

Note

  • In some integrations the Incidents Fetch Interval field is called Feed Fetch Interval.

  • If the integration instance does not have the Incidents Fetch Interval field, you need to add this field by editing the integration settings. If the integration is from a content pack, you need to create a copy of the integration. Any future updates to this integration will not be applied to the copy integration.

You can change the default for all integration instances by setting the server configuration using the serversiemincidents.schedule key. The value is the interval in seconds (s), minutes (m) or hours (h). Setting the incident fetch interval when defining an instance overrides the server configuration settings.

Go to Settings > About > Troubleshooting. For example, enter jobs.serversiemincidents.schedule as the key and 120s as the value. It is recommended that you do not set the value to less than one minute (1m).

Note

If you turn off fetching for a period of time and then turn it back on, or disable the instance and then enable it, the instance remembers the "last run" timestamp and pulls all events that occurred while it was off.

  1. Select the integration instance you want to fetch incidents from by going to Settings > INTEGRATIONS and clicking the integration instance settings button.

  2. Select the Fetches incidents checkbox.

    Once enabled, Cortex XSOAR searches for events that occurred within the time frame set by the specific integration. The default is 10 minutes prior, but this can be changed in the integration script implementation.

  3. (Optional) In the Incidents Fetch Interval field, set the interval at which to fetch incidents as a number of hours or days plus a number of minutes (default 1 minute).

  4. (Optional) If the Incidents Fetch Interval field does not appear, add it to the integration.

    Relevant for any incident-fetching integration.

    1. For out-of-the-box integrations, select the duplicate integration button.

      If you have already duplicated the integration, click the Edit integration’s source button.

    2. In the Basic section, select the Fetches incidents checkbox.

      In the Parameters section, you can see that the incidentsFetchInterval parameter is added. Change the default value if necessary.

    3. Click Save.
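The fetch behaviour described in step 2 and in the note on the "last run" timestamp is implemented inside the integration script, not in the instance settings. The following is an added example, not code from the Cortex XSOAR content or documentation: a stand-alone Python sketch of one fetch cycle that looks back 10 minutes on the first run, persists the last-run timestamp between cycles, and ingests everything that accumulated while the instance was off. The event shape, the `last_run` dict keys and the `first_fetch_minutes` parameter are assumptions for illustration; in a real integration the dict would come from `demisto.getLastRun()` and be stored with `demisto.setLastRun()`.

```python
import json
from datetime import datetime, timedelta, timezone

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample events in the shape a third-party SIEM API might return (not real data).
SAMPLE_EVENTS = [
    {"id": "evt-1", "occurred": "2024-03-21T10:00:00Z", "name": "Suspicious login"},
    {"id": "evt-2", "occurred": "2024-03-21T10:04:00Z", "name": "Malware alert"},
    {"id": "evt-3", "occurred": "2024-03-21T10:04:00Z", "name": "Port scan"},
    {"id": "evt-4", "occurred": "2024-03-21T10:07:30Z", "name": "Data exfiltration attempt"},
]


def parse_ts(value):
    return datetime.strptime(value, TS_FORMAT).replace(tzinfo=timezone.utc)


def fetch_incidents(last_run, events, now, first_fetch_minutes=10):
    """Run one fetch cycle and return (next_run, incidents).

    last_run is the small dict XSOAR persists for the instance between runs
    (demisto.getLastRun() / demisto.setLastRun() in a real integration); it is
    passed in here so the logic runs stand-alone. An empty dict means the
    instance has never fetched, so the window starts first_fetch_minutes ago,
    the default 10-minute lookback described in step 2. Because the window
    always starts at the stored timestamp, a gap in fetching is caught up in
    full on the next cycle, as the note on the "last run" timestamp describes.
    """
    if last_run.get("last_fetch"):
        start = parse_ts(last_run["last_fetch"])
    else:
        start = now - timedelta(minutes=first_fetch_minutes)
    # IDs already ingested at exactly the 'start' timestamp; without them an
    # event sharing the last-run timestamp would become a duplicate incident.
    seen = set(last_run.get("seen_ids", []))
    latest, ids_at_latest, incidents = start, set(seen), []
    for ev in sorted(events, key=lambda e: e["occurred"]):
        ts = parse_ts(ev["occurred"])
        if ts < start or ev["id"] in seen:
            continue
        # name / occurred / rawJSON are the fields an XSOAR incident entry carries.
        incidents.append({"name": ev["name"], "occurred": ev["occurred"],
                          "rawJSON": json.dumps(ev)})
        if ts > latest:
            latest, ids_at_latest = ts, {ev["id"]}
        else:  # ts == latest: another event at the newest timestamp
            ids_at_latest.add(ev["id"])
    next_run = {"last_fetch": latest.strftime(TS_FORMAT),
                "seen_ids": sorted(ids_at_latest)}
    return next_run, incidents
```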