End-of-Life (EoL)

Fetch Incidents from an Integration Instance

servers Describes the fetch incidents from a third party instance.
You can poll third party integration instances for events and turn them into Cortex XSOAR incidents that trigger automations (fetching).
There a number of integrations that support fetching, but not all support this feature. You can view each integration in the Demisto Developer Hub.
You can set an integration to fetch events, when defining an integration from the
INTEGRATIONS
tab in the
Settings
page, by selecting the
Fetches incidents
check box.
Once enabled, Cortex XSOAR searches for events that occurred within the time frame set for the integration, which is based on the specific integration. The default is 10 minutes prior, but can be changed in the integration script implementation.
The next fetch depends on the “systemwide interval”. The default is 1 minute, but it is possible to override this by setting server configuration server siem incidents schedule. The value is the interval in seconds (s), minutes (m) or hours (h). You add a server configuration in
Settings
About
Troubleshooting
. For example, type
jobs.serversiemincidents.schedule
key and
120s
value.
If you turn off fetching for a period of time and then turn it on or disabled the instance and enabled it, the instance remembers the "last run" timestamp, and pull all events that occurred while it was off. If you don't want this to happen, verify that the instance is enabled and then click
Reset the “last run” timestamp
in the settings window. Also, note that "last run" is retained when an instance is renamed.
You set the objects to be fetched and their mapping in
Settings
INTEGRATIONS
Classification & Mapping
.

Recommended For You