End-of-Life (EoL)

Fetch Incidents from an Integration Instance

servers Describes the fetch incidents from a third party instance.
You can poll third party integration instances for events and turn them into Cortex XSOAR incidents that trigger automations (fetching).
There a number of integrations that support fetching, but not all support this feature. You can view each integration in the Cortex XSOAR Developer Hub.
You can set an integration to fetch events, when defining an integration from the
tab in the
page, by selecting the
Fetches incidents
check box.
Once enabled, Cortex XSOAR searches for events that occurred within the time frame set for the integration, which is based on the specific integration. The default is 10 minutes prior, but can be changed in the integration script implementation.
The next fetch depends on the “systemwide interval”. The default is 1 minute, but it is possible to override this by setting server configuration server siem incidents schedule. The value is the interval in seconds (s), minutes (m) or hours (h). You add a server configuration in
. For example, type
key and
value. It is recommended that you do not set the value to less than one minute (1m).
If you turn off fetching for a period of time and then turn it on or disabled the instance and enabled it, the instance remembers the "last run" timestamp, and pull all events that occurred while it was off. If you don't want this to happen, verify that the instance is enabled and then click
Reset the “last run” timestamp
in the settings window. Also, note that "last run" is retained when an instance is renamed.
You set the objects to be fetched and their mapping in
Classification & Mapping

Recommended For You