Fetch Incidents From an Integration Instance
Configure a third-party integration instance to fetch events into Cortex XSOAR as incidents for investigation.
You can poll third-party integration instances for events and turn them into Cortex XSOAR incidents that trigger automations (fetching). Many integrations support fetching, but not all do. You can view each integration in the Cortex XSOAR Developer Hub.
When setting up an instance, you can configure the integration instance to fetch events. You can also set the interval at which to fetch new incidents by configuring the Incident Fetch Interval field. The fetch interval default is 1 minute. This enables you to control how often an integration instance reaches out to third-party platforms to fetch incidents into Cortex XSOAR. If the integration instance does not have the Incident Fetch Interval field, you can add this field by editing the integration settings.
You can add the field to any integration that fetches incidents. For out of the box integrations, to add the field, you need to create a copy of the integration. Editing the integration settings, including adding the Incident Fetch Interval field, breaks the connection to out of the box content. Any future updates to this integration will be applied to the out of the box integration and not to the copied integration.
You can change the default for all integration instances by setting the server configuration using the serversiemincidents.schedule key. The value is the interval in seconds (s), minutes (m) or hours (h). For example, type 120s as the value. Setting the incident fetch interval when defining an instance overrides the server configuration settings. It is recommended that you do not set the value to less than one minute (1m).
If you turn off fetching for a period of time and then turn it on again, or disable the instance and then enable it, the instance remembers the "last run" timestamp and pulls all events that occurred while it was off. If you don't want this to happen, verify that the instance is enabled and then click Reset the "last run" timestamp in the settings window. Also, note that "last run" is retained when an instance is renamed.
You set the objects to be fetched and their mapping in Classification & Mapping.
- Select the integration instance that you want to fetch incidents by going to Settings > INTEGRATIONS, and click the integration instance settings button.
- Select the Fetches incidents checkbox. Once enabled, Cortex XSOAR searches for events that occurred within the time frame set for the integration, which is based on the specific integration. The default is 10 minutes prior, but can be changed in the integration script implementation.
- (Optional) In the Incident Fetch Interval field, set the number of hours or days, and the number of minutes, for the interval at which to fetch incidents (default 1 minute).
- (Optional) If the Incident Fetch Interval field does not appear, add it to the integration. Relevant for any incident fetching integration.
  - For out of the box integrations, select the duplicate integration button. If you have already duplicated the integration, click the Edit integration's source button.
  - In the Basic section, select the Fetches incidents checkbox. In the Parameters section, you can see that the incidentFetchInterval parameter is added. Change the default value if necessary.
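The "last run" behavior and the 10-minute default window described above can be modeled in a few lines. This is an added example, not Cortex XSOAR code or part of the original page: `fetch_incidents`, `simulate`, the `last_run` dict layout and the sample events are hypothetical and constructed for illustration, and no XSOAR API is called.

```python
from datetime import datetime, timedelta, timezone

# Default first-fetch window stated on this page (10 minutes prior).
FIRST_FETCH_LOOKBACK = timedelta(minutes=10)


def fetch_incidents(events, last_run, now):
    """Model one fetch cycle; return (incidents, new_last_run).

    events   -- constructed third-party events: dicts with 'id' and 'occurred'
    last_run -- checkpoint kept between cycles; {} on first run or after a reset
    """
    # With no stored timestamp, look back only the default window from "now".
    since = last_run.get("time") or now - FIRST_FETCH_LOOKBACK
    new = sorted((e for e in events if since < e["occurred"] <= now),
                 key=lambda e: e["occurred"])
    incidents = [{"name": f"Event {e['id']}", "occurred": e["occurred"].isoformat()}
                 for e in new]
    # Advance the checkpoint to the newest event seen so nothing is fetched twice.
    newest = new[-1]["occurred"] if new else since
    return incidents, {"time": newest}


def simulate(reset_before_reenable):
    """Fetch once, pause fetching for about five hours, then resume."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    # Constructed sample data: one event per hour for six hours.
    events = [{"id": i, "occurred": t0 + timedelta(hours=i)} for i in range(6)]
    first, last_run = fetch_incidents(events, {}, t0 + timedelta(minutes=1))
    if reset_before_reenable:
        last_run = {}  # models Reset the "last run" timestamp
    resumed, _ = fetch_incidents(events, last_run,
                                 t0 + timedelta(hours=5, minutes=1))
    return [i["name"] for i in first], [i["name"] for i in resumed]


if __name__ == "__main__":
    print("kept last run :", simulate(False))
    print("reset last run:", simulate(True))
```

In this model, keeping the timestamp produces a backlog of every event from the paused period on the first cycle after re-enabling, while resetting it means events older than the lookback window are never ingested as incidents.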