Fetch Incidents From an Integration Instance

Configure a third-party integration instance to fetch incidents into Cortex XSOAR for investigation.
You can poll third-party integration instances for events and turn them into Cortex XSOAR incidents that trigger automations (fetching). Many integrations support fetching, but not all do. You can view each integration in the Cortex XSOAR Developer Hub.
When setting up an instance, you can configure the integration instance to fetch events. You can also set how often new incidents are fetched by configuring the Incident Fetch Interval field. The fetch interval default is 1 minute. This enables you to control the interval at which an integration instance reaches out to third-party platforms to fetch incidents into Cortex XSOAR. If the integration instance does not have the Incident Fetch Interval field, you can add this field by editing the integration settings.
You can add the field to any integration that fetches incidents. For out of the box integrations, to add the field, you need to create a copy of the integration. Editing the integration settings, including adding the Incident Fetch Interval field, breaks the connection to out of the box content. Any future updates to this integration will be applied to the out of the box integration and not to the copy.
You can change the default for all integration instances by setting the server configuration using the serversiemincidents.schedule key. The value is the interval in seconds (s), minutes (m) or hours (h). Setting the incident fetch interval when defining an instance overrides the server configuration settings.
Go to Settings > About > Troubleshooting. For example, type the jobs.serversiemincidents.schedule key and the 120s value. It is recommended that you do not set the value to less than one minute (1m).
If you turn off fetching for a period of time and then turn it back on, or disable the instance and then enable it, the instance remembers the "last run" timestamp and pulls all events that occurred while it was off. If you don't want this to happen, verify that the instance is enabled and then click Reset the "last run" timestamp in the settings window. Also, note that "last run" is retained when an instance is renamed.
You set the objects to be fetched and their mapping in Settings > INTEGRATIONS > Classification & Mapping.
  1. Select the integration instance from which you want to fetch incidents by going to Settings > INTEGRATIONS and clicking the integration instance settings button.
  2. Select the Fetches incidents checkbox.
    Once enabled, Cortex XSOAR searches for events that occurred within the time frame set for the integration, which is based on the specific integration. The default is 10 minutes prior, but can be changed in the integration script implementation.
  3. (Optional) In the Incident Fetch Interval field, set the interval at which to fetch incidents, as a number of hours or days and a number of minutes (default 1 minute).
  4. (Optional) If the Incident Fetch Interval field does not appear, add it to the integration.
    Relevant for any incident fetching integration.
    1. For out of the box integrations, select the duplicate integration button.
      If you have already duplicated the integration, click the Edit integration's source button.
    2. In the Basic section, select the Fetches incidents checkbox.
      In the Parameters section, you can see that the incidentFetchInterval parameter is added. Change the default value if necessary.
    3. Click Save.
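The "last run" behavior described above can be seen in a small simulation. This is an added example, not Cortex XSOAR code or code from any integration: it is a simplified model in which fetch_incidents, simulate and the sample events are hypothetical, and it assumes that resetting "last run" makes the next fetch look back only the 10-minute default mentioned in step 2.

```python
from datetime import datetime, timedelta, timezone

FIRST_FETCH_WINDOW = timedelta(minutes=10)  # default look-back stated on this page


def fetch_incidents(last_run, events, now):
    """Model one fetch cycle (hypothetical helper, not the product's code).

    last_run: dict persisted between cycles ({} on first run or after a reset).
    events:   list of (timestamp, name) tuples standing in for the third-party API.
    Returns (incidents, new_last_run).
    """
    # With no stored timestamp, look back only FIRST_FETCH_WINDOW (assumption);
    # otherwise resume exactly where the previous cycle stopped.
    since = last_run.get("time", now - FIRST_FETCH_WINDOW)
    incidents = sorted(e for e in events if since < e[0] <= now)
    # Advance the marker so the next cycle does not re-create the same incidents.
    return incidents, {"time": now}


def simulate(reset_before_resume):
    """Fetch once, pause fetching for 3 hours, resume; return names fetched on resume."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed sample data
    events = [
        (t0 - timedelta(minutes=2), "alert-before-pause"),
        (t0 + timedelta(minutes=30), "alert-early-in-pause"),
        (t0 + timedelta(hours=2, minutes=55), "alert-late-in-pause"),
    ]
    _, last_run = fetch_incidents({}, events, t0)  # normal cycle before the pause
    if reset_before_resume:
        last_run = {}  # models clicking the reset button
    resumed, _ = fetch_incidents(last_run, events, t0 + timedelta(hours=3))
    return [name for _, name in resumed]


if __name__ == "__main__":
    print("resume, last run kept :", simulate(reset_before_resume=False))
    print("resume, last run reset:", simulate(reset_before_resume=True))
```

In this model, keeping "last run" ingests the full backlog from the pause, while resetting it avoids the backlog but never ingests the event that fell outside the look-back window.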
