https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/mcafee-integration-not-sending-summary-of-alerts-to-xsoar-for/m-p/518849#M1312 <P>I have an integration between McAfee ESM (SIEM) that produces Alerts. 95% of alerts are received by the XSOAR including the "Summary" which is essentially the Alert Packet. Every few days some alerts are received that do not contain the summary. So essentially the time-stamp and the Alert Name appears yet there are no Summary details. The context data has been analysed and does not show any details.&nbsp;</P> <UL> <LI>The Integration has is updated to the latest version.&nbsp;</LI> <LI>The McAfee ESM is of a recent version.&nbsp;</LI> <LI>This is a relatively new phenomenon yet no explanation has been found.</LI> <LI>A new integration has been defined with a new Instance in order to attempt to fix this problem, unfortunately without results.&nbsp;</LI> <LI>A playbook for Unclassified events has been set to attempt to retrieve the summary for every anomalous alert through the Instance. Which also doesn't work 100% of the time.&nbsp;</LI> <LI>The XSOAR is community edition.</LI> </UL> <P>I have two questions;</P> <OL> <LI>Does anyone have a solution or workaround for this problem ?&nbsp;</LI> <LI>Is there a way to ensure 100% Alert transfer for this usually static use case ?</LI> </OL> <P>Thanks in advance.&nbsp;</P> <P><LI-PRODUCT title="Cortex XSOAR" id="Cortex_XSOAR"></LI-PRODUCT>&nbsp; #McafeeESM</P> <P>&nbsp;</P> Sun, 23 Oct 2022 07:25:17 GMT michaelsysec242 2022-10-23T07:25:17Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/mcafee-integration-not-sending-summary-of-alerts-to-xsoar-for/m-p/518849#M1312 <P>I have an integration between McAfee ESM (SIEM) that produces Alerts. 95% of alerts are received by the XSOAR including the "Summary" which is essentially the Alert Packet. Every few days some alerts are received that do not contain the summary. So essentially the time-stamp and the Alert Name appears yet there are no Summary details. The context data has been analysed and does not show any details.&nbsp;</P> <UL> <LI>The Integration has is updated to the latest version.&nbsp;</LI> <LI>The McAfee ESM is of a recent version.&nbsp;</LI> <LI>This is a relatively new phenomenon yet no explanation has been found.</LI> <LI>A new integration has been defined with a new Instance in order to attempt to fix this problem, unfortunately without results.&nbsp;</LI> <LI>A playbook for Unclassified events has been set to attempt to retrieve the summary for every anomalous alert through the Instance. Which also doesn't work 100% of the time.&nbsp;</LI> <LI>The XSOAR is community edition.</LI> </UL> <P>I have two questions;</P> <OL> <LI>Does anyone have a solution or workaround for this problem ?&nbsp;</LI> <LI>Is there a way to ensure 100% Alert transfer for this usually static use case ?</LI> </OL> <P>Thanks in advance.&nbsp;</P> <P><LI-PRODUCT title="Cortex XSOAR" id="Cortex_XSOAR"></LI-PRODUCT>&nbsp; #McafeeESM</P> <P>&nbsp;</P> Sun, 23 Oct 2022 07:25:17 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/mcafee-integration-not-sending-summary-of-alerts-to-xsoar-for/m-p/518849#M1312 michaelsysec242 2022-10-23T07:25:17Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/mcafee-integration-not-sending-summary-of-alerts-to-xsoar-for/m-p/518869#M1314 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/209373">@michaelsysec242</a>, you'll need to check the data coming into the mapper to verify where the issue is. Screenshot below shows the raw vs mapped fields.&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screen Shot 2022-10-24 at 1.28.44 pm.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/44830i3B968105307C9DC9/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Screen Shot 2022-10-24 at 1.28.44 pm.png" alt="Screen Shot 2022-10-24 at 1.28.44 pm.png" /></span></P> <P>1. Select the source of the alerts, this would McAfee ESM for you.</P> <P>2. Look at the raw data that is being sent from the API call. Ensure you can see the missing data here. If missing here its an API issue with McAfee's API.</P> <P>3. If the missing data is found above, map it to a field.&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 24 Oct 2022 02:36:57 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/mcafee-integration-not-sending-summary-of-alerts-to-xsoar-for/m-p/518869#M1314 jfernandes1 2022-10-24T02:36:57Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/mcafee-integration-not-sending-summary-of-alerts-to-xsoar-for/m-p/518989#M1320 <P>Thanks for your message. The incidents that do not contain the required "Summary" is not a mapping issue. Even after ingestion the Context Data doesn't contain any event details, just time stamps. As I mentioned before these are the same alerts that most of the time provide a static set of fields that do not change.&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/208028">@jfernandes1</a>&nbsp;is it recommended to speak with McAfee or PAN CSP regarding this issue ?</P> Tue, 25 Oct 2022 08:07:25 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/mcafee-integration-not-sending-summary-of-alerts-to-xsoar-for/m-p/518989#M1320 michaelsysec242 2022-10-25T08:07:25Z