topic File upload from XSOAR war room to Sentinel watchlist in Cortex XSOAR Discussions

File upload from XSOAR war room to Sentinel watchlist

A_Menon — Thu, 23 Feb 2023 06:27:31 GMT

Hi,

Newbie to Xsoar and working on an automation when a csv file is uploaded to war room, it should upload the csv to Azure Sentinel watchlist. From what I understand, I can do this by grabbing the file entry id of the latest file uploaded and then using the entry id upload it to Sentinel watchlist.

Is there a better way to do this ?
If no to the above question, what are the commands I can use to get the file entry id of the recent file uploaded

Thank you !!

Re: File upload from XSOAR war room to Sentinel watchlist

michaelsysec242 — Tue, 28 Feb 2023 14:15:40 GMT

Hello I a not familiar with the Azure Sentinel but I am sure the process is the same for most integrations.

Firstly use the Variable ${File.EntryID} that appears in the context when the file is added. What I recommend is to create a test incident to see how this feature works. If you have multiple files then it can make things confusing so I would recommend saving this EntryID in a different location when It is added to the XSOAR incident. Or, you could try tagging it and then querying the context but this can be a bit of over-kill. Another option is to loop over all the files in context using the variable ${File.[].EntryID}, notice the empty brackets allowed all the nested json to be iterated over like a loop and then specificy the pre-determined name of what you want.

To Be honest there are many options. Please elaborate some more including the playbook segment so that I can provide you a more direct solution to your issue.

Many thanks,

P.S. The Attached picture shows how the file is laid out in the context.

Re: File upload from XSOAR war room to Sentinel watchlist

A_Menon — Wed, 01 Mar 2023 04:28:07 GMT

this helps. The ${File.[].EntryID} sounds good and further narrowed it down on time based condition