https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/custom-web-server-on-xsoar/m-p/536875#M1948 <P>Thanks&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/159920">@MBeauchamp2</a>&nbsp;for reply. The problem with your suggestion is that I will get 1 incident per 1 POST. But I'ld like to aggregate all the posts (e.g. 1000 of them) within the timeframe in 1 incident.</P> Wed, 29 Mar 2023 07:11:45 GMT Antanas 2023-03-29T07:11:45Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/custom-web-server-on-xsoar/m-p/534701#M1898 <P>Hi,</P> <P>&nbsp;</P> <P>I'ld like to run a simple web server on demand, which would listen for POST requests and put the data posted in a file (or context).</P> <P>So far I achieved similar by modifying community integration XSOAR-Web-Server, which use long lasting instance mode and creates web server using Python Bottle. Server is started by an integration in a simple oneliner:</P> <P>run(host='0.0.0.0', port=listen_port, debug=True)</P> <P>&nbsp;</P> <P>I then deal with&nbsp; POST requests with:</P> <P>@route('post-uri', method='POST')&nbsp;</P> <P>def post-uri():</P> <P>&nbsp; &nbsp; &nbsp;...&nbsp; &nbsp; # write to a file /tmp/data.txt locally</P> <P>&nbsp;</P> <P>After web server received all the posts, I get the data form the XSOAR file system container ../diff/tmp/data.txt.</P> <P>&nbsp;</P> <P>Is there a way to access the data from the container using the commands in that integration? Cause at the time the data is collected, there are no incidents associated with it. If i create a new command and try to access /tmp/data.txt - it seem to be executed in different container and does not have access to that file.</P> <P>&nbsp;</P> Thu, 16 Mar 2023 12:15:52 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/custom-web-server-on-xsoar/m-p/534701#M1898 Antanas 2023-03-16T12:15:52Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/custom-web-server-on-xsoar/m-p/534721#M1899 <P>I think you'd be better off using something like the Generic Webhook integration to receive the post request, and then have the created Incident write the data to a file.&nbsp;&nbsp;</P> <P>&nbsp;</P> <P>The POST would need to be JSON, but you could then map the data to a field, or drop it to labels.&nbsp; &nbsp;Then have your automation create the file and return it to the war room using the fileResult method (check the script helper)</P> <P>&nbsp;</P> <P><A href="https://xsoar.pan.dev/docs/reference/integrations/generic-webhook" target="_blank">https://xsoar.pan.dev/docs/reference/integrations/generic-webhook</A></P> Thu, 16 Mar 2023 14:35:07 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/custom-web-server-on-xsoar/m-p/534721#M1899 MBeauchamp2 2023-03-16T14:35:07Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/custom-web-server-on-xsoar/m-p/536875#M1948 <P>Thanks&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/159920">@MBeauchamp2</a>&nbsp;for reply. The problem with your suggestion is that I will get 1 incident per 1 POST. But I'ld like to aggregate all the posts (e.g. 1000 of them) within the timeframe in 1 incident.</P> Wed, 29 Mar 2023 07:11:45 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/custom-web-server-on-xsoar/m-p/536875#M1948 Antanas 2023-03-29T07:11:45Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/custom-web-server-on-xsoar/m-p/536906#M1949 <P>Then I'd use a preprocessing script to handle that part.&nbsp; And have it add an entry to the first Incident.&nbsp;</P> Wed, 29 Mar 2023 14:17:57 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/custom-web-server-on-xsoar/m-p/536906#M1949 MBeauchamp2 2023-03-29T14:17:57Z