XSOAR - domain_name and domain_id not mapped - Even not reflecting in past incidents

A.Hussain514562 — Mon, 09 Dec 2024 08:23:10 GMT

I get the hard time to mapped the domain_id under the Label section coming from Qradar data.

The mentioned fields not parsed at the first place, luckily the domain_id is found in the Qradar_instance and mapped by creating the new incident field.

Issue: The new incident field for domain_id not being updated in the past incident, need support to reflect the same in past incident which become handy to filter out the different domains.

Re: XSOAR - domain_name and domain_id not mapped - Even not reflecting in past incidents

JStephan — Thu, 09 Jan 2025 08:44:33 GMT

hey there,

sorry, I dont fully understand, but from what I am guessing:

So you adjusted the mapper to meet the requirements of mapping the domain_id field to an incident field.

This will NOT affect old incidents, as the mapper is run before ... or better between ingestion and incident creation, so a re-run is not possible, sorry

what you could try (no guaranty)

Identify where the data is stored,
if not mapped we would expect to find them under "incident.labels"
from the incident overview run a script against all old incidents (depends of course on the amount)

Example (far fetched one)

search for status:closed -category:job domainoffense:""
Select all incidents and Run Command like
!setIncident domainoffense=${incident.labels.WHEREVER}

Honestly not sure if it works

topic XSOAR - domain_name and domain_id not mapped - Even not reflecting in past incidents in Cortex XSOAR Discussions

XSOAR - domain_name and domain_id not mapped - Even not reflecting in past incidents

Re: XSOAR - domain_name and domain_id not mapped - Even not reflecting in past incidents