topic How do I send an alert to XSOAR? in Cortex XSOAR Discussions

How do I send an alert to XSOAR?

J.Knoke935922 — Fri, 14 Feb 2025 20:56:30 GMT

I see the classify, map and playbook logic in XSOAR and I see that a playbook can ask/pull/poll for info *from* and external tool, which might be done through an integration. But is there a way for an external tool to aynchronously *send/push* an *alert* (not incident) to XSOAR and have XSOAR receive the alert in real time? I can send new *incidents* to XSOAR at the /incident endpoint, but it looks like the external tool must send the JSON that the endpoint expects, and that the classification and mapping logic is bypassed in that case. It appears that the integrations I have looked at will pull/poll the external tool, so the potential efficiency of a push architecture is lost, and the opportunity for real-time reaction is also lost. I'm not sure if the /incident/json endpoint helps.

Re: How do I send an alert to XSOAR?

michaelsysec242 — Mon, 21 Apr 2025 11:06:16 GMT

@J.Knoke935922 , It isn't easy to understand what you are trying to achieve here. What do you intend to do with the "Alert" you push to the XSOAR from the external tool ? If you want to actively push an alert to the XSOAR you could use Webhooks. You can then update an existing incident at the pre-processing level rather than creating a new incident. If you want to cause a pending task in a playbook to continue you could use this method or perhaps the XSOAR REST API or even entitlement (more advanced email method to receive responses by emails without creating an incident). I know that I have suggested a few possible solutions but you need to be more specific so that we can understand what you want to achieve.

MSysec