https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/how-to-prevent-iocs-and-incident-cases-from-being-created-when/m-p/505593#M998 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/208955">@pottapitot</a>, every job run creates a new incident. This cannot be stopped. There might be other work arounds available. You could looks at using a scheduled command to run the <EM><FONT face="courier new,courier">!setPlaybook</FONT></EM> command every X minutes. This would mimic the job run but consume a single incident ID.&nbsp;</P><P>&nbsp;</P><P>Regarding your second question, indicator extraction is enabled by default on XSOAR. As a part of best practises we recommend disabling it. You should disable it at a platform level and allow extraction on a specific task or command level. For more information refer - <A href="https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-8/cortex-xsoar-admin/manage-indicators/auto-extract-indicators" target="_blank">https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-8/cortex-xsoar-admin/manage-indicators/auto-extract-indicators</A></P><P>&nbsp;</P><P>To disable it I would recommend adding the below server configs with the value set to 1 (Refer above link for possible values):-</P><P>&nbsp;- reputation.calc.algorithm</P><P>&nbsp;- reputation.calc.algorithm.fields.change</P><P>&nbsp;- reputation.calc.algorithm.tasks</P><P>&nbsp;- reputation.calc.algorithm.manual</P><P>&nbsp;</P><P>You can then override the above by forcing extraction:-</P><P>1. At CLI - Add <EM><FONT face="courier new,courier">auto-extract=</FONT></EM>&nbsp;to the end of a command</P><P>2. At Task - <STRONG>Edit Task</STRONG> -&gt; <STRONG>Advanced</STRONG> -&gt; <STRONG>Indicator Extraction Mode</STRONG> - <A href="https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/playbooks/playbook-tasks/playbook-task-fields" target="_self">Refer</A></P><P>3. At Field\Incident - <STRONG>Settings</STRONG> -&gt; <STRONG>Object Setup</STRONG> -&gt; <STRONG>Incidents</STRONG> -&gt; <STRONG>Type</STRONG> -&gt; <EM><STRONG>&lt;Incident Type&gt;</STRONG></EM> -&gt; <STRONG>Indicator Extraction Rules</STRONG> - <A href="https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/manage-indicators/auto-extract-indicators/define-indicator-extraction-rules-for-an-indicator-type" target="_self">Refer</A></P><P>&nbsp;</P> Thu, 23 Jun 2022 00:53:03 GMT jfernandes1 2022-06-23T00:53:03Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/how-to-prevent-iocs-and-incident-cases-from-being-created-when/m-p/505455#M997 <P>Hi,</P><P>&nbsp;</P><P>I was making 2 playbooks.</P><P>In the first playbook, after creating the same I scheduled it as a job. Each time the job runs, it creates a incident case. How do I prevent the incident case from being created when the job runs?</P><P>&nbsp;</P><P>In the second playbook, I was creating playbook which pulls MISP feeds which I want to send to another solution. Since it is pulling feeds containing IOCs, it is creating indicators in the Threat Intel section. I do not want the IOCs from the feeds to be added to the Threat Intel section. I just want to pull the IOCs from the feeds and send the same to the external solution. How can I do this?</P><P>&nbsp;</P><P>Thanks in advance.</P><P>&nbsp;</P> Wed, 22 Jun 2022 16:51:38 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/how-to-prevent-iocs-and-incident-cases-from-being-created-when/m-p/505455#M997 pottapitot 2022-06-22T16:51:38Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/how-to-prevent-iocs-and-incident-cases-from-being-created-when/m-p/505593#M998 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/208955">@pottapitot</a>, every job run creates a new incident. This cannot be stopped. There might be other work arounds available. You could looks at using a scheduled command to run the <EM><FONT face="courier new,courier">!setPlaybook</FONT></EM> command every X minutes. This would mimic the job run but consume a single incident ID.&nbsp;</P><P>&nbsp;</P><P>Regarding your second question, indicator extraction is enabled by default on XSOAR. As a part of best practises we recommend disabling it. You should disable it at a platform level and allow extraction on a specific task or command level. For more information refer - <A href="https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-8/cortex-xsoar-admin/manage-indicators/auto-extract-indicators" target="_blank">https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-8/cortex-xsoar-admin/manage-indicators/auto-extract-indicators</A></P><P>&nbsp;</P><P>To disable it I would recommend adding the below server configs with the value set to 1 (Refer above link for possible values):-</P><P>&nbsp;- reputation.calc.algorithm</P><P>&nbsp;- reputation.calc.algorithm.fields.change</P><P>&nbsp;- reputation.calc.algorithm.tasks</P><P>&nbsp;- reputation.calc.algorithm.manual</P><P>&nbsp;</P><P>You can then override the above by forcing extraction:-</P><P>1. At CLI - Add <EM><FONT face="courier new,courier">auto-extract=</FONT></EM>&nbsp;to the end of a command</P><P>2. At Task - <STRONG>Edit Task</STRONG> -&gt; <STRONG>Advanced</STRONG> -&gt; <STRONG>Indicator Extraction Mode</STRONG> - <A href="https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/playbooks/playbook-tasks/playbook-task-fields" target="_self">Refer</A></P><P>3. At Field\Incident - <STRONG>Settings</STRONG> -&gt; <STRONG>Object Setup</STRONG> -&gt; <STRONG>Incidents</STRONG> -&gt; <STRONG>Type</STRONG> -&gt; <EM><STRONG>&lt;Incident Type&gt;</STRONG></EM> -&gt; <STRONG>Indicator Extraction Rules</STRONG> - <A href="https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/manage-indicators/auto-extract-indicators/define-indicator-extraction-rules-for-an-indicator-type" target="_self">Refer</A></P><P>&nbsp;</P> Thu, 23 Jun 2022 00:53:03 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/how-to-prevent-iocs-and-incident-cases-from-being-created-when/m-p/505593#M998 jfernandes1 2022-06-23T00:53:03Z