This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Buy or Renew
Buy or Renew
Cortex XSOAR Discussions
Cortex XSOAR enables SOC analysts to manage alerts across all sources, standardize processes with playbooks, take action on threat intel, and automate response for any security use case.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Cortex XSOAR Discussions
Cortex XSOAR enables SOC analysts to manage alerts across all sources, standardize processes with playbooks, take action on threat intel, and automate response for any security use case.
About Cortex XSOAR Discussions
Cortex XSOAR enables SOC analysts to manage alerts across all sources, standardize processes with playbooks, take action on threat intel, and automate response for any security use case.

Discussions

Start a conversation

Engine in cloud - design concept

I have a cloud instance of XSOAR, with set of technologies in cloud and on prem as well, my initial thought is to have an engine for each group, that means two engines, and separate the technologies accordingly, any thought on that and what is challenges, pros and cons? Cortex XSOAR

ahmad by L0 Member
  • 768 Views
  • 1 replies
  • 0 Likes

Resolved! Extrahop Reveal X Integration - Stop fetching of Hidden Detections possible?

We've recently use the Extrahop integration to create tickets in XSOAR for our analysts to keep track of Extrahop tickets without having to go into Extrahop's console. However, we're trying to stop it from fetching "Hidden" or tuned detections I'm tuning out in Extrahop. I only fetch for 60+ Risk Scores and for "Open" or .none per the filtering,...

C.Perez by L1 Bithead
  • 2505 Views
  • 2 replies
  • 0 Likes

How to Delete War Room Entries or Clear War Room

Hello LiveComm, is there a way to remove an entry from an XSOAR incident ? This is needed for general entries and not just files as files can be deleted with Core API. An example of this can be a comment by an analyst or any textual entry. Perhaps the war room can be fully cleared ? I see that every entry has a URL but this does not work with th...

Service Limit Information for On-Premises Deployment Cortex XSOAR

Hi everyone, I have been searching for documentation related to the system’s performance limits, but most of the available information seems to focus on cloud deployments. I am specifically looking for service limit details for an on-premises deployment, including how they correlate with the system’s CPU and RAM resources. I have reviewed the in...

Duxgbk by L1 Bithead
  • 745 Views
  • 0 replies
  • 0 Likes

ElasticSearch integration es-eql

Can someone, anyone, post a properly formatted (working) !es-eql-query command run in XSOAR. I am apparently too dumb to get it working. For context, here's the ES|QL query I'm trying to make work.FROM logs-* | WHERE winlog.event_data.LogonProcessName LIKE "User32 " and host.hostname LIKE "computername" | LIMIT10

Increasing docker image pull timeout

Hey everyone, I am looking for a way to increase the docker image pull timeout from its 5 minutes default. The error occurs due to a combination of very slow network connection (a traffic shaping option which I cannot change) and big images (e.g. demisto/qrcode) and we get Error from Scripts is : Script failed to run: Pulling docker Image "demis...

JanDrees by L0 Member
  • 2296 Views
  • 1 replies
  • 0 Likes

How do I find the *meaning* of fields listed for APIs?

I see the API documentation (e.g., https://cortex-panw.stoplight.io/docs/cortex-xsoar-8/qqt4382rrk8vo-create-an-incident-from-json), but it seems that in many cases the actual meaning and usage are not defined for some of the input fields. Because of this, I can't figure out how to use the /incident/json endpoint, even though I did figure out h...

Urgent !! Cortex XSOAR User Licence Support

Would you please assists on picking a user for cortex xsoar, we have been bought a 1 year license for cortex xsoar starter (1 in quantity with support 2 users) and full user (4 in quantity) which is total of 6 users. However, currently we are planning to extend the license for next 1 year and decide to proceed with only the full user (quantity o...

Yonas_A by L0 Member
  • 908 Views
  • 1 replies
  • 0 Likes

Reminder Follow-Up Mail Playbook

I need to create a simple JOB in Demisto that does the following: Sends an email to the user - with the text "Reminder to perform action XXX"Give the user half an hour to reply by email (the user can reply with any text they want),Wait half an hourIf they replied something, close the eventIf they didn't reply within half an hour,Send another ema...

NivNet by L1 Bithead
  • 1425 Views
  • 3 replies
  • 0 Likes

Help with retrieving list of XSOAR items

Hi all, I am looking to build an inventory list of everything we have within XSOAR, such as:All playbooks, dashboards, integrations regardless of whether or not we use them. Extra points if we also know the author of each item, and / or the last person that modified the item. I know that we can check the web console but it would be great if w...

Resolved! How to include the initial Email as attachment OR how to reply on the same Email sent

I am trying to develop a playbook that sends reminder after 24 hours if no response by user received. I was able to create a timer task that sleeps for 24 hours and runs without a worker. But i don't know how i can send a reply on the same email that was initially sent by EmailAskUser automation or send it as attachment on the reminder email x...

Getting Vulnerability Findings from Tenable SC for a Specific Host

Hello LiveComm, I have a use-case that requires the extraction of vulnerabilities found on a specific host on Tenable SC (not tenable.io !). I have tried a combination of commands but I have not been able to to do this. When accessing the tenant GUI there is Host Assets in which you can see the vulnerabilities found on a specific host. Based on ...

How to join slack {{#demisto-developers }} channel

Hi, I registered my account and received an email with following content: Join the Slack workspace Cortex XSOAR DFIR Community now to start collaborating! by clicking here or the button below. However, the link seems expired and I got following msg: This link is no longer active To join this workspace, you’ll need to ask the person who o...

TonyZhu by L2 Linker
  • 7323 Views
  • 12 replies
  • 1 Likes

Demisto-sdk upload doesn't allow override

Hi Community! I have a question since i can't find answer anywhere. I wonder how the demisto-sdk community update the content pack when there is a code change, in my experience. i need to upload the same pack sometimes because I changed one script but the command doesn't allow me and there is not force option. the error message is like :Could ...

  • 1302 Posts
  • 45 Subscriptions
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2026 - Palo Alto Networks