Cortex XSOAR Discussions

Fetching CrowdStrike Next-Gen SIEM Alerts into SOAR

Hi everyone,

How can I fetch Next-Gen SIEM alerts from CrowdStrike into XSOAR? I have already set up my Falcon integration, and I can fetch categories like endpoint detection.

As seen in the image, there is a query section available to fetch differen

XSOAR 8 cloud incident retention policy query

Hi Team,

The standard XSOAR customer, wants to know how the incident retention policy works on V8 cloud instance.

Data retention policy:
1. Is the default retention period is 6 months (180 days)? 

Yes , the default retention period is 6 months (18

Playbook Showing Keep Running & Running

Dear All,

I am facing really annoying issue. I have setup integration(mapper,type) and playbook hit very well on incident but the problem is the playbook showing running and running for all incidents and not run. I try to pause and resume but it also

Is there a way to check all scheduled entries in XSOAR?

Is there a way to check all scheduled entries regardless of the incident you're in? I've been using ShowScheduledEntries in the playground to test an automation (let's call it X), but after a week, when using the ShowScheduledEntries command it retur

How to "empty" a field value in XSOAR, or remove the value?

Tried to remove a value of a field to "empty" 

For example "setIncident fieldname=None and !setIncident fieldname="" 

But that doesn't work, does anyone how how to remove the value? 

CSV Feed Same Indicators

Hi,

I am using CSV Feed integration and a delta triggered Job, that is triggering whenever there is a new item (IP indicator) in CSV feed. The playbook under job is adding only new and modified indicators which have "tag":"pending_ip".

Now, I underst

Engine in cloud - design concept

I have a cloud instance of XSOAR, with set of technologies in cloud and on prem as well, my initial thought is to have an engine for each group, that means two engines, and separate the technologies accordingly, any thought on that and what is challe

Running Playbooks on the Engine

Can I configure XSOAR Engine used to run playbooks, instead of the XSOAR instance itself, and if yes what is the configuration steps, sizing, ..etc

Cortex XSOAR

How to Delete War Room Entries or Clear War Room

Hello LiveComm,

is there a way to remove an entry from an XSOAR incident ? This is needed for general entries and not just files as files can be deleted with Core API. An example of this can be a comment by an analyst or any textual entry. Perhaps th

Service Limit Information for On-Premises Deployment Cortex XSOAR

Hi everyone,

I have been searching for documentation related to the system’s performance limits, but most of the available information seems to focus on cloud deployments. I am specifically looking for service limit details for an on-premises deploym

Integration not able to invoke fetch-incidents command at given interval

I am trying to create a custom integration and have read that xsoar will invoke fetch-incident command at the given incidentfetchinterval timeframe on its own. But when i run the integration to fetch incidents i dont see it adhering to the given inte

ElasticSearch integration es-eql

Can someone, anyone, post a properly formatted (working) !es-eql-query command run in XSOAR.  I am apparently too dumb to get it working.  For context, here's the ES|QL query I'm trying to make work.

FROM logs-* | WHERE winlog.event_data.LogonProcessN

Increasing docker image pull timeout

Hey everyone,

I am looking for a way to increase the docker image pull timeout from its 5 minutes default.

The error occurs due to a combination of very slow network connection (a traffic shaping option which I cannot change) and big images (e.g. dem

XSAOR - 503 Service Temporarily Unavailable Issue

Hello,

I'm currently implementing Cortex XSOAR On-Prem 8.8. I'm fairly new to this product. 

I have deployed the VM and cluster configuration completed successfully. I was able access GUI and do the basic configurations. After I updated the versi