Crowdstrike falcon incident fetching issue
Hi team, In the crowdstrike builtin integration instance we have included the query to fetch detections as: status:['new'], but still the alerts with False Positive status are also getting fetched in XSOAR.
Hi team, In the crowdstrike builtin integration instance we have included the query to fetch detections as: status:['new'], but still the alerts with False Positive status are also getting fetched in XSOAR.
I've been trying to send a block message from the SlackBlockBuilder automation. However, when I try to test it out via the debugger panel, it would result in an error. Spoiler (Highlight to read) Command: !SlackBlockBuilder list_name="SLACKV3_BLOCK_ASK_URLALERT" channel_id="[redacted]" persistent="false" reply="Thank you for your res...
Hi all, I have a multi-tenant production and i have created a host but this host doesn't appear in the hosts in the main account. How can i fix this problem?
Hi everyone, I would like to ask is it possible to permanently delete the downloaded file in War Room? My team wants to make use of the Jobs function in XSOAR to handle files, and the file should be deleted in XSOAR after handling it.Thanks,Eliza
Hello everybody, after reading through some of the threads here, most people run into a similar issue as I did. Not receiving the URL to download - has anyone found a suitable solution? I used a company email, I waited a week for it to come after the approval - yet nothing came, does anyone have the link for me? Thanks in advance.
Hey all, I was exploring O365 graph API and wondering what are some of the best practices for this integration. One thing we came up was to IP restriction (Palo alto IP) in Microsoft side. Are there any other condition access policies that can be added to make sure we follow best practices, other than securing the Palo alto tenant and Micr...
Hello LiveComm, I am working on using MFA for authentication to xsoar on a server that has Active Directory (On-Prem) SAML authentication already in use. The use case is to require the user to authenticate using the Microsoft Authenticator app. I have searched around and have not found any documentation regarding this except for DUO though this ...
Hello, I have signed up for the community edition, however I have never received the download URL. Also, I signed up for the DFIR, but cannot access the slack, as the link is expired when sent.
Hi,I filled out the form for the community edition at https://start.paloaltonetworks.com/sign-up-for-community-edition.html. I have received a confirmation email and an email for more information I have replied. unfortunately I get no response to use the Cortex / Paloalto. How can I get the cortex community edition? MP
Hello all, I am working with Slack from the playbook level where a message summarizing an incident is sent followed by Slackask automation to ask users on a channel to confirm the information with two interactive buttons. Take note that the flow has two different messages, the first is the summary using Slacknotification and the second task is ...
soemtimes for testing purpose we need to create similar incident again but I am stuck at this phase. I have exisiting incident and i want to re run it(either manually create, duplicate and re run it or just simply re run exisitng incident, or importing it) but the question is how?. How to get this? Cortex XSOAR
Cortex XSOAR 8 will have a new FQDN and IP Address in the new platform. May I know is there any existing playbook have pulled the XSOAR data, and export to third-party platform automatically? If yes, it may require to re-configure the IP Address. Cortex XSOAR
Need help We have several analysts on schedule to perform ticket review bi-weekly. I have used a demisto xsoar job to generate a ticket review ticket every 2 weeks. However, how do i assign this ticket to the analyst automatically based on the shift schedule I have. For example, first is A doing the ticket review and then B doing the ticket re...
Hi All, We have a requirement to create a ServiceNow ticket by taking the slack user responses. I have built a playbook which does send the SlackBlockBuilder to the specified Slack channel but the playbook runs only when an incident is attached to it.(I'm running the playbook by creating an empty incident manually in xsoar), but I want to playbo...
Hi, I've created a playbook to analyze some alerts related to SOC and GPO, but the alerts come with ObjectGUID and I need to convert the GUID to DisplayName. In PowerShell, the command is simple: (Get-GPO -Guid "$GUID").DisplayName. I tried running this command in the war room, but it didn't work... Does anyone know how I can do this?"

