Cortex XSOAR Discussions
Cortex XSOAR enables SOC analysts to manage alerts across all sources, standardize processes with playbooks, take action on threat intel, and automate response for any security use case.
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Cortex XSOAR Discussions
Cortex XSOAR enables SOC analysts to manage alerts across all sources, standardize processes with playbooks, take action on threat intel, and automate response for any security use case.
About Cortex XSOAR Discussions
Cortex XSOAR enables SOC analysts to manage alerts across all sources, standardize processes with playbooks, take action on threat intel, and automate response for any security use case.

Discussions

Timeout in task not working

Hello, Timeout configuration does not function in "ScheduleCommand" task using an automation. The timeout is set inside the task in Advanced Tab->"Execution timeout(seconds)" and inside the automation in Settings->Advanced->Timeout(seconds), but is not working. Am I missing something?

Josep by L4 Transporter
  • 1396 Views
  • 1 replies
  • 0 Likes

Filter out incidents having email communications associated with it

From all the incidents I have, I want to filter out the incidents having email communications associated with them.There are several fields in the context and in the incident of the context that identifies an incident as email communications associated.Can anybody help me with this ? maybe using any specific field from context or incident.

Help ML models

Hello, I need some help to understand how ML models work in XSOAR. In the documentation, I can only see models related to emails. I'd like to create a model just with the close reason, False Positive or True Positive. I already trained the model, however, I don't know exactly which are the inputs of the training or the inputs to use the model.

Josep by L4 Transporter
  • 1630 Views
  • 1 replies
  • 0 Likes

Question Regarding Mirroring Integration In Cortex XSOAR

I've a couple of questions regarding mirroring in Cortex XSOAR which are listed below. 1. Is it possible to change the status of the XSOAR incident from Pending to Active in the get-remote-data command? I have checked couple of mirroring integration (e.g. ServiceNow v2, XSOAR Mirroring) and they are only closing the XSOAR incident once the remot...

Multiple Question realted to assign owner from playbook

Guys, I Have Phishing Playbook consists of two big parts: a- L1 Phishing playbook. b- L2 Phishing playbook. The flow starts from L1 doing the needed automation and tasks like (Extracting IOCs, Headers, Doing Enrichment, making Splunk searches, .... etc.) Then it will stop at the stopping point which ask the Analyst to categorize which type ...

Demisto.db Read only Error

Dears, I am facing an issue in one of the tenants as below once I am trying to press anything and as I check the directory I found that demisto is the owner and the permissions are drwxr. Appreciate any Support. "Write /var/lib/demisto/tenents/(tenant Name)/data/demisto.db: read-only file system "

mkhalil5 by L0 Member
  • 1486 Views
  • 1 replies
  • 0 Likes

How to run playbook on scheduled interval for all XSOAR Incidents?

Hello team, I've use-case where I need to fetch related events for a particular incident periodically. For that, I've prepared a playbook which will pull the events related to each XSOAR incident and link that data in Contex of a particular XSOAR incident. As this needs to be applied to all incidents of selected custom incident type and I want m...

SHadfa by L0 Member
  • 5245 Views
  • 4 replies
  • 0 Likes

Resolved! How to set a war room entry as evidence from a single automation

Hi everyone, The task looks simple with "markAsEvidence" but I have to run 2 tasks to get it done. Is there a way to send an entry to the war room and mark it as evidence from the same automation without having to run the automation twice. As it seems an automation can access only the initial state of the the incident that is when automation ...

EnesOzdemir_0-1673605185180.png
EnesOzdemir_1-1673605250812.png

closing multiple incidents with postprocessing scripts causes xsoar to hang

Hi all, I am working with Carbon Black EDR so I want incidents to be closed not only on xsoar but also on carbon black instance. To achieve that I implemented a post processing script. when an incident on xsoar is closed the script closes the alert on carbon black edr too . It works fine when working with a single incident. Things get complica...

EnesOzdemir_0-1665045390481.png

XSOAR License URI

Hello everyone,I want to access the XSOAR license date, but whatever I type in the 'uri' field does not return results (for demisto-api-get and internalHTTPRequest). How can I access it?I tried many uri like "!demisto-api-get uri=/license" but I could not access it.

Use TensorFlow models inside XSOAR automation

Hello, We'd like to create our own TensorFlow models to improve the system. The model will be trained and tested outside XSOAR, while the production model will be set inside an automation. The main problem here is whether XSOAR containers could have enough resources to make it work. The other option is to create a server to communicate via API w...

Josep by L4 Transporter
  • 1380 Views
  • 1 replies
  • 0 Likes

Resolved! Display flags in long XSOAR automation

Hello, A long automation with no time limit is created. However, when we execute it, there's no way to know if it's executing properly. We've tried: "demisto.results" and putting information in the context but it only appears when it's completely executed. How can we display flags to know the progress of an automation?

SanDev by L2 Linker
  • 4024 Views
  • 7 replies
  • 0 Likes
  • 1305 Posts
  • 45 Subscriptions