Cortex XSOAR Discussions

Setting an incident field and getting the new value of it

Hi everyone, I noticed that automations cannot set a new value and fetch it from the same incident field . Why is that? demisto.executeCommand('setIncident', {'details': 'mycustomvalue'})return_results(demisto.get(demisto.incident(), 'details'))

How to avoid "...NOTE, too much data to present, content was truncated."

Hello again, I'm using a task to obtain IPs from a source and put them inside the context. However, the variable is truncated and it shows: "NOTE, too much data to present, content was truncated." How can this be avoid? and use the whole context variable? Thanks.

Resolved! Resetting Qradar integration and keep mapped alerts.

Hello colleagues, I'm using Qradar integration with all the alerts mapped and parameters configured. In order to solve a "fetch events" puntual problem is recommended to reset the integration with empty parameters and the use again the already working parameters. This will reset the integration and will solve some bugs, however, I don't know if ...

community license for cortex XSOAR for mac

Hi all, Do we community license available for cortex XSOAR to be used on mac? Thanks

Resolved! Pre-process Rule Assistance

We are trying to create a pre-process rule to link and close the incident when certain field values are identical but still incidents are getting created for identical values. Please find the attached snip.Please note you are posting a public message where community members and experts can provide assistance. Sharing private information such as ...

Resolved! Playbook Creates Incidents from Table.

I'm trying to create incidents from a Cortex XSOAR SIEM integration. The integration allows me to list alerts and I'm trying to create an incident for each one. When I run the playbook, the list alerts command returned multiple entries, but the create incident task is only creating 2 incidents opposed to 10 alerts. I want to ensure that we're ...

Resolved! Check dormant instance in multitenant.

Hi, I need a job or another mechanism to detect if last incident creation time is older than 1 hour or a given time period to detect if there is an incident pull problem in SOAR or a siem centric problem. Regards.

Resolved! DEVO integration into XSOAR

Hi we need to integrate DEVO with XSOAR, in order to manage all alerts and be abe to query DEVO. First step is to get all alerts, so we have installed the "Devo v2 (Partner Contribution)" addon into XSOAR and followed the instructions, from https://xsoar.pan.dev/docs/reference/integrations/devo-v2 We have the Token for all tables generated: A...

Open zip file in automation

Hello, I'm downloading a zip file via API with this request: response = doHttpRequest(url=zip, method='GET', headers=headers) it's supposed that my "response" variable now it's the zip file, however when I try to open, I can't, it's like it doesn't exist. How can be unzipped and extract the .txt file inside?

Script failed to run: Timeout Error: Docker code script failed due to timeout, consider changing timeout value for this automation, (2604) (2603)

We have a playbook task that sends a query to run on Splunk using the SplunkPy but it keeps failing and returning the following error#22: Splunk Search Query Command: !splunk-search query="index= test blah blah" earliest_time="1666679348" latest_time="1666852148" batch_limit="25000" update_context="true" interval_in_seconds="30"ReasonError from ...

Resolved! Configuration file to playbook

Hi all, I need to provide an externally uploaded configuration file to a playbook whose content varies periodically (it's a list of names). What is the best way to do this? The user who uploads the file can access the XSOAR GUI interface with an Analyst profile.

Rename XSOAR tenant

Receiving more business from a customer for some of their other entities. I need to rename an XSOAR tenant to be more pointed - Is there any instructions on renaming.Can i just stop the tenant and rename the folder on the backend; assume there's more to it than that -

Using Await for an email only for expected answers

Hello, I'm sending an email to the users and I wait for 3 possible answers. However, sometimes the users are outside the office and I receive and automatic answer. How can avoid this, and only wait for the 3 possible ones.

Phone call from XSOAR

How can i make Phone calls from a playbook? I found the twilio integration which is able to send SMS, but I'd rather make a phone call to the incident manager somehow. Have you found any solution to this?

McAfee Integration not sending Summary of alerts to XSOAR for ingestion.

I have an integration between McAfee ESM (SIEM) that produces Alerts. 95% of alerts are received by the XSOAR including the "Summary" which is essentially the Alert Packet. Every few days some alerts are received that do not contain the summary. So essentially the time-stamp and the Alert Name appears yet there are no Summary details. The contex...

Discussions

Setting an incident field and getting the new value of it

How to avoid "...NOTE, too much data to present, content was truncated."

Resolved! Resetting Qradar integration and keep mapped alerts.