Cortex XSOAR Discussions

Splunk custom index not getting incident in xsoar

I am using splunk 60 day free trial non-enterprise edition and created a new custom index in splunk and manually added a sample event csv format file in the new index and all date is 2 days ago sample data

splunk integration with xsoar does not genera

...

Screen Shot 2022-03-11 at 1.33.40 PM.png

Screen Shot 2022-03-11 at 1.34.28 PM.png

XSOAR test/free license - Paloalto ignoring a request from customer

I have tried to request test/free license of XSOAR using web form - (https://start.paloaltonetworks.com/sign-up-for-community-edition.html). Completely ignored. Then I asked for support - they pointed out to local rep. Local rep can do nothing, they

...

error Couldn't calc cores number [error 'open /proc/stat: too many open files']

Recently had some performance problems reported from my xsoar users.

Found a tenant crashing. Upon investigating I found the following error in the logs:

App03 host:

error Couldn't calc cores number [error 'open /proc/stat: too many open files']error C

...

Default Admin Account sees more tenants where is SSO Administrator does not

Any thoughts on this -
I use my SSO account which is an is in the Administrator role.

I see 23 tenants. No filter on.

My default admin account which is also in the administrator role shows 36.

The tenants my SSO account seems to be missing seem are on

...

Demo Data / Incidents

For purposes of demo'ing / mocking data for testing; how do you handle that....

Curious is there any import function to mock up incident data within XSOAR?

Resolved! Incident Table Under Incidents; is there a way to change the default view for everyone

I want to change the default column view for all my analyst using the "Incidents" page / "Incidents" table.

Is there a way to change that view, or is the table view user specific only and there is no way to set for everyone?

Resolved! Changing the owner of an Incident X from another Incident Y

Hi everyone, I'm struggling to make my use case work.

I need to use a playbook X, to change the owner of a specific incident using IncidentID.

Do you ever had this need?

I think I can do it using RestAPI, but i'm failing.

Thanks

Resolved! XSOAR Qradar Integration Set Range Limit

Hi,

I succeeded XSOAR integration with Qradar. But I keep getting timeout warnings. I solved this problem by entering parameter "--env=REQUEST_TIME OUT=1500". But I caught that the real problem is in the query. To give an example of this, I enter the

...

Using IsRFC1918Address check on context in condition task

Hi,

I'm trying to use the condition to check if incident.destinationip is an public IP. But when selecting from context incident.destinationip and then IsRFC1918Address you need to fill in something in the right side. I checked the automation script

...

Resolved! Docker running as non-root, but hardening script fails?

Relatively new admin to XSOAR; previous admin has left.

Just completed upgrade to latest 6.5 version.

Could anyone help me understand the following:

I have a service account that seems to run xsoar demisto server containers; used ps-ef|grep demisto and

...

[error 'open /proc/stat: too many open files']

Recently had some performance problems reported from my xsoar users.

Found a tenant crashing. Upon investigating I found the following error in the logs:

App03 host:

error Couldn't calc cores number [error 'open /proc/stat: too many open files']error C

...

Resolved! X out of X accounts returned an error during a multi-account request

Seeing the following every multiple times a minute in my server.log

Note i replaced the host with <host>

error Some requests to accounts failed for incidents export [error '2 of 18 requests to accounts failed! failing accounts are [acc_Dem01,acc_Demi

...

FortiSEIM Integration - Auth Issues

Dear All ,

FortiSiem integration is failing due to the Auth issues , Your help would be appreciated

Resolved! Field Trigger Script / Broswer Caching Issue?

I have a field trigger script on dbot status changing; essentially updating a custom field to nothing if the an incident is re-opened.

if field=="dbotStatus" and old=="Closed" and new=="Active" and incidentType=="Azure Sentinel":
demisto.executeComman

...

XSOAR - How to pull file from context in playbook

Hello,

I am trying to pull a file from the context. I tried pulling the 'EntryId' for the file, but the playbook returned an error saying there was not a file at that file path. Is it possible to pull a file from the context, and if so, how can it be

...

Discussions

Splunk custom index not getting incident in xsoar

XSOAR test/free license - Paloalto ignoring a request from customer

error Couldn't calc cores number [error 'open /proc/stat: too many open files']

Default Admin Account sees more tenants where is SSO Administrator does not

Demo Data / Incidents

Resolved! Incident Table Under Incidents; is there a way to change the default view for everyone

Resolved! Changing the owner of an Incident X from another Incident Y

Resolved! XSOAR Qradar Integration Set Range Limit

Using IsRFC1918Address check on context in condition task

Resolved! Docker running as non-root, but hardening script fails?

[error 'open /proc/stat: too many open files']

Resolved! X out of X accounts returned an error during a multi-account request

FortiSEIM Integration - Auth Issues

Resolved! Field Trigger Script / Broswer Caching Issue?

XSOAR - How to pull file from context in playbook

XSOAR Dev to Prod - Builtin content repository

Still waiting on XSOAR Community Edition + Cortex XDR lab access

Result empty after using json2html script

Do we have XQL query builder feature in XSOAR

Where is the XSAOR 8 CLI Reference?

Re: Creating a custom command for XSOAR marketplace integration

Re: XSOAR Dev to Prod - Builtin content repository

Re: War Room Table to Layout view

Re: delay in a playbook

Unlock your full community experience!

Resolved! Incident Table Under Incidents; is there a way to change the default view for everyone

Resolved! Changing the owner of an Incident X from another Incident Y

Resolved! XSOAR Qradar Integration Set Range Limit

Resolved! Docker running as non-root, but hardening script fails?

Resolved! X out of X accounts returned an error during a multi-account request

Resolved! Field Trigger Script / Broswer Caching Issue?