Cortex XSOAR Discussions
Cortex XSOAR enables SOC analysts to manage alerts across all sources, standardize processes with playbooks, take action on threat intel, and automate response for any security use case.
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Cortex XSOAR Discussions
Cortex XSOAR enables SOC analysts to manage alerts across all sources, standardize processes with playbooks, take action on threat intel, and automate response for any security use case.
About Cortex XSOAR Discussions
Cortex XSOAR enables SOC analysts to manage alerts across all sources, standardize processes with playbooks, take action on threat intel, and automate response for any security use case.

Discussions

QRadar Integration Magnitude Query not returning expected results

Got a QRadar integration. It's suppose to pull back offenses with magnitude > 4 However, our metrics are much higher than what the client expects.When reviewing this case got pulled into XSOAR:However, when exporting QRadar, the incident has the following: In the second column you can see magnitude has a value of 2; so in theory I don't think...

jboyd98_0-1648657803907.png
jboyd98_1-1648657953036.png
jboyd98 by L2 Linker
  • 3463 Views
  • 3 replies
  • 0 Likes

Alerts are not fetched within time from QRadar

Hello Everyone, Yesterday, I have observed delayed in offenses which comes from QRadar into XSOAR. I am confused with this type of behavior from XSOAR. Offense which is triggered in QRadar : 29-03-2022 23:00PMSame offense/Alerts is created in XSOAR : 30-03-2022 03:00AM Please check and suggest anything with respect to configuration and all. Cort...

Priyash7 by L0 Member
  • 2349 Views
  • 1 replies
  • 0 Likes

Resolved! Incidents Mass / Multiple "Close" button, field trigger script

Workflow:From the Incidents page / table, select multiple incidents.Click the "Close" button that allows closing multiple incidents at one time.My close form comes up. I have a field trigger script on one of the fields.It doesn't look like that field trigger script is running for any of the incidents selected. For the field trigger script, does...

JoshBoyd by L2 Linker
  • 9256 Views
  • 7 replies
  • 0 Likes

Resolved! ScriptA not calling ScriptB as expected

I have some automation that I'm working on and I am not seeing the expected results. I broke the script down into the following simple version. ScriptA which is:demisto.executeCommand("ScriptB", {})ScriptB which is:return_results("ScriptB Called")when I run ScriptA, is there a reason ScriptB would not write to the war room?

jboyd98 by L2 Linker
  • 3492 Views
  • 3 replies
  • 0 Likes

Splunk custom index not getting incident in xsoar

I am using splunk 60 day free trial non-enterprise edition and created a new custom index in splunk and manually added a sample event csv format file in the new index and all date is 2 days ago sample datasplunk integration with xsoar does not generate any incident, is there a configuration and timestamp problem?

Screen Shot 2022-03-11 at 1.33.40 PM.png
Screen Shot 2022-03-11 at 1.34.28 PM.png
Screen Shot 2022-03-11 at 1.37.39 PM.png

XSOAR test/free license - Paloalto ignoring a request from customer

I have tried to request test/free license of XSOAR using web form - (https://start.paloaltonetworks.com/sign-up-for-community-edition.html). Completely ignored. Then I asked for support - they pointed out to local rep. Local rep can do nothing, they claimed that it seems that PA do not issue that license for European countries. We have been lon...

error Couldn't calc cores number [error 'open /proc/stat: too many open files']

Recently had some performance problems reported from my xsoar users.Found a tenant crashing. Upon investigating I found the following error in the logs:App03 host:error Couldn't calc cores number [error 'open /proc/stat: too many open files']error Couldn't calc cores number [error 'open /proc/stat: too many open files'] I set this on APP03 las...

jboyd98_0-1646331590341.png
jboyd98_1-1646331827555.png
jboyd98_2-1646331889270.png
jboyd98 by L2 Linker
  • 2171 Views
  • 1 replies
  • 0 Likes

Default Admin Account sees more tenants where is SSO Administrator does not

Any thoughts on this -I use my SSO account which is an is in the Administrator role.I see 23 tenants. No filter on.My default admin account which is also in the administrator role shows 36. The tenants my SSO account seems to be missing seem are ones that are stopped (older accounts). Incognito window doesn't make a difference, tried hard relo...

jboyd98_1-1646679096093.png
jboyd98_0-1646679032918.png
jboyd98 by L2 Linker
  • 2088 Views
  • 1 replies
  • 0 Likes

Demo Data / Incidents

For purposes of demo'ing / mocking data for testing; how do you handle that.... Curious is there any import function to mock up incident data within XSOAR?

jboyd98 by L2 Linker
  • 2963 Views
  • 2 replies
  • 0 Likes

Resolved! XSOAR Qradar Integration Set Range Limit

Hi,I succeeded XSOAR integration with Qradar. But I keep getting timeout warnings. I solved this problem by entering parameter "--env=REQUEST_TIME OUT=1500". But I caught that the real problem is in the query. To give an example of this, I enter the first integration query as "status='OPEN' and id > 13061". Then XSOAR automatically changes th...

Using IsRFC1918Address check on context in condition task

Hi, I'm trying to use the condition to check if incident.destinationip is an public IP. But when selecting from context incident.destinationip and then IsRFC1918Address you need to fill in something in the right side. I checked the automation script and that should return True or False. But When testing the condition it always returns not matchi...

KevinThys_1-1646323874844.png

Resolved! Docker running as non-root, but hardening script fails?

Relatively new admin to XSOAR; previous admin has left.Just completed upgrade to latest 6.5 version.Could anyone help me understand the following:I have a service account that seems to run xsoar demisto server containers; used ps-ef|grep demisto and return a number of containers; "demisto" is the user below.demisto 32710 3808 0 10:56 ? ...

jboyd98_0-1646331218200.png
jboyd98 by L2 Linker
  • 3520 Views
  • 2 replies
  • 0 Likes
  • 1305 Posts
  • 45 Subscriptions