Cortex XSOAR Discussions
Cortex XSOAR enables SOC analysts to manage alerts across all sources, standardize processes with playbooks, take action on threat intel, and automate response for any security use case.

Discussions

8.9 On-prem Install Documentation Confusion

Hello, I'm trying to install our extra-small single server on-prem 8.9 XSOAR and ran into some confusion with the documentation. I didn't see a way to report the issue elsewhere so I thought it might be helpful here. https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.9/Cortex-XSOAR-On-prem-Documentation/Install-Cortex-XSOAR-on-a-VM-deploye...

sackett by L1 Bithead
  • 820 Views
  • 1 replies
  • 0 Likes

XSOAR - Transform Language

Hello everyone, I would like to ask how to get the user.name value from this context data. I tried using the syntax ${incident.labels.user.name}, but it didn’t work. Here's the context structure: { incident: { ... labels: { user.name: "john doe", ... } ... } } Any suggestions?

G.Anshar by L1 Bithead
  • 1329 Views
  • 2 replies
  • 0 Likes

Changing Multiple Docker Images at once

Hey, we are offline users. We updated from 6.12 -> 6.14. Then, after the update, the docker images changed, and it's causing a lot of ": Script failed to run: failed to pull docker Image "demisto/python 3:3.11.10.113941". Now, to fix it, I need to change the docker image one by one (detach, change, reattach). I want to know if it is possible to change...

NivNet by L1 Bithead
  • 931 Views
  • 2 replies
  • 0 Likes

Download from War Room

Is there a script or command line call that can be used to download an entry from the War Room? I have a script assigned to a button that generates a report and the report download is then entered into a War Room entry when executed/generated. I am looking for a method to code the download of the report automatically and not have to go to th...

B.Palmer by L0 Member
  • 776 Views
  • 1 replies
  • 0 Likes

DR to DC failover completed; DR acts as backup server as expected, but in DR the "Make this the production server" option is not greyed out

Hi Team, the customer has done the DR to DC failover, but the DR backup server has the "Make this the production server" tab enabled in blue. The client is pointing out that the option should be disabled. If it is enabled, any person can make the backup server production if the link is active, without making any changes at the DC XSOAR GUI. This is critical. Any suggesti...

Configure notification email on new incident

Hello, I would like to enable email notifications for every new incident. I've configured an O365 EWS instance successfully, and set server.notification.using.send-mail to use its instance name. For now, I just want all notifications to be sent to a single email address. I noticed there's an option to configure preferences in the user prof...

M.Nayet by L0 Member
  • 509 Views
  • 0 replies
  • 0 Likes

How do I send an alert to XSOAR?

I see the classify, map and playbook logic in XSOAR and I see that a playbook can ask/pull/poll for info *from* an external tool, which might be done through an integration. But is there a way for an external tool to asynchronously *send/push* an *alert* (not incident) to XSOAR and have XSOAR receive the alert in real time? I can send new *inc...

Obtaining Whois Information for a List of IPs

I'm trying to perform whois queries on an array that contains the list of IPs. My understanding is that I can pass the array to the Inputs of the "ip (whois)" script. However, since there are over 1000 IPs, submitting them all at once results in an error. Is there a way to split the array into chunks of 50? I was considering using Transformers...

R.Henmi by L0 Member
  • 875 Views
  • 1 replies
  • 0 Likes

Automating SLA in XSOAR with Reminders and Reset on Updates

Hi team! First of all, thank you very much in advance for your help. I want to add an SLA to an incident in XSOAR so that if the SLA is breached, the incident is automatically closed. In theory, this is straightforward to implement by setting a timer, a task with a tag, and an automation to close the incident, as specified in the videos and ...

F.Otero by L1 Bithead
  • 3739 Views
  • 2 replies
  • 1 Likes
  • 1302 Posts
  • 45 Subscriptions