This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Buy or Renew
Buy or Renew
Cortex XSOAR Discussions
Cortex XSOAR enables SOC analysts to manage alerts across all sources, standardize processes with playbooks, take action on threat intel, and automate response for any security use case.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Cortex XSOAR Discussions
Cortex XSOAR enables SOC analysts to manage alerts across all sources, standardize processes with playbooks, take action on threat intel, and automate response for any security use case.
About Cortex XSOAR Discussions
Cortex XSOAR enables SOC analysts to manage alerts across all sources, standardize processes with playbooks, take action on threat intel, and automate response for any security use case.

Discussions

Start a conversation

XSOAR - Transform Language

Hello everyone, I would like to ask how to get the user.name value from this context data.I tried using the syntax ${incident.labels.user.name}, but it didn’t work. Here's the context structure: { incident: { ... labels: { user.name: "john doe", ... } ... } } Any suggestions?

G.Anshar by L1 Bithead
  • 1287 Views
  • 2 replies
  • 0 Likes

Changing Multiple Docker Images at once

Hey, We are offline users We updated from 6.12 -> 6.14, Then after the update, the docker images changed, and it's causing a lot of ": Script failed to run: failed to pull docker Image "demisto/python 3:3.11.10.113941" Now, to fix it I need to change one by one (detach, change, reattach) docker image, I want to know if it possible to change...

NivNet by L1 Bithead
  • 893 Views
  • 2 replies
  • 0 Likes

Download from War Room

Is there a script or command line call that can be used to download an entry from the War Room? I have a script assigned to a button that generates a report and the report download is then entered into a War Room entry when executed/generated. I am looking for a method to code the download of the report automatically and not have to go to th...

BPalmer_0-1746569185023.png
B.Palmer by L0 Member
  • 740 Views
  • 1 replies
  • 0 Likes

DR to DC failover completed; DR acts as back up server as expected but in DR "Make this the production server option is not grey out"

Hi Team, The customer has did the DR to DC failover but DR backup server has " Make this the production server" tab enabled blue. The client pointing that the option show be disabled. If it is enabled, any person can make backup server as production if the link is active, without making any changes at DC XSOAR GUI. This is critical. Any suggesti...

Configure notification email on new incident

Hello, I would like to enable email notifications for every new incident. I've configured an O365 EWS instance successfully, and set server.notification.using.send-mail to use its instance name. For now, I just want all notifications to be sent to a single email address. I noticed there's an option to configure preferences in the user prof...

M.Nayet by L0 Member
  • 492 Views
  • 0 replies
  • 0 Likes

How do I send an alert to XSOAR?

I see the classify, map and playbook logic in XSOAR and I see that a playbook can ask/pull/poll for info *from* and external tool, which might be done through an integration. But is there a way for an external tool to aynchronously *send/push* an *alert* (not incident) to XSOAR and have XSOAR receive the alert in real time? I can send new *inc...

Obtaining Whois Information for a List of IPs

I'm trying to perform whois queries on an array that contains the list of IPs. My understanding is that I can pass the array to the Inputs of the "ip (whois)" script. However, since there are over 1000 IPs, submitting them all at once results in an error. Is there a way to split the array into chunks of 50? I was considering using Transformers...

R.Henmi by L0 Member
  • 848 Views
  • 1 replies
  • 0 Likes

Automating SLA in XSOAR with Reminders and Reset on Updates

Hi team! First of all, thank you very much in advance for your help. I want to add an SLA to an incident in XSOAR so that if the SLA is breached, the incident is automatically closed. In theory, this is straightforward to implement by setting a timer, a task with a tag, and an automation to close the incident, as specified in the videos and ...

F.Otero by L1 Bithead
  • 3664 Views
  • 2 replies
  • 1 Likes

Resolved! XSOAR 8 + Export Data to On-premise for Retention Compliance

Hello all, I have an XSOAR 8.+ tenant and need to store my incidents from up to two years ago. I understand that by default XSOAR retention policy retains incidents based on license etc. Is there a way to export the data that is half a year old to a cold storage on-premise archive and what are the expected egress costs of such an action? Many ...

Customize System Emails

I see there is documentation on customizing system emails: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Administrator-Guide/Customize-System-Emails I'm seeing placeholders such as {{ .username}} and {{ .invName}}. Where is the documentation on available placeholders that can be used?

  • 1300 Posts
  • 45 Subscriptions
Top Liked Authors
View All
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2026 - Palo Alto Networks