Custom Data Storage


L1 Bithead

Hello,

Is there a way to store custom data elsewhere than in incidents? I succeeded in "Lists" but it appears that the maximum list size is 209715 characters ==> https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.9/Cortex-XSOAR-Administrator-Guide/Lists

Does XSOAR have a functionality like Data Tables, or whatever, which could allow us to store any kind of custom data, outside of incidents?

Many thanks in advance for your reply and Best Regards,
Thomas Nicolas


4 REPLIES

L2 Linker

I am not sure I understand the reasoning behind the ask. Incident data, if stored in incident fields, is searchable by default. You can always generate reporting and other metrics based off those if the goal is reporting.

If you are looking to host indicator data, you have EDL as an option (look at the generic export indicators service integration).

Just for storing generic white list stuff, lists is the option.

You can also store some long generic data or a lookup table for stuff like inventory management; you can use other sources like ServiceNow, for example, and query to fetch a specific record. It is hard to make a recommendation without knowing what you mean by "custom data" and what it is that you are trying to achieve.

Hello,

Many thanks for your reply. The data I am trying to store in XSOAR is reporting data. I retrieve specific JSON which I would like to share via the Widget menu... It can be the number of endpoints available, a specific EDR version... and so many more examples...

Let's say I want to store very specific custom data; I am just wondering if I would be able to store it elsewhere than in incident data or "Lists"... Actually, I am wondering if I could use Global Context Data to store any data, because I do not want to use incidents for that reporting data...

Regards,
Thomas Nicolas

Hi,

For global context, lists is the option in XSOAR. However, for the examples you outlined, many of those can be done in widgets by using incident fields already, and that's a much more efficient way of doing it without having to create redundant data.

For example, if you want to generate a widget based on incidents created by certain endpoints, versions of EDRs, etc., if you have those mapped to an incident field, you can simply do a query to fetch those incidents, like type:"Endpoint alerts", and in the operations tab of the widget builder, group by and choose the fields you want to group those by (endpoint hostname, EDR version, etc.).

L1 Bithead

Many Thanks for your reply and Kind Regards
