02-22-2023 10:27 PM
Hi,
Newbie to XSOAR and working on an automation: when a CSV file is uploaded to the war room, it should upload the CSV to an Azure Sentinel watchlist. From what I understand, I can do this by grabbing the file entry ID of the latest file uploaded and then using the entry ID to upload it to the Sentinel watchlist.
Thank you!!
A
02-28-2023 06:15 AM
Hello, I am not familiar with Azure Sentinel, but I am sure the process is the same for most integrations.
Firstly, use the variable ${File.EntryID} that appears in the context when the file is added. What I recommend is to create a test incident to see how this feature works. If you have multiple files then it can make things confusing, so I would recommend saving this EntryID in a different location when it is added to the XSOAR incident. Or, you could try tagging it and then querying the context, but this can be a bit of overkill. Another option is to loop over all the files in context using the variable ${File.[].EntryID}; notice the empty brackets allow all the nested JSON to be iterated over like a loop, and then specify the pre-determined name of what you want.
To be honest, there are many options. Please elaborate some more, including the playbook segment, so that I can provide you a more direct solution to your issue.
Many thanks,
MR
P.S. The attached picture shows how the file is laid out in the context.
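An added example, not part of the original thread or of any XSOAR content pack: one way to pick the newest CSV from the `File` context before passing its EntryID to a watchlist upload. It assumes EntryIDs have the form `<entry number>@<incident id>` with the entry number increasing as files are added, and that `File` is a single object when only one file exists; the function names and sample data are hypothetical.

```python
# Added example: choose the newest CSV from the XSOAR "File" context.
from typing import Optional, Union


def _entry_number(entry_id: str) -> int:
    """Assumption: EntryID looks like '<n>@<incident id>' and n grows over time."""
    head = entry_id.split("@", 1)[0]
    return int(head) if head.isdigit() else -1


def latest_csv_entry_id(file_ctx: Union[dict, list, None]) -> Optional[str]:
    """Return the EntryID of the most recently added .csv file, or None."""
    if not file_ctx:
        return None
    # With a single file the context key holds a dict, with several a list.
    files = [file_ctx] if isinstance(file_ctx, dict) else list(file_ctx)
    # Only accept entries that have an EntryID and a .csv name, so an
    # unrelated attachment is never sent to the watchlist by mistake.
    csvs = [
        f for f in files
        if isinstance(f, dict)
        and f.get("EntryID")
        and str(f.get("Name", "")).lower().endswith(".csv")
    ]
    if not csvs:
        return None
    return max(csvs, key=lambda f: _entry_number(str(f["EntryID"])))["EntryID"]


# Constructed sample context (not taken from a real incident).
SAMPLE_FILES = [
    {"EntryID": "12@345", "Name": "watchlist_old.csv", "Extension": "csv"},
    {"EntryID": "27@345", "Name": "notes.txt", "Extension": "txt"},
    {"EntryID": "31@345", "Name": "Watchlist_New.CSV", "Extension": "CSV"},
]

if __name__ == "__main__":
    print(latest_csv_entry_id(SAMPLE_FILES))
```

Inside an automation the input would come from `demisto.context().get("File")`; a `None` result is the cue to stop the playbook branch rather than call the upload command.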
02-28-2023 08:28 PM
This helps. The ${File.[].EntryID} sounds good, and I further narrowed it down on a time-based condition.