File upload from XSOAR war room to Sentinel watchlist

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

File upload from XSOAR war room to Sentinel watchlist

L0 Member

Hi, 

 

Newbie to Xsoar and working on an automation when a csv file is uploaded to war room, it should upload the csv to Azure Sentinel watchlist.  From what I understand, I can do this by grabbing the file entry id of the latest file uploaded and then using the entry id upload it to Sentinel watchlist.

 

  1. Is there a better way to do this ?
  2. If no to the above question, what are the commands I can use to get the file entry id of the recent file uploaded

 

Thank you !!

 

 

 

 

 

 

 

1 accepted solution

Accepted Solutions

L3 Networker

Hello I a not familiar with the Azure Sentinel but I am sure the process is the same for most integrations. 

Firstly use the Variable ${File.EntryID} that appears in the context when the file is added. What I recommend is to create a test incident to see how this feature works. If you have multiple files then it can make things confusing so I would recommend saving this EntryID in a different location when It is added to the XSOAR incident. Or, you could try tagging it and then querying the context but this can be a bit of over-kill. Another option is to loop over all the files in context using the variable ${File.[].EntryID}, notice the empty brackets allowed all the nested json to be iterated over like a loop and then specificy the pre-determined name of  what you want. 

 

To Be honest there are many options. Please elaborate some more including the playbook segment so that I can provide you a more direct solution to your issue. 

 

Many thanks, 

MR

P.S. The Attached picture shows how the file is laid out in the context. 

 

michaelsysec242_0-1677593439553.png

 

PCSAE

View solution in original post

2 REPLIES 2

L3 Networker

Hello I a not familiar with the Azure Sentinel but I am sure the process is the same for most integrations. 

Firstly use the Variable ${File.EntryID} that appears in the context when the file is added. What I recommend is to create a test incident to see how this feature works. If you have multiple files then it can make things confusing so I would recommend saving this EntryID in a different location when It is added to the XSOAR incident. Or, you could try tagging it and then querying the context but this can be a bit of over-kill. Another option is to loop over all the files in context using the variable ${File.[].EntryID}, notice the empty brackets allowed all the nested json to be iterated over like a loop and then specificy the pre-determined name of  what you want. 

 

To Be honest there are many options. Please elaborate some more including the playbook segment so that I can provide you a more direct solution to your issue. 

 

Many thanks, 

MR

P.S. The Attached picture shows how the file is laid out in the context. 

 

michaelsysec242_0-1677593439553.png

 

PCSAE

L0 Member

this helps. The ${File.[].EntryID} sounds good and further narrowed it down on time based condition

  • 1 accepted solution
  • 1762 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!