How to prevent IOCs and Incident Cases from being created when running playbooks

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

How to prevent IOCs and Incident Cases from being created when running playbooks

L2 Linker

Hi,

 

I was making 2 playbooks.

In the first playbook, after creating the same I scheduled it as a job. Each time the job runs, it creates a incident case. How do I prevent the incident case from being created when the job runs?

 

In the second playbook, I was creating playbook which pulls MISP feeds which I want to send to another solution. Since it is pulling feeds containing IOCs, it is creating indicators in the Threat Intel section. I do not want the IOCs from the feeds to be added to the Threat Intel section. I just want to pull the IOCs from the feeds and send the same to the external solution. How can I do this?

 

Thanks in advance.

 

1 accepted solution

Accepted Solutions

L5 Sessionator

Hi @pottapitot, every job run creates a new incident. This cannot be stopped. There might be other work arounds available. You could looks at using a scheduled command to run the !setPlaybook command every X minutes. This would mimic the job run but consume a single incident ID. 

 

Regarding your second question, indicator extraction is enabled by default on XSOAR. As a part of best practises we recommend disabling it. You should disable it at a platform level and allow extraction on a specific task or command level. For more information refer - https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-8/cortex-xsoar-admin/manage-indicators/auto-...

 

To disable it I would recommend adding the below server configs with the value set to 1 (Refer above link for possible values):-

 - reputation.calc.algorithm

 - reputation.calc.algorithm.fields.change

 - reputation.calc.algorithm.tasks

 - reputation.calc.algorithm.manual

 

You can then override the above by forcing extraction:-

1. At CLI - Add auto-extract= to the end of a command

2. At Task - Edit Task -> Advanced -> Indicator Extraction Mode - Refer

3. At Field\Incident - Settings -> Object Setup -> Incidents -> Type -> <Incident Type> -> Indicator Extraction Rules - Refer

 

View solution in original post

1 REPLY 1

L5 Sessionator

Hi @pottapitot, every job run creates a new incident. This cannot be stopped. There might be other work arounds available. You could looks at using a scheduled command to run the !setPlaybook command every X minutes. This would mimic the job run but consume a single incident ID. 

 

Regarding your second question, indicator extraction is enabled by default on XSOAR. As a part of best practises we recommend disabling it. You should disable it at a platform level and allow extraction on a specific task or command level. For more information refer - https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-8/cortex-xsoar-admin/manage-indicators/auto-...

 

To disable it I would recommend adding the below server configs with the value set to 1 (Refer above link for possible values):-

 - reputation.calc.algorithm

 - reputation.calc.algorithm.fields.change

 - reputation.calc.algorithm.tasks

 - reputation.calc.algorithm.manual

 

You can then override the above by forcing extraction:-

1. At CLI - Add auto-extract= to the end of a command

2. At Task - Edit Task -> Advanced -> Indicator Extraction Mode - Refer

3. At Field\Incident - Settings -> Object Setup -> Incidents -> Type -> <Incident Type> -> Indicator Extraction Rules - Refer

 

  • 1 accepted solution
  • 2165 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!