06-22-2022 09:51 AM
Hi,
I was making 2 playbooks.
In the first playbook, after creating it I scheduled it as a job. Each time the job runs, it creates an incident case. How do I prevent the incident case from being created when the job runs?
In the second playbook, I was creating a playbook which pulls MISP feeds which I want to send to another solution. Since it is pulling feeds containing IOCs, it is creating indicators in the Threat Intel section. I do not want the IOCs from the feeds to be added to the Threat Intel section. I just want to pull the IOCs from the feeds and send the same to the external solution. How can I do this?
Thanks in advance.
06-22-2022 05:53 PM
Hi @pottapitot, every job run creates a new incident. This cannot be stopped. There might be other workarounds available. You could look at using a scheduled command to run the !setPlaybook command every X minutes. This would mimic the job run but consume a single incident ID.
Regarding your second question, indicator extraction is enabled by default on XSOAR. As a part of best practices we recommend disabling it. You should disable it at a platform level and allow extraction on a specific task or command level. For more information refer to https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-8/cortex-xsoar-admin/manage-indicators/auto-...
To disable it I would recommend adding the below server configs with the value set to 1 (refer to the above link for possible values):
- reputation.calc.algorithm
- reputation.calc.algorithm.fields.change
- reputation.calc.algorithm.tasks
- reputation.calc.algorithm.manual
You can then override the above by forcing extraction:
1. At CLI - Add auto-extract= to the end of a command
2. At Task - Edit Task -> Advanced -> Indicator Extraction Mode - Refer
3. At Field\Incident - Settings -> Object Setup -> Incidents -> Type -> <Incident Type> -> Indicator Extraction Rules - Refer