Integration Sentinel One <> XSOAR


L1 Bithead

Hi everyone! How are you? I have a problem with the integration of Sentinel One from XSOAR. In Sentinel I have a few rules for some incidents. One rule closes the incident as soon as it is discovered by the platform, that is, the incident is created on the platform and the rule that closes it is automatically executed. I can summarize the problem in a photo: as you will see, the incident is created and instantly taken by our XSOAR, before the automatic closing rule can be executed in Sentinel. This is very strange, since from XSOAR we have a job that runs every 7 minutes. Is it possible that it runs right at the moment the incident is created in Sentinel One? Has something similar happened to anyone else? Thank you very much in advance and stay well.

Screenshot 2024-08-22 102854.png


L2 Linker

Do you use XSOAR 6 or XSOAR 8? In general I would recommend setting the log level on the integration instance to debug and checking the integration logs (application-instance.log for X6 and the Integrations log menu in X8); it could shed some light on what's happening. Also, am I right that you have mirroring enabled and configured in both directions in XSOAR with Sentinel One?

Hi, thanks for the fast answer. I have XSOAR 6.12 on premise and don't have mirroring because we don't use the Fetch Incident feature. It's a job that runs a playbook, and in this playbook I make a GET request to our Sentinel. The process is: one job runs every 7 minutes, does a GET to Incidents in Sentinel (searching for New incidents), and if it finds a new incident, creates it in our incident management platform and finishes. This is why it seems strange to me. The situation in the previous photo has already happened several times. Could it be that chance is not on my side in these cases? (Sorry for the poor English, I am from Argentina LOL)
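To put numbers on the overlap described in this thread, here is an added example (not code from the thread or from the XSOAR/SentinelOne integration): it estimates how often a 7-minute poller will see an incident before an auto-close rule has run, and contrasts the job's "forward everything in status New" filter with one that waits a settle window before trusting the status. Field names, the "Resolved" status and the sample incidents are constructed assumptions, not the SentinelOne API schema.

```python
from datetime import datetime, timedelta, timezone

# From the thread: the XSOAR job polls SentinelOne every 7 minutes.
POLL_INTERVAL = timedelta(minutes=7)
# Assumption: how long we let SentinelOne's automatic rules settle before
# trusting an incident's status. Set it above the slowest auto-close rule.
SETTLE_WINDOW = timedelta(minutes=2)


def overlap_probability(rule_delay: timedelta, poll_interval: timedelta = POLL_INTERVAL) -> float:
    """Share of incidents the poller can observe before an auto-close rule that
    needs `rule_delay` has run, assuming creation times are uniformly spread
    relative to the poll schedule. A 30 s rule against a 7 min poll gives ~7%."""
    return min(1.0, rule_delay / poll_interval)


def expected_overlaps_per_day(incidents_per_day: int, rule_delay: timedelta) -> float:
    """Rough count of incidents per day that reach XSOAR before SentinelOne closes them."""
    return incidents_per_day * overlap_probability(rule_delay)


def select_naive(incidents: list[dict]) -> list[str]:
    """What the job in the thread does: forward everything currently in status New."""
    return [inc["id"] for inc in incidents if inc["status"] == "New"]


def select_settled(incidents: list[dict], now: datetime, settle_window: timedelta = SETTLE_WINDOW) -> list[str]:
    """Same filter, but skip incidents younger than the settle window; they are
    picked up by the next poll if no rule has closed them by then."""
    picked = []
    for inc in incidents:
        created = datetime.fromisoformat(inc["createdAt"])
        if inc["status"] == "New" and now - created >= settle_window:
            picked.append(inc["id"])
    return picked


# Constructed sample data: illustrative only, not SentinelOne's real incident format.
POLL_TIME = datetime(2024, 8, 22, 10, 28, tzinfo=timezone.utc)
SAMPLE_INCIDENTS = [
    {"id": "inc-1", "status": "New", "createdAt": "2024-08-22T10:27:50+00:00"},  # 10 s old, rule not yet run
    {"id": "inc-2", "status": "New", "createdAt": "2024-08-22T10:20:00+00:00"},  # 8 min old, genuinely open
    {"id": "inc-3", "status": "Resolved", "createdAt": "2024-08-22T10:21:00+00:00"},  # already auto-closed
]

if __name__ == "__main__":
    print("naive:    ", select_naive(SAMPLE_INCIDENTS))  # ['inc-1', 'inc-2']
    print("settled:  ", select_settled(SAMPLE_INCIDENTS, POLL_TIME))  # ['inc-2']
    print("next poll:", select_settled(SAMPLE_INCIDENTS, POLL_TIME + POLL_INTERVAL))  # ['inc-1', 'inc-2']
    print(f"expected overlaps/day: {expected_overlaps_per_day(100, timedelta(seconds=30)):.1f}")  # 7.1
```

The settle window trades a few minutes of ingestion latency for not creating tickets that SentinelOne is about to close itself; the debug logs suggested below will show the actual creation-to-poll gap, which is what the window has to exceed.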

L2 Linker (accepted solution)

hmmm TBH this sounds weird to me; I mean, the chance of overlapping with Sentinel at exactly that time is, I think, very small.

Try setting the log level on the integration instance to "debug" (see screenshot below), and after you see the same behaviour again, download the log bundle and check the file integration-instance.log; it contains only logs from integrations with level "debug".

vmikhailov_0-1724345880317.png

Hi, I set the instances to Debug, now I am waiting for the next overlap ha. Thanks for the help, I hope you have a good weekend.
