08-22-2024 06:42 AM
Hi everyone! How are you? I have a problem with the integration of Sentinel One from XSOAR: in Sentinel I have a few rules for some incidents. One rule closes the incident as soon as it is discovered by the platform, that is, the incident is created on the platform and the rule that closes it is executed automatically. I can summarize the problem in a photo: as you will see, the incident is created and instantly taken by our XSOAR, before the automatic closing rule can be executed in Sentinel. This is very strange, since from XSOAR we have a job that runs every 7 minutes; is it possible that it runs right at the moment the incident is created in Sentinel One? Has something similar happened to anyone else? Thank you very much in advance and stay well.
08-22-2024 10:00 AM
Hmmm, TBH it sounds weird to me; I mean, the chance of overlapping at exactly that time with Sentinel is, I think, very small.
Try to set the log level on the integration instance to "debug" (see screenshot below), and after you see the same behaviour, download the log bundle and check the file integration-instance.log; it contains only logs from integrations with level "debug".
08-22-2024 08:34 AM
Do you use XSOAR 6 or XSOAR 8? In general I would recommend setting the log level on the integration instance to debug and checking the logs of the integration (application-instance.log for X6 and the Integrations log menu in X8); it could shed some light on what's happening. Also, am I right that you have mirroring enabled and configured in both directions in XSOAR with Sentinel One?
08-22-2024 09:48 AM
Hi, thanks for the fast answer. I have XSOAR 6.12 on premise and don't have mirroring because I don't use the Fetch Incidents feature. It's a job that runs a playbook, and in this playbook I make a GET request to our Sentinel. The process is: one job runs every 7 minutes, does a GET to Incidents in Sentinel (searching for New incidents), and if it finds a new incident, creates it in our incident management platform and finishes. This is why it seems strange to me. The situation in the previous photo has already happened several times. Could it be that chance is not on my side in these cases? (Sorry for the poor English, I am from Argentina LOL)
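The job described in the post above is a fixed-interval poller, and a fixed-interval poller will occasionally fire inside the short window between an incident being created and the auto-close rule finishing, no matter how unlikely a single collision feels. The following is an added example, not code from the poster, from XSOAR or from SentinelOne: it models the 7-minute poll against a short auto-close delay to show how often the overlap is expected, and then shows the usual defensive fix for the playbook step that selects incidents to ticket: only pick up "new" incidents older than a grace window, and remember ids already ticketed so a later poll cannot create a duplicate. The incident field names (id, status, createdAt), the sample incidents and the close delay are constructed assumptions for this example, not the SentinelOne API schema.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of what the playbook's GET for "new" incidents might return.
# The field names (id, status, createdAt) are assumptions for this example, not the
# SentinelOne API schema.
SAMPLE_INCIDENTS = [
    {"id": "inc-1", "status": "new",      "createdAt": "2024-08-22T09:41:58Z"},  # created 2 s ago
    {"id": "inc-2", "status": "new",      "createdAt": "2024-08-22T09:30:00Z"},  # old enough to ticket
    {"id": "inc-3", "status": "resolved", "createdAt": "2024-08-22T09:20:00Z"},  # already auto-closed
    {"id": "inc-4", "status": "new",      "createdAt": "2024-08-22T09:25:00Z"},  # ticketed on an earlier run
]


def parse_ts(value):
    """Parse a UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def poll_hits_race_window(created, close_delay_s, poll_period_s, first_poll):
    """Return True if a poll on the schedule first_poll, first_poll + period, ...
    fires after the incident is created but before the auto-close rule (assumed to
    take close_delay_s seconds) has finished."""
    elapsed = (created - first_poll).total_seconds()
    period = timedelta(seconds=poll_period_s)
    if elapsed < 0:
        t = first_poll                      # schedule starts after the incident exists
    else:
        t = first_poll + int(elapsed // poll_period_s) * period  # last poll at or before creation
        if t < created:
            t += period                     # first poll strictly after creation
    return t < created + timedelta(seconds=close_delay_s)


def race_probability(close_delay_s, poll_period_s):
    """Expected fraction of incidents a fixed-interval poller sees before the
    auto-close rule runs, if creation times are spread uniformly over the period."""
    return close_delay_s / poll_period_s


def select_incidents_to_ticket(incidents, now, grace_s, already_seen=frozenset()):
    """Return the ids the job should create in the incident-management platform.

    Skipped: incidents that are no longer 'new', incidents younger than the grace
    window (the auto-close rule may not have run yet), and ids ticketed on an
    earlier run (so re-polling the same incident never creates a duplicate)."""
    selected = []
    for inc in incidents:
        if inc["status"] != "new":
            continue
        if inc["id"] in already_seen:
            continue
        if (now - parse_ts(inc["createdAt"])).total_seconds() < grace_s:
            continue
        selected.append(inc["id"])
    return selected


if __name__ == "__main__":
    now = parse_ts("2024-08-22T09:42:00Z")
    print("without grace window:", select_incidents_to_ticket(SAMPLE_INCIDENTS, now, 0))
    print("with 2 min grace, inc-4 already seen:",
          select_incidents_to_ticket(SAMPLE_INCIDENTS, now, 120, {"inc-4"}))
    print("expected collision rate, 5 s close vs 7 min poll: %.3f" % race_probability(5, 420))
```

With a 5-second auto-close and a 7-minute poll, roughly one incident in eighty is expected to be picked up before the rule closes it, so seeing it "several times" is consistent with plain scheduling overlap rather than a bug. The grace window should be longer than the slowest observed auto-close, and the already-seen set would normally be persisted (for example in a list or context key) between playbook runs.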
08-23-2024 06:36 AM
Hi, I set the instances to Debug; now I am waiting for the next overlap, ha. Thanks for the help, I hope you have a good weekend.