This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Multiple Instances fetching VS. One instance and then claasify and post a new incident

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Multiple Instances fetching VS. One instance and then claasify and post a new incident

foteromartinez
L1 Bithead

‎11-13-2023 08:05 AM

Hi,

 

We've got an scenario where we are fetching mails from a mail server. When an email is received in the mail server, it applies some ruling and send it to a folder, then with XSOAR we've got N instances, one per folder and this is how we are classifying incidents and Use Cases.

 

While there we few folders, it seemed to be the right choice. But recently we've been growing on folders and thus on instances so we've been discussing which would be the approach.

 

Should we keep creating instances, one per folder? Oi isntead create one mail fetcher and the make the classification in XSOAR?

 

BR,

Fernando Otero

 

Cortex XSOAR #aws #fetching

Cortex XSOAR
Thumbnail of Cortex XSOAR
Palo Alto Networks
Cortex XSOAR
Security Operations
View on Product Page
0 Likes Likes
4 REPLIES 4

MBeauchamp2
L4 Transporter

‎11-16-2023 07:46 AM

Most of the email fetching integrations, for example this one for EWS (https://xsoar.pan.dev/docs/reference/integrations/ewso365) require the folder that you want to fetch from.

 

So in your case, you're doing it the right way where you have multiple instances, each pointing at their own folder. 

 

If you were using gmail (https://xsoar.pan.dev/docs/reference/integrations/gmail#configure-gmail-in-cortex-xsoar), then it uses a query instead of folders, so classification may apply there.   

0 Likes Likes

foteromartinez
L1 Bithead
In response to MBeauchamp2

‎11-17-2023 01:09 AM

Hi! 

 

First of all thanks a lot for your response! Is it the right choice even if we have more than 20 folders? Isn't it a bit high in computer usage?

 

BR!

0 Likes Likes

MBeauchamp2
L4 Transporter

‎11-17-2023 07:28 AM

Well it's the same amount of emails being fetched regardless right?   As I said depending on your integration, it might be the only way to do it.  

 

Also consider the opportunity to streamline your folders on the other side if possible. 

0 Likes Likes

gyldz
L4 Transporter

‎11-20-2023 02:14 AM

Hi @foteromartinez ,

I also want to add that depending on the integration and logic you apply while moving emails to different folders, you can also move the items to different folders using XSOAR. For example, EWS integration has the below command where you can use in a playbook. In this way, you would have less number of integration to maintain.

ews-move-item: Move an item to different folder in the mailbox.
ews-move-item-between-mailboxes: Moves an item from one mailbox to different mailbox.
 
0 Likes Likes
  • 1202 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks