Question Regarding Mirroring Integration In Cortex XSOAR


L1 Bithead

I have a couple of questions regarding mirroring in Cortex XSOAR, which are listed below.

1. Is it possible to change the status of the XSOAR incident from Pending to Active in the get-remote-data command? I have checked a couple of mirroring integrations (e.g. ServiceNow v2, XSOAR Mirroring) and they only close the XSOAR incident once the remote incident is closed. But I did not find any logic to change the state of the XSOAR incident from Pending to Active. So, is it not possible in XSOAR?

2. After the incident creation, when I see the value of dbotMirrorLastSync, it is something in the past like 0001-01-01T00:00:00Z. But the first time the get-remote-data command is called, the value I'm getting is not this one (it mostly looks like the incident creation time), and due to that I'm not able to add the previous entries. Is this expected behavior? Or should I get 0001-01-01T00:00:00Z the first time in the get-remote-data command as the value for lastUpdate?

3. Another issue I am facing is that when I add a note in the XSOAR incident, the update-remote-system command is not triggered, and if it does get triggered then I do not see the entry I added in UpdateRemoteSystemArgs. Is it that I am doing something wrong?

4. The last one is, I want to know about mirroring tags. I have referred to the official XSOAR documentation about mirroring, but did not find anything that explains the importance of mirror tags. If you could explain that briefly, that would be very helpful.


L4 Transporter

Hi @Harsh-Panchal,

1. XSOAR's incident state field is used to signify the different engagement states of the investigation. The field is not used inside the mapper and so is not affected by changes to the remote ticket. You can engage a dummy playbook in the incident type with "Run playbook automatically" set to true to ensure the state is changed from Pending to Active when the incident is created.

[screenshot]

2. The 0001-01-01T00:00:00Z value means that the sync has not yet run or, in some cases, that it ran but failed. Not sure what you mean by "due to that I'm not able to add the previous entries".

3. Note that this feature is not supported for all mirroring integrations. For ServiceNow, you need to ensure that the note or entry is tagged correctly. You can configure which tags to pick up inside the integration, like below.

[screenshot]

4. Not sure I understand. Does this refer to point 3?
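As an added example, not code from this thread or from any XSOAR content pack, the following plain-Python stand-ins for the two command handlers discussed above show how lastUpdate (including the year-0001 "never synced" value) is used to pick up only new remote comments, how closing the XSOAR incident is requested with a dbotIncidentClose entry rather than by touching the state field, and why a note without the configured mirror tag never reaches the remote ticket. The ticket store, entry layouts, timestamps and the tag name "comments" are constructed; in a real integration the arguments arrive through CommonServerPython's GetRemoteDataArgs and UpdateRemoteSystemArgs and the ticket store is the remote system's API.

```python
from datetime import datetime, timezone

# Constructed sample remote ticket store; a real integration would call the
# ticketing system's API here instead.
REMOTE_TICKETS = {
    "INC001": {
        "state": "closed",
        "close_reason": "Resolved",
        "comments": [
            {"ts": "2023-01-20T10:00:00Z", "text": "Triage started"},
            {"ts": "2023-01-24T09:00:00Z", "text": "Closed after review"},
        ],
    },
}
NEVER_SYNCED = "0001-01-01T00:00:00Z"  # dbotMirrorLastSync before the first sync


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def get_remote_data(remote_id: str, last_update: str, tickets=REMOTE_TICKETS) -> dict:
    """Stand-in for a get-remote-data handler: returns the mirrored fields
    and the entries XSOAR should append to the incident."""
    ticket = tickets[remote_id]
    since = parse_ts(last_update)
    # Only comments newer than lastUpdate are returned, so re-running the
    # command does not duplicate entries; the year-0001 sentinel returns all.
    entries = [{"Type": 1, "Contents": c["text"], "Note": True}
               for c in ticket["comments"] if parse_ts(c["ts"]) > since]
    if ticket["state"] == "closed":
        # Closing the XSOAR incident is requested through this special entry;
        # the incident's Pending/Active state is not changed by mirroring.
        entries.append({"Type": 1, "ContentsFormat": "json",
                        "Contents": {"dbotIncidentClose": True,
                                     "closeReason": ticket["close_reason"]}})
    return {"mirrored_object": {"id": remote_id, "state": ticket["state"]},
            "entries": entries}


def update_remote_system(remote_id: str, entries: list, mirror_tag: str,
                         tickets=REMOTE_TICKETS) -> list:
    """Stand-in for an update-remote-system handler: only entries carrying
    the instance's configured mirror tag are pushed to the remote ticket."""
    pushed = []
    for entry in entries:
        if mirror_tag in entry.get("tags", []):  # untagged notes are skipped
            tickets[remote_id]["comments"].append(
                {"ts": entry["ts"], "text": entry["contents"]})
            pushed.append(entry["contents"])
    return pushed
```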
