- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
We have configured the RSS integration in the community supported RSS content pack (https://xsoar.pan.dev/marketplace/details/RSS) to ingest CISA NCAS alerts as incidents for our threat intel teams to investigate. This is using the public feed at https://www.cisa.gov/uscert/ncas/alerts.xml .
The integration appears to fetch incidents correctly the first time it runs. However, when the feed is updated, the new incidents are not ingested. I've enabled debug and can see in the logs that it's running, but it doesn't seem to detect the new feed entries. If I clear the last run timestamp, it runs and creates new incidents for the entire feed.
I'm planning on duplicating the integration and throwing some debug lines in it to get a better handle on what might be causing it. However, I just wanted to see if anyone has encountered something similar with this integration and might be able to guide me in the right direction.
I added an instance for CISA to my environment and it only pulled 10 items the first time. It looks like on the preceding pulls, it's not clearing the number of fetches from the first time, it's only updating the timestamp even though it didn't actually find anything new from the feed.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!