XSOAR RSS integration not fetching updated feed content

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

XSOAR RSS integration not fetching updated feed content

L0 Member

We have configured the RSS integration in the community supported RSS content pack (https://xsoar.pan.dev/marketplace/details/RSS) to ingest CISA NCAS alerts as incidents for our threat intel teams to investigate.  This is using the public feed at https://www.cisa.gov/uscert/ncas/alerts.xml


The integration appears to fetch incidents correctly the first time it runs.  However, when the feed is updated, the new incidents are not ingested.  I've enabled debug and can see in the logs that it's running, but it doesn't seem to detect the new feed entries.  If I clear the last run timestamp, it runs and creates new incidents for the entire feed. 

I'm planning on duplicating the integration and throwing some debug lines in it to get a better handle on what might be causing it.  However, I just wanted to see if anyone has encountered something similar with this integration and might be able to guide me in the right direction.


L2 Linker

I added an instance for CISA to my environment and it only pulled 10 items the first time. It looks like on the preceding pulls, it's not clearing the number of fetches from the first time, it's only updating the timestamp even though it didn't actually find anything new from the feed. 

  • 1 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!