07-07-2025 01:29 AM
Hi there,
I have a use case where I need to import the incident file from one XSOAR to another XSOAR, in different environments, using PLAYBOOKS. Is there anyone who can advise if this is possible, and if so what are the steps needed?
07-07-2025 03:54 AM
Goal: Get an incident from XSOAR A (Source) into XSOAR B (Destination) via playbooks.

Core Idea: XSOAR A's playbook fetches incident data, then uses XSOAR A's "Cortex XSOAR REST API" integration (pointing to XSOAR B) to create a new incident in XSOAR B.

Steps:

1. API Key Setup:
   - Generate an API Key in XSOAR B (Destination).
   - In XSOAR A (Source), create a "Cortex XSOAR REST API" integration instance.
   - Configure this instance with XSOAR B's URL and the API Key generated from XSOAR B. Test connectivity.

2. Source XSOAR Playbook (Export/Send):
   - Trigger: Start this playbook on the incident you want to transfer.
   - Get Incident Data: Use getIncident to pull all incident details (name, type, severity, custom fields, etc.). Store this in context.
   - Prepare JSON: Format the collected incident data into a JSON object, mapping fields correctly (e.g., custom fields are lowercase, no spaces).
   - Send via API: Use the core-api-post command from the "Cortex XSOAR REST API" integration instance (configured for XSOAR B).
     - uri: /incident
     - body: The JSON object of your incident data.

3. Destination XSOAR (Receives & Processes):
   - The core-api-post call from Source XSOAR will automatically create a new incident in Destination XSOAR.
   - Optional Playbook (Post-Creation): If needed, create a playbook in Destination XSOAR that triggers on this newly created incident type. This playbook can:
     - Map incoming data to specific local custom fields if names differ.
     - Handle attachments (if you encoded and sent them).
     - Trigger further local investigation steps.

Key Tools:
- Cortex XSOAR REST API integration: For inter-XSOAR communication.
- getIncident command: To retrieve incident data in the source.
- core-api-post command: To send data and create the incident in the destination.

Brief Considerations:
- Permissions: API keys need Incidents (Read, Create, Edit) permissions.
- Field Mapping: Ensure consistent field names or transform them in the playbook.
- Deduplication: For repeated transfers, include a unique ID from the source to prevent duplicates in the destination.
- Attachments: Require special handling (download, encode, send, decode, attach).
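The "Prepare JSON" step and the Deduplication consideration above, as an added Python example (the language XSOAR automations are written in); this is not code from the answer or from XSOAR itself. The getIncident result shape, the STANDARD_FIELDS selection and the custom field name sourceincidentid are assumptions made for the example.

```python
"""Prepare the core-api-post body for the /incident endpoint.

Added example, not from the answer above or the XSOAR project. Assumes the
source incident is a dict shaped like a getIncident result (top-level fields
plus a "CustomFields" map) and that destination custom field names are
lowercase with no spaces. "sourceincidentid" is a constructed dedup field.
"""
import json
import re
from typing import Dict, Optional

# Top-level fields carried over unchanged (constructed selection). The
# destination assigns its own "id", so that key is deliberately excluded.
STANDARD_FIELDS = ("name", "type", "severity", "details", "labels", "occurred")

# Constructed sample, shaped like getIncident output on the source XSOAR.
SAMPLE_INCIDENT = {
    "id": "1234",
    "name": "Suspicious login",
    "type": "Account Compromise",
    "severity": 3,
    "details": "Multiple failed logins followed by a success",
    "CustomFields": {"sourcehostname": "wks-01", "Analyst Notes": "review"},
}


def to_custom_field_name(label: str) -> str:
    """Normalise a label such as 'Analyst Notes' to 'analystnotes'."""
    return re.sub(r"[^a-z0-9]", "", label.lower())


def build_incident_body(src: Dict, source_name: str,
                        field_map: Optional[Dict[str, str]] = None) -> Dict:
    """Return the JSON-serialisable body to POST to /incident on XSOAR B."""
    body = {k: src[k] for k in STANDARD_FIELDS if k in src}
    custom = {}
    for label, value in (src.get("CustomFields") or {}).items():
        # An explicit rename wins; otherwise apply the naming rule.
        dest = (field_map or {}).get(label) or to_custom_field_name(label)
        custom[dest] = value
    # Dedup key: a destination playbook can search on it before creating.
    custom["sourceincidentid"] = f"{source_name}:{src['id']}"
    body["CustomFields"] = custom
    return body


if __name__ == "__main__":
    print(json.dumps(build_incident_body(SAMPLE_INCIDENT, "xsoar-a"), indent=2))
```

The same JSON string can be written to a file for a manual transfer where no REST connectivity exists between the two environments.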
07-08-2025 01:01 AM
Hi @Mudhireddy
Forgot to mention I have an environment that is air-gapped, probably unable to use the REST API to do so. Do I export the JSON file and import it in? Thinking if the playbook is able to do that.