06-22-2022 05:53 PM
Hi @pottapitot, every job run creates a new incident. This cannot be stopped. There might be other workarounds available. You could look at using a scheduled command to run the !setPlaybook command every X minutes. This would mimic the job run but consume a single incident ID.
Regarding your second question, indicator extraction is enabled by default on XSOAR. As a part of best practices we recommend disabling it. You should disable it at a platform level and allow extraction on a specific task or command level. For more information, refer to https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-8/cortex-xsoar-admin/manage-indicators/auto-...
To disable it I would recommend adding the below server configs with the value set to 1 (Refer above link for possible values):-
- reputation.calc.algorithm
- reputation.calc.algorithm.fields.change
- reputation.calc.algorithm.tasks
- reputation.calc.algorithm.manual
You can then override the above by forcing extraction:-
1. At CLI - Add auto-extract= to the end of a command
2. At Task - Edit Task -> Advanced -> Indicator Extraction Mode - Refer
3. At Field\Incident - Settings -> Object Setup -> Incidents -> Type -> <Incident Type> -> Indicator Extraction Rules - Refer