About chrking

@TonyZhu  This first response only has a couple of indicators in it, but eyeballing them against the TAXII client code it seems like they should parse OK. At first I was wondering if XSOAR wasn't pulling subsequent pages of the poll response, but from the logs above it looks like it is.   I think you'll need Engineering and (probably) a custom debug version of the taxii client to troubleshoot this, sorry. ... View more

@TonyZhu    Looking at the samples you've provided, these appear to be STIX packages rather than Poll Responses, which is what we'd be expecting for the response to a TAXII poll request. In a Poll Response, we'd expect the content to be inside a <Content_Block> tag which doesn't appear to be happening here and I suspect that's why nothing is getting parsed.   You should be able to parse Stix Packages with !CreateIndicatorsFromSTIX or similar, but there's no integration to automatically fetch STIX packages from a specific URL. If you want to go this route (as opposed to seeing if you can convince your taxii server to produce actual taxii responses) then a regularly scheduled job calling !HttpV2 and !CreateIndicatorsFromSTIX would be one possible option. ... View more

Which flow are you trying to use?   The device code flow should handle finding the app for you as far as I can tell. ... View more

Did you use a self-deployed azure app? The authentication code generated in this process is only valid for a matter of minutes so if you don't set that and then run the auth test command within that time period authentication will fail. ... View more

Have you checked your whole ldap path is correct, ie the ou= and dc= parts as well and not just the username? ... View more

@TonyZhu the created/modified dates here are related to the credential I think, this likely just means you're using a username/password configured in the integration itself rather than a linked credential and isn't inherently concerning.   These parts pulled out from the logs look like requests rather than responses, but it's interesting that XSOAR is pulling 4 full pages of results but only returning 2 results.   This definitely looks like some kind of incompatibility between the way your taxii server is returning the results and the way XSOAR is parsing them. I'd love to set up my own version of the taxii client with additional debugging details so I can see exactly what is being pulled, but I'm kind of guessing this is non-public threat intel?   Would you be able to SSH to your XSOAR server, execute one of the curl commands from that file with the <XX_REPLACED> part restored to valid basic auth (see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Authorization#basic_authentication ) and post a sample of the results showing a redacted version of an un-fetched indicator? I'm looking for the XML structure of the indicator rather than any content, so feel free to replace any actual content with "REDACTED".   Filing a support case would be the other option, that way you could share the results without it being public. ... View more

OK, so this is actually really good info. The fact that the time isn't changing means that it's not updating it's last run timestamp for some reason. This shouldn't happen under normal operations. I'd suggest turning debug mode on, then looking at the output in your integration-instance.log. It's possible there are issues parsing the results that are causing the fetch to terminate early and not update the last run timestamp. ... View more

What does the fetch history (the anticlockwise arrow icon) on the instance say was fetched? What query are you using on the threat intel page? If you change the query to something like "sourceInstance:<instance name>" do you get different results? ... View more

Stuff under "incident" in the context is actually an incident field and not part of the context. Instead of using demisto.getContext what do you get if you use demisto.incidents() instead?   For the conditional, I am guessing you're going to want something like: filter by Not Defined + Count transformer, then in the condition check if the result is >= 0 ... View more

It's not possible to selectively archive like this. Archived data can be restored later if needed so that's probably the approach I'd take for data that needs a longer retention. Exporting (only) the incidents with longer retention requirements is also an option.   Please also note that, at least for XSOAR 6 with Bolt, deleting an incident will not free space in the database associated with that incident. Additionally, files attached to incidents can be deleted separately with standard file system commands: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.8/Cortex-XSOAR-Administrator-Guide/Archive-Artifacts-and-Attachments ... View more

Have you checked the data returned from xdr-get-alerts ? ... View more

This could also potentially be an issue with an MFA requirement on your mail server side. You may need to disable the MFA requirement for this specific user. ... View more

Which specific XSOAR command are you using to update JIRA? What are you seeing on the JIRA side? ... View more

Linux doesn't really have the same concept of "drives" has Windows does. Linux has a single file structure starting at / and all disks are attached at "mount points", which are directories somewhere under /.   You can view all currently mounted disks with this command: sudo mount -l   The XSOAR application stores data in /var/lib/demisto and /usr/lib/demisto by default. Looking at all the mount points listed in the mount -l output you should be able to tell which physical disk (or similar - partition, logical volume, network mount, etc) will contain them.   Alternately, if you have the findmnt command installed you can just check directly: findmnt -n -o SOURCE --target /var/lib/demisto ... View more

This is, unfortunately, working as expected.   The problem is that msgraph-mail requires the integration cache for it's authentication to work correctly because it stores long lived tokens in there. Conversely, the "Test" button doesn't allow access to the integration cache because the idea is that it could be run to test settings without actually saving an integration and creating an integration cache for it. Hence, if you want to test connectivity for this integration you'll need to use the msgraph-mail-test command rather than the built-in test function. ... View more