About oDarweesh2

Dears,   Hope you are doing well.   We need to close the Incidents on xsoar from preprocess script, How can we close it using a script in preprocess rule? I dont need other options like: link and close or drop or close. Because there are some mandatory actions need to be done. the good thing that all what is written in the script is done, except for closing the incident. so does anyone know how to close the ticket?         ... View more

Dears, we are trying to integrate with browserling which is not supported by default on XSOAR marketplace. and to this integration we need to do the following: 1- First, we need to load browserling.js library. 2- Then we create a new Browserling object with the session token. 3- Then, we configure the browser. 4- And finally, we embed the iframe containing the browser in XSOAR. So does XSOAR support iframes?? and does XSOAR support creating interactive sessions with other tools like Browserling?? if yes, Kindly clarify how we can do this?? ... View more

when I extract indicators from body of an email (the body of the email is in html format). I don't get the URLs, only the domains inside the URLs are extracted but the URLs itself not extracted.   what I understand in extracting domains, that it works to extract emails and URLs then extract domains from it.   Kindly find the attachment to show you the issue.   any support is highly appreciated. ... View more

Guys,   I Have Phishing Playbook consists of two big parts:  a- L1 Phishing playbook. b- L2 Phishing playbook.   The flow starts from L1 doing the needed automation and tasks like (Extracting IOCs, Headers, Doing Enrichment, making Splunk searches, .... etc.) Then it will stop at the stopping point which ask the Analyst to categorize which type this alert should it be.   Then if L1 Categorized the alert as phishing, L2 will start with its tasks. L2 is sub playbook inside L1 only.   The issues am taking about: is assigning owner from L1 to alert.   I did before assign L1 automatically by using the automation script (assign owner to incident randomly) but it was getting any one from L1 to be the owner. and I tried it with other options like (assign current and online but none of them is accurate).   because I want to assign the Incident to the user who did the categorization in the stopping point.   I used (assign to me button) inside the script. but it gives me error, as it need to be run manually and there is another option which can make the L1 to assign the task to other one. so, any idea how can I pass this issue?   I was thinking if there is any idea to:   1- stop the categorization task, till L1 assign the incident to himself. but I don't know how to do it?? 2-make any task and based on it take the owner and assign him to the owner field, also I don't know how to do it?? Any recommendations will help me a lot. Thanks         ... View more

Dears,    I am blocking urls on a security control then save the value of URL in incident field name (blocked urls) using setIncident command,  But every time I block new url the incident field is not appending the new url to the old url. It replace the old value with the new value.    Kindly need your suggestion for how to append the value in incident field.    Note: The incident field is array type.  ... View more

Why does every time I install a new Integration like (Splunk) I get a warning ( unavailable docker image 'demisto/python3XXXXXX' ) Used by Integration (name of the integration)? although I have opened the access and if I go to the console i can pull this docker image and it will install without this warning. It should be done automatically right?   Kindly find the screenshot attahced with the warnings Please note you are posting a public message where community members and experts can provide assistance. Sharing private information such as serial numbers or company information is not recommended. ... View more

Dears, Kindly need to add a list of IPs and Domains to exclusion list from json format.   Kindly advise how to do that and what is the needed format? ... View more

Dears,   I made a custom Integration that get the verdict of (URLs) like (Malicious - Benign). Now I have a question How to add the name and result of this integration like the prebuilt Integrations which are in the screenshots (virus total - urlscan - etc..)..     kindly find the screenshot for claridication     ... View more

Dears, we now are installing a new server to be our live backup server, we have multiple questions regarding this Kindly need your answer : 1- Do we need a License for The Live backup Server???? 2-Are the configuration and Data are moving in real time from Active Server to standby Server? 3-In case our main server is down and we converted the standby to be the production>> and after some time we want to revert backup after solving the issue on the first server, will the data be transferred to the primary one?? ... View more

Dears,   I installed cisco firepower integration. from Market Place.   I use update network group objects  command but actually it removes all the IP addresses inside this group and add the only list that I newly updated.   Kindly need your support.     Also for Integration with ASA firewall , it failed in the testing phase as it gives me error for 400 code.   ... View more