- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
Migrating historical data into Cortex XSOAR involves a multi-phase process designed to ensure a smooth transition while maintaining functionality across both the old and new systems. The migration process can be customized based on specific requirements and constraints.
Below is a structured outline of the approach:
In both the above cases, you can add the Incident Mirror phase to continue mirroring incidents in the old system. This is usually done to ensure uninterrupted compliance and management reporting.
In scenario 2, since analysts are only moved to the XSOAR once the content is tested. This ensures the least disruption and can be further mitigated by moving them in batches if permitted by cost and time factors.
To transition historical data into XSOAR field mapping needs to be performed between data from the existing solution to fields inside XSOAR. There are multiple field types available inside XSOAR. In some cases data manipulation might be required before field data is saved into XSOAR fields. The below table should help identify requirements based on each data type.
Source Datatype |
XSOAR Datatype |
Method |
Short String\Long String |
Short Text Long Text |
Direct Mapping |
Table Reference with ID |
Depends on the final data type |
Transformer to lookup value in secondary DB\table\API |
Very Long Text Body |
Long Text Markdown |
Direct Mapping |
Comment\Note |
XSOAR War room Entry |
Some automation around adding user and timestamp details. |
File |
File Object |
Automation needs to return the file object. |
The “Table Reference with Id” might need further explanation. Some tools like ServiceNow store a sys_id instead of the value. The sys_id needs to be looked up in a different table to get the actual field value. An example of this is the “Assignment Group” field. When creating scripts to perform this operation, making them a transformer is better since they can be called in mappers too.
Once the field requirement from both solutions have been identified, you should be able to create a table similar to the below.
Once you’ve created the required fields in XSOAR. The fields need to be assigned to incident layouts. The below articles will help.
Create Incident Type -> https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Administrator-Guide/Create-an...
Incident Layouts -> https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Administrator-Guide/Customize...
You will also need to decide how you will map incidents from the existing system to XSOAR. There are 2 general approaches:
There are 2 methods to perform data migration. Via an integration or via an exported report. Use the report method when no API or integration exists for the existing solution.
** We recommend keeping the file size small. If the file is large, ensure that as little data as possible is pushed into the context.
By following these steps and adapting the scenarios to the specific needs and constraints of your organization, you can effectively manage the migration of historical data into Cortex XSOAR while minimizing disruptions and ensuring data integrity.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Subject | Likes |
---|---|
5 Likes | |
3 Likes | |
2 Likes | |
1 Like | |
1 Like |