Fetch issues from an integration instance

Cortex XSIAM 3.x Documentation

Product
Cortex XSIAM
Creation date
2025-07-15
Last date published
2026-06-11
Category
Administrator Guide
Abstract

Configure a third-party integration instance to fetch issues into Cortex XSIAM cases for investigation.

You can poll third-party integration instances for events and turn them into Cortex XSIAM issues (fetching). Many integrations support fetching, but not all of them do. You can check whether a given integration supports fetching in the Developer Hub.

When setting up an instance, you can configure the integration instance to fetch events. You can also set how often new issues are fetched by configuring the Issue Fetch Interval field. The fetch interval default is 1 minute. This lets you control how frequently an integration instance reaches out to the third-party platform to fetch issues into Cortex XSIAM.

Note

  • In some integrations, the Issue Fetch interval is called Feed Fetch Interval.

  • If the integration instance does not have the Issue Fetch Interval field, you need to add this field by editing the integration settings. If the integration is from a content pack, you need to create a copy of the integration. Any future updates to this integration will not be applied to the copy integration.

  • If you turn off fetching for a while and then turn it on or disable the instance and enable it, the instance remembers the last run and pulls all events that occurred while it was off. If you don't want this to happen, verify that the instance is enabled and click Reset the “last run” timestamp when editing the instance. Also, note that "last run" is retained when an instance is renamed.

After configuring the instance, you may need to set up a correlation rule to ingest issues.

Correlation rules are predefined logic or patterns that Cortex XSIAM uses to identify relationships between disparate events occurring across an organization's IT environment. If the conditions specified in the rule are met, Cortex XSIAM generates an issue.

How to fetch issues
  1. Navigate to Settings → Data Sources & Integrations, find and select the integration, and click Add Instance.

  2. In the integration's dialog box, select Fetch issues.

    After this setting is enabled, Cortex XSIAM searches for events that occurred within the time frame set for the integration, which is based on the specific integration. The default is 10 minutes, but it can be changed in the integration script.

  3. (Optional) In the Issue Fetch Interval field, set the interval in hours and minutes at which issues are fetched (default 1 minute).

  4. (Optional) If the Issue Fetch Interval field does not appear, add it to the integration.

    Relevant for any issue fetching integration:

    1. For integrations installed from a content pack, select the duplicate integration button.

      If you have already duplicated the integration, click the Edit integration’s source button.

    2. In the Basic section, select the Fetch issues checkbox.

      In the Parameters section, you can see that the IssueFetchInterval parameter is added. Change the default value if necessary.

    3. Click Save to save the changes.

  5. To generate issues, add correlation rules, as required.

    Note

    Some content packs include preconfigured correlation rules, but you should review them to see if they suit your use case and duplicate them if required. Go to Threat Management → Detection Rules → Correlations, search for the relevant rule, right-click, and select Preview Rule. For example, the ServiceNow v2 Alerts (automatically generated) correlation rule uses the following XQL Query:

    dataset = servicenow_v2_generic_alert_raw
    | filter _alert_data != null
    | alter alert_severity = json_extract_scalar(_alert_data, "$.severity")
    | alter alert_category = json_extract_scalar(_alert_data, "$.alert_category")
    | alter alert_name = json_extract_scalar(_alert_data, "$.alert_name")
    | alter alert_description = json_extract_scalar(_alert_data, "$.alert_description")

    You may want to update the query by defining complex, multi-source detection logic or add filters, such as alert severity or assignee.
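The "last run" behaviour described in the notes above (an instance that was disabled or had fetching turned off resumes from its stored timestamp, and resetting that timestamp makes it start from the default time frame again) is easiest to see in the fetch logic itself. The following is an added illustration, not code from the Cortex XSIAM product or from any content pack: a self-contained Python fetch cycle that persists a last-run record, uses a 10-minute window when no last run exists, and avoids creating duplicate issues for events that share the boundary timestamp. The vendor API is replaced by a constructed in-memory event list, and the issue field names are assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample events standing in for a third-party platform's API.
SAMPLE_EVENTS = [
    {"id": "evt-1", "occurred": "2025-07-15T09:50:00Z", "name": "Failed login burst", "severity": "high"},
    {"id": "evt-2", "occurred": "2025-07-15T09:58:30Z", "name": "New admin account", "severity": "critical"},
    {"id": "evt-3", "occurred": "2025-07-15T09:58:30Z", "name": "Malware quarantined", "severity": "medium"},
    {"id": "evt-4", "occurred": "2025-07-15T10:03:00Z", "name": "Port scan", "severity": "low"},
]
FIRST_FETCH_WINDOW = timedelta(minutes=10)  # time frame used when there is no stored last run


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def query_events(since, now):
    """Stand-in for the vendor API: events with since <= occurred <= now, oldest first."""
    hits = [e for e in SAMPLE_EVENTS if since <= parse_ts(e["occurred"]) <= now]
    return sorted(hits, key=lambda e: (e["occurred"], e["id"]))


def fetch_issues(last_run, now):
    """One fetch cycle. Returns (issues, new_last_run).

    last_run is {} on the first run and after the "last run" timestamp is reset;
    otherwise it holds the newest event time already ingested plus the ids seen at
    that exact time, so the inclusive query below does not re-create those issues.
    """
    if last_run.get("last_fetch"):
        since = parse_ts(last_run["last_fetch"])   # resume where the previous run stopped
    else:
        since = now - FIRST_FETCH_WINDOW           # first fetch or reset: default window
    seen_ids = set(last_run.get("seen_ids", []))
    issues, new_ids = [], []
    for event in query_events(since, now):
        if event["id"] in seen_ids:
            continue  # already turned into an issue by a previous run
        new_ids.append(event["id"])
        issues.append({"name": event["name"], "occurred": event["occurred"],
                       "severity": event["severity"], "rawJSON": json.dumps(event)})
    if not issues:
        return issues, last_run  # nothing new: keep the stored last run untouched
    latest = issues[-1]["occurred"]
    boundary_ids = [eid for eid, iss in zip(new_ids, issues) if iss["occurred"] == latest]
    if latest == last_run.get("last_fetch"):
        boundary_ids = sorted(seen_ids | set(boundary_ids))  # more events at the same instant
    return issues, {"last_fetch": latest, "seen_ids": boundary_ids}
```

Calling fetch_issues with the stored record after a gap returns every event that occurred while the instance was off, whereas calling it with an empty record (the reset case) returns only the last 10 minutes.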