Fetch Alerts From an Integration Instance - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Product
Cortex XSIAM
Creation date
2023-10-30
Last date published
2024-03-28
Category
Administrator Guide
Abstract

Learn how to poll third party integration instances and turn them into alerts that trigger automations (fetching).

You can poll third party integration instances for events and turn them into Cortex XSIAM alerts that trigger automations (fetching). Many integrations support fetching, but not all do; the Developer Hub entry for each integration states whether it does.

Note

The Developer Hub contains integrations for both Cortex XSOAR and Cortex XSIAM, and not every integration listed there can be used with Cortex XSIAM.

When setting up an instance, you can configure the integration instance to fetch events. You can also set how often new alerts are fetched by configuring the Alert Fetch Interval field. The default interval is 1 minute. This controls how often the integration instance reaches out to the third party platform to fetch alerts into Cortex XSIAM. If the integration instance does not have the Alert Fetch Interval field, you can add it by editing the integration settings.

Note

You can add the field to any integration that fetches alerts. For out-of-the-box integrations, you need to create a copy of the integration before you can add the field. Editing the integration settings, including adding the Alert Fetch Interval field, breaks the connection to out-of-the-box content: any future updates to the integration are applied to the out-of-the-box integration and not to your copy.

If you turn off fetching for a period of time and then turn it back on, or disable the instance and later enable it, the instance remembers the "last run" timestamp and pulls all events that occurred while it was off. If you don't want this catch-up to happen, verify that the instance is enabled and click Reset the "last run" timestamp when editing the instance. Note that "last run" is also retained when an instance is renamed.

  1. Select the integration you want to fetch alerts from by going to Settings > Configurations > Automations & Feed Integrations, and click Add instance.

  2. Select the Fetches alerts checkbox.

    Once enabled, Cortex XSIAM searches for events that occurred within the initial time frame the integration defines. The default is 10 minutes prior, but it can be changed in the integration script implementation.

  3. (Optional) In the Alerts Fetch Interval field, set the interval at which alerts are fetched, as a number of minutes, hours or days (default 1 minute).

  4. (Optional) If the Alerts Fetch Interval field does not appear, add it to the integration.

    Relevant for any alerts fetching integration.

    1. For out-of-the-box integrations, click the Duplicate integration button.

      If you have already duplicated the integration, click the Edit integration’s source button.

    2. In the Basic section, select the Fetches alerts checkbox.

      In the Parameters section, you can see that the AlertFetchInterval parameter is added. Change the default value if necessary.

    3. Click Save.
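The "last run" catch-up behaviour described above, together with the initial lookback window from step 2, modelled as an added example. This is not Cortex XSIAM or integration SDK code: a real integration reads and writes the cursor with the SDK's getLastRun/setLastRun calls and hands alerts back with demisto.incidents, whereas here the cursor is a plain argument and return value so the logic runs offline. The 10-minute lookback, the event fields (id, title, time) and the sample events are assumptions.

```python
"""Model of the alert-fetch cycle an integration instance runs on each interval.

Added illustration only (not Cortex XSIAM or SDK code). The persisted cursor is
passed in and returned instead of using the SDK's getLastRun/setLastRun.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# Assumed default first-fetch lookback. The guide says the integration script
# decides this value and that 10 minutes is the usual default.
FIRST_FETCH_LOOKBACK = timedelta(minutes=10)


def fetch_alerts(last_run: dict, source_events: list[dict], now: datetime,
                 lookback: timedelta = FIRST_FETCH_LOOKBACK) -> tuple[list[dict], dict]:
    """One fetch cycle. Returns (alerts to create, cursor to persist).

    last_run      -- persisted cursor. {} on the very first fetch or right after
                     "Reset the last run timestamp"; otherwise
                     {"time": <ISO-8601>, "ids": [ids already created at that second]}
    source_events -- what the third party API returned; each has "id", "title", "time"
    """
    if not last_run:
        # No cursor: scan only a fixed window, never the source's whole history.
        start = now - lookback
        seen_ids: set[str] = set()
    else:
        # Cursor present: resume from it, however long the instance was off.
        # This is the catch-up the guide describes after re-enabling an instance.
        start = datetime.fromisoformat(last_run["time"])
        seen_ids = set(last_run.get("ids", []))

    alerts: list[dict] = []
    for ev in sorted(source_events, key=lambda e: datetime.fromisoformat(e["time"])):
        ev_time = datetime.fromisoformat(ev["time"])
        # Inclusive lower bound so events in the cursor's own second are not lost ...
        if ev_time < start:
            continue
        # ... and the id list keeps those events from being created twice.
        if ev["id"] in seen_ids:
            continue
        alerts.append({"name": ev["title"], "occurred": ev["time"], "source_id": ev["id"]})

    if not alerts:
        # Nothing new: keep the cursor, or pin a fresh one at the window start.
        return [], last_run or {"time": start.isoformat(), "ids": []}

    newest = max(datetime.fromisoformat(a["occurred"]) for a in alerts)
    # Remember every id created in the newest second; the inclusive bound could
    # return exactly those again on the next cycle.
    ids_at_newest = [a["source_id"] for a in alerts
                     if datetime.fromisoformat(a["occurred"]) == newest]
    if newest == start:
        ids_at_newest = sorted(set(ids_at_newest) | seen_ids)
    return alerts, {"time": newest.isoformat(), "ids": ids_at_newest}


# Constructed sample data (not real Cortex XSIAM or third party output).
NOW = datetime(2024, 3, 28, 12, 0, tzinfo=timezone.utc)
EVENTS = [
    {"id": "ev-1", "title": "login failure", "time": "2024-03-28T11:30:00+00:00"},
    {"id": "ev-2", "title": "malware detected", "time": "2024-03-28T11:55:00+00:00"},
    {"id": "ev-3", "title": "policy violation", "time": "2024-03-28T11:58:00+00:00"},
    {"id": "ev-4", "title": "policy violation", "time": "2024-03-28T11:58:00+00:00"},
]


def demo() -> None:
    # 1. First fetch (or right after a reset): only the lookback window is scanned.
    alerts, cursor = fetch_alerts({}, EVENTS, NOW)
    print("first fetch:", [a["source_id"] for a in alerts], cursor)

    # 2. Next interval, nothing new at the source: the cursor prevents duplicates.
    alerts, cursor = fetch_alerts(cursor, EVENTS, NOW + timedelta(minutes=1))
    print("steady state:", [a["source_id"] for a in alerts])

    # 3. Instance disabled for three hours; one event arrived meanwhile.
    later = NOW + timedelta(hours=3)
    late_event = {"id": "ev-5", "title": "C2 beacon", "time": "2024-03-28T13:00:00+00:00"}
    alerts, _ = fetch_alerts(cursor, EVENTS + [late_event], later)
    print("re-enabled, cursor kept:", [a["source_id"] for a in alerts])

    # 4. Same situation, but the admin clicked "Reset the last run timestamp":
    #    the 13:00 event is outside the 10-minute window and is never fetched.
    alerts, _ = fetch_alerts({}, EVENTS + [late_event], later)
    print("re-enabled, cursor reset:", [a["source_id"] for a in alerts])


if __name__ == "__main__":
    demo()
```

Scenarios 3 and 4 are the practical difference between leaving an instance's "last run" alone and resetting it: with the cursor kept, every event from the outage is turned into an alert on the first cycle after re-enabling; after a reset, only events inside the lookback window are, and anything older is silently skipped.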