Create a job triggered by a delta in a feed

Cortex XSIAM Documentation

Product: Cortex XSIAM
Creation date: 2024-03-06
Last date published: 2024-10-07
Category: Administrator Guide

Abstract

Create a job that is triggered when a feed has completed an operation and there is a change in the content.

Jobs triggered by a delta in a feed (event triggered jobs) run when a feed completes an operation and there is a change in the content. For the job to trigger, there must be a delta between the incoming feed and the previous one. You can define a job to trigger a playbook when the specified feed or feeds finish a fetch operation that includes a modification to the feed. The modification can be a new indicator, a modified indicator, or a removed indicator. For example, you may want to update your firewall every time a URL is added, modified, or removed from the Office 365 feed. You can configure a job that triggers the firewall update playbook to run whenever a modification is made to the feed.

For an example of using a job triggered by a delta in a feed, see the Create jobs to process indicators example.

Note

A job triggered by a delta in a feed runs only if there is a change in the feed, and does not run on a feed’s initial fetch. For the initial fetch, you can run the playbook manually and then set up an event triggered job for subsequent fetches.

If you want to trigger a job after a feed completes a fetch operation and the feed does not change frequently, you can select the Reset last seen option in the feed integration instance. The next time the feed fetches indicators, it will process them as new indicators in the system.

  1. Select Jobs → New Job.

  2. Select Triggered by delta in feed.

  3. Add or create any relevant tags to use as a search parameter in the system.

  4. In the Trigger section, select one of the following:

    • Any feed: The playbook runs when a modification is made to any feed.

    • Specific feeds: Select the feed instances that will trigger the playbook to run when a modification is made to them.

  5. In the BASIC INFORMATION section:

    • Add a meaningful name for the job.

    • Select the playbook you want to run when the conditions for the job are met.

  6. Create new job.
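
The trigger rules described above, modelled as an added example (this is not Cortex XSIAM code, and it does not use a product API). The snapshot format, the function names, the feed instance name, and the sample indicators are assumptions made for illustration.

```python
# Added illustration: a simplified model of the trigger rules on this page.
# Snapshot format, function names and sample values are assumptions.

def feed_delta(previous, incoming):
    """Compare two fetches, each a dict of {indicator value: attributes}."""
    prev_keys, new_keys = set(previous), set(incoming)
    return {
        "added": sorted(new_keys - prev_keys),
        "modified": sorted(k for k in prev_keys & new_keys
                           if previous[k] != incoming[k]),
        "removed": sorted(prev_keys - new_keys),
    }


def job_should_run(trigger_feeds, feed_name, previous, incoming):
    """trigger_feeds: None models 'Any feed'; a set models 'Specific feeds'."""
    if previous is None:
        return False  # initial fetch never triggers the job
    if trigger_feeds is not None and feed_name not in trigger_feeds:
        return False  # this feed instance is not selected in the job
    delta = feed_delta(previous, incoming)
    return any(delta.values())  # identical fetches produce no delta


# Constructed sample fetches (not real feed content).
FETCH_1 = {
    "https://a.example.com": {"type": "URL", "category": "Optimize"},
    "https://b.example.com": {"type": "URL", "category": "Allow"},
}
FETCH_2 = {
    "https://a.example.com": {"type": "URL", "category": "Default"},  # modified
    "https://c.example.com": {"type": "URL", "category": "Allow"},    # added
}  # https://b.example.com is absent, so it counts as removed

if __name__ == "__main__":
    feed = "Office 365 Feed_instance_1"  # hypothetical instance name
    print(job_should_run(None, feed, None, FETCH_1))       # initial fetch
    print(job_should_run(None, feed, FETCH_1, FETCH_1))    # unchanged feed
    print(job_should_run({feed}, feed, FETCH_1, FETCH_2))  # delta present
    print(feed_delta(FETCH_1, FETCH_2))
```
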