Fetch alerts from an integration instance

Cortex XSIAM Documentation

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2025-04-16
Category
Administrator Guide
Abstract

Configure a third-party integration instance to fetch events into Cortex XSIAM alerts for investigation.

Cortex XSIAM can poll a third-party integration instance for events and turn them into Cortex XSIAM alerts; this is called fetching. Many integrations support fetching, but not all of them do. Check each integration's page in the Developer Hub to see whether it supports fetching.

When setting up an instance, you can configure it to fetch events and set how often it fetches new alerts in the Alerts Fetch Interval field. The default fetch interval is 1 minute. This controls how often the integration instance reaches out to the third-party platform to pull alerts into Cortex XSIAM.

Note

  • In some integrations, the Alerts Fetch interval is called Feed Fetch Interval.

  • If the integration instance does not have the Alerts Fetch Interval field, add it by editing the integration settings. For an integration from a content pack, this means creating a copy of the integration; future content pack updates to the original integration are not applied to the copy.

  • If you turn off fetching for a while and then turn it back on, or disable and re-enable the instance, the instance remembers its last run and pulls all events that occurred while it was off. If you do not want that, verify that the instance is enabled and click Reset the “last run” timestamp when editing the instance. The "last run" is also retained when an instance is renamed.

  1. Go to Settings → Configuration → Data Collection → Automation and Feed Integrations, find the integration, and click + Add instance.

  2. In the integration's dialog box, select Fetch alerts.

    After this setting is enabled, Cortex XSIAM searches for alerts that occurred within the integration's own look-back time frame. The default is 10 minutes, but the value is defined in the integration script and differs between integrations.

  3. (Optional) In the Alerts Fetch Interval field, set the interval, in hours and minutes, at which to fetch alerts (default 1 minute).

  4. (Optional) If the Alerts Fetch Interval field does not appear, add it to the integration.

    These steps apply to any alert-fetching integration:

    1. For an integration installed from a content pack, click the duplicate integration button.

      If you already duplicated the integration, click the Edit integration’s source button.

    2. In the Basic section, select the Fetch alerts checkbox.

      In the Parameters section, the AlertFetchInterval parameter now appears. Change its default value if necessary.

    3. Click Save to save the changes.
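The following is an added example, not Cortex XSIAM code and not from any content pack. It models in plain Python the "last run" bookkeeping behind the notes above: the first fetch (or a fetch after Reset the “last run” timestamp) looks back the integration's default 10 minutes, while a fetch with a remembered last run pulls everything since that run, including the whole period an instance was disabled. The sample events are constructed; in a real integration the persisted state would come from demisto.getLastRun() and demisto.setLastRun() and the events from the vendor API (both assumed here and not called).

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Look-back used when the instance has no "last run" (first fetch, or after
# "Reset the last run timestamp"). 10 minutes is the default the page quotes;
# an integration script may override it.
FIRST_FETCH_LOOKBACK = timedelta(minutes=10)


@dataclass
class LastRun:
    """Per-instance state kept between fetch cycles. In a real integration this
    would be read with demisto.getLastRun() and written with demisto.setLastRun()
    (assumed API names; not called in this stand-alone example)."""
    last_time: Optional[datetime] = None        # None: never ran, or was reset
    seen_ids: set = field(default_factory=set)  # ids already fetched at last_time


def reset_last_run() -> LastRun:
    """Equivalent of clicking "Reset the last run timestamp" on the instance."""
    return LastRun()


def fetch_window(last_run: LastRun, now: datetime,
                 lookback: timedelta = FIRST_FETCH_LOOKBACK):
    """Window queried on this cycle: from the remembered last run (or the
    look-back boundary when there is none) up to now."""
    start = last_run.last_time if last_run.last_time is not None else now - lookback
    return start, now


def fetch_alerts(events, last_run: LastRun, now: datetime,
                 lookback: timedelta = FIRST_FETCH_LOOKBACK):
    """One fetch cycle. Returns (new alerts in time order, updated LastRun).

    Events exactly at the start boundary are re-read from the source, so the
    ids recorded at that timestamp are used to drop duplicates."""
    start, end = fetch_window(last_run, now, lookback)
    new_alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["ts"] < start or ev["ts"] > end:
            continue
        if ev["ts"] == start and ev["id"] in last_run.seen_ids:
            continue
        new_alerts.append(ev)
    if not new_alerts:
        # Nothing new: keep the state so the next cycle re-queries the same span.
        return new_alerts, LastRun(last_run.last_time, set(last_run.seen_ids))
    newest = new_alerts[-1]["ts"]
    return new_alerts, LastRun(newest, {e["id"] for e in new_alerts if e["ts"] == newest})


def ids(alerts):
    return [a["id"] for a in alerts]


# Constructed sample events (not vendor data); timestamps are relative to T0.
T0 = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {"id": "e1", "ts": T0 - timedelta(minutes=30)},  # before the first look-back
    {"id": "e2", "ts": T0 - timedelta(minutes=5)},   # inside the first look-back
    {"id": "e3", "ts": T0 - timedelta(minutes=5)},   # same timestamp as e2
    {"id": "e4", "ts": T0 + timedelta(minutes=20)},  # while the instance is disabled
    {"id": "e5", "ts": T0 + timedelta(minutes=55)},  # while the instance is disabled
    {"id": "e6", "ts": T0 + timedelta(minutes=60)},  # at the moment it is re-enabled
]


def outage_scenario():
    """First fetch at T0, instance off for an hour, fetch again at T0+60 min,
    then the same re-enable with the last run reset. Returns the ids per cycle."""
    first, state = fetch_alerts(SAMPLE_EVENTS, LastRun(), T0)
    # Remembered last run: everything since it is pulled, including the hour off.
    after_outage, _ = fetch_alerts(SAMPLE_EVENTS, state, T0 + timedelta(minutes=60))
    # With the last run reset, only the default look-back window is queried.
    after_reset, _ = fetch_alerts(SAMPLE_EVENTS, reset_last_run(), T0 + timedelta(minutes=60))
    return ids(first), ids(after_outage), ids(after_reset)


if __name__ == "__main__":
    for label, got in zip(("first fetch", "after outage", "after reset"), outage_scenario()):
        print(f"{label}: {got}")
```

Running the scenario fetches e2 and e3 on the first cycle, e4 through e6 after the outage (e2 and e3 sit on the start boundary and are dropped by id), and only e5 and e6 after a reset, which is the difference the note above describes. Keeping the ids seen at the last timestamp is what lets the boundary be inclusive without creating duplicate alerts.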