Fetch incidents from an integration instance - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2024-05-22
Category
Administrator Guide
Abstract

Configure a third-party integration instance to fetch incidents into Cortex XSIAM incidents for investigation.

You can poll third-party integration instances for events and turn them into Cortex XSIAM incidents (fetching). Many integrations support fetching, but not all support this feature. You can view each integration in the Developer Hub.

When setting up an instance, you can configure the integration instance to fetch events. You can also set the interval for which to fetch new incidents, by configuring the Alerts Fetch Interval field. The fetch interval default is 1 minute. This enables you to control the interval in which an integration instance reaches out to third-party platforms to fetch incidents into Cortex XSIAM.

Note

  • In some integrations, the Alerts Fetch interval is called Feed Fetch Interval.

  • If the integration instance does not have the Alerts Fetch Interval field, you need to add this field by editing the integration settings. If the integration is from a content pack, you need to create a copy of the integration. Any future updates to this integration will not be applied to the copy integration.

  • If you turn off fetching for a while and then turn it on or disable the instance and enable it, the instance remembers the last run and pulls all events that occurred while it was off. If you don't want this to happen, verify that the instance is enabled and click Reset the “last run” timestamp when editing the instance. Also, note that "last run" is retained when an instance is renamed.

  1. Select the integration instance you want to fetch incidents by going to Settings & InfoSettingsIntegrationsInstances finding the integration and clicking + Add instance.

  2. Select Fetches alerts.

    Once enabled, Cortex XSIAM searches for events that occurred within the time frame set for the integration, which is based on the specific integration. The default is 10 minutes prior but can be changed in the integration script.

  3. (Optional) In the Alerts Fetch Interval field, set the interval of hours and minutes to fetch incidents (default 1 minute).

  4. (Optional) If the Alerts Fetch Interval field does not appear, add it to the integration.

    Relevant for any incident fetching integration.

    1. For integrations installed from a content pack, select the duplicate integration button.

      If you already duplicated the integration, click the Edit integration’s source button.

    2. In the Basic section, select the Fetches alerts checkbox.

      In the Parameters section, you can see that the AlertFetchInterval parameter is added. Change the default value if necessary.

    3. Save the changes.