Create a Job Triggered by a Delta in Feed - Administrator Guide - 6.10 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product
Cortex XSOAR
Version
6.10
Creation date
2022-10-13
Last date published
2024-02-21
End_of_Life
EoL
Category
Administrator Guide
Abstract

Create a job that is triggered when a feed has complete an operation and there is a change in the content.

Jobs triggered by a delta in a feed (event triggered jobs) run when a feed has completed an operation and there is a change in the content. For the job to trigger, there must be a delta between the incoming feed and the previous one. You can define a job to trigger a playbook when the specified feed or feeds finish a fetch operation that included a modification to the feed. The modification can be a new indicator, a modified indicator, or a removed indicator. For example, you may want to update your firewall every time a URL is added, modified, or removed from the Office 365 feed. You can configure a job that triggers that playbook to run whenever a modification is made to that feed.

For an example of using a job triggered by a delta in feed, see set up a job to process indicators.

Note

Jobs triggered by a delta in a feed run only if there is a change in the feed, and do not run on a feed’s initial fetch. If this is the initial fetch, you can run the playbook manually the first time and then set up an event triggered job for subsequent fetches.

If you want to trigger a job after a feed completes a fetch operation, and the feed does not change frequently, you can select the Reset last seen option in the feed integration instance. The next time the feed fetches indicators, it will process them as new indicators in the system.

  1. Select JobsNew Job.

  2. Select Triggered by delta in feed.

  3. In the Triggers section, select one of the following:

    • Any feed: The playbook runs when a modification is made to any feed.

    • Specific feeds: Select the feed instances that trigger the playbook to run when a modification is made to the specified feed instances.

  4. In the Basic information section:

    • Add a meaningful name for the job.

    • Add the playbook you want to run when the conditions for the job are met.

  5. Add or create any relevant tags to use as a search parameter in the system.

  6. Create new job.