Run a command on incidents residing on multiple tenants in a Cortex XSOAR multi-tenant deployment
In some cases, you might need to run a command across multiple tenants. For example, you might want to enrich certain IOCs across all tenant accounts.
From the main account, you can batch run a command on incidents from different tenant accounts. Running a command at the main account runs it locally on each tenant account.
If the command doesn’t exist on a particular tenant or if the user running the command from the main account doesn’t have the correct permissions, the command execution will fail and the output will be written to the incident’s war room. You will not see the error in the main account.
In some cases, tenants may have different versions of the same command. The local version of the command runs on the tenant.
On the
→ , select one or more incidents.Click Run Command.
Enter
!
and the command and press enter.