Create a Job Triggered by Delta in Feed - Administrator Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Cortex XSOAR
Creation date
Last date published
Administrator Guide

Create a job that is triggered when a feed has complete an operation and there is a change in the content.

Jobs triggered by a delta in a feed (event triggered jobs) run when a feed has completed an operation and there is a change in the content. For the job to trigger, there must be a delta between the incoming feed and the previous one. You can define a job to trigger a playbook when the specified feed or feeds finish a fetch operation that included a modification to the feed. The modification can be a new indicator, a modified indicator, or a removed indicator. For example, you may want to update your firewall every time a URL is added, modified, or removed from the Office 365 feed. You can configure a job that triggers that playbook to run whenever a modification is made to that feed.

For an example of using a job triggered by delta in feed, see Process Indicators Using a Job Triggered By Delta in Feed.


A job triggered by a delta in a feed runs only if there is a change in the feed, and does not run on a feed’s initial fetch. If this is the initial fetch, you can run the playbook manually the first time and then set up an event triggered job for subsequent fetches.

If you want to trigger a job after a feed completes a fetch operation, and the feed does not change frequently, you can select the Reset last seen option in the feed integration instance. The next time the feed fetches indicators, it will process them as new indicators in the system.

  1. Select JobsNew Job.

  2. Select Triggered by delta in feed.

  3. Add or create any relevant tags to use as a search parameter in the system.

  4. In the Trigger section, select one of the following:

    • Any feed: The playbook runs when a modification is made to any feed.

    • Specific feeds: Select the feed instances that will trigger the playbook to run when a modification is made to the specified feed instances.

  5. In the BASIC INFORMATION section:

    • Add a meaningful name for the job.

    • The playbook you want to run when the conditions for the job are met.

  6. Create new job.