Fetch Incidents From an Integration Instance - Administrator Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product
Cortex XSOAR
Version
8
Creation date
2024-02-14
Last date published
2024-06-25
Category
Administrator Guide
Solution
Cloud
Abstract

Configure a third party integration instance to fetch incidents into Cortex XSOAR incidents for investigation.

You can poll third party integration instances for events and turn them into Cortex XSOAR incidents that trigger scripts (fetching). There are a number of integrations that support fetching, but not all support this feature. You can view each integration in the Cortex XSOAR Developer Hub.

You can set the objects to be fetched and its mapping in Settings & InfoSettingsObject SetupIncidentsClassification & Mapping.

When setting up an instance, you can configure the integration instance to fetch events. You can also set the interval for which to fetch new incidents, by configuring the Incidents Fetch Interval field. The fetch interval default is 1 minute. This enables you to control the interval in which an integration instance reaches out to third party platforms to fetch incidents into Cortex XSOAR.

Note

  • In some integrations the Incidents Fetch interval is called Feed Fetch Interval.

  • If the integration instance does not have the Incidents Fetch Interval field, you need to add this field by editing the integration settings. If the integration is from a content pack, you need to create a copy of the integration. Any future updates to this integration will not be applied to the copy integration.

  • If you turn off fetching for a period of time and then turn it on or disabled the instance and enabled it, the instance remembers the last run, and pulls all events that occurred while it was off.

  1. Select the integration instance you want to fetch incidents by going to Settings & InfoSettingsIntegrationsInstances finding the integration and clicking + Add instance. Configure the integration instance settings.

  2. Select Fetches incidents.

    Once enabled, Cortex XSOAR searches for events that occurred within the time frame set for the integration, which is based on the specific integration. The default is 10 minutes prior, but can be changed in the integration script implementation.

  3. (Optional) In the Incidents Fetch Interval field, set the interval of hours and minutes to fetch incidents (default 1 minute).

  4. (Optional) If the Incidents Fetch Interval field does not appear, add it to the integration.

    Relevant for any incident fetching integration.

    1. For integrations installed from a content pack, select the duplicate integration button.

      If you already duplicated the integration, click the Edit integration’s source button.

    2. In the Basic section, select the Fetches incidents checkbox.

      In the Parameters section, you can see that the IncidentFetchInterval parameter is added. Change the default value if necessary.

    3. Save the changes.