Run a command on incidents residing on multiple tenants in a Cortex XSOAR multi-tenant deployment
In some cases, you might need to run a command across multiple tenants. For example, you might want to enrich certain IOCs across all child tenants.
From the main tenant, you can batch run a command on incidents from different child tenants. Running a command at the main tenant runs it locally on each child tenant.
If the command doesn’t exist on a particular tenant or if the user running the command from the main tenant doesn’t have the correct permissions, the command execution fails and the output is written to the incident’s war room. You will not see the error in the main tenant.
In some cases, child tenants may have different versions of the same command. The local version of the command runs on the child tenant.
On the Incidents page in the main tenant, select one or more incidents.
Click Run Command.
Enter ! followed by the command, and press Enter.