XSOAR Mirroring
Supported versions
Supported Cortex XSOAR versions: 6.0.0 and later.
Allows mirroring of XSOAR incidents between different Cortex XSOAR tenants.
This integration was integrated and tested with version 6.0 of XSOAR
Configure XSOAR Mirroring on Cortex XSOAR
- Navigate to Settings > Integrations > Servers & Services.
- Search for XSOAR Mirroring.
- Click Add instance to create and configure a new integration instance.
- Go to the tenant to which you want to mirror the content and install the XSOAR Mirroring pack. This is where you can define which content you want to ingest from the Cortex XSOAR tenant.
The mirroring instance in the first tenant contains a new incident type, called Ping. You can use the following query to ingest those incidents into the XSOAR mirroring client tenant -status:closed and type:Ping and -frompong:true
Parameter | Description | Required |
---|---|---|
incidentType | Incident type | False |
url | URL of the XSOAR tenant from which you are ingesting the Ping incidents. You should add the full server address, for example, https://cortexXSOARMainAccount:8443/acc_MyTenant#/ | True |
apikey | The API key to access the server. The key must be provided by the server to which you are connecting. | True |
insecure | Trust any certificate (not secure) | False |
proxy | Use system proxy settings | False |
isFetch | Fetch incidents | False |
max_fetch | Maximum number of incidents per fetch | False |
query | Fetch only incidents that match the query | False |
first_fetch | First fetch time | False |
categories | Entry Categories | False |
tags | Incoming Entry tags | False |
mirror_tag | Outgoing Entry Tag | False |
mirror_identically | Mirror to identical incident type | False |
disable_from_same_integration | Disable mirroring for incidents came from this integration | False |
- Click Test to ensure that you can communicate with the Cortex XSOAR tenant.
Commands
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
xsoar-search-incidents
Search remote XSOAR for incidents
Base Command
xsoar-search-incidents
Input
Argument Name | Description | Required |
---|---|---|
query | Which incidents to retrieve | Optional |
start_time | From when to search | Optional |
max_results | How many incidents to bring | Optional |
columns | Which columns to display | Optional |
Context Output
There is no context output for this command.
Command Example
!xsoar-search-incidents query="-status:closed -category:job"
Human Readable Output
CustomFields | ShardID | account | activated | attachment | autime | canvases | category | changeStatus | closeNotes | closeReason | closed | closingUserId | created | dbotCreatedBy | dbotCurrentDirtyFields | dbotDirtyFields | dbotMirrorDirection | dbotMirrorId | dbotMirrorInstance | dbotMirrorLastSync | dbotMirrorTags | details | droppedCount | dueDate | feedBased | hasRole | id | insights | investigationId | isPlayground | labels | lastJobRunTime | lastOpen | linkedCount | linkedIncidents | modified | name | notifyTime | occurred | openDuration | owner | parent | phase | playbookId | previousRoles | rawCategory | rawCloseReason | rawJSON | rawName | rawPhase | rawType | reason | reminder | roles | runStatus | severity | sla | sortValues | sourceBrand | sourceInstance | status | type | version |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
0 | Ping | 0001-01-01T00:00:00Z | 1594654220814726000 | new | 0001-01-01T00:00:00Z | 2020-07-13T18:30:20.814726+03:00 | admin | 0001-01-01T00:00:00Z | 0 | 2020-07-23T18:30:20.814726+03:00 | false | false | 35 | 0 | false | {'value': 'admin', 'type': 'Instance'},\u003cbr\u003e{'value': 'Manual', 'type': 'Brand'} | 0001-01-01T00:00:00Z | 0001-01-01T00:00:00Z | 0 | 2020-07-13T18:30:20.816159+03:00 | testing | 0001-01-01T00:00:00Z | 2020-07-13T18:30:20.814725+03:00 | 0 | admin | testing | Unclassified | 0001-01-01T00:00:00Z | 0 | 0 | _score | Manual | admin | 0 | Unclassified | 1 |
xsoar-get-incident
Retrieve incident and entries from remote XSOAR
Base Command
xsoar-get-incident
Input
Argument Name | Description | Required |
---|---|---|
id | The remote incident id | Required |
from_date | Retrieve entries that were created after last_update | Optional |
categories | Retrieve only the entries of these categories | Optional |
tags | Only entries with these tags are retrieved from the XSOAR server. If no tags are listed, no entries are retrieved. | Optional |
max_results | Max number of entries to retrieve | Optional |
Context Output
Command Example
!xsoar-get-incident id=34
Human Readable Output
CustomFields | ShardID | account | activated | attachment | autime | canvases | category | closeNotes | closeReason | closed | closingUserId | created | dbotCreatedBy | dbotCurrentDirtyFields | dbotDirtyFields | dbotMirrorDirection | dbotMirrorId | dbotMirrorInstance | dbotMirrorLastSync | dbotMirrorTags | details | droppedCount | dueDate | feedBased | hasRole | id | investigationId | isPlayground | labels | lastJobRunTime | lastOpen | linkedCount | linkedIncidents | modified | name | notifyTime | occurred | openDuration | owner | parent | phase | playbookId | previousRoles | rawCategory | rawCloseReason | rawJSON | rawName | rawPhase | rawType | reason | reminder | roles | runStatus | severity | sla | sortValues | sourceBrand | sourceInstance | status | type | version |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
testdict: {},\u003cbr\u003e{},\u003cbr\u003e{} | 0 | Ping | 0001-01-01T00:00:00Z | 1594125574034437000 | 0001-01-01T00:00:00Z | 2020-07-07T15:39:34.034437+03:00 | admin | 0001-01-01T00:00:00Z | this is the new details | 0 | 2020-07-10T15:39:34.034437+03:00 | false | false | 34 | 34 | false | {'value': 'admin', 'type': 'Instance'},\u003cbr\u003e{'value': 'Manual', 'type': 'Brand'} | 0001-01-01T00:00:00Z | 0001-01-01T00:00:00Z | 0 | 2020-07-07T15:42:18.436987+03:00 | testing | 0001-01-01T00:00:00Z | 2020-07-07T15:39:34.034436+03:00 | 0 | admin | testing | Ping | 0001-01-01T00:00:00Z | 0 | 0 | Manual | admin | 1 | Ping | 5 |
get-remote-data
Get remote data from a remote incident. Please note that this method will not update the current incident, it's here for debugging purposes.
Base Command
get-remote-data
Input
Argument Name | Description | Required |
---|---|---|
id | The remote incident id | Required |
lastUpdate | Retrieve entries that were created after lastUpdate | Optional |
Command Example
!get-remote-data id=34 lastUpdate="18:00 July 12th, 2020"
get-mapping-fields
Get mapping fields from remote incident.
Base Command
get-mapping-fields
Input
Argument Name | Description | Required |
---|
Context Output
There is no context output for this command.
Command Example
!get-mapping-fields