
XSOAR Mirroring

This integration is part of the XSOAR Mirroring Pack.

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

Allows mirroring of XSOAR incidents between different Cortex XSOAR tenants.

This integration was integrated and tested with version 6.0 of XSOAR.

Configure XSOAR Mirroring on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for XSOAR Mirroring.
  3. Click Add instance to create and configure a new integration instance.
  4. Go to the tenant into which you want to mirror the content and install the XSOAR Mirroring pack there. That tenant is where you define which content to ingest from the first Cortex XSOAR tenant.

The pack adds a new incident type, Ping, in the first tenant. To ingest those incidents into the XSOAR mirroring client tenant, configure the instance there with the following fetch query (the `-frompong:true` clause keeps incidents that were themselves mirrored back from being fetched again):

`-status:closed and type:Ping and -frompong:true`

| Parameter | Description | Required |
| --- | --- | --- |
| incidentType | Incident type | False |
| url | URL of the XSOAR tenant from which you are ingesting the Ping incidents. Add the full server address, for example `https://cortexXSOARMainAccount:8443/acc_MyTenant#/` | True |
| apikey | The API key used to access the remote tenant. Generate it on the tenant you are connecting to. | True |
| insecure | Trust any certificate (not secure; disables TLS certificate verification of the remote tenant) | False |
| proxy | Use system proxy settings | False |
| isFetch | Fetch incidents | False |
| max_fetch | Maximum number of incidents per fetch | False |
| query | Fetch only incidents that match the query | False |
| first_fetch | First fetch time | False |
| categories | Entry categories | False |
| tags | Incoming entry tags | False |
| mirror_tag | Outgoing entry tag | False |
| mirror_identically | Mirror to the identical incident type | False |
| disable_from_same_integration | Disable mirroring for incidents that came from this integration | False |

  5. Click Test to ensure that you can communicate with the Cortex XSOAR tenant.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

xsoar-search-incidents

Search the remote XSOAR tenant for incidents.

Base Command

xsoar-search-incidents

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| query | Which incidents to retrieve (an XSOAR search query) | Optional |
| start_time | From when to search | Optional |
| max_results | How many incidents to return | Optional |
| columns | Which columns to display | Optional |

Context Output

There is no context output for this command.

Command Example

```
!xsoar-search-incidents query="-status:closed -category:job"
```

Human Readable Output

The matching incidents are rendered as a table with one row per incident and one column per incident field: CustomFields, ShardID, account, activated, attachment, autime, canvases, category, changeStatus, closeNotes, closeReason, closed, closingUserId, created, dbotCreatedBy, dbotCurrentDirtyFields, dbotDirtyFields, dbotMirrorDirection, dbotMirrorId, dbotMirrorInstance, dbotMirrorLastSync, dbotMirrorTags, details, droppedCount, dueDate, feedBased, hasRole, id, insights, investigationId, isPlayground, labels, lastJobRunTime, lastOpen, linkedCount, linkedIncidents, modified, name, notifyTime, occurred, openDuration, owner, parent, phase, playbookId, previousRoles, rawCategory, rawCloseReason, rawJSON, rawName, rawPhase, rawType, reason, reminder, roles, runStatus, severity, sla, sortValues, sourceBrand, sourceInstance, status, type, version.

The example returned a single incident; its non-empty fields were:

| Field | Value |
| --- | --- |
| ShardID | 0 |
| account | Ping |
| autime | 1594654220814726000 |
| changeStatus | new |
| created | 2020-07-13T18:30:20.814726+03:00 |
| dbotCreatedBy | admin |
| dueDate | 2020-07-23T18:30:20.814726+03:00 |
| id | 35 |
| labels | `{'value': 'admin', 'type': 'Instance'}`, `{'value': 'Manual', 'type': 'Brand'}` |
| modified | 2020-07-13T18:30:20.816159+03:00 |
| name | testing |
| occurred | 2020-07-13T18:30:20.814725+03:00 |
| owner | admin |
| rawName | testing |
| rawType | Unclassified |
| sortValues | _score |
| sourceBrand | Manual |
| sourceInstance | admin |
| status | 0 |
| type | Unclassified |
| version | 1 |

xsoar-get-incident

Retrieve an incident and its entries from the remote XSOAR tenant.

Base Command

xsoar-get-incident

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| id | The remote incident ID | Required |
| from_date | Retrieve only entries that were created after this date | Optional |
| categories | Retrieve only the entries of these categories | Optional |
| tags | Only entries with these tags are retrieved from the XSOAR server. If no tags are listed, no entries are retrieved. | Optional |
| max_results | Maximum number of entries to retrieve | Optional |

Context Output

```json
{
  "XSOAR.Incident(val.incident_id == obj.incident_id)": {
    "CustomFields": {
      "testdict": [
        {},
        {},
        {}
      ]
    },
    "ShardID": 0,
    "account": "Ping",
    "activated": "0001-01-01T00:00:00Z",
    "attachment": null,
    "autime": 1594125574034437000,
    "canvases": null,
    "category": "",
    "closeNotes": "",
    "closeReason": "",
    "closed": "0001-01-01T00:00:00Z",
    "closingUserId": "",
    "created": "2020-07-07T15:39:34.034437+03:00",
    "dbotCreatedBy": "admin",
    "dbotCurrentDirtyFields": null,
    "dbotDirtyFields": null,
    "dbotMirrorDirection": "",
    "dbotMirrorId": "",
    "dbotMirrorInstance": "",
    "dbotMirrorLastSync": "0001-01-01T00:00:00Z",
    "dbotMirrorTags": null,
    "details": "this is the new details",
    "droppedCount": 0,
    "dueDate": "2020-07-10T15:39:34.034437+03:00",
    "feedBased": false,
    "hasRole": false,
    "id": "34",
    "investigationId": "34",
    "isPlayground": false,
    "labels": [
      {
        "type": "Instance",
        "value": "admin"
      },
      {
        "type": "Brand",
        "value": "Manual"
      }
    ],
    "lastJobRunTime": "0001-01-01T00:00:00Z",
    "lastOpen": "0001-01-01T00:00:00Z",
    "linkedCount": 0,
    "linkedIncidents": null,
    "modified": "2020-07-07T15:42:18.436987+03:00",
    "name": "testing",
    "notifyTime": "0001-01-01T00:00:00Z",
    "occurred": "2020-07-07T15:39:34.034436+03:00",
    "openDuration": 0,
    "owner": "admin",
    "parent": "",
    "phase": "",
    "playbookId": "",
    "previousRoles": null,
    "rawCategory": "",
    "rawCloseReason": "",
    "rawJSON": "",
    "rawName": "testing",
    "rawPhase": "",
    "rawType": "Ping",
    "reason": "",
    "reminder": "0001-01-01T00:00:00Z",
    "roles": null,
    "runStatus": "",
    "severity": 0,
    "sla": 0,
    "sortValues": null,
    "sourceBrand": "Manual",
    "sourceInstance": "admin",
    "status": 1,
    "type": "Ping",
    "version": 5
  }
}
```

Command Example

```
!xsoar-get-incident id=34
```

Human Readable Output

The same incident as in the context output above, rendered as a single-row table with one column per field. Its non-empty fields were:

| Field | Value |
| --- | --- |
| CustomFields | testdict: {}, {}, {} |
| ShardID | 0 |
| account | Ping |
| autime | 1594125574034437000 |
| created | 2020-07-07T15:39:34.034437+03:00 |
| dbotCreatedBy | admin |
| details | this is the new details |
| dueDate | 2020-07-10T15:39:34.034437+03:00 |
| id | 34 |
| investigationId | 34 |
| labels | `{'value': 'admin', 'type': 'Instance'}`, `{'value': 'Manual', 'type': 'Brand'}` |
| modified | 2020-07-07T15:42:18.436987+03:00 |
| name | testing |
| occurred | 2020-07-07T15:39:34.034436+03:00 |
| owner | admin |
| rawName | testing |
| rawType | Ping |
| sourceBrand | Manual |
| sourceInstance | admin |
| status | 1 |
| type | Ping |
| version | 5 |
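The remote calls behind xsoar-search-incidents, xsoar-get-incident and the fetch query configured above, as an added, runnable Python example (not the pack's own code). It assumes the XSOAR 6 REST endpoints `POST /incidents/search` (body `{"filter": {...}}` with `query`, `page`, `size` and `fromDate` keys) and `POST /investigation/<id>` (body with `pageSize`, `categories`, `tags`), the API key sent in the `Authorization` header, that the trailing `#/` in the configured tenant URL is a UI fragment to drop before calling the API, and that `sourceInstance` is the field to inspect when skipping incidents this instance itself mirrored (the behaviour the `disable_from_same_integration` option describes). The sample replies and `fake_poster` are constructed so the script runs offline.

```python
"""Client for the incident-search and investigation-entry calls the XSOAR
Mirroring integration relies on.  Added example, not the pack's own code.
ASSUMPTIONS (not stated on the page): endpoint paths and filter field names,
the Authorization header carrying the API key, '#/' being a UI-only fragment,
and sourceInstance identifying incidents mirrored by this instance."""
import json
import ssl
import urllib.request
from typing import Callable, Dict, List, Optional

Poster = Callable[[str, dict], dict]  # (path, JSON body) -> parsed JSON reply


def api_base(url: str) -> str:
    """Turn the configured tenant URL into an API base, dropping the UI '#/' fragment."""
    return url.split("#", 1)[0].rstrip("/")


def make_poster(url: str, api_key: str, insecure: bool = False, timeout: int = 30) -> Poster:
    """Real HTTP poster.  insecure=True reproduces the 'Trust any certificate'
    parameter: TLS verification is off, so an on-path host can read the API key."""
    ctx = ssl.create_default_context()
    if insecure:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    base = api_base(url)

    def post(path: str, body: dict) -> dict:
        req = urllib.request.Request(
            base + path,
            data=json.dumps(body).encode(),
            headers={"Authorization": api_key, "Content-Type": "application/json",
                     "Accept": "application/json"},
            method="POST",
        )
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return json.load(resp)

    return post


def build_search_filter(query: str, start_time: Optional[str] = None,
                        max_results: int = 100, page: int = 0) -> dict:
    """Filter object for POST /incidents/search (field names are assumptions)."""
    flt: Dict[str, object] = {"query": query, "page": page, "size": max_results,
                              "sort": [{"field": "id", "asc": True}]}
    if start_time:
        flt["fromDate"] = start_time  # the start_time / first_fetch bound
    return flt


def search_incidents(post: Poster, query: str, start_time: Optional[str] = None,
                     max_results: int = 100) -> List[dict]:
    """xsoar-search-incidents: returns the incident dicts in the reply's 'data'."""
    reply = post("/incidents/search", {"filter": build_search_filter(query, start_time, max_results)})
    return reply.get("data") or []


def get_entries(post: Poster, incident_id: str, categories=None, tags=None,
                max_results: int = 100) -> List[dict]:
    """xsoar-get-incident entries, limited to the given categories/tags.
    Follows the page's rule that with no tags listed nothing is retrieved."""
    if not tags:
        return []
    body = {"pageSize": max_results, "categories": list(categories or []), "tags": list(tags)}
    reply = post(f"/investigation/{incident_id}", body)
    return reply.get("entries") or []


def drop_own_echoes(incidents: List[dict], instance_name: str) -> List[dict]:
    """Skip incidents this instance created on the remote side, so two tenants
    mirroring each other do not ping-pong forever (field name is an assumption)."""
    return [i for i in incidents if i.get("sourceInstance") != instance_name]


# Constructed sample replies, shaped like the context output shown on the page.
SAMPLE_SEARCH_REPLY = {"total": 2, "data": [
    {"id": "34", "name": "testing", "type": "Ping",
     "sourceBrand": "Manual", "sourceInstance": "admin", "status": 1},
    {"id": "35", "name": "echoed", "type": "Ping",
     "sourceBrand": "XSOAR Mirroring", "sourceInstance": "mirror_to_tenantB", "status": 1},
]}
SAMPLE_ENTRIES_REPLY = {"entries": [
    {"id": "1@34", "category": "chat", "tags": ["to-tenant"], "contents": "analyst note"},
]}


def fake_poster(path: str, body: dict) -> dict:
    """Offline stand-in for make_poster(); answers with the constructed samples."""
    if path == "/incidents/search":
        return SAMPLE_SEARCH_REPLY
    if path.startswith("/investigation/"):
        return SAMPLE_ENTRIES_REPLY
    raise ValueError(f"unexpected path {path}")


def demo(post: Poster = fake_poster, own_instance: str = "mirror_to_tenantB") -> Dict[str, List[dict]]:
    """Fetch cycle: search with the page's query, drop our own echoes, pull tagged entries."""
    found = search_incidents(post, "-status:closed and type:Ping and -frompong:true", max_results=50)
    fresh = drop_own_echoes(found, own_instance)
    return {i["id"]: get_entries(post, i["id"], categories=["chat"], tags=["to-tenant"]) for i in fresh}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it as a script to see that only incident 34 survives the echo filter and that its chat entry tagged `to-tenant` is pulled; swap `fake_poster` for `make_poster(url, api_key)` to talk to a real tenant. Leave `insecure` at its default unless you are in a lab, since with it on the API key is sent to whatever answers on that port.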

get-remote-data

Get remote data for a remote incident. Note that this command does not update the current incident; it is provided for debugging purposes.

Base Command

get-remote-data

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| id | The remote incident ID | Required |
| lastUpdate | Retrieve only entries that were created after lastUpdate | Optional |

Command Example

```
!get-remote-data id=34 lastUpdate="18:00 July 12th, 2020"
```

get-mapping-fields

Get the mapping fields from the remote incident.

Base Command

get-mapping-fields

Input

This command has no input arguments.

Context Output

There is no context output for this command.

Command Example

```
!get-mapping-fields
```