# XSOAR Mirroring

This integration is part of the XSOAR Mirroring Pack.

#### Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

Allows mirroring of XSOAR incidents between different Cortex XSOAR tenants.
This integration was integrated and tested with version 6.0 of XSOAR.
## Configure XSOAR Mirroring on Cortex XSOAR

- Navigate to Settings > Integrations > Servers & Services.
- Search for XSOAR Mirroring.
- Click Add instance to create and configure a new integration instance.
- Go to the tenant to which you want to mirror the content and install the XSOAR Mirroring pack. This is where you define which content you want to ingest from the Cortex XSOAR tenant.

  The mirroring instance in the first tenant contains a new incident type, called Ping. You can use the following query to ingest those incidents into the XSOAR mirroring client tenant:

  `-status:closed and type:Ping and -frompong:true`

| Parameter | Description | Required |
| --- | --- | --- |
| incidentType | Incident type | False |
| url | URL of the XSOAR tenant from which you are ingesting the Ping incidents. You should add the full server address, for example, https://cortexXSOARMainAccount:8443/acc_MyTenant#/ | True |
| apikey | The API key to access the server. The key must be provided by the server to which you are connecting. | True |
| insecure | Trust any certificate (not secure) | False |
| proxy | Use system proxy settings | False |
| isFetch | Fetch incidents | False |
| max_fetch | Maximum number of incidents per fetch | False |
| query | Fetch only incidents that match the query | False |
| first_fetch | First fetch time | False |
| categories | Entry categories | False |
| tags | Incoming entry tags | False |
| mirror_tag | Outgoing entry tag | False |
| mirror_identically | Mirror to identical incident type | False |
| disable_from_same_integration | Disable mirroring for incidents that came from this integration | False |

- Click Test to ensure that you can communicate with the Cortex XSOAR tenant.

### Important notes

- In order to mirror custom fields, you need to create an incoming mapper for the integration and explicitly specify them in it.
- In order to mirror custom fields in both directions, the custom fields in both XSOAR instances must have the same CLI name.
## Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

### xsoar-search-incidents

Search the remote XSOAR for incidents.

#### Base Command

`xsoar-search-incidents`
#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| query | Which incidents to retrieve | Optional |
| start_time | From when to search | Optional |
| max_results | How many incidents to return | Optional |
| columns | Which columns to display | Optional |
#### Context Output

There is no context output for this command.

#### Command Example

`!xsoar-search-incidents query="-status:closed -category:job"`

#### Human Readable Output

| CustomFields | ShardID | account | activated | attachment | autime | canvases | category | changeStatus | closeNotes | closeReason | closed | closingUserId | created | dbotCreatedBy | dbotCurrentDirtyFields | dbotDirtyFields | dbotMirrorDirection | dbotMirrorId | dbotMirrorInstance | dbotMirrorLastSync | dbotMirrorTags | details | droppedCount | dueDate | feedBased | hasRole | id | insights | investigationId | isPlayground | labels | lastJobRunTime | lastOpen | linkedCount | linkedIncidents | modified | name | notifyTime | occurred | openDuration | owner | parent | phase | playbookId | previousRoles | rawCategory | rawCloseReason | rawJSON | rawName | rawPhase | rawType | reason | reminder | roles | runStatus | severity | sla | sortValues | sourceBrand | sourceInstance | status | type | version |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 0 | Ping | 0001-01-01T00:00:00Z | 1594654220814726000 | new | 0001-01-01T00:00:00Z | 2020-07-13T18:30:20.814726+03:00 | admin | 0001-01-01T00:00:00Z | 0 | 2020-07-23T18:30:20.814726+03:00 | false | false | 35 | 0 | false | {'value': 'admin', 'type': 'Instance'},<br>{'value': 'Manual', 'type': 'Brand'} | 0001-01-01T00:00:00Z | 0001-01-01T00:00:00Z | 0 | 2020-07-13T18:30:20.816159+03:00 | testing | 0001-01-01T00:00:00Z | 2020-07-13T18:30:20.814725+03:00 | 0 | admin | testing | Unclassified | 0001-01-01T00:00:00Z | 0 | 0 | _score | Manual | admin | 0 | Unclassified | 1 |
### xsoar-get-incident

Retrieve an incident and its entries from the remote XSOAR.

#### Base Command

`xsoar-get-incident`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| id | The remote incident id | Required |
| from_date | Retrieve entries that were created after last_update | Optional |
| categories | Retrieve only the entries of these categories | Optional |
| tags | Only entries with these tags are retrieved from the XSOAR server. If no tags are listed, no entries are retrieved. | Optional |
| max_results | Maximum number of entries to retrieve | Optional |
#### Context Output

#### Command Example

`!xsoar-get-incident id=34`

#### Human Readable Output

| CustomFields | ShardID | account | activated | attachment | autime | canvases | category | closeNotes | closeReason | closed | closingUserId | created | dbotCreatedBy | dbotCurrentDirtyFields | dbotDirtyFields | dbotMirrorDirection | dbotMirrorId | dbotMirrorInstance | dbotMirrorLastSync | dbotMirrorTags | details | droppedCount | dueDate | feedBased | hasRole | id | investigationId | isPlayground | labels | lastJobRunTime | lastOpen | linkedCount | linkedIncidents | modified | name | notifyTime | occurred | openDuration | owner | parent | phase | playbookId | previousRoles | rawCategory | rawCloseReason | rawJSON | rawName | rawPhase | rawType | reason | reminder | roles | runStatus | severity | sla | sortValues | sourceBrand | sourceInstance | status | type | version |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| testdict: {},<br>{},<br>{} | 0 | Ping | 0001-01-01T00:00:00Z | 1594125574034437000 | 0001-01-01T00:00:00Z | 2020-07-07T15:39:34.034437+03:00 | admin | 0001-01-01T00:00:00Z | this is the new details | 0 | 2020-07-10T15:39:34.034437+03:00 | false | false | 34 | 34 | false | {'value': 'admin', 'type': 'Instance'},<br>{'value': 'Manual', 'type': 'Brand'} | 0001-01-01T00:00:00Z | 0001-01-01T00:00:00Z | 0 | 2020-07-07T15:42:18.436987+03:00 | testing | 0001-01-01T00:00:00Z | 2020-07-07T15:39:34.034436+03:00 | 0 | admin | testing | Ping | 0001-01-01T00:00:00Z | 0 | 0 | Manual | admin | 1 | Ping | 5 |
### get-remote-data

Get remote data from a remote incident. Note that this command does not update the current incident; it is provided for debugging purposes.

#### Base Command

`get-remote-data`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| id | The remote incident id | Required |
| lastUpdate | Retrieve entries that were created after lastUpdate | Optional |

#### Command Example

`!get-remote-data id=34 lastUpdate="18:00 July 12th, 2020"`
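The entry filters that `xsoar-get-incident` and `get-remote-data` describe (created after a cutoff, restricted to listed categories, and carrying at least one listed tag, with an empty tag list mirroring nothing) can be exercised offline with the added example below. It is not the integration's own code: the entry keys (`category`, `tags`, `created`) and the ISO 8601 timestamps are assumptions, and the entries are constructed sample data.

```python
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample War Room entries (assumption: the real integration reads
# the same keys from the remote API response).
REMOTE_ENTRIES: List[Dict] = [
    {"id": "1", "category": "chat", "tags": ["mirror"], "created": "2020-07-12T17:00:00+00:00"},
    {"id": "2", "category": "chat", "tags": ["mirror"], "created": "2020-07-12T19:00:00+00:00"},
    {"id": "3", "category": "attachments", "tags": ["mirror"], "created": "2020-07-12T19:30:00+00:00"},
    {"id": "4", "category": "chat", "tags": [], "created": "2020-07-12T20:00:00+00:00"},
    {"id": "5", "category": "chat", "tags": ["mirror", "internal"], "created": "2020-07-12T21:00:00+00:00"},
]


def parse_ts(value: str) -> datetime:
    """Parse an ISO 8601 timestamp into an aware datetime (naive values are taken as UTC)."""
    dt = datetime.fromisoformat(value)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def filter_entries(entries: List[Dict], last_update: Optional[str] = None,
                   categories: Optional[List[str]] = None, tags: Optional[List[str]] = None,
                   max_results: Optional[int] = None) -> List[Dict]:
    """Apply the documented argument semantics, oldest entry first.

    - last_update: keep only entries created strictly after the cutoff
    - categories: keep only entries whose category is listed (None/empty = no category filter)
    - tags: keep only entries carrying at least one listed tag; no tags means nothing
      is mirrored, which is the safe default the documentation describes
    - max_results: cap the number of returned entries
    """
    if not tags:
        return []
    cutoff = parse_ts(last_update) if last_update else None
    wanted = set(tags)
    selected: List[Dict] = []
    for entry in sorted(entries, key=lambda e: parse_ts(e["created"])):
        if cutoff is not None and parse_ts(entry["created"]) <= cutoff:
            continue
        if categories and entry.get("category") not in categories:
            continue
        if not wanted.intersection(entry.get("tags", [])):
            continue
        selected.append(entry)
        if max_results is not None and len(selected) >= max_results:
            break
    return selected


def selected_ids(**kwargs) -> List[str]:
    """Convenience wrapper: ids of the sample entries that pass the filters."""
    return [e["id"] for e in filter_entries(REMOTE_ENTRIES, **kwargs)]
```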
### get-mapping-fields

Get mapping fields from the remote incident.

#### Base Command

`get-mapping-fields`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |

#### Context Output

There is no context output for this command.

#### Command Example

`!get-mapping-fields`