XSOAR Mirroring
This Integration is part of the XSOAR Mirroring Pack.#
Supported versions
Supported Cortex XSOAR versions: 6.0.0 and later.
Allows mirroring of XSOAR incidents between different Cortex XSOAR tenants.
This integration was integrated and tested with version 6.0 of XSOAR
Configure XSOAR Mirroring on Cortex XSOAR#
- Navigate to Settings > Integrations > Servers & Services.
- Search for XSOAR Mirroring.
- Click Add instance to create and configure a new integration instance.
- Go to the tenant to which you want to mirror the content and install the XSOAR Mirroring pack. This is where you can define which content you want to ingest from the Cortex XSOAR tenant.
The mirroring instance in the first tenant contains a new incident type, called Ping. You can use the following query to ingest those incidents into the XSOAR mirroring client tenant -status:closed and type:Ping and -frompong:true
| Parameter | Description | Required |
|---|---|---|
| incidentType | Incident type | False |
| url | URL of the XSOAR tenant from which you are ingesting the Ping incidents. You should add the full server address, for example, https://cortexXSOARMainAccount:8443/acc_MyTenant#/ | True |
| apikey | The API key to access the server. The key must be provided by the server to which you are connecting. | True |
| insecure | Trust any certificate (not secure) | False |
| proxy | Use system proxy settings | False |
| isFetch | Fetch incidents | False |
| max_fetch | Maximum number of incidents per fetch | False |
| query | Fetch only incidents that match the query | False |
| first_fetch | First fetch time | False |
| categories | Entry Categories | False |
| tags | Incoming Entry tags | False |
| mirror_tag | Outgoing Entry Tag | False |
| mirror_identically | Mirror to identical incident type | False |
| disable_from_same_integration | Disable mirroring for incidents came from this integration | False |
- Click Test to ensure that you can communicate with the Cortex XSOAR tenant.
Important notes:#
- In order to mirror custom fields, you need to create an incoming mapper for the integration and explicitly specify them in it.
- In order to mirror custom fields in both directions, the custom fields in both XSOAR instances must have the same cli name.
Commands#
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
xsoar-search-incidents#
Search remote XSOAR for incidents
Base Command#
xsoar-search-incidents
Input#
| Argument Name | Description | Required |
|---|---|---|
| query | Which incidents to retrieve | Optional |
| start_time | From when to search | Optional |
| max_results | How many incidents to bring | Optional |
| columns | Which columns to display | Optional |
Context Output#
There is no context output for this command.
Command Example#
!xsoar-search-incidents query="-status:closed -category:job"
Human Readable Output#
| CustomFields | ShardID | account | activated | attachment | autime | canvases | category | changeStatus | closeNotes | closeReason | closed | closingUserId | created | dbotCreatedBy | dbotCurrentDirtyFields | dbotDirtyFields | dbotMirrorDirection | dbotMirrorId | dbotMirrorInstance | dbotMirrorLastSync | dbotMirrorTags | details | droppedCount | dueDate | feedBased | hasRole | id | insights | investigationId | isPlayground | labels | lastJobRunTime | lastOpen | linkedCount | linkedIncidents | modified | name | notifyTime | occurred | openDuration | owner | parent | phase | playbookId | previousRoles | rawCategory | rawCloseReason | rawJSON | rawName | rawPhase | rawType | reason | reminder | roles | runStatus | severity | sla | sortValues | sourceBrand | sourceInstance | status | type | version |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 0 | Ping | 0001-01-01T00:00:00Z | 1594654220814726000 | new | 0001-01-01T00:00:00Z | 2020-07-13T18:30:20.814726+03:00 | admin | 0001-01-01T00:00:00Z | 0 | 2020-07-23T18:30:20.814726+03:00 | false | false | 35 | 0 | false | {'value': 'admin', 'type': 'Instance'},\u003cbr\u003e{'value': 'Manual', 'type': 'Brand'} | 0001-01-01T00:00:00Z | 0001-01-01T00:00:00Z | 0 | 2020-07-13T18:30:20.816159+03:00 | testing | 0001-01-01T00:00:00Z | 2020-07-13T18:30:20.814725+03:00 | 0 | admin | testing | Unclassified | 0001-01-01T00:00:00Z | 0 | 0 | _score | Manual | admin | 0 | Unclassified | 1 |
xsoar-get-incident#
Retrieve incident and entries from remote XSOAR
Base Command#
xsoar-get-incident
Input#
| Argument Name | Description | Required |
|---|---|---|
| id | The remote incident id | Required |
| from_date | Retrieve entries that were created after last_update | Optional |
| categories | Retrieve only the entries of these categories | Optional |
| tags | Only entries with these tags are retrieved from the XSOAR server. If no tags are listed, no entries are retrieved. | Optional |
| max_results | Max number of entries to retrieve | Optional |
Context Output#
Command Example#
!xsoar-get-incident id=34
Human Readable Output#
| CustomFields | ShardID | account | activated | attachment | autime | canvases | category | closeNotes | closeReason | closed | closingUserId | created | dbotCreatedBy | dbotCurrentDirtyFields | dbotDirtyFields | dbotMirrorDirection | dbotMirrorId | dbotMirrorInstance | dbotMirrorLastSync | dbotMirrorTags | details | droppedCount | dueDate | feedBased | hasRole | id | investigationId | isPlayground | labels | lastJobRunTime | lastOpen | linkedCount | linkedIncidents | modified | name | notifyTime | occurred | openDuration | owner | parent | phase | playbookId | previousRoles | rawCategory | rawCloseReason | rawJSON | rawName | rawPhase | rawType | reason | reminder | roles | runStatus | severity | sla | sortValues | sourceBrand | sourceInstance | status | type | version |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| testdict: {},\u003cbr\u003e{},\u003cbr\u003e{} | 0 | Ping | 0001-01-01T00:00:00Z | 1594125574034437000 | 0001-01-01T00:00:00Z | 2020-07-07T15:39:34.034437+03:00 | admin | 0001-01-01T00:00:00Z | this is the new details | 0 | 2020-07-10T15:39:34.034437+03:00 | false | false | 34 | 34 | false | {'value': 'admin', 'type': 'Instance'},\u003cbr\u003e{'value': 'Manual', 'type': 'Brand'} | 0001-01-01T00:00:00Z | 0001-01-01T00:00:00Z | 0 | 2020-07-07T15:42:18.436987+03:00 | testing | 0001-01-01T00:00:00Z | 2020-07-07T15:39:34.034436+03:00 | 0 | admin | testing | Ping | 0001-01-01T00:00:00Z | 0 | 0 | Manual | admin | 1 | Ping | 5 |
get-remote-data#
Get remote data from a remote incident. Please note that this method will not update the current incident, it's here for debugging purposes.
Base Command#
get-remote-data
Input#
| Argument Name | Description | Required |
|---|---|---|
| id | The remote incident id | Required |
| lastUpdate | Retrieve entries that were created after lastUpdate | Optional |
Command Example#
!get-remote-data id=34 lastUpdate="18:00 July 12th, 2020"
get-mapping-fields#
Get mapping fields from remote incident.
Base Command#
get-mapping-fields
Input#
| Argument Name | Description | Required |
|---|
Context Output#
There is no context output for this command.
Command Example#
!get-mapping-fields