XSOAR Mirroring

Allows mirroring of XSOAR incidents between different Cortex XSOAR tenants.

This integration was integrated and tested with version 6.0 of XSOAR

Configure XSOAR Mirroring on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for XSOAR Mirroring.
  3. Click Add instance to create and configure a new integration instance.
  4. Go to the tenant to which you want to mirror the content and install the XSOAR Mirroring pack. This is where you can define which content you want to ingest from the Cortex XSOAR tenant.

The mirroring instance in the source tenant adds a new incident type, called Ping. To ingest those incidents into the XSOAR mirroring client tenant, use the following fetch query (it skips closed incidents, restricts the fetch to the Ping type and excludes incidents flagged `frompong`):

`-status:closed and type:Ping and -frompong:true`

| Parameter | Description | Required |
| --- | --- | --- |
| incidentType | Incident type | False |
| url | URL of the XSOAR tenant from which you are ingesting the Ping incidents. Add the full server address, for example `https://cortexXSOARMainAccount:8443/acc_MyTenant#/` | True |
| apikey | The API key to access the server. The key must be issued by the server to which you are connecting. | True |
| insecure | Trust any certificate (not secure) | False |
| proxy | Use system proxy settings | False |
| isFetch | Fetch incidents | False |
| max_fetch | Maximum number of incidents per fetch | False |
| query | Fetch only incidents that match the query | False |
| first_fetch | First fetch time | False |
| categories | Entry categories | False |
| tags | Entry tags | False |

  5. Click Test to ensure that you can communicate with the Cortex XSOAR tenant.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

xsoar-search-incidents


Search remote XSOAR for incidents

Base Command

xsoar-search-incidents

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| query | Which incidents to retrieve | Optional |
| start_time | From when to search | Optional |
| max_results | How many incidents to bring | Optional |
| columns | Which columns to display | Optional |

Context Output

There is no context output for this command.

Command Example

!xsoar-search-incidents query="-status:closed -category:job"

Human Readable Output

Incident fields returned for the one matching incident, one row per field (fields whose value is empty are omitted):

| Field | Value |
| --- | --- |
| ShardID | 0 |
| account | Ping |
| activated | 0001-01-01T00:00:00Z |
| autime | 1594654220814726000 |
| changeStatus | new |
| closed | 0001-01-01T00:00:00Z |
| created | 2020-07-13T18:30:20.814726+03:00 |
| dbotCreatedBy | admin |
| dbotMirrorLastSync | 0001-01-01T00:00:00Z |
| droppedCount | 0 |
| dueDate | 2020-07-23T18:30:20.814726+03:00 |
| feedBased | false |
| hasRole | false |
| id | 35 |
| insights | 0 |
| isPlayground | false |
| labels | {'value': 'admin', 'type': 'Instance'}, {'value': 'Manual', 'type': 'Brand'} |
| lastJobRunTime | 0001-01-01T00:00:00Z |
| lastOpen | 0001-01-01T00:00:00Z |
| linkedCount | 0 |
| modified | 2020-07-13T18:30:20.816159+03:00 |
| name | testing |
| notifyTime | 0001-01-01T00:00:00Z |
| occurred | 2020-07-13T18:30:20.814725+03:00 |
| openDuration | 0 |
| owner | admin |
| rawName | testing |
| rawType | Unclassified |
| reminder | 0001-01-01T00:00:00Z |
| severity | 0 |
| sla | 0 |
| sortValues | _score |
| sourceBrand | Manual |
| sourceInstance | admin |
| status | 0 |
| type | Unclassified |
| version | 1 |

xsoar-get-incident


Retrieve incident and entries from remote XSOAR

Base Command

xsoar-get-incident

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| id | The remote incident id | Required |
| from_date | Retrieve only entries that were created after this time | Optional |
| categories | Retrieve only the entries of these categories | Optional |
| tags | Only entries with these tags are retrieved from the XSOAR server. If no tags are listed, no entries are retrieved. | Optional |
| max_results | Maximum number of entries to retrieve | Optional |

Context Output

```json
{
    "XSOAR.Incident(val.incident_id == obj.incident_id)": {
        "CustomFields": {
            "testdict": [
                {},
                {},
                {}
            ]
        },
        "ShardID": 0,
        "account": "Ping",
        "activated": "0001-01-01T00:00:00Z",
        "attachment": null,
        "autime": 1594125574034437000,
        "canvases": null,
        "category": "",
        "closeNotes": "",
        "closeReason": "",
        "closed": "0001-01-01T00:00:00Z",
        "closingUserId": "",
        "created": "2020-07-07T15:39:34.034437+03:00",
        "dbotCreatedBy": "admin",
        "dbotCurrentDirtyFields": null,
        "dbotDirtyFields": null,
        "dbotMirrorDirection": "",
        "dbotMirrorId": "",
        "dbotMirrorInstance": "",
        "dbotMirrorLastSync": "0001-01-01T00:00:00Z",
        "dbotMirrorTags": null,
        "details": "this is the new details",
        "droppedCount": 0,
        "dueDate": "2020-07-10T15:39:34.034437+03:00",
        "feedBased": false,
        "hasRole": false,
        "id": "34",
        "investigationId": "34",
        "isPlayground": false,
        "labels": [
            {
                "type": "Instance",
                "value": "admin"
            },
            {
                "type": "Brand",
                "value": "Manual"
            }
        ],
        "lastJobRunTime": "0001-01-01T00:00:00Z",
        "lastOpen": "0001-01-01T00:00:00Z",
        "linkedCount": 0,
        "linkedIncidents": null,
        "modified": "2020-07-07T15:42:18.436987+03:00",
        "name": "testing",
        "notifyTime": "0001-01-01T00:00:00Z",
        "occurred": "2020-07-07T15:39:34.034436+03:00",
        "openDuration": 0,
        "owner": "admin",
        "parent": "",
        "phase": "",
        "playbookId": "",
        "previousRoles": null,
        "rawCategory": "",
        "rawCloseReason": "",
        "rawJSON": "",
        "rawName": "testing",
        "rawPhase": "",
        "rawType": "Ping",
        "reason": "",
        "reminder": "0001-01-01T00:00:00Z",
        "roles": null,
        "runStatus": "",
        "severity": 0,
        "sla": 0,
        "sortValues": null,
        "sourceBrand": "Manual",
        "sourceInstance": "admin",
        "status": 1,
        "type": "Ping",
        "version": 5
    }
}
```

Command Example

!xsoar-get-incident id=34

Human Readable Output

Incident fields returned for incident 34, one row per field (fields whose value is empty are omitted):

| Field | Value |
| --- | --- |
| CustomFields | testdict: {}, {}, {} |
| ShardID | 0 |
| account | Ping |
| activated | 0001-01-01T00:00:00Z |
| autime | 1594125574034437000 |
| closed | 0001-01-01T00:00:00Z |
| created | 2020-07-07T15:39:34.034437+03:00 |
| dbotCreatedBy | admin |
| dbotMirrorLastSync | 0001-01-01T00:00:00Z |
| details | this is the new details |
| droppedCount | 0 |
| dueDate | 2020-07-10T15:39:34.034437+03:00 |
| feedBased | false |
| hasRole | false |
| id | 34 |
| investigationId | 34 |
| isPlayground | false |
| labels | {'value': 'admin', 'type': 'Instance'}, {'value': 'Manual', 'type': 'Brand'} |
| lastJobRunTime | 0001-01-01T00:00:00Z |
| lastOpen | 0001-01-01T00:00:00Z |
| linkedCount | 0 |
| modified | 2020-07-07T15:42:18.436987+03:00 |
| name | testing |
| notifyTime | 0001-01-01T00:00:00Z |
| occurred | 2020-07-07T15:39:34.034436+03:00 |
| openDuration | 0 |
| owner | admin |
| rawName | testing |
| rawType | Ping |
| reminder | 0001-01-01T00:00:00Z |
| severity | 0 |
| sla | 0 |
| sourceBrand | Manual |
| sourceInstance | admin |
| status | 1 |
| type | Ping |
| version | 5 |

get-remote-data


Get remote data from a remote incident. Note that this command does not update the current incident; it exists for debugging purposes.

Base Command

get-remote-data

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| id | The remote incident id | Required |
| lastUpdate | Retrieve entries that were created after lastUpdate | Optional |

Command Example

!get-remote-data id=34 lastUpdate="18:00 July 12th, 2020"
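The two selection rules this page documents, as an added example that is not part of the XSOAR Mirroring pack and not the pack's own code: the instance parameters `query`, `first_fetch` and `max_fetch` are turned into the body for the remote server's incident search (the `{"filter": {"query", "fromDate", "size"}}` shape is an assumption about the server's search API, not something the page states), and the entries of a remote incident are filtered the way the `categories`, `tags` and `from_date`/`lastUpdate` arguments of xsoar-get-incident and get-remote-data describe. The function names, and the sample entries, are constructed for illustration; the edge case the `tags` argument calls out (no tags configured means no entries are retrieved) is handled explicitly.

```python
"""Offline reconstruction of the incident-search body and the entry filter
described on this page (added example; not the XSOAR Mirroring pack's code)."""
from __future__ import annotations

from datetime import datetime, timezone
from typing import Iterable

# The fetch query the page recommends for the mirroring client tenant.
DEFAULT_QUERY = "-status:closed and type:Ping and -frompong:true"


def build_search_body(query: str, from_date: datetime, max_fetch: int) -> dict:
    """Body for the remote incident search built from the instance parameters.

    The {"filter": {...}} shape is an ASSUMPTION about the remote server's
    search API; it is not documented on this page.
    """
    if max_fetch <= 0:
        raise ValueError("max_fetch must be positive")
    return {
        "filter": {
            "query": query,
            # XSOAR timestamps are RFC 3339; normalise to UTC before sending.
            "fromDate": from_date.astimezone(timezone.utc).isoformat(),
            "size": max_fetch,
        }
    }


def parse_ts(value: str) -> datetime:
    """Parse an XSOAR timestamp such as "2020-07-07T15:39:34.034437+03:00".

    "0001-01-01T00:00:00Z" is the server's zero value ("never"); the "Z"
    suffix is rewritten because datetime.fromisoformat needs "+00:00".
    """
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def select_entries(entries: Iterable[dict], categories: Iterable[str],
                   tags: Iterable[str], last_update: datetime | None = None) -> list[dict]:
    """Keep entries created after last_update, in one of the configured
    categories (when any are configured) and carrying at least one of the
    configured tags. No configured tags means nothing is retrieved, which is
    the behaviour the `tags` argument documents."""
    wanted_categories = set(categories)
    wanted_tags = set(tags)
    if not wanted_tags:
        return []
    selected = []
    for entry in entries:
        if last_update is not None and parse_ts(entry["created"]) <= last_update:
            continue
        if wanted_categories and entry.get("category") not in wanted_categories:
            continue
        if not wanted_tags.intersection(entry.get("tags") or []):
            continue
        selected.append(entry)
    return selected


# Constructed sample entries (not captured from a server); only the fields
# the filter reads are present.
SAMPLE_ENTRIES = [
    {"id": "1", "created": "2020-07-12T17:00:00+03:00", "category": "chat", "tags": ["ping"]},
    {"id": "2", "created": "2020-07-12T19:30:00+03:00", "category": "chat", "tags": ["ping"]},
    {"id": "3", "created": "2020-07-12T19:45:00+03:00", "category": "attachments", "tags": ["ping"]},
    {"id": "4", "created": "2020-07-12T20:00:00+03:00", "category": "chat", "tags": []},
    {"id": "5", "created": "2020-07-12T20:10:00+03:00", "category": "chat", "tags": ["internal", "ping"]},
]


def demo() -> list[str]:
    """Replay the page's !get-remote-data call: entries after 18:00 on 12 July 2020,
    chat category only, tagged "ping". Returns the ids that would be mirrored."""
    last_update = parse_ts("2020-07-12T18:00:00+03:00")
    kept = select_entries(SAMPLE_ENTRIES, categories=["chat"], tags=["ping"],
                          last_update=last_update)
    return [e["id"] for e in kept]


if __name__ == "__main__":
    print(build_search_body(DEFAULT_QUERY, parse_ts("2020-07-07T15:39:34+03:00"), 50))
    print(demo())
```

Entry 1 is too old, entry 3 is in the wrong category and entry 4 carries no tag, so only entries 2 and 5 survive; with `tags=[]` the same call returns nothing at all, which is why an instance configured with no entry tags mirrors incidents but never their War Room entries.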

get-mapping-fields


Get mapping fields from remote incident.

Base Command

get-mapping-fields

Input

There are no input arguments for this command.

Context Output

There is no context output for this command.

Command Example

!get-mapping-fields