When selected, Splunk Notable Events with a status that is marked as "End Status" will close the Cortex XSOAR incident.Ĭlose Mirrored Splunk Notable Events (Outgoing Mirroring) When selected, closing the Splunk notable event with a "Closed" status will close the Cortex XSOAR incident.Īdditional Splunk status labels to close on mirror (Incoming Mirroring)Ī comma-separated list of Splunk status labels to mirror as closed Cortex XSOAR incident (Example: Resolved,False-Positive).Įnable Splunk statuses marked as "End Status" to close on mirror (Incoming Mirroring) See for more information.Ĭhoose the direction to mirror the incident: Incoming (from Splunk to Cortex XSOAR), Outgoing (from Cortex XSOAR to Splunk), or Incoming and Outgoing (from/to Cortex XSOAR and Splunk).Ĭlose Mirrored Cortex XSOAR Incidents (Incoming Mirroring) If selected, when creating a mapper using the `Select Schema` feature (supported from Cortex XSOAR V6.0), the Splunk CIM field will be pulled. However, you may choose any custom field. The default value is "source", which is a good option for notable events. The name of the field that contains the type of the event or alert. Used only for mapping with the Select Schema option. The amount of time to go back when performing the first fetch, or when creating a mapping using the Select Schema option.Įxtract Fields - CSV fields that will be parsed out of _raw notable events It must be specified when mirroring is enabled.įirst fetch timestamp (, e.g., 12 hours, 7 days, 3 months, 1 year) This is relevant only for fetching and mirroring notable events. For example, if GMT is gmt +3, set timezone to +180. Timezone of the Splunk server, in minutes. Replace with Underscore in Incident Fields Note, that to fetch ES notable events, make sure to include the \`notable\` macro in your query.įetch Limit (Max.- 200, Recommended less than 50) You can edit this query to fetch other types of events. The default query fetches ES notable events. The Splunk search query by which to fetch events. Navigate to Settings > Integrations > Servers & Services.Ĭlick Add instance to create and configure a new integration instance. Get results of a search that was executed in Splunk.This integration was integrated and tested with Splunk v7.2.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |