The fetch time range will be at least the size specified here. Do not use this option unless advised otherwise.Īdvanced: Fetch backwards window for the events occurrence time (minutes) To retrieve all events, enter "0" (not recommended).Īdvanced: Extensive logging (for debugging purposes). The limit of how many events to retrieve per each one of the enrichment types (Drilldown, Asset, and Identity). When the selected timeout was reached, notable events that were not enriched will be saved without the enrichment.
For more info about enrichment types see the integration additional info. If none are selected, the integration will fetch notables as usual (without enrichment). When selected, closing the Cortex XSOAR incident will close the Notable Event in Splunk.Įnrichment types to enrich each fetched notable. When selected, Splunk Notable Events with a status that is marked as "End Status" will close the Cortex XSOAR incident.Ĭlose Mirrored Splunk Notable Events (Outgoing Mirroring) When selected, closing the Splunk notable event with a "Closed" status will close the Cortex XSOAR incident.Īdditional Splunk status labels to close on mirror (Incoming Mirroring)Ī comma-separated list of Splunk status labels to mirror as closed Cortex XSOAR incident (Example: Resolved,False-Positive).Įnable Splunk statuses marked as "End Status" to close on mirror (Incoming Mirroring) See for more information.Ĭhoose the direction to mirror the incident: Incoming (from Splunk to Cortex XSOAR), Outgoing (from Cortex XSOAR to Splunk), or Incoming and Outgoing (from/to Cortex XSOAR and Splunk).Ĭlose Mirrored Cortex XSOAR Incidents (Incoming Mirroring) If selected, when creating a mapper using the `Select Schema` feature (supported from Cortex XSOAR V6.0), the Splunk CIM field will be pulled. However, you may choose any custom field. The default value is "source", which is a good option for notable events. The name of the field that contains the type of the event or alert. Used only for mapping with the Select Schema option. The amount of time to go back when performing the first fetch, or when creating a mapping using the Select Schema option.Įxtract Fields - CSV fields that will be parsed out of _raw notable events
(Set only if the Splunk server is different than the Cortex XSOAR server.) Relevant only for fetching and mirroring notable events.įirst fetch timestamp (, e.g., 12 hours, 7 days, 3 months, 1 year)
For example, if GMT is gmt +3, set timezone to +180. Timezone of the Splunk server, in minutes. Replace with Underscore in Incident Fields Note, that to fetch ES notable events, make sure to include the \`notable\` macro in your query.įetch Limit (Max.- 200, Recommended less than 50) You can edit this query to fetch other types of events. The default query fetches ES notable events. The Splunk search query by which to fetch events. Navigate to Settings > Integrations > Servers & Services.Ĭlick Add instance to create and configure a new integration instance.
0 kommentar(er)
