
Search Query Examples
# Search for active incidents with Information severity
status:Active and severity:Informational
# Search for active incidents or Informational incidents
status:Active or severity:Informational
# Search for all incidents that are not closed and are not in the job category.
-status:closed -category:job
# Search playbooks whose name starts by Block
name:Block*
# Search for automations whose code contains "import json"
script:*import json*
# Search for incidents that were created on or after July 1, 2024
created:>="2024-07-01T00:00:00 +0200"
# Search for indicator values that contain "www" and end with ".com" using regex
value:"/w{3}..*.com/"
# Search for incident id 523
/search incident.id:523
# Search indicators that ends with ".com"
/search indicator.value:*.com
!GetErrorsFromEntry entry_id=${lastCompletedTaskEntries}
!getInvPlaybookMetaData incidentId=<incident ID> minSize=<size of the data you want to return in KB. Default is 10>
Get sample data for testing/debugging
# Export root data
!js script="return ${.}"
# Export context data
!py script="return_results(demisto.context())"
!PrintContext outputformat=json
# Export incident data
!py script="return_results(demisto.incident())"
!Print value=${.incident}
Commands
/docker_images
/docker_image_update all=<bool> | image=<image_name>
/docker_image_create name="<name>" base="<docker_image_base>" dependencies="<dependency1>, <dependency2>" packages="<package1>, <package2>"
/docker_image_create name=”demisto/py3-bs4” base=”demisto/python3-deb:3.8.2.6981” dependencies=beautifulsoup4
Fix Permission Denied Error
sudo mkdir -p /home/demisto
sudo chown demisto:demisto /home/demisto
curl 'https://<host>:443/incidents/search' -H 'content-type: application/json' -H 'accept: application/json' -H 'Authorization: <your api key>' --data-binary '{"filter":{"query":"-status:closed -category:job","period":{"by":"day","fromValue":30}}}' --compressed -k
!core-api-get uri="/health/containers”
{"alertName": "Phishing Attack", "type": "phishing", "email": "test@outlook.com"}
/var/log/demisto/integration-instance.log
!command debug-mode=true
In this course, we will thoroughly explore several essential topics, starting with a comprehensive introduction to SOAR (Security Orchestration, Automation, and Response) and XSOAR 6, a leading platform in this field by Palo Alto Networks. It is important to note that XSOAR 6 is the older version of the platform, which has since evolved in more recent updates. We will delve into the various use cases of XSOAR 6, demonstrating its pivotal role in enhancing and streamlining security operations within organizations.
As we advance, you will gain in-depth knowledge of XSOAR’s components, such as incident types, integrations, and instances, and how they interconnect to create a cohesive security framework. You will learn to leverage these components to optimize and refine your security operations.
A significant portion of the course will focus on developing automations and playbooks, essential tools for automating incident response tasks. In addition to this, you will explore how to design and implement automated workflows that streamline repetitive processes, enhance productivity, and reduce human error.
In this course, instructions on how to install the XSOAR server instance and its administrator are not provided; it is more focused on development.
By the end of this course, you will be equipped to create sophisticated automated workflows and integrations within XSOAR 6, dramatically improving your organization's response to security incidents and ensuring stronger overall security management.