Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update mirroring.md #1650

Merged
merged 1 commit into from
Nov 7, 2024
Merged

Update mirroring.md #1650

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 7 additions & 0 deletions docs/integrations/mirroring.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -234,6 +234,13 @@ def get_mapping_fields_command():

```

## Classification and Mapping with Mirroring
When incoming mirroring happens, the incident goes through both the classifier and the mapper. The classifier sets a specific value for the incident type, and the mapper updates the incident with this value, ensuring that the incident type matches what the classifier determined.
julieschwartz18 marked this conversation as resolved.
Show resolved Hide resolved
To prevent the incident type from changing during mirroring:
1. If your integration instance does not fetch incidents, do not set a default incident type, and remove the classifier.
2. Set up a second integration instance without classification that uses the same mapper.
3. Set the second integration as **Do not use by default** so playbook command executions use the first integration instance.

## Incident Fields on a Cortex XSOAR Incident
The following incident fields must be configured either in the integration or in the integration instance mapping:
* **dbotMirrorDirection**: Valid values are Both, In, or Out.
Expand Down
Loading