diff --git a/Packs/SekoiaXDR/Integrations/SekoiaXDR/README.md b/Packs/SekoiaXDR/Integrations/SekoiaXDR/README.md index dc184d5e41ac..ef55b95ecc2f 100644 --- a/Packs/SekoiaXDR/Integrations/SekoiaXDR/README.md +++ b/Packs/SekoiaXDR/Integrations/SekoiaXDR/README.md 
@@ -850,25 +850,36 @@ Newly fetched incidents will be mirrored in the chosen direction. However, this ## Troubleshooting -To troubleshoot possible issues with the integration: -- **Debug mode:** In the integration instance select the option Debug and download the logs under Settings>About>Troubleshooting>Download logs. -- **Mirror values:** To troubleshoot mirroring issues apart from debug mode is possible to check under context that the dbot fields are set. -- This fields under context are: dbotMirrorInstance, dbotMirrorDirection and dbotMirrorId. If they are not set please review the mappers. -- The field dbotMirrorLastSync under context will be updated when the mirroring updates something on the incident, this can be also observed under War Room. +To troubleshoot possible issues with the SEKOIA XDR integration, consider the following steps: -## Best practices +- **Debug Mode**: + - In your integration instance, enable the Debug option. + - Navigate to `Settings > About > Troubleshooting > Download logs` to download the logs. Analyzing these logs can provide valuable insights into any issues. -- When mirroring is enable please allow at least 1 minute to see the changes reflected, the mirroring process is executed every 1 minute. -- When reopening option is marked the XSOAR incident will be reopened under 2 conditions: - - The alert is reopened from Sekoia which will reopen the incident in XSOAR. - - The XSOAR incident is reopened: when this is done from XSOAR after reopen the incident please quickly change the status of the Sekoia alert or the mirroring will close it automatically due to the mirroring. +- **Mirror Values**: + - To diagnose mirroring issues beyond what debug mode offers, you can inspect specific fields in the context data. Check if the following dbot fields are set: + - **dbotMirrorInstance**: Indicates the instance managing the mirroring. + - **dbotMirrorDirection**: Shows the direction of mirroring. 
+ - **dbotMirrorId**: The unique identifier for the mirroring process. + - If these fields are not set, review the mappers to ensure that they are configured correctly. - -## Contact Information +- **dbotMirrorLastSync Field**: + - The `dbotMirrorLastSync` field in the context data will update when the mirroring process updates an incident. + - You can observe these updates in the **War Room** as well, which will provide a log of the mirroring activity. -Support and maintenance for this integration are provided by the author. Please use the following contact details: -- Email: team-integration@sekoia.io -- URL: [https://www.sekoia.io/en/contact/](https://www.sekoia.io/en/contact/) +By following these troubleshooting steps, you can effectively diagnose and resolve issues within the SEKOIA XDR integration. + +## Best Practices + +To make the most out of your SEKOIA XDR integration, consider the following best practices: + +- **Mirroring Changes**: When mirroring is enabled, please allow at least 1 minute for changes to be reflected. The mirroring process runs every 1 minute, ensuring that data between SEKOIA and Cortex is kept in sync. + +- **Handling Reopened Incidents**: If you have enabled the reopening option, the Cortex incident will be reopened under two specific conditions: + - **Reopened Alert in SEKOIA**: If an alert is reopened in SEKOIA, the corresponding incident in Cortex will also be reopened. This ensures that the incident tracking is consistent across both platforms. + - **Reopened Incident in Cortex**: If you reopen an incident directly in Cortex, you need to be cautious. After reopening the incident in Cortex, you should promptly change the status of the SEKOIA alert. Failing to do so might lead to the incident being automatically closed by the mirroring process. + +By adhering to these best practices, you can ensure a smoother and more effective synchronization between SEKOIA and your incident management platform. ## Additional documentation
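Review bot: the `## Contact Information` section is removed from this hunk (the lines `- Email: team-integration@sekoia.io` and `- URL: [https://www.sekoia.io/en/contact/](https://www.sekoia.io/en/contact/)`) and nothing in the added `+` lines carries those support contacts anywhere else; if the intent is to move them rather than drop them, re-add the section after the new Best Practices block, otherwise note in the PR description that deleting the contact details is deliberate. A smaller point in the same hunk: the rewritten Best Practices bullets switch from "XSOAR" to "Cortex" while the troubleshooting text above still talks about the integration instance and War Room without renaming, so pick one product name and use it consistently throughout the README.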