topic Re: Modify Alerts Going to An Endpoint Group in Cortex XDR Discussions

Modify Alerts Going to An Endpoint Group

chukaokonkwo — Thu, 03 Mar 2022 21:35:11 GMT

Hello all,

I have setup an endpoint group of high profile laptops. I would like the following configured on XDR.

- Prefix all Incident names going to endpoints in that group with "VIP Endpoint [Incident Name] (e.g. VIP Endpoint Wildfire Malware Detected)

- When a "High" or "Medium" alert is triggered for an endpoint within that group forward it to a specific email.

Thanks for the tips and insights on setting this up guys. I've been searching back and forth in the admin guide to see if I can get the information. If this happens I'll be sure to post it here as well.

Re: Modify Alerts Going to An Endpoint Group

bbarmanroy — Fri, 04 Mar 2022 02:27:00 GMT

Hi @chukaokonkwo What I'd advise you is to create a Starred Alert Configuration using Featured Fields.

You can create a list of Featured Fields (link: here) using hostname, IP address, or username.
Create a Starring Configuration (link here) with the featured fields.

That'll star all incidents containing alerts of this nature. Populate the hosts and save the filter for quick retrieval for future use.
Create a Scoring Rule (link here) for Featured fields as well.
Create a Notifications Rule in the Configurations to forward all alerts that meet those criteria.