topic How to get the list of alerts/incidents for a particular list of hosts? in Cortex XDR Discussions

How to get the list of alerts/incidents for a particular list of hosts?

Kavurisowmya — Wed, 22 Jun 2022 03:31:56 GMT

Hi,

I need to know how can we get alerts for particular hosts/ a specific group ( Ex: 1000 agents ) in the Cortex XDR console -> Incident Response -> Incidents -> Alerts table. I have tried from filter option but it doesn't work. We can't add all the agent names in the hostname for the 1000 servers as it is time-consuming. So, is there any other way to get alerts only for specific agents / for a group?

Re: How to get the list of alerts/incidents for a particular list of hosts?

bbarmanroy — Wed, 22 Jun 2022 08:09:29 GMT

Hi @Kavurisowmya there are a few workarounds to address your ask:

- use starring configuration for those endpoints
- use alerts/incidents API and retrieve 100 at a time, and then xref against endpoints API/dataset

What is the use case that you're trying to solve? It is generally not recommended to filter alerts based on hosts as XDR stitches them in incidents.

Re: How to get the list of alerts/incidents for a particular list of hosts?

Kavurisowmya — Wed, 22 Jun 2022 08:39:31 GMT

Hi @bbarmanroy ,

We want to manage alerts for a particular group of assets related to the same environment. We have different endpoint groups with each <100 endpoint. So we want to group the alerts only for those endpoints.

Re: How to get the list of alerts/incidents for a particular list of hosts?

bbarmanroy — Wed, 22 Jun 2022 10:14:34 GMT

Hi @Kavurisowmya that is not a recommended approach to incident resolution in XDR. Since alerts are stitched to incidents, and an incident can contain alerts from multiple sources. The challenge is that one might miss attach path maps/chains with your suggested approach.

Re: How to get the list of alerts/incidents for a particular list of hosts?

Kavurisowmya — Mon, 27 Jun 2022 04:18:06 GMT

Hi, We have alerts that need to be reviewed for specific assets/endpoints and enable block mode only for them. Can this be done with the starring/using Xref? Is there any other way?

Re: How to get the list of alerts/incidents for a particular list of hosts?

bbucao — Mon, 27 Jun 2022 14:04:09 GMT

Hi Kavurisowmya,

Cortex XDR Prevention Profiles contain the specific settings for how XDR will enforce the specific modules (Block or Report only), these profiles are then tied to endpoints via Prevention Policy rules. In order to enable blocking on a particular group of hosts, create an "Endpoint Group" that contains all of the intended hosts, then create a Prevention Policy that's target is set to the Endpoint Group you created and ensure that the Profiles you assign to this policy contain the specific settings you want applied to this group of endpoints.

As @bbarmanroy mentioned, you can then create a starring configuration specifically for that endpoint group you created. Once you do that you will be able to filter in the Alerts table based on if the Alert is "Starred". You can also filter the Incidents table based on the Starring field as well so you will be aware if any Incidents involve a host that is in your target group.