https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/closure-of-bulk-alerts/m-p/505382#M2248 <P>We had resolved the incidents and&nbsp;<SPAN>used the option to close the associated alerts, but still in the alerts table we see the alerts <U>resolution status</U> as "<STRONG>NEW</STRONG>". </SPAN></P><P><SPAN>We currently have 2.8M alerts which are associated with already closed incidents and yet thier resolution status is still "<STRONG>NEW</STRONG>".&nbsp;</SPAN></P> Wed, 22 Jun 2022 12:33:00 GMT Aiman_Fathima 2022-06-22T12:33:00Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/closure-of-bulk-alerts/m-p/505196#M2229 <P>Hello,</P><P>Can anyone please suggest on how we can close bulk alerts on XDR. Currently we can only select 100 at a time.</P> Tue, 21 Jun 2022 16:01:25 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/closure-of-bulk-alerts/m-p/505196#M2229 Aiman_Fathima 2022-06-21T16:01:25Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/closure-of-bulk-alerts/m-p/505208#M2230 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/224150">@Aiman_Fathima</a>,</P><P>&nbsp;</P><P>Even though, you have the possibility to resolve alerts from the Alert table, you need to work on the Incidents and close those.</P><P>If you are looking at the Alert Table, right-click on an Alert and go to<STRONG> Pivots to views</STRONG> &gt; <STRONG>View related incidents.</STRONG><BR />You can also add the column Incident ID to the Alert table.</P><P>But remember that you need to work from the Incident view and not from the Alert table directly.</P> Tue, 21 Jun 2022 16:24:13 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/closure-of-bulk-alerts/m-p/505208#M2230 fmoixsante 2022-06-21T16:24:13Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/closure-of-bulk-alerts/m-p/505217#M2231 <P>Thank you for your suggestion. W<SPAN>e tried the above but still they do not get resolved sometimes so was wondering if there are any other methods</SPAN></P> Tue, 21 Jun 2022 16:34:27 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/closure-of-bulk-alerts/m-p/505217#M2231 Aiman_Fathima 2022-06-21T16:34:27Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/closure-of-bulk-alerts/m-p/505220#M2232 <P>Hi Aiman,</P><P>&nbsp;</P><P>Can you share a snapshot of the issue you're experiencing?</P><P>&nbsp;</P><P>Thanks,</P><P>Silviu</P> Tue, 21 Jun 2022 16:35:54 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/closure-of-bulk-alerts/m-p/505220#M2232 SilviuMihailDascalu 2022-06-21T16:35:54Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/closure-of-bulk-alerts/m-p/505365#M2245 <P>Sorry cannot share the screenshot. The issue is that we have closed the incidents with 'resolve alerts option' but still the alerts are open.&nbsp;</P> Wed, 22 Jun 2022 08:51:16 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/closure-of-bulk-alerts/m-p/505365#M2245 Aiman_Fathima 2022-06-22T08:51:16Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/closure-of-bulk-alerts/m-p/505371#M2246 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/224150">@Aiman_Fathima</a>&nbsp;,</P><P>&nbsp;</P><P>It seems it is still not clear who the incident and alert process work in XDR. You do not resolve alerts, you resolve incidents. When you set the status of an incident "Resolved-xxx", you get the option to "resolve" the associated alerts. In the Alert table, you have the column "<A href="https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/investigation-and-response/investigate-endpoint-alerts/cortex-xdr-alerts#:~:text=triggered%20the%20alert.-,RESOLUTION%20STATUS,-The%20status%20that" target="_self"><SPAN>Resolution Status</SPAN></A>". This column allows you to know if the alert was handled. The alerts will NOT disappeared. You can hide them by using filters, though.&nbsp;</P><P>&nbsp;</P><P>There are 2 ways to "resolve" alerts. One by resolving incidents, another by changing the resolution status directly on the alert.</P><P>&nbsp;</P><P>And&nbsp;<SPAN>remember that you need to work from the Incident view and not from the Alert table directly</SPAN></P> Wed, 22 Jun 2022 09:14:58 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/closure-of-bulk-alerts/m-p/505371#M2246 fmoixsante 2022-06-22T09:14:58Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/closure-of-bulk-alerts/m-p/505382#M2248 <P>We had resolved the incidents and&nbsp;<SPAN>used the option to close the associated alerts, but still in the alerts table we see the alerts <U>resolution status</U> as "<STRONG>NEW</STRONG>". </SPAN></P><P><SPAN>We currently have 2.8M alerts which are associated with already closed incidents and yet thier resolution status is still "<STRONG>NEW</STRONG>".&nbsp;</SPAN></P> Wed, 22 Jun 2022 12:33:00 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/closure-of-bulk-alerts/m-p/505382#M2248 Aiman_Fathima 2022-06-22T12:33:00Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/closure-of-bulk-alerts/m-p/506001#M2275 <P>Hey&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/224150">@Aiman_Fathima</a>&nbsp;,</P><P>&nbsp;</P><P>You can suppress the Alerts by using Alert Exclusions. By suppressing the alerts will auto resolved the incidents respectively.</P><P>&nbsp;</P><P>Regards,</P><P>Mansoor</P> Fri, 24 Jun 2022 10:08:08 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/closure-of-bulk-alerts/m-p/506001#M2275 Jaitapkar 2022-06-24T10:08:08Z