topic Re: How to query XDR for all incidents that relate to a device group in Cortex XDR Discussions

How to query XDR for all incidents that relate to a device group

JamesWiggins — Wed, 15 Jun 2022 13:36:04 GMT

The Get Incidents API allows you to filter based on an incident_id_list, but not a list of endpoint_ids much less endpoint group. The Get Alerts API allows you to filter on an alert_id_list, but not a list of endpoint_ids much less endpoint group.

I'm trying to figure out how to get a list of alert_ids or incident_ids filtered by endpoint group or even endpoint_id so that I could use it filter either of the above API's. I can't figure out how build a query in XDR for this because I don't see any endpoint or incident information in the xdr_data schema

This seems like a standard bit of data to pull.. just incidents or alerts by endpoint but I can't seem to figure it out. What am I missing?

Re: How to query XDR for all incidents that relate to a device group

afurze — Wed, 15 Jun 2022 19:25:50 GMT

Hi JamesWiggins,

Unfortunately, Incidents and Alerts are not exposed as a dataset so they cannot be queried using XQL.

Re: How to query XDR for all incidents that relate to a device group

DannyMulheran — Mon, 27 Jun 2022 07:33:15 GMT

Hi Afurze

Any idea how do the Palo Alto provided widgets filter on incidents (for example the widgets 'incidents by assignee' or 'incidents by status'?

Danny

Re: How to query XDR for all incidents that relate to a device group

SilviuMihailDascalu — Mon, 27 Jun 2022 07:40:29 GMT

These widgets are leveraging the built-in functions not currently exposed in the User Interface but via API.

Re: How to query XDR for all incidents that relate to a device group

SilviuMihailDascalu — Mon, 27 Jun 2022 07:46:55 GMT

Hey James,

Have you ever thought about retrieving the incidents and alerts and then mapping them in the code to the endpoint groups? In short what I'm saying is that you can easily filter by endpoints directly from your code.

Re: How to query XDR for all incidents that relate to a device group

DannyMulheran — Mon, 27 Jun 2022 08:00:31 GMT

Hi Silviu

Good to hear from you. Thanks for the info which led me to try using the XDR integration command (example test !xdr-get-incidents gte_creation_time="2022-06-20T23:59:00" raw-response=true) in XSOAR. I will create my report in XSOAR instead.

Regards

Danny

Re: How to query XDR for all incidents that relate to a device group

JamesWiggins — Fri, 01 Jul 2022 13:12:53 GMT

Yes, this is exactly what I ended up doing. I had to pull down all of the incidents for the tenant, and then filter the incidents by host in script with a list of endpoint ID's I had previously retrieved from the get_endpoints API. Thanks for your help!