topic Re: Cortex XDR Alerts in Cortex XDR Discussions

Cortex XDR Alerts

Retired Member — Tue, 21 Apr 2020 15:04:54 GMT

Hi,

I can't seem to find what I'm looking for in the Cortex XDR console. I am trying to find a way to view all alerts generated whether it is from XDR or Analytics. The only way I can see this list is if I create an exclusion Investigation --> Exclusions --> Add Exclusion. Is there a more direct way to view these Alerts?

Thanks

Re: Cortex XDR Alerts

dfalcon — Tue, 21 Apr 2020 16:23:25 GMT

HI there-

Go to Investigation > Incidents - then click on Alerts Table over to the right of the screen.

Re: Cortex XDR Alerts

Retired Member — Tue, 21 Apr 2020 17:38:02 GMT

Thank you @dfalcon!

Feels like it is hidden away. They should be making this a submenu directly off of the Investigation menu.

Re: Cortex XDR Alerts

dfalcon — Tue, 21 Apr 2020 17:45:00 GMT

I will share that feedback with the Product Team.

Re: Cortex XDR Alerts

NPTEChrisSmith — Mon, 19 Sep 2022 20:44:52 GMT

I too was having the same problem... wanting to look at the Alerts and how those turn into Incidents. I think it would be great to have a dashboard widget that would present a bar graph that shows the volume of Low, Medium, High and Critical alerts. Thanks.

Re: Cortex XDR Alerts

mavraham — Tue, 20 Sep 2022 12:41:36 GMT

Hi!

While incident/alert information is not currently accessible via XQL, we do offer a few OOTB widgets which could be similar to what you're looking to create.

If you'd go into your XDR tenant -> Dashboards & Reports -> Widget Library and type 'severity' in the search bar you should be able to find the 'Open Incidents By Severity' widget (screenshot attached below).

Let me know if you have any further questions.

Re: Cortex XDR Alerts

NPTEChrisSmith — Tue, 20 Sep 2022 16:08:02 GMT

OK - I'm not sure what " alert information is not currently accessible via XQL" means, since the Alert table is available and our's currently shows 3600 results.
Is it possible to allow us to add the ALERT TABLE as a favorite button? That way I can get into it with a single button, verses having to go into via the Incident screen?
Thank you,
Chris Smith

Re: Cortex XDR Alerts

Optimizer — Tue, 15 Nov 2022 18:24:50 GMT

Had this issue today. I said the same thing when I found Alerts Table: "why isn't this an option indented under Incidents"
You can keep it where it is but add the direct link as well

Re: Cortex XDR Alerts

aleksandar.astardzhiev — Fri, 09 Dec 2022 16:19:50 GMT

Hey @NPTEChrisSmith and @Optimizer ,

I believe Alert Table is not in the navigation bar, because Palo wants you to steer your focus on more important Incidents.

Cortex XDR console will generate Incident for each alert with severity Medium, High and Critical. It will generate incident some Low severity alert, but not all of them.

Incidents are simple containers, which will consolidate/aggregate all alert that are somehow related.

So it should be more easy to focus on the Incidents and not overwhelm by avalanche of alerts

Now that being said there are two easy way to navigate to Alert table without jumping around:

- The easiest way would be to open URL https://<your-xdr-address>/alerts You can bookmark this URL and just click on your bookmark after you authenticate (if open the link after authentication, you will be redirected to the dashboard)

- You can use the quick launcher and its "go to" search. Type "/alert" - / to enter go to search and "alert" for the string you want to search. You will see the results below, navigate with arrows and enter to select