topic Betreff: External Alerts Mapping, Alerts are always assembled to one Incident in Cortex XDR Discussions

External Alerts Mapping, Alerts are always assembled to one Incident

MarinusCzech — Thu, 01 Dec 2022 09:51:08 GMT

Hello,

I have a little issue and I don´t know how to solve it.

Hopefully someone knows a hidden or 'unofficial' feature of XDR regarding this.

Briefly explained the structual background:
I am logging from diffrent Forti Firewalls into the XDR, this works perfectly fine.

Via the Parsing rules, the Logs are parsed into the External Alerts Mapping, where I want to create customized Incidents from the Logs.

My use case is, to log the activity of an admin user.
The first Login and logout of the user after the external alerts mapping was configured and worked perfectly fine, but now every further login or logout is added into the first incident/alert.

I tried to resolve the alerts or incident, tried to map specific log ID´s in the fields (of external alerts mapping) that XDR differ the alerts, everything without success.

Hopefully somebody know as I already mentioned a feature how to stop merging alerts in the same incident/alert.

I will add a picture, maybe it is helpful. (The two alerts without host and username I tested, if new alerts are added if I remove this two fields in the external alerts mapping.)

Kind regards,
Marinus Czech

Please note you are posting a public message where community members and experts can provide assistance. Sharing private information such as serial numbers or company information is not recommended.

Re: External Alerts Mapping, Alerts are always assembled to one Incident

aleksandar.astardzhiev — Sat, 03 Dec 2022 19:01:42 GMT

Hi @MarinusCzech ,

XDR console will automatically aggregate repeating alert, but I forgot for what period of time so I would say one hour. Console will consider an alert as repeating if it has exact same fields. Unfortunately there isn't any to disable this behavior (at least I am not aware of any).

Incident is "container" for related alerts. Resolving the incident by itself doesn't effect the alerts. You need to resolve the alert to make it "inactive" so any new logs to create new alert. You have two ways:
- Manually resolving the Alert: Incident Response -> Incidents -> Alert Table -> Right click -> Change Status -> Resolve

- By resolving incident: When resolving the incident there is a option to resolve the related alerts

Betreff: External Alerts Mapping, Alerts are always assembled to one Incident

MarinusCzech — Mon, 05 Dec 2022 09:46:31 GMT

Hello, thank you for your answer!

I think the period of time is 24 hours, I see that if I hover over added alerts.
Sad, that this functions isn´t available in XDR.