https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/join-alerts-and-incidents-table-to-get-all-alerts-attached-to-an/m-p/569467#M5709 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/275370">@ogtay.nabili</a>&nbsp;,</P> <P>&nbsp;</P> <P>Thanks for reaching out on LiveCommunity!</P> <P>Alerts and Incidents are already joined under Incidents tab. You can filter out True Positive incidents by using "status" field in incident filter. To see relative alerts for a particular incident go to "Alerts &amp; Insights" within an incident. Now to see alerts with Detection/Prevention status you can filter with "Action" field in alerts filter.</P> <P>Alternate to above, you can write XQL query using datasets "alerts" and "incidents". In order to combine the output of both datasets, you can use "join" stage with fields like "incident_id" to get combined result. Below is the reference guide for "join" stage.</P> <P><A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-XQL-Language-Reference/Join" target="_blank">https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-XQL-Language-Reference/Join</A></P> <P>&nbsp;</P> <P>Please c<SPAN>lick&nbsp;</SPAN><STRONG>Accept as Solution</STRONG><SPAN>&nbsp;to acknowledge that the answer to your question has been provided.</SPAN></P> Tue, 12 Dec 2023 14:13:50 GMT nsinghvirk 2023-12-12T14:13:50Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/join-alerts-and-incidents-table-to-get-all-alerts-attached-to-an/m-p/568883#M5679 <P>Hi everyone.</P> <P>&nbsp;</P> <P>I want to join alerts and incidents table to list all True Positive incidents along with their alerts (I need Prevention/Detection status of alerts of each incident). Is there a way to achieve this?</P> <P>&nbsp;</P> <P>Thanks in advance!</P> Thu, 07 Dec 2023 14:04:52 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/join-alerts-and-incidents-table-to-get-all-alerts-attached-to-an/m-p/568883#M5679 ogtay.nabili 2023-12-07T14:04:52Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/join-alerts-and-incidents-table-to-get-all-alerts-attached-to-an/m-p/569467#M5709 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/275370">@ogtay.nabili</a>&nbsp;,</P> <P>&nbsp;</P> <P>Thanks for reaching out on LiveCommunity!</P> <P>Alerts and Incidents are already joined under Incidents tab. You can filter out True Positive incidents by using "status" field in incident filter. To see relative alerts for a particular incident go to "Alerts &amp; Insights" within an incident. Now to see alerts with Detection/Prevention status you can filter with "Action" field in alerts filter.</P> <P>Alternate to above, you can write XQL query using datasets "alerts" and "incidents". In order to combine the output of both datasets, you can use "join" stage with fields like "incident_id" to get combined result. Below is the reference guide for "join" stage.</P> <P><A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-XQL-Language-Reference/Join" target="_blank">https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-XQL-Language-Reference/Join</A></P> <P>&nbsp;</P> <P>Please c<SPAN>lick&nbsp;</SPAN><STRONG>Accept as Solution</STRONG><SPAN>&nbsp;to acknowledge that the answer to your question has been provided.</SPAN></P> Tue, 12 Dec 2023 14:13:50 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/join-alerts-and-incidents-table-to-get-all-alerts-attached-to-an/m-p/569467#M5709 nsinghvirk 2023-12-12T14:13:50Z