https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/create-a-tag-in-fireall/m-p/581497#M6398 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/262549">@RajeshPremSingh</a>&nbsp;,</P> <P>&nbsp;</P> <P>It depends upon the scenario which model make of firewalls are you onboarding the data from? Every firewall that you onboard the data from has a firewall serial number, or device Id or device serial number which is part of the logs collected via broker vm and this can be used for investigation purposes in your causality of alert contexts. You should be able to trace it out from your firewall alerts or from XQLs as part of the raw logs and events.</P> <P>Circling back to your queries:</P> <P>1. No, Serial numbers/ firewall device name/ firewall device Id should help</P> <P>2. No, because broker vm is&nbsp; not a context to that alert generation, rather it is a source, you can however, get collector IP address from XQL and events as part of the threat investigation efforts.</P> <P>&nbsp;</P> <P>Hope this helps!</P> <P>&nbsp;</P> <P>Please mark the response as "Accept as Solution" if it answers your query</P> <P>&nbsp;</P> Mon, 25 Mar 2024 08:11:48 GMT neelrohit 2024-03-25T08:11:48Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/create-a-tag-in-fireall/m-p/581455#M6396 <P>"Hi,</P> <P>We have multiple VM brokers, each connected to the same model of firewall. However, in a recent incident, it was difficult to identify the source of the incident from which the firewall it originated. We're exploring two potential solutions:</P> <P>1. Is there a method to create tags on the firewall to distinguish the source?<BR />2. Alternatively, is there a way to obtain the source broker VM name in the incident alert?</P> <P>Any insights or guidance on these options would be greatly appreciated. Thank you!"</P> Sat, 23 Mar 2024 13:13:32 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/create-a-tag-in-fireall/m-p/581455#M6396 RajeshPremSingh 2024-03-23T13:13:32Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/create-a-tag-in-fireall/m-p/581497#M6398 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/262549">@RajeshPremSingh</a>&nbsp;,</P> <P>&nbsp;</P> <P>It depends upon the scenario which model make of firewalls are you onboarding the data from? Every firewall that you onboard the data from has a firewall serial number, or device Id or device serial number which is part of the logs collected via broker vm and this can be used for investigation purposes in your causality of alert contexts. You should be able to trace it out from your firewall alerts or from XQLs as part of the raw logs and events.</P> <P>Circling back to your queries:</P> <P>1. No, Serial numbers/ firewall device name/ firewall device Id should help</P> <P>2. No, because broker vm is&nbsp; not a context to that alert generation, rather it is a source, you can however, get collector IP address from XQL and events as part of the threat investigation efforts.</P> <P>&nbsp;</P> <P>Hope this helps!</P> <P>&nbsp;</P> <P>Please mark the response as "Accept as Solution" if it answers your query</P> <P>&nbsp;</P> Mon, 25 Mar 2024 08:11:48 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/create-a-tag-in-fireall/m-p/581497#M6398 neelrohit 2024-03-25T08:11:48Z