topic Re: Polling XDR Integration for Alerts that are not Incident Based in Cortex XSOAR Discussions

Polling XDR Integration for Alerts that are not Incident Based

michaelsysec242 — Wed, 22 Mar 2023 12:48:32 GMT

Hello all,

I am running a Use-Case that requires me to poll the XDR Tenant for all alerts. These include Alerts that are found in an XDR Incident and Independent Alerts that are not found in an incident. For example a Low Severity alert from a BIOC Analytics Source that has not opened or should I say referenced in an incident. These Independent alerts are not retrieved with the "!xdr-get-alerts" command. Even when querying for a specific Indipendant alert based on it's ID it is not retrieved. Does anyone have a solution for this ?

There is no reason why these alerts shouldn't be available to be analysed on the XSOAR Platform.

In the case that this is not possible, are the Alerts available for querying from the XQL Integration ?

Re: Polling XDR Integration for Alerts that are not Incident Based

arnarayanan — Wed, 22 Mar 2023 16:21:11 GMT

" Even when querying for a specific Indipendant alert based on it's ID it is not retrieved. Does anyone have a solution for this ?"

Can you confirm if this is the case ? I think i saw an independent alert being fetched with case-id set to null

Re: Polling XDR Integration for Alerts that are not Incident Based

michaelsysec242 — Thu, 23 Mar 2023 11:20:15 GMT

@arnarayanan I have double checked this when performing the command on all alerts from the past 24 Hours I see that only the incident based alerts are fetched. The problem remains.

Re: Polling XDR Integration for Alerts that are not Incident Based

arnarayanan — Thu, 23 Mar 2023 11:33:09 GMT

Hi ,Sorry, what i meant to ask is when you do an XDR-get-alert with a specific independent alert-id, what do you see as output on XSOAR.
I am not an XDR expert, however i thought i saw XSOAR fetching an independent alert with case-id=null

Re: Polling XDR Integration for Alerts that are not Incident Based

michaelsysec242 — Thu, 23 Mar 2023 12:49:25 GMT

@arnarayanan

When I perform this on a specific Alert ID that isn't incident related I receive the message that no alert has been fetched.

Re: Polling XDR Integration for Alerts that are not Incident Based

michaelsysec242 — Tue, 28 Mar 2023 13:58:00 GMT

Just to update this thread, there is no suitable solution found and It may be possible that this is a recent change due to the 6.3 Update to XDR. Due to the lack of confirmation I will open a support ticket to escalate this matter.

Re: Polling XDR Integration for Alerts that are not Incident Based

JoaoPGBotelho — Fri, 24 Nov 2023 15:55:26 GMT

Hi,
I have the same problem. Does anyone found a solution for this?

Re: Polling XDR Integration for Alerts that are not Incident Based

JoaoPGBotelho — Wed, 17 Jul 2024 15:45:22 GMT

We lost a lot of alerts in XSOAR because of this limitation.

@michaelsysec242 did you found any workaround?

Re: Polling XDR Integration for Alerts that are not Incident Based

michaelsysec242 — Sun, 21 Jul 2024 10:44:14 GMT

Hello @JoaoPGBotelho ,

I still havent found a solution for this.

Maybe try with the lastest content pack to see if this is patched.