Closure of Bulk Alerts

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Closure of Bulk Alerts

L2 Linker

Hello,

Can anyone please suggest on how we can close bulk alerts on XDR. Currently we can only select 100 at a time.

7 REPLIES 7

L4 Transporter

Hi @Aiman_Fathima,

 

Even though, you have the possibility to resolve alerts from the Alert table, you need to work on the Incidents and close those.

If you are looking at the Alert Table, right-click on an Alert and go to Pivots to views > View related incidents.
You can also add the column Incident ID to the Alert table.

But remember that you need to work from the Incident view and not from the Alert table directly.

L2 Linker

Thank you for your suggestion. We tried the above but still they do not get resolved sometimes so was wondering if there are any other methods

L3 Networker

Hi Aiman,

 

Can you share a snapshot of the issue you're experiencing?

 

Thanks,

Silviu

Silviu-Mihail Dascalu

L2 Linker

Sorry cannot share the screenshot. The issue is that we have closed the incidents with 'resolve alerts option' but still the alerts are open. 

Hi @Aiman_Fathima ,

 

It seems it is still not clear who the incident and alert process work in XDR. You do not resolve alerts, you resolve incidents. When you set the status of an incident "Resolved-xxx", you get the option to "resolve" the associated alerts. In the Alert table, you have the column "Resolution Status". This column allows you to know if the alert was handled. The alerts will NOT disappeared. You can hide them by using filters, though. 

 

There are 2 ways to "resolve" alerts. One by resolving incidents, another by changing the resolution status directly on the alert.

 

And remember that you need to work from the Incident view and not from the Alert table directly

We had resolved the incidents and used the option to close the associated alerts, but still in the alerts table we see the alerts resolution status as "NEW".

We currently have 2.8M alerts which are associated with already closed incidents and yet thier resolution status is still "NEW". 

L1 Bithead

Hey @Aiman_Fathima ,

 

You can suppress the Alerts by using Alert Exclusions. By suppressing the alerts will auto resolved the incidents respectively.

 

Regards,

Mansoor

  • 2446 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!