This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
Accept
Reject

Closure of Bulk Alerts

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Closure of Bulk Alerts

Aiman_Fathima
L2 Linker

‎06-21-2022 09:01 AM

Hello,

Can anyone please suggest on how we can close bulk alerts on XDR. Currently we can only select 100 at a time.

0 Likes Likes
7 REPLIES 7

fmoixsante
L3 Networker

‎06-21-2022 09:24 AM

Hi @Aiman_Fathima,

 

Even though, you have the possibility to resolve alerts from the Alert table, you need to work on the Incidents and close those.

If you are looking at the Alert Table, right-click on an Alert and go to Pivots to views > View related incidents.
You can also add the column Incident ID to the Alert table.

But remember that you need to work from the Incident view and not from the Alert table directly.

0 Likes Likes

Aiman_Fathima
L2 Linker

‎06-21-2022 09:34 AM

Thank you for your suggestion. We tried the above but still they do not get resolved sometimes so was wondering if there are any other methods

0 Likes Likes

SilviuMihailDascalu
L3 Networker

‎06-21-2022 09:35 AM

Hi Aiman,

 

Can you share a snapshot of the issue you're experiencing?

 

Thanks,

Silviu

Silviu-Mihail Dascalu
0 Likes Likes

Aiman_Fathima
L2 Linker

‎06-22-2022 01:51 AM

Sorry cannot share the screenshot. The issue is that we have closed the incidents with 'resolve alerts option' but still the alerts are open. 

0 Likes Likes

fmoixsante
L3 Networker
In response to Aiman_Fathima

‎06-22-2022 02:14 AM

Hi @Aiman_Fathima ,

 

It seems it is still not clear who the incident and alert process work in XDR. You do not resolve alerts, you resolve incidents. When you set the status of an incident "Resolved-xxx", you get the option to "resolve" the associated alerts. In the Alert table, you have the column "Resolution Status". This column allows you to know if the alert was handled. The alerts will NOT disappeared. You can hide them by using filters, though. 

 

There are 2 ways to "resolve" alerts. One by resolving incidents, another by changing the resolution status directly on the alert.

 

And remember that you need to work from the Incident view and not from the Alert table directly

0 Likes Likes

Aiman_Fathima
L2 Linker
In response to fmoixsante

‎06-22-2022 05:33 AM

We had resolved the incidents and used the option to close the associated alerts, but still in the alerts table we see the alerts resolution status as "NEW".

We currently have 2.8M alerts which are associated with already closed incidents and yet thier resolution status is still "NEW". 

0 Likes Likes

Jaitapkar
L1 Bithead

‎06-24-2022 03:08 AM

Hey @Aiman_Fathima ,

 

You can suppress the Alerts by using Alert Exclusions. By suppressing the alerts will auto resolved the incidents respectively.

 

Regards,

Mansoor

0 Likes Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2023 - Palo Alto Networks