Cortex XDR Alert Filter Query String Format

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Cortex XDR Alert Filter Query String Format

L0 Member

I'm looking to create a link which takes me directly to the list of low, medium, or high alerts, purely based on what is in the query string in the URL.  For example, adding

/incidents?severity=SEV_040_HIGH&mode=all

to the end of my base XDR url works and takes me to the page will all high severity incidents.

Similarly, replacing this with

/alerts?source=ANALYTICS_BIOC

will take me to the page with all Analytics BIOC alerts.

 

However, I can't seem to add severity, or any other fields to this. For example, I wanted the link to take me to all low severity alerts, so I tried the following:

/alerts?severity=SEV_020_LOW

which does not work. 

 

Is there any documentation on the accepted field names within query strings? I can't seem to find this anywhere.

2 REPLIES 2

L2 Linker

An alternative is to use the saved filter (persistent) on the alerts page. Although, this will require one more step

1. https://YOURTENANT.xdr.us.paloaltonetworks.com/alerts

2. Top right - 3 dots > filters > pick the saved filter (example: severity=low)

Note: before you can use a save filter, you need to create one first and save it for later use.

Hi I already have various saved filters set up already. I was trying to streamline my workflow just to make things a bit easier. Also if I load the alerts page as normal and add filters, and then leave the tab open for a while when it refreshes it removes the filter which is a pain, so that's why I would like to just have consistent URLs I can use. Thanks for your help though 🙂 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!