Cortex XDR External Alert Mapping rules

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Cortex XDR External Alert Mapping rules

L2 Linker

Hi community,

is there anybody who knows how External Alert mapping rules work in a case there is more than one of them?

Do you create an alert for every rule that was hit or is there some kind of precedence?

There is no mention in documentation.

Thank you,

Jan

2 REPLIES 2

L4 Transporter

Hello,

XDR console will automatically aggregate repeating alert, the period of time is 24 hours. Console will consider an alert as repeating if it has exact same fields. 

Ashutosh Patil

Hello Aspatil,

you're right, but what is not clear to me is when are alerts created when you have multiple rules.

- Are they evaluated from top to botom like in the firewall, or are all of them evaluated at the same time?

- If they are evaluated at the same time (and based on filtering both of them are hit), are multiple alerts created?

 

Thank you 

  • 394 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!