Hello Live community,
I have a question about the report on Cortex. I want to know if the "Infected Endpoints" option comes by default in Cortex reports, or if we need to configure something to show that option?
Do the widgets "Incidents by source" or "Top incidents (Top 10)" display the infected host?
I suppose that "Incidents by source" will be the closest thing to infected hosts.
As I understand it, if the agent has created an event, it's because Cortex has done its job and prevented the host from being infected, so the host is not infected. But will we see it in the report? Or how can we see it in the report?
Thanks in advance for your reply.
I'm not sure I understand the ask. Are you looking for a report that shows you malware events (to include the host) that need your attention? Or do you want to see all hosts that had malware events that also may have had preventions?
The XQL xdr_data dataset does not include alert data. Until that dataset is exposed, the easiest way to look for the rare cases that need your attention is to filter for XDR agent and post detections in the alert table, as shown below.