External Alerts Mapping, Alerts are always assembled to one Incident

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

External Alerts Mapping, Alerts are always assembled to one Incident

L1 Bithead

Hello,

 

I have a little issue and I don´t know how to solve it.

Hopefully someone knows a hidden or 'unofficial' feature of XDR regarding this.

 

Briefly explained the structual background:
I am logging from diffrent Forti Firewalls into the XDR, this works perfectly fine. 

Via the Parsing rules, the Logs are parsed into the External Alerts Mapping, where I want to create customized Incidents from the Logs.

My use case is, to log the activity of an admin user. 
The first Login and logout of the user after the external alerts mapping was configured and worked perfectly fine, but now every further login or logout is added into the first incident/alert.

I tried to resolve the alerts or incident, tried to map specific log ID´s in the fields (of external alerts mapping) that XDR differ the alerts, everything without success.

 

Hopefully somebody know as I already mentioned a feature how to stop merging alerts in the same incident/alert. 

I will add a picture, maybe it is helpful. (The two alerts without host and username I tested, if new alerts are added if I remove this two fields in the external alerts mapping.)

 

Kind regards,
Marinus Czech



Please note you are posting a public message where community members and experts can provide assistance. Sharing private information such as serial numbers or company information is not recommended.
2 REPLIES 2

Cyber Elite
Cyber Elite

Hi @MarinusCzech ,

XDR console will automatically aggregate repeating alert, but I forgot for what period of time so I would say one hour. Console will consider an alert as repeating if it has exact same fields. Unfortunately there isn't any to disable this behavior (at least I am not aware of any).

 

Incident is "container" for related alerts. Resolving the incident by itself doesn't effect the alerts. You need to resolve the alert to make it "inactive" so any new logs to create new alert. You have two ways:
- Manually resolving the Alert: Incident Response -> Incidents -> Alert Table -> Right click -> Change Status -> Resolve

- By resolving incident: When resolving the incident there is a option to resolve the related alerts

Astardzhiev_0-1670093920261.png

 

L1 Bithead

Hello, thank you for your answer!

I think the period of time is 24 hours, I see that if I hover over added alerts.
Sad, that this functions isn´t available in XDR. 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!