- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
12-01-2022 01:51 AM
Hello,
I have a little issue and I don´t know how to solve it.
Hopefully someone knows a hidden or 'unofficial' feature of XDR regarding this.
Briefly explained the structual background:
I am logging from diffrent Forti Firewalls into the XDR, this works perfectly fine.
Via the Parsing rules, the Logs are parsed into the External Alerts Mapping, where I want to create customized Incidents from the Logs.
My use case is, to log the activity of an admin user.
The first Login and logout of the user after the external alerts mapping was configured and worked perfectly fine, but now every further login or logout is added into the first incident/alert.
I tried to resolve the alerts or incident, tried to map specific log ID´s in the fields (of external alerts mapping) that XDR differ the alerts, everything without success.
Hopefully somebody know as I already mentioned a feature how to stop merging alerts in the same incident/alert.
I will add a picture, maybe it is helpful. (The two alerts without host and username I tested, if new alerts are added if I remove this two fields in the external alerts mapping.)
Kind regards,
Marinus Czech
12-03-2022 11:01 AM
Hi @MarinusCzech ,
XDR console will automatically aggregate repeating alert, but I forgot for what period of time so I would say one hour. Console will consider an alert as repeating if it has exact same fields. Unfortunately there isn't any to disable this behavior (at least I am not aware of any).
Incident is "container" for related alerts. Resolving the incident by itself doesn't effect the alerts. You need to resolve the alert to make it "inactive" so any new logs to create new alert. You have two ways:
- Manually resolving the Alert: Incident Response -> Incidents -> Alert Table -> Right click -> Change Status -> Resolve
- By resolving incident: When resolving the incident there is a option to resolve the related alerts
12-05-2022 01:46 AM
Hello, thank you for your answer!
I think the period of time is 24 hours, I see that if I hover over added alerts.
Sad, that this functions isn´t available in XDR.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!