01-07-2025 09:14 AM
I am trying to correlate exfiltration & port scanning incidents to identify patterns pertaining to a specific IP address to build exceptions or exclusions for false positives. They are not our assets, but an IP we communicate with frequently. The filter dropdown doesn't show anything useful for this.
I can't wrap my head around why they wouldn't allow you to filter alerts by IP. (paloaltonetworks.com/incidents)
I can't even sort assets by IP either. (paloaltonetworks.com/endpoints/agents)
I have to export to CSV just to sort the data.
^Both filtering and sorting by IP should be basic functionality for this type of product.
01-07-2025 10:01 AM
Hi @WhiskerBiscuit, thanks for reaching us using the Live Community.
What kind of sorting are you looking for?
In the Alerts view you can sort the alerts by Local IP (source) or Remote IP (destination). If you don't have those fields in the list, you can enable them from the three dots menu in the top-right corner.
The Endpoints table can't be sorted because some endpoints can have more than one IP, and that field type (IP Address) is an array type.
In both cases you can run custom XQL Queries to help you get the required information in the shape you need.
If this post answers your question, please mark it as the solution.
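As an added illustration of the XQL route the reply above suggests (this is an example written for this page, not a query from the original post or from Palo Alto Networks' documentation), the following two queries show the shapes that the Incidents and Endpoints pages do not offer directly: a CIDR match on the remote IP of network events, and an endpoint list sorted by IP even though the agent IP field is an array. The dataset name `xdr_data`, the field names (`action_remote_ip`, `action_local_ip`, `agent_hostname`, `agent_ip_addresses`), the `ENUM.NETWORK` event type, and the use of `//` comments are assumed from the standard Cortex XDR schema; check them against your tenant's Query Builder field list. The range `203.0.113.0/24` is a documentation placeholder, not a real peer.

```xql
// Query 1: all network events to/from a /24 you talk to, newest first.
// incidr() does the CIDR test the UI filter lacks; swap the field to
// action_local_ip if the peer shows up as the source instead.
dataset = xdr_data
| filter event_type = ENUM.NETWORK and incidr(action_remote_ip, "203.0.113.0/24")
| fields _time, agent_hostname, action_local_ip, action_remote_ip, action_remote_port, actor_process_image_name
| sort desc _time
| limit 100

// Query 2: one row per (endpoint, IP) so the array field becomes sortable.
// arrayexpand flattens agent_ip_addresses; comp keeps the last time each
// pairing was seen so multi-homed hosts and stale addresses stand out.
dataset = xdr_data
| filter agent_ip_addresses != null
| arrayexpand agent_ip_addresses
| comp max(_time) as last_seen by agent_hostname, agent_ip_addresses
| sort asc agent_ip_addresses
```

Two caveats when reading the results: the sort in Query 2 is a string sort, so `10.0.0.9` orders after `10.0.0.10`; and both queries run over raw endpoint telemetry rather than over incidents, so to get back to the incident view you still take the matching hostnames or IPs into the Incidents page filter. Save either query in the Query Center if you intend to reuse it when building the exclusions.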
01-07-2025 01:45 PM
Hello,
Thanks for the quick reply!
Sorry if I misspoke. I was only looking at the context of the incident menu; since we get alerted only for "incidents" and not "alerts", it can be confusing to talk about.
I find the sorting and filters much more intuitive from the "alerts page".
The "incident page" doesn't give the same filter OR sort options. I can only filter by IP within the context of that 1 incident, which doesn't provide me any insights.
I found a partial workaround to filter IP by the HOST field (with "contains") instead of the IP field, and not entering the last octet to filter by a /24 IP range.
NOTE: This workaround is not universal, because it only works on assets WITHOUT an XDR agent. If the endpoint DOES have XDR, then the HOST field changes to the computer name (non-FQDN) instead of the IP.
For assets WITH XDR you need to filter by that object in the "endpoints menu" and select "show related incidents". You cannot search by related alerts for some reason.
It would be much more straightforward if I could simply filter IP using the "IP field" with CIDR notation or IP ranges. Trying to use this app to make correlations feels very clunky and confusing with the different behavior depending on endpoint variables AND which menu you are coming from.
As far as sorting by IP address, if we can do it in Alerts, then why can't we do it in Endpoints? Wouldn't both IP fields be in an array?