06-21-2022 08:31 PM
Hi,
I need to know how we can get alerts for particular hosts / a specific group (e.g. 1000 agents) in the Cortex XDR console -> Incident Response -> Incidents -> Alerts table. I have tried the filter option, but it doesn't work. We can't add all the agent names under hostname for the 1000 servers as it is time-consuming. So, is there any other way to get alerts only for specific agents / for a group?
06-22-2022 01:09 AM
Hi @Kavurisowmya, there are a few workarounds to address your ask:
- use starring configuration for those endpoints
- use alerts/incidents API and retrieve 100 at a time, and then xref against endpoints API/dataset
What is the use case that you're trying to solve? It is generally not recommended to filter alerts based on hosts as XDR stitches them in incidents.
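The second workaround above (page the alerts API 100 at a time, then cross-reference against the endpoints API) written out as a script. This is an added example, not code from this thread or from Palo Alto Networks. It assumes the Cortex XDR public API paths /public_api/v1/alerts/get_alerts/ and /public_api/v1/endpoints/get_endpoint/, the x-xdr-auth-id / Authorization headers, a request_data body with search_from/search_to, and an endpoint_id field on alerts plus endpoint_id and group_name fields on endpoints; check all of these against the API reference for your tenant before use. The sample alerts and endpoints are constructed so the script runs offline.

```python
"""Page through Cortex XDR alerts and keep only those whose endpoint is in
a chosen endpoint group.  Added example; API paths, headers and field names
are assumptions to verify against the Cortex XDR API reference."""
import json
import urllib.request
from typing import Callable, Iterator

PAGE_SIZE = 100  # the alerts API hands back at most 100 records per call

PageFetcher = Callable[[int, int], dict]  # (search_from, search_to) -> reply


def make_api_fetcher(base_url: str, api_key_id: str, api_key: str, path: str) -> PageFetcher:
    """Real HTTP fetcher (assumed request/response shape; not exercised offline)."""
    def fetch_page(search_from: int, search_to: int) -> dict:
        body = json.dumps({"request_data": {
            "filters": [], "search_from": search_from, "search_to": search_to}}).encode()
        req = urllib.request.Request(
            base_url.rstrip("/") + path, data=body, method="POST",
            headers={"x-xdr-auth-id": api_key_id, "Authorization": api_key,
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=60) as resp:
            return json.load(resp)["reply"]
    return fetch_page


def fetch_all(fetch_page: PageFetcher, result_key: str) -> Iterator[dict]:
    """Slide a search_from/search_to window across the result set until
    total_count is reached or a page comes back empty."""
    search_from = 0
    while True:
        reply = fetch_page(search_from, search_from + PAGE_SIZE)
        items = reply.get(result_key, [])
        if not items:
            return
        yield from items
        search_from += len(items)
        if search_from >= reply.get("total_count", 0):
            return


def endpoint_ids_in_group(fetch_endpoints: PageFetcher, group_name: str) -> set:
    """Collect endpoint_ids whose group_name list contains the wanted group."""
    return {ep["endpoint_id"] for ep in fetch_all(fetch_endpoints, "endpoints")
            if group_name in ep.get("group_name", [])}


def alerts_for_group(fetch_alerts: PageFetcher, fetch_endpoints: PageFetcher,
                     group_name: str) -> list:
    """Cross-reference: keep alerts whose endpoint_id belongs to the group."""
    wanted = endpoint_ids_in_group(fetch_endpoints, group_name)
    return [a for a in fetch_all(fetch_alerts, "alerts") if a.get("endpoint_id") in wanted]


# ---- constructed sample data (not real tenant data) -------------------------
SAMPLE_ENDPOINTS = [
    {"endpoint_id": f"ep-{i:03d}", "endpoint_name": f"srv{i:03d}",
     "group_name": ["prod-web"] if i % 3 == 0 else ["other"]}
    for i in range(120)]
SAMPLE_ALERTS = [
    {"alert_id": str(1000 + i), "name": "Sample alert", "severity": "medium",
     "endpoint_id": f"ep-{i % 120:03d}", "host_name": f"srv{i % 120:03d}"}
    for i in range(230)]


def _slice_reply(items: list, key: str, search_from: int, search_to: int) -> dict:
    """Mimic the paged reply shape of the API for the constructed data."""
    page = items[search_from:search_to]
    return {"total_count": len(items), "result_count": len(page), key: page}


def sample_alert_page(search_from: int, search_to: int) -> dict:
    return _slice_reply(SAMPLE_ALERTS, "alerts", search_from, search_to)


def sample_endpoint_page(search_from: int, search_to: int) -> dict:
    return _slice_reply(SAMPLE_ENDPOINTS, "endpoints", search_from, search_to)


if __name__ == "__main__":
    hits = alerts_for_group(sample_alert_page, sample_endpoint_page, "prod-web")
    print(f"{len(hits)} of {len(SAMPLE_ALERTS)} alerts belong to prod-web")
    for alert in hits[:5]:
        print(alert["alert_id"], alert["host_name"], alert["severity"])
```

To run against a tenant, swap the two sample fetchers for make_api_fetcher(...) with the alerts and endpoints paths; the paging and cross-reference logic stays the same. Because this filters by endpoint rather than by incident, an alert from a grouped host can still sit in an incident with alerts from other hosts, which is the caveat raised in this thread.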
06-22-2022 01:39 AM
Hi @bbarmanroy ,
We want to manage alerts for a particular group of assets related to the same environment. We have different endpoint groups with <100 endpoints each. So we want to group the alerts only for those endpoints.
06-22-2022 03:14 AM
Hi @Kavurisowmya, that is not a recommended approach to incident resolution in XDR, since alerts are stitched to incidents and an incident can contain alerts from multiple sources. The challenge is that one might miss attack path maps/chains with your suggested approach.
06-26-2022 09:18 PM
Hi, we have alerts that need to be reviewed for specific assets/endpoints, and we want to enable block mode only for them. Can this be done with the starring/using Xref? Is there any other way?
06-27-2022 07:04 AM
Hi Kavurisowmya,
Cortex XDR Prevention Profiles contain the specific settings for how XDR will enforce the specific modules (Block or Report only); these profiles are then tied to endpoints via Prevention Policy rules. In order to enable blocking on a particular group of hosts, create an "Endpoint Group" that contains all of the intended hosts, then create a Prevention Policy whose target is set to the Endpoint Group you created, and ensure that the Profiles you assign to this policy contain the specific settings you want applied to this group of endpoints.
As @bbarmanroy mentioned, you can then create a starring configuration specifically for that endpoint group you created. Once you do that, you will be able to filter the Alerts table based on whether the Alert is "Starred". You can also filter the Incidents table on the Starring field, so you will be aware if any Incidents involve a host that is in your target group.