How to get the list of alerts/incidents for a particular list of hosts?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

How to get the list of alerts/incidents for a particular list of hosts?

L1 Bithead

Hi,

I need to know how can we get alerts for particular hosts/ a specific group ( Ex: 1000 agents ) in the Cortex XDR console -> Incident Response -> Incidents -> Alerts table. I have tried from filter option but it doesn't work. We can't add all the agent names in the hostname for the 1000 servers as it is time-consuming. So, is there any other way to get alerts only for specific agents / for a group?

5 REPLIES 5

L5 Sessionator

Hi @Kavurisowmya there are a few workarounds to address your ask:

- use starring configuration for those endpoints
- use alerts/incidents API and retrieve 100 at a time, and then xref against endpoints API/dataset

 

What is the use case that you're trying to solve? It is generally not recommended to filter alerts based on hosts as XDR stitches them in incidents.

L1 Bithead

Hi @bbarmanroy ,

We want to manage alerts for a particular group of assets related to the same environment. We have different endpoint groups with each <100 endpoint. So we want to group the alerts only for those endpoints.

Hi @Kavurisowmya that is not a recommended approach to incident resolution in XDR. Since alerts are stitched to incidents, and an incident can contain alerts from multiple sources. The challenge is that one might miss attach path maps/chains with your suggested approach. 

Hi, We have alerts that need to be reviewed for specific assets/endpoints and enable block mode only for them. Can this be done with the starring/using Xref? Is there any other way?

Hi Kavurisowmya,

Cortex XDR Prevention Profiles contain the specific settings for how XDR will enforce the specific modules (Block or Report only), these profiles are then tied to endpoints via Prevention Policy rules. In order to enable blocking on a particular group of hosts, create an "Endpoint Group" that contains all of the intended hosts, then create a Prevention Policy that's target is set to the Endpoint Group you created and ensure that the Profiles you assign to this policy contain the specific settings you want applied to this group of endpoints.

 

As @bbarmanroy mentioned, you can then create a starring configuration specifically for that endpoint group you created. Once you do that you will be able to filter in the Alerts table based on if the Alert is "Starred". You can also filter the Incidents table based on the Starring field as well so you will be aware if any Incidents involve a host that is in your target group.

 

 

 

  • 2314 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!