For details on cookie usage on our site, read our Privacy Policy
How to get the list of alerts/incidents for a particular list of hosts?
- LIVEcommunity
- Discussions
- Security Operations
- Cortex XDR Discussions
- How to get the list of alerts/incidents for a particular list of hosts?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
How to get the list of alerts/incidents for a particular list of hosts?
- Mark as New
- Subscribe to RSS Feed
- Permalink
06-21-2022 08:31 PM
Hi,
I need to know how can we get alerts for particular hosts/ a specific group ( Ex: 1000 agents ) in the Cortex XDR console -> Incident Response -> Incidents -> Alerts table. I have tried from filter option but it doesn't work. We can't add all the agent names in the hostname for the 1000 servers as it is time-consuming. So, is there any other way to get alerts only for specific agents / for a group?
- Mark as New
- Subscribe to RSS Feed
- Permalink
06-22-2022 01:09 AM
Hi @Kavurisowmya there are a few workarounds to address your ask:
- use starring configuration for those endpoints
- use alerts/incidents API and retrieve 100 at a time, and then xref against endpoints API/dataset
What is the use case that you're trying to solve? It is generally not recommended to filter alerts based on hosts as XDR stitches them in incidents.
- Mark as New
- Subscribe to RSS Feed
- Permalink
06-22-2022 01:39 AM
Hi @bbarmanroy ,
We want to manage alerts for a particular group of assets related to the same environment. We have different endpoint groups with each <100 endpoint. So we want to group the alerts only for those endpoints.
- Mark as New
- Subscribe to RSS Feed
- Permalink
06-22-2022 03:14 AM
Hi @Kavurisowmya that is not a recommended approach to incident resolution in XDR. Since alerts are stitched to incidents, and an incident can contain alerts from multiple sources. The challenge is that one might miss attach path maps/chains with your suggested approach.
- Mark as New
- Subscribe to RSS Feed
- Permalink
06-26-2022 09:18 PM
Hi, We have alerts that need to be reviewed for specific assets/endpoints and enable block mode only for them. Can this be done with the starring/using Xref? Is there any other way?
- Cortex XDR service getting stopped in Cortex XDR Discussions
- Need help creating a Host Firewall rule in Cortex XDR in Cortex XDR Discussions
- XSOAR Multi-Tenancy Architecture and System Requirements in Cortex XSOAR Discussions
- Not able to set Proxy for Windows 2012 servers in Cortex XDR Discussions
- Host Firewall in Cortex XDR Discussions
Show your appreciation!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
