How to query XDR for all incidents that relate to a device group


How to query XDR for all incidents that relate to a device group

L1 Bithead

The Get Incidents API allows you to filter based on an incident_id_list, but not a list of endpoint_ids much less endpoint group. The Get Alerts API allows you to filter on an alert_id_list, but not a list of endpoint_ids much less endpoint group. 


I'm trying to figure out how to get a list of alert_ids or incident_ids filtered by endpoint group or even endpoint_id so that I could use it to filter either of the above APIs. I can't figure out how to build a query in XDR for this because I don't see any endpoint or incident information in the xdr_data schema.


This seems like a standard bit of data to pull, just incidents or alerts by endpoint, but I can't seem to figure it out. What am I missing?


Accepted Solutions

L3 Networker

Hey James,


Have you ever thought about retrieving the incidents and alerts and then mapping them in the code to the endpoint groups? In short what I'm saying is that you can easily filter by endpoints directly from your code. 

Silviu-Mihail Dascalu


L4 Transporter

Hi JamesWiggins,


Unfortunately, Incidents and Alerts are not exposed as a dataset so they cannot be queried using XQL.

Hi Afurze


Any idea how the Palo Alto provided widgets filter on incidents (for example the widgets 'incidents by assignee' or 'incidents by status')?


Danny

These widgets are leveraging the built-in functions not currently exposed in the User Interface but via API.

Silviu-Mihail Dascalu

Hi Silviu
Good to hear from you.  Thanks for the info which led me to try using the XDR integration command (example test !xdr-get-incidents gte_creation_time="2022-06-20T23:59:00" raw-response=true) in XSOAR. I will create my report in XSOAR instead.
Regards
Danny

Yes, this is exactly what I ended up doing. I had to pull down all of the incidents for the tenant, and then filter the incidents by host in script with a list of endpoint IDs I had previously retrieved from the get_endpoints API. Thanks for your help!
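The client-side approach described in this reply, as an added example that is not part of the original thread: incidents and endpoints are assumed to have already been fetched (and paginated) from the Get Incidents and get_endpoints APIs, and the field layout (an incident's `hosts` list of `"hostname:endpoint_id"` strings, an endpoint's `endpoint_id` and `group_name` list) is an assumption based on the public API docs; the sample records are constructed.

```python
"""Filter Cortex XDR incidents by endpoint group entirely in script.

Assumed record layout (not stated in the thread):
  incident: {"incident_id": str, "hosts": ["hostname:endpoint_id", ...]}
  endpoint: {"endpoint_id": str, "endpoint_name": str, "group_name": [str, ...]}
"""


def endpoint_ids_in_group(endpoints, group):
    """Set of endpoint_ids belonging to ``group`` (an endpoint may be in several groups)."""
    return {e["endpoint_id"] for e in endpoints if group in (e.get("group_name") or [])}


def incident_endpoint_ids(incident):
    """Endpoint ids referenced by an incident's hosts list.

    Entries are "hostname:endpoint_id"; entries without the separator (or with
    an empty id) are skipped rather than treated as a match.
    """
    ids = set()
    for host in incident.get("hosts") or []:
        _hostname, sep, endpoint_id = host.rpartition(":")
        if sep and endpoint_id:
            ids.add(endpoint_id)
    return ids


def incidents_for_group(incidents, endpoints, group):
    """Sorted incident_ids of incidents touching at least one endpoint in ``group``.

    Incidents with no hosts (e.g. purely network-based ones) or with hosts that
    are not in the endpoint inventory never match.
    """
    wanted = endpoint_ids_in_group(endpoints, group)
    return sorted(i["incident_id"] for i in incidents if incident_endpoint_ids(i) & wanted)


# Constructed sample data standing in for the two API responses.
SAMPLE_ENDPOINTS = [
    {"endpoint_id": "ep-001", "endpoint_name": "fin-laptop-01", "group_name": ["Finance"]},
    {"endpoint_id": "ep-002", "endpoint_name": "hr-desktop-07", "group_name": ["HR"]},
    {"endpoint_id": "ep-003", "endpoint_name": "fin-server-02", "group_name": ["Finance", "Servers"]},
]
SAMPLE_INCIDENTS = [
    {"incident_id": "1001", "hosts": ["fin-laptop-01:ep-001"]},
    {"incident_id": "1002", "hosts": ["hr-desktop-07:ep-002"]},
    {"incident_id": "1003", "hosts": ["fin-server-02:ep-003", "hr-desktop-07:ep-002"]},
    {"incident_id": "1004", "hosts": []},              # no endpoint involved
    {"incident_id": "1005", "hosts": ["unknown-host"]},  # malformed entry, ignored
]

if __name__ == "__main__":
    print(incidents_for_group(SAMPLE_INCIDENTS, SAMPLE_ENDPOINTS, "Finance"))  # → ['1001', '1003']
```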
