06-15-2022 06:36 AM
The Get Incidents API allows you to filter based on an incident_id_list, but not a list of endpoint_ids, much less an endpoint group. The Get Alerts API allows you to filter on an alert_id_list, but not a list of endpoint_ids, much less an endpoint group.
I'm trying to figure out how to get a list of alert_ids or incident_ids filtered by endpoint group or even endpoint_id so that I could use it to filter either of the above APIs. I can't figure out how to build a query in XDR for this because I don't see any endpoint or incident information in the xdr_data schema.
This seems like a standard bit of data to pull, just incidents or alerts by endpoint, but I can't seem to figure it out. What am I missing?
06-15-2022 12:25 PM
Hi JamesWiggins,
Unfortunately, Incidents and Alerts are not exposed as a dataset so they cannot be queried using XQL.
06-27-2022 12:31 AM - edited 06-27-2022 12:33 AM
Hi Afurze
Any idea how the Palo Alto-provided widgets filter on incidents (for example the widgets 'incidents by assignee' or 'incidents by status')?
Danny
06-27-2022 12:40 AM
These widgets are leveraging the built-in functions not currently exposed in the User Interface but via API.
06-27-2022 12:46 AM
Hey James,
Have you ever thought about retrieving the incidents and alerts and then mapping them in the code to the endpoint groups? In short what I'm saying is that you can easily filter by endpoints directly from your code.
06-27-2022 01:00 AM
07-01-2022 06:12 AM
Yes, this is exactly what I ended up doing. I had to pull down all of the incidents for the tenant, and then filter the incidents by host in script with a list of endpoint IDs I had previously retrieved from the get_endpoints API. Thanks for your help!
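The client-side mapping described in the reply above, as an added example that is not code from the thread or from Palo Alto: it joins a get_endpoints inventory to a get_incidents result by endpoint ID and builds the incident_id_list filter the Get Incidents / Get Alerts APIs accept. The reply field names (endpoint_id, group_name, and hosts entries of the form "hostname:endpoint_id") are assumptions about the response shapes, and the sample data is constructed; real calls would be paged from the tenant first.

```python
# Added example: filter Cortex XDR incidents by endpoint group in code.
# Field names below are ASSUMED response shapes, not taken from the thread.

# Constructed sample of a get_endpoints reply (assumed shape).
ENDPOINTS = [
    {"endpoint_id": "aaaa1111", "endpoint_name": "FIN-LAPTOP-01", "group_name": ["Finance"]},
    {"endpoint_id": "bbbb2222", "endpoint_name": "FIN-LAPTOP-02", "group_name": ["Finance", "Laptops"]},
    {"endpoint_id": "cccc3333", "endpoint_name": "DEV-WS-01", "group_name": ["Engineering"]},
    {"endpoint_id": "dddd4444", "endpoint_name": "LONELY-01", "group_name": []},
]

# Constructed sample of a get_incidents reply (assumed shape: hosts = "hostname:endpoint_id").
INCIDENTS = [
    {"incident_id": "100", "hosts": ["FIN-LAPTOP-01:aaaa1111"]},
    {"incident_id": "101", "hosts": ["DEV-WS-01:cccc3333", "FIN-LAPTOP-02:bbbb2222"]},
    {"incident_id": "102", "hosts": []},                   # no endpoint attribution
    {"incident_id": "103", "hosts": ["ORPHAN:ffff9999"]},  # endpoint missing from inventory
]


def endpoint_ids_in_group(endpoints, group):
    """Endpoint IDs whose inventory record lists the given group name."""
    return {e["endpoint_id"] for e in endpoints if group in e.get("group_name", [])}


def host_endpoint_id(host):
    """Extract the endpoint ID from a 'hostname:endpoint_id' host string.
    Splits on the last colon so a colon inside the hostname does not break parsing."""
    return host.rsplit(":", 1)[-1] if ":" in host else host


def incidents_for_endpoints(incidents, endpoint_ids):
    """Incident IDs with at least one host whose endpoint ID is in the set."""
    return sorted(
        inc["incident_id"]
        for inc in incidents
        if any(host_endpoint_id(h) in endpoint_ids for h in inc.get("hosts", []))
    )


def incident_filter_for_group(endpoints, incidents, group):
    """Build the request_data filter (incident_id_list) that get_incidents and
    get_alerts accept, restricted to incidents touching one endpoint group."""
    ids = incidents_for_endpoints(incidents, endpoint_ids_in_group(endpoints, group))
    return {"request_data": {"filters": [
        {"field": "incident_id_list", "operator": "in", "value": ids}]}}
```

Incidents with no hosts, or with hosts whose endpoint is no longer in the inventory, simply fall out of the result, which is worth logging when the join is used for coverage reporting.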