This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

How to query XDR for all incidents that relate to a device group

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

How to query XDR for all incidents that relate to a device group

Go to solution
JamesWiggins
L1 Bithead

‎06-15-2022 06:36 AM

The Get Incidents API allows you to filter based on an incident_id_list, but not a list of endpoint_ids much less endpoint group. The Get Alerts API allows you to filter on an alert_id_list, but not a list of endpoint_ids much less endpoint group. 

 

I'm trying to figure out how to get a list of alert_ids or incident_ids filtered by endpoint group or even endpoint_id so that I could use it filter either of the above API's. I can't figure out how build a query in XDR for this because I don't see any endpoint or incident information in the xdr_data schema

 

This seems like a standard bit of data to pull.. just incidents or alerts by endpoint but I can't seem to figure it out. What am I missing?

2 people had this problem.
0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
SilviuMihailDascalu
L3 Networker

‎06-27-2022 12:46 AM

Hey James,

 

Have you ever thought about retrieving the incidents and alerts and then mapping them in the code to the endpoint groups? In short what I'm saying is that you can easily filter by endpoints directly from your code. 

Silviu-Mihail Dascalu

View solution in original post

6 REPLIES 6

Go to solution
afurze
L4 Transporter

‎06-15-2022 12:25 PM

Hi JamesWiggins,

 

Unfortunately, Incidents and Alerts are not exposed as a dataset so they cannot be queried using XQL.

0 Likes Likes

Go to solution
DannyMulheran
L2 Linker
In response to afurze

‎06-27-2022 12:31 AM - edited ‎06-27-2022 12:33 AM

Hi Afurze

 

Any idea how do the Palo Alto provided widgets filter on incidents (for example the widgets 'incidents by assignee' or 'incidents by status'?

 

Danny

0 Likes Likes

Go to solution
SilviuMihailDascalu
L3 Networker
In response to DannyMulheran

‎06-27-2022 12:40 AM

These widgets are leveraging the built-in functions not currently exposed in the User Interface but via API.

Silviu-Mihail Dascalu
0 Likes Likes

Go to solution
SilviuMihailDascalu
L3 Networker

‎06-27-2022 12:46 AM

Hey James,

 

Have you ever thought about retrieving the incidents and alerts and then mapping them in the code to the endpoint groups? In short what I'm saying is that you can easily filter by endpoints directly from your code. 

Silviu-Mihail Dascalu

Go to solution
DannyMulheran
L2 Linker
In response to SilviuMihailDascalu

‎06-27-2022 01:00 AM

Hi Silviu
Good to hear from you.  Thanks for the info which led me to try using the XDR integration command (example test !xdr-get-incidents gte_creation_time="2022-06-20T23:59:00" raw-response=true) in XSOAR. I will create my report in XSOAR instead.
Regards
Danny
0 Likes Likes

Go to solution
JamesWiggins
L1 Bithead
In response to SilviuMihailDascalu

‎07-01-2022 06:12 AM

Yes, this is exactly what I ended up doing. I had to pull down all of the incidents for the tenant, and then filter the incidents by host in script with a list of endpoint ID's I had previously retrieved from the get_endpoints API. Thanks for your help!

0 Likes Likes
  • 1 accepted solution
  • 4092 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks