XQL Query

L0 Member
Can we fetch grouped issues with the help of an XQL query? For example, if the same issue keeps recurring in a short period of time, it shows on the console with +1 or +2. So can we find those +1 or +2 issues, which are grouped into a single issue, with the help of an XQL query?

Cortex XDR 

2 REPLIES

L3 Networker

Hello @Jai_Prakas,

Greetings for the day!

Yes, you can fetch grouped issues (alerts) that appear with the "+n" tag (e.g., +1, +2) on the console by using an XQL query.

Understanding the "+n" Behavior

The "+n" tag is part of the Cortex XDR/XSIAM Alert Aggregation logic. When duplicate alerts (same alert name, same host) occur within a 24-hour period, the platform aggregates them into a single alert and appends the "+n" suffix to the alert name to indicate the number of additional occurrences. This behavior typically applies to alerts from firewalls, WildFire, and Local Analysis events.


If you feel this has answered your query, please let us know by clicking Like and "Mark this as a Solution".


Happy New Year!!

Thanks & Regards,
S. Subashkar Sekar

L0 Member

Will you help me with the query? When I'm looking at dataset=alerts, I'm not able to get proper visibility for it in an XQL query.

Kindly help me with the query which I have to run for that.

Thanks and regards,

Jai Prakash
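Added example, not from either poster in this thread: one way to surface the aggregated alerts described in the reply above, i.e. alerts whose name carries the "+n" suffix, directly from the alerts dataset, and to recover the occurrence count from that suffix. The field names alert_name, alert_id, agent_hostname, alert_source and severity are assumed to match the alerts dataset schema in your tenant; confirm them in the Query Builder field list before relying on the query. The query runs over whatever time range is selected when it is executed, so widen that range if you want more than the default window.

```xql
// Added example for this thread, not code from either poster.
// Field names are assumed; verify them against your tenant's alerts dataset.
dataset = alerts
// Keep only alerts whose name ends with the aggregation suffix, e.g. "Suspicious process +3"
| filter alert_name ~= "\+\d+$"
// Extract the number after the "+" (the count of suppressed duplicates)
| alter extra_occurrences = to_integer(arrayindex(regextract(alert_name, "\+(\d+)$"), 0))
// Total occurrences = the displayed alert plus the aggregated duplicates
| alter total_occurrences = extra_occurrences + 1
// Strip the suffix so the same alert name can be compared across different counts
| alter base_alert_name = replex(alert_name, "\s*\+\d+$", "")
| fields _time, alert_id, base_alert_name, alert_name, agent_hostname, alert_source, severity, extra_occurrences, total_occurrences
| sort desc extra_occurrences
```

The regex approach depends only on the suffix that is visible in the console, so it does not assume any separate aggregation field exists. To see which alert names aggregate most often per host over the selected window, replace the fields and sort stages with `| comp count() as aggregated_alerts, sum(extra_occurrences) as duplicates by base_alert_name, agent_hostname`.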

  • 833 Views
  • 2 replies
  • 0 Likes