Polling XDR Integration for Alerts that are not Incident Based

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Polling XDR Integration for Alerts that are not Incident Based

L3 Networker

Hello all,

I am running a Use-Case that requires me to poll the XDR Tenant for all alerts. These include Alerts that are found in an XDR Incident and Independent Alerts that are not found in an incident. For example a Low Severity alert from a BIOC Analytics Source that has not opened or should I say referenced in an incident. These Independent alerts are not retrieved with the "!xdr-get-alerts" command. Even when querying for a specific Indipendant alert based on it's ID it is not retrieved. Does anyone have a solution for this ?

There is no reason why these alerts shouldn't be available to be analysed on the XSOAR Platform. 

In the case that this is not possible, are the Alerts available for querying from the XQL Integration ? 

Cortex XSOAR 

Cortex XDR 

PCSAE
8 REPLIES 8

L2 Linker

" Even when querying for a specific Indipendant alert based on it's ID it is not retrieved. Does anyone have a solution for this ?"

Can you confirm if this is the case ? I think i saw an independent alert being fetched with case-id set to null

L3 Networker

@arnarayanan I have double checked this when performing the command on all alerts from the past 24 Hours I see that only the incident based alerts are fetched. The problem remains. 

PCSAE

L2 Linker

Hi ,Sorry, what i meant to ask is when you do an XDR-get-alert with a specific independent alert-id, what do you see as output on XSOAR. 
I am not an XDR expert, however i thought i saw XSOAR fetching an independent alert with case-id=null

L3 Networker

@arnarayanan 

When I perform this on a specific Alert ID that isn't incident related I receive the message that no alert has been fetched. 

PCSAE

Just to update this thread, there is no suitable solution found and It may be possible that this is a recent change due to the 6.3 Update to XDR. Due to the lack of confirmation I will open a support ticket to escalate this matter. 

PCSAE

L1 Bithead

Hi, 
I have the same problem. Does anyone found a solution for this?

L1 Bithead

We lost a lot of alerts in XSOAR because of this limitation.

@michaelsysec242 did you found any workaround?

L3 Networker

Hello @JoaoPGBotelho ,

I still havent found a solution for this. 

Maybe try with the lastest content pack to see if this is patched.

PCSAE
  • 2348 Views
  • 8 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!