Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

Who Me Too'd this topic

how to specify Cloud Info "vpc-id" in Endpoint Group?

L0 Member

In the Cortex XDR console I am trying to setup a new Endpoint Group using the AWS 'Cloud Info' values as the filter. That info is presented as JSON with various nested values and it looks straight-forward to use, i.e., I can specify the "Cloud Info" field, then provide a key:value pair. But it only works for 'top-level' key:value pairs, e.g. "cloud_provider:AWS". If I try to specify something more granular, it's not found.


The primary example is the VPC ID, i.e., to identify the agents in each AWS network. That key:value is nested, e.g.

"cloud_provider": "AWS",
"network": {
"interfaces": {
"macs": {
"06:d4:90:12:34:56": {
"mac": "06:d4:90:12:34:56",
"vpc-id": "vpc-abc12345",

Simply entering, "vpc-id:vpc-abc12345", doesn't work. So I assume I need to specify the full-path somehow? Or, maybe it's simply not supported?


P.S. I've tried various uses of 'contains' instead of the default "=", as well as wildcards in both the 'key' and the 'value', to no avail ...


Who Me Too'd this topic