02-13-2023 11:13 AM - edited 02-13-2023 11:20 AM
In the Cortex XDR console I am trying to set up a new Endpoint Group using the AWS 'Cloud Info' values as the filter. That info is presented as JSON with various nested values and it looks straightforward to use, i.e., I can specify the "Cloud Info" field, then provide a key:value pair. But it only works for 'top-level' key:value pairs, e.g. "cloud_provider:AWS". If I try to specify something more granular, it's not found.
The primary example is the VPC ID, i.e., to identify the agents in each AWS network. That key:value is nested, e.g.
    "cloud_provider": "AWS",
    "network": {
      "interfaces": {
        "macs": {
          "06:d4:90:12:34:56": {
            "mac": "06:d4:90:12:34:56",
            "vpc-id": "vpc-abc12345",
Simply entering "vpc-id:vpc-abc12345" doesn't work. So I assume I need to specify the full path somehow? Or, maybe it's simply not supported?
P.S. I've tried various uses of 'contains' instead of the default "=", as well as wildcards in both the 'key' and the 'value', to no avail ...