Investigate and resolve health alerts - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Product
Cortex XSIAM
Creation date
2024-07-16
Last date published
2025-02-18
Category
Administrator Guide
Abstract

You can investigate and take actions on health alerts from the Health Alerts page and the Alerts Table.

The following tasks explain how to investigate and resolve health alerts. You can view health alerts on either of the following pages:

  • Go to Settings > Health Alerts.

  • Go to Incident Response > Incidents and click Alerts Table. Then, change the table view to Health Domain.

A data ingestion alert identifies disruption in the data ingestion pipeline. For example, a data source is not sending logs, or there is a significant drop in log collection compared to the calculated ingestion baseline.

  1. Identify the error: Alert Type = Ingestion.

  2. Right-click and select Investigate in XQL query.

    The Query Builder opens and runs a prefilled query to display related data ingestion metrics entries.

  3. Review the query results.

    The results provide context to the alert and the events leading up to it. For more information about data ingestion metrics and setting up correlation rules with your own data ingestion logic, see Monitoring Data Ingestion Health.

  4. Investigate data collector errors. Return to the Health Alerts page, right-click the alert and select Pivot to views > View collector details.

    Depending on the type of collector in error, the relevant data collector settings page opens, filtered by data collector.
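The ingestion alert described above fires when collection drops significantly against a calculated baseline. The following is an added illustration of that idea, not Cortex XSIAM code: the product computes its baseline internally, and the sample hourly counts, the median-of-history baseline and the 50% drop threshold here are all constructed assumptions for the example.

```python
"""Baseline-based ingestion drop check (added example, not Cortex XSIAM code)."""
from statistics import median

# Constructed sample data: for each data source, the event counts seen in the
# same hourly slot on the previous seven days (the baseline window), and the
# count seen in the current hour. "new-source" has no history yet.
BASELINE_WINDOW = {
    "firewall-dc1": [9800, 10100, 9950, 10300, 9700, 10050, 9900],
    "proxy-edge": [4200, 4150, 4300, 4100, 4250, 4180, 4220],
    "new-source": [],
}
CURRENT_HOUR = {"firewall-dc1": 2100, "proxy-edge": 4190, "new-source": 300}


def ingestion_baseline(history):
    """Median of the historical counts; None when there is no history.

    The median is used (assumption) because a single noisy day should not
    drag the baseline up or down the way a mean would.
    """
    return median(history) if history else None


def check_ingestion(history, current, drop_ratio=0.5):
    """Classify one source's current hour against its baseline.

    Returns (status, baseline) where status is one of:
      "no_baseline" - not enough history to judge (do not alert)
      "no_data"     - the source sent nothing this hour
      "drop"        - volume fell below (1 - drop_ratio) of the baseline
      "ok"          - volume is within the expected range
    """
    baseline = ingestion_baseline(history)
    if baseline is None:
        return ("no_baseline", None)
    if current == 0:
        return ("no_data", baseline)
    if current < baseline * (1 - drop_ratio):
        return ("drop", baseline)
    return ("ok", baseline)


def evaluate_sources(windows, current, drop_ratio=0.5):
    """Run the check for every known source; a missing source counts as 0 events."""
    return {
        src: check_ingestion(windows[src], current.get(src, 0), drop_ratio)
        for src in windows
    }


if __name__ == "__main__":
    for src, (status, baseline) in evaluate_sources(BASELINE_WINDOW, CURRENT_HOUR).items():
        print(f"{src:14} baseline={baseline} status={status}")
```

Sources with no history are reported separately rather than alerted on, so a newly onboarded collector does not raise a drop alert before a baseline exists; a zero count is also kept distinct from a partial drop, since "not sending logs" and "sending far fewer logs" usually point at different failures.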

A collection alert identifies connectivity disruption in your collection integrations, custom collectors, and Marketplace integrations.

  1. Identify the error: Alert Type = Collection.

  2. See the current status of the collector.

    Right-click and select Pivot to views > View collector details. Depending on the type of collector in error, the relevant data collector settings page opens, filtered by data collector.

    If the data collector is still in error, you can update the collector settings as required.

  3. Investigate the collector error status.

    Run a query on the collection_auditing dataset to see all the connectivity changes of the collector over time, the escalation or recovery of the connectivity status, and the error, warning, and informational messages related to status changes.

    Example 13. 

    This example searches for status changes for the "instance1" data collector integration:

    dataset = collection_auditing
    | filter collector_type = "STRATA_IOT" and instance = "instance1"

    For more information about troubleshooting collector errors and setting up correlation rules to trigger additional collection alerts, see Verifying Collector Connectivity.
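Step 3 above reads the collection_auditing dataset for the escalation or recovery of a collector's connectivity status over time. The following is an added example, not Cortex XSIAM code, of the same analysis run offline over constructed records: only the collector_type and instance field names come from the guide's query; the _time, status, severity and message fields, the status values and the sample records are assumptions for the example.

```python
"""Extract connectivity status transitions for one collector (added example)."""

# Constructed records in the shape of a collection_auditing export. Field
# names other than collector_type and instance are assumptions.
SAMPLE_RECORDS = [
    {"_time": "2024-07-16T08:00:00", "collector_type": "STRATA_IOT", "instance": "instance1",
     "status": "CONNECTED", "severity": "info", "message": "Collector connected"},
    {"_time": "2024-07-16T08:15:00", "collector_type": "STRATA_IOT", "instance": "instance1",
     "status": "CONNECTED", "severity": "info", "message": "Heartbeat received"},
    {"_time": "2024-07-16T09:00:00", "collector_type": "STRATA_IOT", "instance": "instance1",
     "status": "WARNING", "severity": "warning", "message": "Slow response from source"},
    {"_time": "2024-07-16T09:10:00", "collector_type": "STRATA_IOT", "instance": "instance2",
     "status": "ERROR", "severity": "error", "message": "Connection refused"},
    {"_time": "2024-07-16T09:30:00", "collector_type": "STRATA_IOT", "instance": "instance1",
     "status": "ERROR", "severity": "error", "message": "Authentication failed"},
    {"_time": "2024-07-16T11:00:00", "collector_type": "STRATA_IOT", "instance": "instance1",
     "status": "CONNECTED", "severity": "info", "message": "Reconnected"},
]

# Ordering used to decide whether a change is an escalation or a recovery
# (assumed for the example).
STATUS_RANK = {"CONNECTED": 0, "WARNING": 1, "ERROR": 2}


def select_collector(records, collector_type, instance):
    """Equivalent of the guide's filter, applied to an in-memory list, oldest first."""
    return sorted(
        (r for r in records if r["collector_type"] == collector_type and r["instance"] == instance),
        key=lambda r: r["_time"],
    )


def status_transitions(records, collector_type, instance):
    """Return (time, from_status, to_status, kind, message) for every status change.

    Consecutive records with the same status (heartbeats) are collapsed, so the
    result is the sequence of escalations and recoveries the analyst cares about.
    """
    transitions = []
    prev = None
    for r in select_collector(records, collector_type, instance):
        if prev is not None and r["status"] != prev["status"]:
            kind = "escalation" if STATUS_RANK[r["status"]] > STATUS_RANK[prev["status"]] else "recovery"
            transitions.append((r["_time"], prev["status"], r["status"], kind, r["message"]))
        prev = r
    return transitions


def current_status(records, collector_type, instance):
    """Latest known status for the collector, or None if it has no records."""
    sel = select_collector(records, collector_type, instance)
    return sel[-1]["status"] if sel else None


if __name__ == "__main__":
    for t in status_transitions(SAMPLE_RECORDS, "STRATA_IOT", "instance1"):
        print(t)
    print("current:", current_status(SAMPLE_RECORDS, "STRATA_IOT", "instance1"))
```

The last transition into an error state, together with its message, is normally the one to start from when the collector is still in error; the recovery record tells you whether the condition cleared on its own or after a settings change.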

A correlation alert identifies errors in your correlation rules.

  1. Identify the error: Alert Type = Correlation.

  2. Right-click and select Investigate Correlation Auditing.

    The Query Builder opens and runs a prefilled query to display related correlation execution records.

  3. Review the query results.

    Identify the correlation rule in error and take steps to resolve the error. For more information about how Cortex XSIAM identifies correlation rule errors, see Monitor correlation rules.