About health alerts - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2024-10-13
Category
Administrator Guide
Abstract

Cortex XSIAM provides health alerts to help you monitor the health and integrity of supported Cortex XSIAM resources. Health alerts comprise ingestion, collection, correlation, and event forwarding errors.

Cortex XSIAM provides health alerts to help you monitor the health and integrity of supported Cortex XSIAM resources. Health alerts provide insights into health drifts, such as failure events or status changes. The alerts help you stay on top of your health related errors and ensure optimal performance in Cortex XSIAM. In addition, you can set up notifications and run playbooks on health alerts.

Health alerts are associated with the Health Domain. When setting up notification forwarding or other configurations for health alerts, use the filter Alert Domain = Health.

To view health alerts, go to SettingsHealth Alerts, or on the Alerts page select the Health Domain table view. Click an alert to see more details in the alert card, or right-click to take actions and investigate an alert. For more information, see Investigate and resolve health alerts.

Note

The Health Alerts page displays alerts that were triggered after July 2024. To see health alerts that were triggered before this date, click Legacy Health Alerts.

Note

Cortex XSIAM enforces the dedup logic to health alerts. This logic reduces the likelihood of identical health alerts from flooding the alerts dataset.

Health alerts are associated with the Health domain. To query health alert data, use the following XQL:

dataset = alerts | filter alert_domain = "DOMAIN_HEALTH"

The following table describes the health alert fields.

Field

Description

Alert ID

A unique identifier that Cortex XSIAM assigns to each alert.

Alert Name

Name of the alert.

Alert Type

Type of health alert.

Alert Source

Source of the alert.

Broker VM ID

ID of the Broker VM.

Broker VM Name

Host name of the Broker VM.

Broker VM IP

IP address of the Broker VM.

Collector Name

Name of the collector instance.

Collector Type

Type of the collector.

Description

Text summary of the event including the alert source, alert name, and severity.

Device ID

Firewall device ID.

Excluded

Whether the alert is excluded.

External ID

Alert ID as recorded in the detector from which this alert was sent.

Final Reporting Device IP

IP of the device from which the log was extracted.

Final Reporting Device Name

Hostname of the device from which the log was extracted.

Ingestion Failure Duration

Amount of time that logs were not received or a drop in log ingestion was detected in minutes.

Playbook

Playbook that was run.

Playbook run status

Status of the playbook.

Product

Product name of the observing data source.

Resolution Status

Status that was assigned to this alert when it was triggered (or modified). Right-click an alert to change the status. If you set the status to Resolved, select a resolution reason.

Reporting Device Name

Host name of the device where the log originated.

Reporting Device IP

IP Address of the device where the log originated.

Severity

Severity level that was assigned to this alert when it was triggered (or modified).

Starred

Whether the alert is starred by starring configuration.

Timestamp

Date and time when the alert was triggered.

Vendor

Vendor of the observing data source.

XDR Collector ID

ID of the XDR Collector.

XDR Collector IP

IP address of the XDR Collector.

XDR Collector Name

Host name of the XDR Collector.