# Incident Management - Multi Alerts

## Overview

Get a list of alerts with multiple events.

* Filters in the request are combined with an AND condition (OR is not supported).
* The maximum result set size is 100.
* Offset is the zero-based number of alerts from the start of the result set.

Cortex XDR displays in the API response whether a PAN NGFW type alert contains a PCAP triggering packet. Use the Retrieve PCAP Packet API to retrieve a list of alert IDs and their associated PCAP data.

Required license: Cortex XDR Prevent, Cortex XDR Pro per Endpoint, or Cortex XDR Pro per GB.

## Configuration

### Parameters

**Name** - domain

**Value** - `CortexXdrDomain`

### Secrets

* `CortexXdrAuthorization` will reference the Cortex XDR Authorization token (the API key).
* `CortexXdrAuthId` will reference the [Cortex XDR Authorization ID](https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR-Platform-APIs/Get-your-Cortex-XDR-API-key-ID?contentId=GwbuuBI0cJvEhgDAelFiMw).

<figure><picture><source srcset="https://965373739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FkxZeV4nlXcIAjMGZxzLI%2Fuploads%2F9PJn0rMaI80G3G8Jmnha%2Fcrtdark.png?alt=media&#x26;token=398d8069-0508-44d0-9e18-8f42c101e8e8" media="(prefers-color-scheme: dark)"><img src="https://965373739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FkxZeV4nlXcIAjMGZxzLI%2Fuploads%2F1abywaKJBgF4JZJjO4yq%2Fcortexlight.png?alt=media&#x26;token=dffb055d-50c4-4dd7-a71d-30271f59c638" alt=""></picture><figcaption></figcaption></figure>

To add a Secret, open the **Secret** fields and click **New secret**:

* Give the secret a **Name**.
* Turn off the **Expiration date** option.
* Click **Add new value** and paste the secret corresponding to the value.
* Click **Save**.

<figure><picture><source srcset="https://965373739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FkxZeV4nlXcIAjMGZxzLI%2Fuploads%2FlUo7CuVpPgIVm5VNjLw6%2Fnenenew.png?alt=media&#x26;token=eb7a7231-0ac2-4099-93f9-18f9ead5add1" media="(prefers-color-scheme: dark)"><img src="https://965373739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FkxZeV4nlXcIAjMGZxzLI%2Fuploads%2FTSD53FxGQOjijA3W3DhE%2Fimage.png?alt=media&#x26;token=9941a3c0-100a-4759-b603-30079fbc90de" alt=""></picture><figcaption></figcaption></figure>

{% hint style="info" %}
Learn more about secrets in Onum in [this article](https://docs.onum.com/administration/global-settings/organization-settings/secrets-management).
{% endhint %}

You can now select the secret you just created in the corresponding fields.

After entering the required parameters and secrets, you can either enter the Cortex XDR multi alerts fields manually or simply paste the YAML below:

{% tabs %}
{% tab title="Config as YAML" %}
Toggle this **ON** to enable a free text field where you can paste your **Cortex XDR multi alerts** YAML.

```yaml
withTemporalWindow: true
temporalWindow:
  duration: 5m
  offset: 5m
  tz: UTC
  format: Epoch
withAuthentication: false
withEnumerationPhase: false
collectionPhase:
  paginationType: "fromTo"
  limit: 100
  request:
    responseType: json
    method: "POST"
    url: "https://${parameters.CortexXdrDomain}/public_api/v2/alerts/get_alerts_multi_events"
    headers:
      - name: Accept
        value: "application/json"
      - name: Content-Type
        value: "application/json"
      - name: Authorization
        value: "${secrets.CortexXdrAuthorization}"
      - name: x-xdr-auth-id
        value: "${secrets.CortexXdrAuthId}"
    bodyType: raw
    bodyRaw: |
      {
        "request_data": {
          "search_from": ${pagination.from},
          "search_to": ${pagination.to},
          "filters": [
            {
              "field": "creation_time",
              "operator": "lte",
              "value": ${temporalWindow.to}
            }
          ]
        }
      }
  output:
    select: ".reply.alerts"
    map: "."
    outputMode: "element"
```

{% endtab %}

{% tab title="Manually configure" %}
#### **Temporal Window**

Toggle **ON** to add a temporal window for events. This repeatedly shifts the time window over which data is collected.

<figure><img src="https://965373739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FkxZeV4nlXcIAjMGZxzLI%2Fuploads%2FUWdCoNTFSL8uPTHAHMCP%2Fl1ight-medium%20(15)1.png?alt=media&#x26;token=b154f980-5a5c-44f2-8a3f-7b0882cf7ce1" alt=""><figcaption></figcaption></figure>

#### **Authentication Phase**

Off

#### **Enumeration Phase**

Off

#### **Collection Phase**

* **Pagination Type**<mark style="color:red;">**\***</mark> - `fromTo`
* **Zero index**<mark style="color:red;">**\***</mark> - `false`
* **Limit**<mark style="color:red;">**\***</mark> - `100`
* **Request**
  * **Response Type**<mark style="color:red;">**\***</mark> - `JSON`
  * **Method**<mark style="color:red;">**\***</mark> - `POST`
  * **URL**<mark style="color:red;">**\***</mark> - `https://${parameters.CortexXdrDomain}/public_api/v2/alerts/get_alerts_multi_events`
  * **Headers**
    * **Name** - `Accept`
    * **Value** - `application/json`
    * **Name** - `Content-Type`
    * **Value** - `application/json`
    * **Name** - `Authorization`
    * **Value** - `${secrets.CortexXdrAuthorization}`
    * **Name** - `x-xdr-auth-id`
    * **Value** - `${secrets.CortexXdrAuthId}`
  * **Body type**<mark style="color:red;">**\***</mark> - `raw`
  * **Body content**<mark style="color:red;">**\***</mark> - the same JSON as `bodyRaw` in the YAML tab:

    ```json
    {
      "request_data": {
        "search_from": ${pagination.from},
        "search_to": ${pagination.to},
        "filters": [
          {
            "field": "creation_time",
            "operator": "lte",
            "value": ${temporalWindow.to}
          }
        ]
      }
    }
    ```
* **Output**
  * **Select** - `.reply.alerts`
  * **Map** - `.`
  * **Output Mode** - `element`

<figure><img src="https://965373739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FkxZeV4nlXcIAjMGZxzLI%2Fuploads%2FR2PSLyfC31u3RWeIZpn6%2F2025-06-26_15-46-08.png?alt=media&#x26;token=5c6b03fd-46d9-4bf2-8c8e-0d3cda5a1f38" alt=""><figcaption></figcaption></figure>
{% endtab %}
{% endtabs %}

This HTTP Pull Listener now pulls alerts from the Cortex XDR multi alerts API (`/public_api/v2/alerts/get_alerts_multi_events`) in pages of up to 100, bounded by the temporal window.
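The request/response cycle that the configuration above drives, as an added Python example that is not Onum's or Palo Alto Networks' code. It builds the same headers and `bodyRaw`, walks `fromTo` pagination in pages of 100 and selects `.reply.alerts`, but talks to a constructed in-memory stand-in for the endpoint so it runs offline. Assumptions are labelled in the code: the `temporalWindow` semantics (window ends `offset` behind now and spans `duration`, expressed as epoch milliseconds), the stand-in's alert data and its error-reply shape, and the `post` callable that represents the HTTP client.

```python
import json
from datetime import datetime, timedelta, timezone

LIMIT = 100  # the API's maximum result set size, matching `limit: 100` in the YAML


def temporal_window(now: datetime, duration: timedelta, offset: timedelta) -> dict:
    """Assumed reading of the temporalWindow block (duration 5m, offset 5m,
    format Epoch): the window ends `offset` behind `now` and spans `duration`.
    Values are epoch milliseconds, the unit Cortex XDR uses for creation_time."""
    to = now - offset
    return {"from": int((to - duration).timestamp() * 1000),
            "to": int(to.timestamp() * 1000)}


def build_headers(token: str, auth_id: str) -> dict:
    """Headers from the YAML. token/auth_id come from Onum secrets at runtime;
    they never appear as literals in the listener configuration."""
    return {"Accept": "application/json", "Content-Type": "application/json",
            "Authorization": token, "x-xdr-auth-id": auth_id}


def build_body(search_from: int, search_to: int, window_to: int) -> str:
    """bodyRaw with its placeholders substituted: one fromTo slice plus a single
    creation_time <= temporalWindow.to filter (several filters would be ANDed)."""
    body = {"request_data": {
        "search_from": search_from,
        "search_to": search_to,
        "filters": [{"field": "creation_time", "operator": "lte", "value": window_to}],
    }}
    return json.dumps(body)


# --- constructed stand-in for the endpoint; not the real Cortex XDR service ---
BASE_MS = 1_700_000_000_000
FAKE_ALERTS = [{"alert_id": str(i), "creation_time": BASE_MS + i * 1000, "severity": "medium"}
               for i in range(250)]  # 250 constructed alerts, one second apart


def fake_cortex(headers: dict, raw_body: str) -> dict:
    """Mimics the reply shape (.reply.alerts, result_count, total_count); the
    error shape {"reply": {"err_code", "err_msg"}} is a constructed approximation."""
    if "Authorization" not in headers or "x-xdr-auth-id" not in headers:
        return {"reply": {"err_code": 401, "err_msg": "missing API key or auth id"}}
    req = json.loads(raw_body)["request_data"]
    frm, to = req["search_from"], req["search_to"]
    if to - frm > LIMIT:
        return {"reply": {"err_code": 400, "err_msg": "page exceeds 100 alerts"}}
    rows = FAKE_ALERTS
    for f in req.get("filters", []):  # AND semantics: each filter narrows `rows`
        if f["field"] == "creation_time" and f["operator"] == "lte":
            rows = [a for a in rows if a["creation_time"] <= f["value"]]
        elif f["field"] == "creation_time" and f["operator"] == "gte":
            rows = [a for a in rows if a["creation_time"] >= f["value"]]
        else:
            return {"reply": {"err_code": 400, "err_msg": f"unsupported filter {f}"}}
    page = rows[frm:to]
    return {"reply": {"total_count": len(rows), "result_count": len(page), "alerts": page}}


def collect_alerts(post, headers: dict, window: dict) -> list:
    """fromTo pagination as the collection phase performs it: advance the slice
    by LIMIT and select .reply.alerts until a page comes back short. An error
    reply raises instead of being mistaken for an empty result set."""
    alerts, search_from = [], 0
    while True:
        reply = post(headers, build_body(search_from, search_from + LIMIT, window["to"]))["reply"]
        if "err_code" in reply:
            raise RuntimeError(f"Cortex XDR error {reply['err_code']}: {reply['err_msg']}")
        alerts.extend(reply["alerts"])
        if reply["result_count"] < LIMIT:
            return alerts
        search_from += LIMIT


if __name__ == "__main__":
    # Window chosen so that 150 of the 250 constructed alerts match: two pages.
    window = {"from": BASE_MS + 100 * 1000, "to": BASE_MS + 149 * 1000}
    got = collect_alerts(fake_cortex, build_headers("<api-key-placeholder>", "1"), window)
    print(f"collected {len(got)} alerts, last creation_time {got[-1]['creation_time']}")
```

Two things worth checking in a real deployment follow from this: the loop only stops on a short page, so an empty page ends collection cleanly, and an error reply (expired API key, wrong auth id, a page larger than 100) must be surfaced rather than treated as "no new alerts".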

Click **Create labels** to move on to the next step and define the required [Labels](https://docs.onum.com/the-workspace/listeners/labels) if needed.
