1) Grouping can be done for how long (Duration)
2) Can it support the grouping rule by rule basis (Every rule has its own criteria)
3) On every frequency does it create a new case? or the alerts will be throttled for amount of time specified..
Alert Grouping
+23Here is the documentation page on alert grouping
Grouping can be set for 30min out until 24 hours per the docs, you can define the number of alerts that are grouped into a single case and if you exceed that overflow cases will be added. The grouping can be a number of different options, for instance, we have set up grouping on the internal IP or hostname in some cases or an internal user, with the assumption that these are the assets and users targeted. I found that this portion of the grouping is the one that takes a bit of testing to ensure you are getting your grouping set how you would want it.
+14- Silver 4
I found this example in doc , is the number of alerts for overflow case is set to 30?
"For example, 50 phishing alerts are ingested within 8 minutes. The 51st alert is then shunted off into an overflow case.
Over the next three hours another 119 phishing alerts are ingested. This means that four overflow cases are created. Each case containing 30 alerts. Once the three hours are up, we go back to default status."
+23There are two separate settings, an initial value for alert grouping, which is capped at 30, and then if it is an overflow case, a separate value, up to 100, defined to these overflow cases. Both can have their own time ranges assigned to it.
I think we may need to review that example a bit and see if we can't be a bit more clear.
+14- Silver 4
There are two separate settings, an initial value for alert grouping, which is capped at 30, and then if it is an overflow case, a separate value, up to 100, defined to these overflow cases. Both can have their own time ranges assigned to it.
I think we may need to review that example a bit and see if we can't be a bit more clear.
HI @jstoner
How to set a padding period for the connector?
+14- Silver 4
There are two separate settings, an initial value for alert grouping, which is capped at 30, and then if it is an overflow case, a separate value, up to 100, defined to these overflow cases. Both can have their own time ranges assigned to it.
I think we may need to review that example a bit and see if we can't be a bit more clear.
I tested overflow , i could see number of alerts triggered and number of alerts ingested were not matching.
Login to the community
Login with SSO
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.