+14Hi All,
In Chronicle Soar,
3 different Alerts from falcon have been grouped into a single case
note: grouping condition defined is if all entities match then all only it should group
But what happened is that alerts are being grouped together even when not all entities meet the specified grouping conditions, which require all entities to match.
Question:
Why are these alerts being grouped into a case when not all entities are matching?
Best answer by ddiserens
if it groups different alerts based on one or more entity in common so logically case name should also change right
but case name will b based on the first alert
Correct, Case name is based on the first alert. You can change this with an action in the playbook if you wanted to.
As for grouping yes, default rules will look at entities and group them together matching entities within the time frame set. You are able to change the rules for grouping per the source, product, and event type and by doing so it would change the behavior.
+6Do you have the default grouping rule in place?
If so, technically the algorithm will take all entities into account. So the rule really reads do any of the entities match.
All would indicate an or operator between the entities.
+14yes, default grouping is in place.
are you trying to say if any one entity matches it is going to group ?
but 3 different alerts are being grouped here
+6Do you have the default grouping rule in place?
If so, technically the algorithm will take all entities into account. So the rule really reads do any of the entities match.
All would indicate an or operator between the entities.
So why does it also group a new alert, with no configured entities at all, and different alert name, into an existing case?
+14Do you have the default grouping rule in place?
If so, technically the algorithm will take all entities into account. So the rule really reads do any of the entities match.
All would indicate an or operator between the entities.
im not understanding why it grouped different alerts into a case when no entities are common
+6im not understanding why it grouped different alerts into a case when no entities are common
I would probably need to see the case in order to say for sure.
How it works though is that it will take the entities for each alert individually and identify if any of the alerts in any of the other alerts match. It doesn't have to be the same entity in all alerts. Does that make sense?
+14I would probably need to see the case in order to say for sure.
How it works though is that it will take the entities for each alert individually and identify if any of the alerts in any of the other alerts match. It doesn't have to be the same entity in all alerts. Does that make sense?
so is it like if any one entity matches between the alerts it will group based on the default grouping rule
+14I would probably need to see the case in order to say for sure.
How it works though is that it will take the entities for each alert individually and identify if any of the alerts in any of the other alerts match. It doesn't have to be the same entity in all alerts. Does that make sense?
if it groups different alerts based on one or more entity in common so logically case name should also change right
but case name will b based on the first alert
+6if it groups different alerts based on one or more entity in common so logically case name should also change right
but case name will b based on the first alert
Correct, Case name is based on the first alert. You can change this with an action in the playbook if you wanted to.
As for grouping yes, default rules will look at entities and group them together matching entities within the time frame set. You are able to change the rules for grouping per the source, product, and event type and by doing so it would change the behavior.
+14Correct, Case name is based on the first alert. You can change this with an action in the playbook if you wanted to.
As for grouping yes, default rules will look at entities and group them together matching entities within the time frame set. You are able to change the rules for grouping per the source, product, and event type and by doing so it would change the behavior.
thank you !!
+2Hello,
Create blocklist to exclude entities from alerts.
SOAR will group identified entities together, which may include process IDs, processes, or other elements. To prevent certain items from being recognized as entities, use the Blocklist in SOAR Settings > Environments > Blocklist.
Thanks
+12so is it like if any one entity matches between the alerts it will group based on the default grouping rule
Yes, this is because Alert Grouping also covers alerts across solutions, so if Initial Compromise and Lateral movement parts of the kill chain are found, and if they share just 1 entity (IP, process ID, etc) we group them.
If we only grouped if ALL entities matching this feature would really be alert deduplication only.
Andy
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.
