Question

Alert Grouping Analytics

  • October 20, 2025
  • 6 replies
  • 93 views


Any way to easily identify/query the specific entity that alerts have grouped on? All I can see is a comment applied in the case wall but this is not easy to view at scale.

For example, I would like to see which are the common entity types that are causing alerts to be grouped on, to inform alert grouping rules in SOAR settings.

Additionally, I would be interested to see the values of these entities so that I can tune out common false positives in Blocklists (e.g. root account).

I understand how to make these changes, but do not have the underlying information to know what changes need to be made. I would like to create a dashboard listing the common entity types and values that my tenant’s alerts are grouping on.

6 replies

kentphelps
Staff
  • Staff
  • October 21, 2025

Does the explore page help at all here?
Investigate entities and alerts


  • Author
  • New Member
  • October 21, 2025

Does the explore page help at all here?
Investigate entities and alerts

Hi, not really I’m afraid. This shows me a visual representation of how only one set of alerts has been grouped by entity.

I need to aggregate across all cases so that I can see which entity types and values are frequently being grouped on. This will enable me to tune/validate the alert grouping rules as well as show candidates for blocklists (e.g. root account).

Ideally this could be displayed as a dashboard so that the data is easily viewed and can be iterated upon.


  • Author
  • New Member
  • October 21, 2025

To add to this thread, I looked at the SOARWallActivity field, which seemed to provide a way to query the case wall. From the GUI, it looks like the alert grouping information is presented under type CASE_STATUS_CHANGE; however, all I am able to pull back via the query is type CASE_COMMENT.

Is this a known issue?


AbdElHafez
Staff
  • Staff
  • October 22, 2025

Have you tried using the dashboards to query the entities grouped by the alerts?

// Collect the distinct entity identifiers attached to each alert in a case
$id = case.alerts.metadata.id
$entities_names = case.alerts.entities.identifier
match:
  $id
outcome:
  $arr_entities_names = array_distinct($entities_names)

  • Author
  • New Member
  • October 22, 2025

Thanks, this gets me a bit closer but still only returns a list of entities per alert. What I need is a list of only the common entities (i.e. those which are causing alerts to group together), and the distribution of these entities by type and value. For example:

Entity Type     | Entity Identifier | Count of cases where this entity is reason for grouping
----------------|-------------------|--------------------------------------------------------
HOSTNAME        | host1             | 125
ADDRESS         | 1.2.3.4           | 96
DESTINATION URL | www.example.com   | 14

I could then use this to inform blocklisting in SOAR settings
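As an added example, not code from this thread or from the SOAR product itself, the following Python script shows offline what the table above and the dashboard query a few replies up are both aiming at: it takes exported case data (a constructed sample is embedded, with an assumed JSON shape whose field names only mirror the `case.alerts.entities.*` paths used in the query), approximates the "grouping entity" of each case as any (type, identifier) pair present in every alert of a multi-alert case (an assumption, not how the product is documented to decide grouping), and tabulates those entities by type and value, counting each case once. The result is a candidate list for blocklist review, e.g. a `root` account that shows up as the common entity across many cases.

```python
"""Added example (not from the thread): approximate the grouping entity of each
case from exported case/alert data and tabulate it by type and value.

Assumptions (not stated anywhere in the thread):
  * Cases are available as JSON in the shape of SAMPLE_CASES below. The shape is
    hypothetical; only the entity type/identifier naming mirrors the
    case.alerts.entities.* paths used in the dashboard query above.
  * The entity that caused alerts to group is approximated as any
    (type, identifier) pair present in *every* alert of a multi-alert case.
"""
from collections import Counter
from typing import Dict, Iterable, List, Set, Tuple

Entity = Tuple[str, str]  # (entity type, identifier)

# Constructed sample export: four cases with the alerts grouped into each.
SAMPLE_CASES: List[dict] = [
    {"id": "case-1", "alerts": [
        {"id": "a1", "entities": [{"type": "HOSTNAME", "identifier": "host1"},
                                  {"type": "USERNAME", "identifier": "alice"}]},
        {"id": "a2", "entities": [{"type": "HOSTNAME", "identifier": "host1"},
                                  {"type": "ADDRESS", "identifier": "10.0.0.5"}]},
    ]},
    {"id": "case-2", "alerts": [
        {"id": "a3", "entities": [{"type": "USERNAME", "identifier": "root"},
                                  {"type": "HOSTNAME", "identifier": "host2"}]},
        {"id": "a4", "entities": [{"type": "USERNAME", "identifier": "root"},
                                  {"type": "HOSTNAME", "identifier": "host3"}]},
        {"id": "a5", "entities": [{"type": "USERNAME", "identifier": "root"},
                                  {"type": "ADDRESS", "identifier": "10.0.0.9"}]},
    ]},
    # Single-alert case: nothing was grouped, so it contributes no grouping entity.
    {"id": "case-3", "alerts": [
        {"id": "a6", "entities": [{"type": "USERNAME", "identifier": "root"}]},
    ]},
    # Two entities shared by every alert: both are counted for this case.
    {"id": "case-4", "alerts": [
        {"id": "a7", "entities": [{"type": "USERNAME", "identifier": "root"},
                                  {"type": "ADDRESS", "identifier": "1.2.3.4"}]},
        {"id": "a8", "entities": [{"type": "USERNAME", "identifier": "root"},
                                  {"type": "ADDRESS", "identifier": "1.2.3.4"},
                                  {"type": "HOSTNAME", "identifier": "host4"}]},
    ]},
]


def alert_entities(alert: dict) -> Set[Entity]:
    """Distinct (type, identifier) pairs of one alert; the offline analogue of
    array_distinct() in the dashboard query."""
    return {(e["type"], e["identifier"]) for e in alert.get("entities", [])}


def grouping_entities(case: dict) -> Set[Entity]:
    """Entities shared by every alert in the case. Empty for single-alert cases
    (no grouping happened) and when no entity is common to all alerts."""
    alerts = case.get("alerts", [])
    if len(alerts) < 2:
        return set()
    common = alert_entities(alerts[0])
    for alert in alerts[1:]:
        common &= alert_entities(alert)
    return common


def grouping_table(cases: Iterable[dict]) -> List[Tuple[str, str, int]]:
    """Rows of (type, identifier, number of cases grouped on it), most common first."""
    counts: Counter = Counter()
    for case in cases:
        counts.update(grouping_entities(case))  # one count per case, not per alert
    return [(etype, ident, n) for (etype, ident), n in counts.most_common()]


def type_distribution(cases: Iterable[dict]) -> Dict[str, int]:
    """How often each entity *type* is the reason for grouping, per case."""
    dist: Counter = Counter()
    for case in cases:
        dist.update({etype for etype, _ in grouping_entities(case)})
    return dict(dist)


def render(rows: List[Tuple[str, str, int]]) -> str:
    """Plain-text version of the table sketched in the thread."""
    header = f"{'Entity Type':<16}| {'Entity Identifier':<20}| Cases grouped on it"
    lines = [header, "-" * len(header)]
    lines += [f"{t:<16}| {i:<20}| {n}" for t, i, n in rows]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(grouping_table(SAMPLE_CASES)))
    print(type_distribution(SAMPLE_CASES))
```

Because the count is per case rather than per alert, a single noisy case with many alerts does not dominate the table; swapping the `SAMPLE_CASES` constant for a real export (or for the output of the stats query above, once it is extended to carry the entity type) is the only change needed to run it against tenant data.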


AymanC
  • Bronze 5
  • October 22, 2025

Hi @andysilk

Does the above dashboard work for you? In Advanced Reports, just save the below code under any name and import it via Advanced Reports.



Kind Regards,

Ayman