
Any way to easily identify/query the specific entity that alerts have grouped on? All I can see is a comment applied in the case wall but this is not easy to view at scale.

For example, I would like to see which are the common entity types that are causing alerts to be grouped on, to inform alert grouping rules in SOAR settings.

Additionally, I would be interested to see the values of these entities so that I can tune out common false positives in Blocklists (e.g. root account).

I understand how to make these changes, but do not have the underlying information to be informed about what changes need to be made. I would like to create a dashboard to list the common entity types and values that my tenant's alerts are grouping on.

Does the explore page help at all here?
Investigate entities and alerts


Hi, not really I'm afraid. This shows me a visual representation of how only one set of alerts has been grouped by entity.

I need to aggregate across all cases so that I can see which entity types and values are frequently being grouped on. This will enable me to tune/validate the alert grouping rules as well as show candidates for blocklists (e.g. root account).

Ideally this could be displayed as a dashboard so that the data is easily viewed and can be iterated upon.


To add to this thread, I looked at the SOARWallActivity field which seemed to provide a way to query the case wall. From the GUI, it looks like the alert grouping information is presented under type CASE_STATUS_CHANGE, however all I am able to pull back via the query is type CASE_COMMENT.

Is this a known issue?


Have you tried using the dashboards to query the entities grouped by the alerts:

$id = case.alerts.metadata.id
$entities_names = case.alerts.entities.identifier
match:
  $id
outcome:
  $arr_entities_names = array_distinct($entities_names)


Thanks, this gets me a bit closer but still only returns a list of entities per alert. What I need is a list of only the common entities (i.e. those which are causing alerts to group together), and the distribution of these entities by type and value. For example:

Entity Type      | Entity Identifier | Count of cases where this entity is the reason for grouping
-----------------|-------------------|-----------------------------------------------------------
HOSTNAME         | host1             | 125
ADDRESS          | 1.2.3.4           | 96
DESTINATION URL  | www.example.com   | 14

I could then use this to inform blocklisting in SOAR settings.
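One way to build that table offline from exported case data, as an added example that is not from this thread or from Google SecOps itself. It assumes cases are exported as a mapping of case id to alerts, each alert carrying (entity type, identifier) pairs, and it treats an entity as the grouping reason when it appears in two or more alerts of the same case; the sample cases are constructed.

```python
from collections import Counter

# Constructed sample export (not real tenant data): case id -> list of alerts,
# each alert being a list of (entity_type, identifier) pairs.
SAMPLE_CASES = {
    "case-1": [
        [("HOSTNAME", "host1"), ("USER", "root")],
        [("HOSTNAME", "host1"), ("ADDRESS", "1.2.3.4")],
        [("ADDRESS", "1.2.3.4"), ("USER", "alice")],
    ],
    "case-2": [
        [("HOSTNAME", "host1"), ("DESTINATION URL", "www.example.com")],
        [("HOSTNAME", "host1"), ("DESTINATION URL", "www.example.com")],
    ],
    "case-3": [  # a single alert: nothing was grouped, so it adds no counts
        [("HOSTNAME", "host9")],
    ],
}


def grouping_entities(alerts):
    """Entities shared by at least two alerts of one case.

    Assumption: an entity is a grouping reason when it occurs in more than
    one alert of the case. Each entity is counted once per alert, so a
    duplicate inside a single alert does not make it a grouping reason.
    """
    seen = Counter()
    for alert in alerts:
        for entity in set(alert):
            seen[entity] += 1
    return {entity for entity, n in seen.items() if n >= 2}


def grouping_distribution(cases):
    """Count, per (type, identifier), the cases in which it caused grouping."""
    counts = Counter()
    for alerts in cases.values():
        counts.update(grouping_entities(alerts))
    return counts


def render_table(counts):
    """Plain-text table, most frequent grouping entities first."""
    rows = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    lines = [f"{'Entity Type':<16} | {'Entity Identifier':<20} | Cases"]
    for (etype, ident), n in rows:
        lines.append(f"{etype:<16} | {ident:<20} | {n}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_table(grouping_distribution(SAMPLE_CASES)))
```

Entities that occur in only one alert of a case (root and alice above) never reach the table, so what remains are the candidates for blocklist review.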


Hi @andysilk

Does the above dashboard work for you? In Advanced Reports, just save the below code as any name and import it via Advanced Reports.


Kind Regards,

Ayman