

Is my understanding correct that if, e.g., a malware alert contains the affected system in a field mapped to "DestinationHostName", and an alert for a system reaching out to a malicious IP indicator contains the affected system as "SourceHostName", then Siemplify would not group them together because they may be identical (hostname) values, but in different entity types?


Hey,

AFAIK, you are, generally speaking, correct. Two alerts will merge (get grouped) automatically into a case if they have a 'pivot' entity (at least one entity in both alerts) and if the time constraint is met.



Also, an entity in Siemplify is uniquely identified by its:





That being said, "SourceHostName" and "DestinationHostName" are not entity types. Both are, actually, of type "Hostname". The source and destination part allows you to control the type (and direction) of relations and overall control the ontology (by allowing multiple hosts in a single event).


In addition, you can use the knowledge of an entity being source or destination in 'Scope' in playbooks and manual actions. For example, you might want to send a notification to all 'DestinationUser's in a phishing use case.





However, we do have grouping settings that might change the default behavior and could prevent those alerts from merging. Not an expert there, but if you did change those settings we can dive deeper there.





In conclusion, generally speaking you are correct. In your specific scenario though, those two entities are actually the same one (same identifier and type (and assuming environment)).





Hope it helps :)
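To make the grouping rule from the answer above concrete, here is an added example (not Siemplify's own code, and not from either poster) that models the described behaviour: an entity's identity is (identifier, type, environment), the source/destination role is kept only as relation metadata, and two alerts merge into one case when they share a pivot entity and fall within a time window. The one-hour window, the hostname values and the alert names are constructed for the example; the real window is a platform grouping setting.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Entity:
    identifier: str
    entity_type: str   # e.g. "Hostname"; SourceHostName/DestinationHostName both map here
    environment: str
    role: str          # "source" or "destination": relation/scope info, NOT part of identity

    def key(self):
        # Identity deliberately excludes `role`, matching the answer's point that a
        # source hostname and a destination hostname with the same value are one entity.
        return (self.identifier, self.entity_type, self.environment)


@dataclass
class Alert:
    name: str
    timestamp: datetime
    entities: list


# Hypothetical grouping window; the actual value comes from the platform's settings.
GROUPING_WINDOW = timedelta(hours=1)


def shared_pivots(a, b):
    """Entities present in both alerts, compared by identity key only."""
    return {e.key() for e in a.entities} & {e.key() for e in b.entities}


def within_window(a, b, window=GROUPING_WINDOW):
    return abs(a.timestamp - b.timestamp) <= window


def group_alerts(alerts, window=GROUPING_WINDOW):
    """Union-find over alerts: each resulting list of alert names is one case."""
    parent = list(range(len(alerts)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    for i in range(len(alerts)):
        for j in range(i + 1, len(alerts)):
            if shared_pivots(alerts[i], alerts[j]) and within_window(alerts[i], alerts[j], window):
                parent[find(i)] = find(j)

    cases = {}
    for i, alert in enumerate(alerts):
        cases.setdefault(find(i), []).append(alert.name)
    return sorted(cases.values())


def build_sample_alerts():
    """Constructed sample data mirroring the scenario in the question."""
    t0 = datetime(2023, 1, 1, 10, 0)
    return [
        # Malware alert: affected system mapped to DestinationHostName.
        Alert("malware-detected", t0,
              [Entity("WS-042", "Hostname", "prod", "destination")]),
        # IOC alert: same system mapped to SourceHostName, 20 minutes later.
        Alert("c2-beacon", t0 + timedelta(minutes=20),
              [Entity("WS-042", "Hostname", "prod", "source"),
               Entity("198.51.100.7", "Address", "prod", "destination")]),
        # Same host, but four hours later: outside the window, so a separate case.
        Alert("late-logon", t0 + timedelta(hours=4),
              [Entity("WS-042", "Hostname", "prod", "source")]),
        # Same hostname in a different environment: different entity, separate case.
        Alert("staging-malware", t0 + timedelta(minutes=5),
              [Entity("WS-042", "Hostname", "staging", "destination")]),
    ]


if __name__ == "__main__":
    for case in group_alerts(build_sample_alerts()):
        print(case)
```

Running it prints three cases: the malware and C2-beacon alerts merge on the WS-042 pivot despite the differing source/destination roles, while the out-of-window alert and the other-environment alert each stay on their own.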



Awesome explanation, thank you so much, @Yair Stern!

