Change alert grouping in SOAR to group only alerts with the same source detection

Question

Hi guys,I'm trying to understand more about alert grouping in Google SecOps. I have a specific scenario: in an environment with the default configuration, cases are opened and alerts are aggregated from different detection rules (custom or curated).https://cloud.google.com/chronicle/docs/soar/investigate/working-with-alerts/alert-grouping-mechanism-adminI only need to group alerts with the same entities from the same detection rule. So far, I have achieved this by creating a rule based on an alert, but is it possible to configure an alert grouping rule that better suits my scenario?

Eoved · Accepted Answer

Hi,Yes, it is possible to configure an alert grouping rule to better suit your scenario, where you only want to group alerts with the same entities from the same detection rule.Configure this in SOAR Settings > Advanced > Alerts Grouping.In the "Rules" section of the Alert Grouping settings, create a new grouping rule.Category: Alert TypeValue: [Specific Alert Type – your SIEM rule]Group by: EntitiesGrouping Entities: All Entities (or specify the relevant entities)Please see the following sample:

chicoqueiroga · Answer

Thank you @Eoved, I've tried this in my environment and it worked.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded