
Hi guys,

I'm trying to understand more about alert grouping in Google SecOps. I have a specific scenario: in an environment with the default configuration, cases are opened and alerts are aggregated from different detection rules (custom or curated).

https://cloud.google.com/chronicle/docs/soar/investigate/working-with-alerts/alert-grouping-mechanism-admin

I only need to group alerts with the same entities from the same detection rule. So far, I have achieved this by creating a rule based on an alert, but is it possible to configure an alert grouping rule that better suits my scenario?

Hi,
Yes, it is possible to configure an alert grouping rule to better suit your scenario, where you only want to group alerts with the same entities from the same detection rule.
Configure this in SOAR Settings > Advanced > Alerts Grouping.
In the "Rules" section of the Alert Grouping settings, create a new grouping rule.
Category: Alert Type
Value: [Specific Alert Type – your SIEM rule]
Group by: Entities
Grouping Entities: All Entities (or specify the relevant entities)

Please see the following sample:

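A small model of the grouping rule described above, added here as an example (not Google SecOps code and not from the thread), applied to a few constructed alerts to show that only alerts from the same detection rule with the same entities land in one case. The Alert/GroupingRule data model and the first-matching-rule behaviour are assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Alert:
    alert_id: str
    alert_type: str        # name of the SIEM detection rule that produced the alert
    entities: frozenset    # entities (users, hosts, ...) extracted from the alert


@dataclass
class GroupingRule:
    """Model of one SOAR 'Alerts Grouping' rule: Category=Alert Type, Group by=Entities."""
    alert_type: str                               # Value: the specific alert type (SIEM rule)
    grouping_entities: Optional[frozenset] = None  # None models 'All Entities'

    def matches(self, alert: Alert) -> bool:
        return alert.alert_type == self.alert_type

    def case_key(self, alert: Alert):
        # Group by the alert type plus the (selected) entities of the alert.
        ents = alert.entities if self.grouping_entities is None \
            else alert.entities & self.grouping_entities
        return (alert.alert_type, ents)


def group_alerts(alerts, rules):
    """Return {case_key: [alert ids]} using the first rule whose alert type matches."""
    cases = defaultdict(list)
    for alert in alerts:
        rule = next((r for r in rules if r.matches(alert)), None)
        if rule is None:
            # Assumption: an alert no rule matches opens its own case.
            cases[("ungrouped", alert.alert_id)].append(alert.alert_id)
        else:
            cases[rule.case_key(alert)].append(alert.alert_id)
    return dict(cases)


# Constructed sample: two rules, four alerts (not real data).
ALICE = frozenset({"user:alice", "host:ws01"})
BOB = frozenset({"user:bob", "host:ws02"})
SAMPLE_ALERTS = [
    Alert("a1", "Suspicious Login", ALICE),
    Alert("a2", "Suspicious Login", ALICE),   # same rule, same entities -> joins a1's case
    Alert("a3", "Malware Detected", ALICE),   # same entities, other rule -> separate case
    Alert("a4", "Suspicious Login", BOB),     # same rule, other entities -> separate case
]
RULES = [GroupingRule("Suspicious Login"), GroupingRule("Malware Detected")]


def demo():
    return group_alerts(SAMPLE_ALERTS, RULES)
```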
Thank you @Eoved, I've tried this in my environment and it worked.
