Hello everyone,
Please can someone elaborate on this, differentiating between Group entities and source grouping identifiers, and what happens when this is toggled on?
Group entities and source grouping identifiers in the same case
Hi, group entities is a way to group cases by mutual entities.
Source grouping identifier is a way to group alerts by an external identifier such as a Qradar offense ID (for example, in Qradar, alerts are already grouped in the product).
When the toggle is turned on, it means that it will try to group by the source grouping identifier (Qradar) and, if not, it will group by mutual entities.
Thanks for your response. Does this mean using the source grouping identifier has to do with a setting in the connector, or how does Siemplify know the grouping identifier the data source is using?
The source grouping identifier is integrated in the connector's logic (e.g. Qradar Correlation Events Connector V2)
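To make the two-step behaviour described above concrete, here is a small added model of it in Python (example code, not Siemplify's own implementation; the `Alert`/`Case` classes, the `use_source_grouping` flag standing in for the toggle, and the sample alerts are all assumptions constructed for illustration):

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Alert:
    alert_id: str
    entities: frozenset                       # hosts, users, IPs seen in the alert
    source_grouping_id: Optional[str] = None  # e.g. a Qradar offense ID; None for a source without one

@dataclass
class Case:
    case_id: int
    alerts: list = field(default_factory=list)
    source_grouping_id: Optional[str] = None  # set when the case was opened from an external identifier
    entities: set = field(default_factory=set)

# Constructed sample: two Qradar-style alerts sharing an offense, two Elastic-style alerts
# with no external identifier, and a second offense touching an already-seen host.
SAMPLE_ALERTS = [
    Alert("a1", frozenset({"host-a"}), "1001"),
    Alert("a2", frozenset({"host-b"}), "1001"),
    Alert("a3", frozenset({"host-b"})),
    Alert("a4", frozenset({"host-z"})),
    Alert("a5", frozenset({"host-a"}), "2002"),
]

def _new_case(cases, source_grouping_id):
    case = Case(case_id=len(cases) + 1, source_grouping_id=source_grouping_id)
    cases.append(case)
    return case

def group_alerts(alerts, use_source_grouping=True):
    """Assumed grouping rule: with the toggle on, an alert that carries a source grouping
    identifier joins (or opens) the case for that identifier; alerts without one, or all
    alerts when the toggle is off, join the first case sharing an entity."""
    cases = []
    for alert in alerts:
        target = None
        if use_source_grouping and alert.source_grouping_id is not None:
            target = next((c for c in cases if c.source_grouping_id == alert.source_grouping_id), None)
            if target is None:
                target = _new_case(cases, alert.source_grouping_id)
        else:
            target = next((c for c in cases if c.entities & alert.entities), None)
            if target is None:
                target = _new_case(cases, None)
        target.alerts.append(alert.alert_id)
        target.entities |= alert.entities
    return cases
```

With the toggle on, `a1`/`a2` land in one case by offense even though they share no entity, and `a3` joins that case through `host-b`; with it off, `a1` and `a5` are grouped by `host-a` instead.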
Thanks for the enlightenment. So this is an optional attribute to use only if the data source has its own grouping mechanism, right? Our source of ingestion, for example, is Elastic, so the source grouping identifier wouldn't apply in this case?
Hi, it can be used as you wish as long as it makes sense. Qradar specifically has its own grouping mechanism by offenses, so it makes sense to group alerts on Siemplify by the offense ID from Qradar.