Skip to main content

Differentiating between Group entities and source grouping identifiers

  • January 19, 2022
  • 5 replies
  • 30 views
J
Forum|alt.badge.img+7

Hello everyone,

Please can someone elaborate on this, differentiating between Group entities and source grouping identifiers and what happens when this is toggled on ?

Group entities and source grouping identifiers in the same case

5 replies

T
Forum|alt.badge.img+1

Hi @Joseph , group entities is a way to group cases by mutual entities.
Source grouping identifier is a way to group alerts by external identifier such as Qradar offense ID (for example, in Qradar alerts are being grouped in the product).
When the toggle is turned on - it means that it will try to group by the source grouping identifier (qradar) and if not - it will group by mutual entities

J
Forum|alt.badge.img+7
  • Joseph3
  • Author
  • New Member
  • January 24, 2022

@Tom Shilansky thanks for your response. Does this mean using the source grouping identifier has to do with a settings in the connector or how does Siemplify know the grouping identifier the data source is using?

T
Forum|alt.badge.img+1

The source grouping identifier is integrated in the connector's logic (e.g. Qradar Correlation Events Connector V2)

View files in slack

J
Forum|alt.badge.img+7
  • Joseph3
  • Author
  • New Member
  • January 24, 2022

Thanks for the enlightenment @Tom Shilansky . So this is an optional attribute to use only if the data source has its own grouping mechanism, right? Our source of ingestion for example is elastic, so source grouping identifier wouldnt apply in this case?

T
Forum|alt.badge.img+1

Hi @Joseph , it can be used as you wish as long as it make sense.. Qradar specifically has it's own grouping mechanism by offenses, so it make sense to group alerts on Siemplify by the offense ID from Qradar

Terms & ConditionsCookie settingsAccessibility statement
Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

© 2025 Google. All rights reserved.