I'm trying to better understand how grouping by identifiers works for entities and origins.

https://cloud.google.com/chronicle/docs/soar/investigate/working-with-alerts/alert-grouping-mechanism-admin

From the documentation, I understand that by enabling this feature, alerts in SIEM will be grouped from a sourceGroupIdentifier. The question here is, how is this identifier defined from SIEM alerts?

Is this identifier created based on the SOAR ontology rules? If I want to create a grouping based on some field present in the result of my detections, is that possible?

Hi,

The sourceGroupIdentifier is a specific field originating from the external system that sends alerts into SecOps. It is designed to carry over the native grouping or incident ID from that source.
There are two primary ways to achieve grouping based on a field in your detection:

1. Entity Grouping
- When configuring alert grouping rules (under SOAR Settings > Advanced > Alerts Grouping), you can choose to Group By: Entities.
- You define which entities (e.g., Source IP, Destination IP, Username) should be considered for grouping.

If incoming alerts share one or more of these specified entities within a configured timeframe, they will be grouped into the same case.

Example:

2. If the standard entities don't meet your specific grouping needs (e.g., if the field appears only in your detection results), you can use custom fields and map them to support more tailored grouping logic.

Hope this helps!
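To make the two grouping paths from the answer above concrete, here is an added Python illustration. It is not Chronicle/SecOps code and the answer does not spell out the exact matching rules, so the following are assumptions: an alert joins an existing case when it shares at least one configured entity (key, value) pair with that case and arrives within the window measured from the case's most recent alert; an alert that carries a sourceGroupIdentifier is grouped by that identifier alone; and a "custom field" from detection results (here `campaign_id`) is just another entity key you pass in. All alert data is constructed.

```python
"""Entity-based alert grouping, modelled on the behaviour described above.
Added illustration, not Chronicle/SecOps code; matching rules are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


def _t(hhmm: str) -> datetime:
    return datetime(2024, 1, 1, int(hhmm[:2]), int(hhmm[3:]))


# Constructed sample alerts (not real detections). `campaign_id` stands in for a
# custom field that only exists in the detection result.
SAMPLE_ALERTS = [
    {"id": "A1", "time": _t("10:00"), "entities": {"src_ip": "10.0.0.5", "user": "alice", "campaign_id": "camp-7"}},
    {"id": "A2", "time": _t("10:05"), "entities": {"src_ip": "10.0.0.5", "user": "bob"}},
    {"id": "A3", "time": _t("10:07"), "entities": {"user": "bob", "dst_ip": "203.0.113.9"}},
    {"id": "A4", "time": _t("11:30"), "entities": {"src_ip": "10.0.0.5", "campaign_id": "camp-7"}},
    {"id": "A5", "time": _t("10:08"), "entities": {"host": "ws-17"}, "sourceGroupIdentifier": "EDR-INC-42"},
    {"id": "A6", "time": _t("10:09"), "entities": {"host": "ws-18"}, "sourceGroupIdentifier": "EDR-INC-42"},
]


@dataclass
class Case:
    case_id: int
    group_key: Optional[str]      # sourceGroupIdentifier, if the source supplied one
    last_seen: datetime           # time of the most recent alert in the case
    alert_ids: list = field(default_factory=list)
    entities: set = field(default_factory=set)   # (key, value) pairs seen so far


def entity_pairs(alert: dict, entity_keys) -> set:
    """Only the configured entity types take part in matching (assumption)."""
    return {(k, alert["entities"][k]) for k in entity_keys if k in alert["entities"]}


def group_alerts(alerts, entity_keys, window_minutes: int) -> list:
    window = timedelta(minutes=window_minutes)
    cases: list = []
    for alert in sorted(alerts, key=lambda a: a["time"]):
        sgi = alert.get("sourceGroupIdentifier")
        pairs = entity_pairs(alert, entity_keys)
        target = None
        if sgi:
            # Native grouping id from the source takes precedence (assumption).
            target = next((c for c in cases if c.group_key == sgi), None)
        else:
            for c in cases:
                if c.group_key is not None:
                    continue                      # identifier-grouped cases are closed to entity matching
                if alert["time"] - c.last_seen > window:
                    continue                      # outside the configured timeframe
                if pairs & c.entities:
                    target = c                    # any shared entity is enough
                    break
        if target is None:
            target = Case(len(cases) + 1, sgi, alert["time"])
            cases.append(target)
        target.alert_ids.append(alert["id"])
        target.entities |= pairs
        target.last_seen = alert["time"]
    return cases


def case_membership(alerts, entity_keys, window_minutes: int) -> list:
    """Alert ids per case, in case-creation order."""
    return [c.alert_ids for c in group_alerts(alerts, entity_keys, window_minutes)]


if __name__ == "__main__":
    for c in group_alerts(SAMPLE_ALERTS, ("src_ip", "user"), 30):
        print(c.case_id, c.group_key, c.alert_ids)
```

With `("src_ip", "user")` and a 30-minute window, A1/A2/A3 chain into one case through the shared source IP and then the shared user, A5/A6 form their own case via the EDR's sourceGroupIdentifier, and A4 lands in a fresh case because it arrives 83 minutes after the case's last alert. Passing `("campaign_id",)` with a 3-hour window instead groups A1 and A4 together, which is the custom-field route from point 2.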