Solved

Issues with the "Blocklist" - Exclusion does not work

  • November 23, 2024
  • 9 replies
  • 61 views

ORBR

Hello team,

Some of our alerts are grouped into one case because of a similar IP Address (0.0.0.0).

When trying to exclude this specific IP on the Blocklist page (Don't group / Don't create entity), it keeps showing the IP and grouping by it.

What might be the reason for that?

Best answer by SoarAndy


Thanks for checking.
I can't see anything obvious from the pictures, so I'm sorry, but at this point I think someone needs to have a look through the config live, and for this the Support teams are best suited. Sorry I can't point you more in the right direction. Andy

9 replies

  • Bronze 1
  • November 23, 2024

Where does the alert come from (SIEM, EDR/FW/etc. SOAR Connector)? There could be grouping done closer to the source that is causing this.

Do you have both "don't group" and "don't create entity" created for this IP? The "don't create entity" entry might be the cause of issues for the "don't group" one if that is the case.

You can also create specific alert grouping settings so that it groups on an entity you do want it to group by (host, user, rule, product, etc.).
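To make the two exclusion actions this reply contrasts concrete, here is an added illustration in Python. It is not Chronicle SOAR's own code or data model: alerts, the blocklist shape (a map from (entity type, value) to an action) and the sample data are all constructed assumptions. "Don't create entity" removes the value before the alert is stored, so nothing can ever group on it; "don't group" keeps the entity on the alert but leaves it out of the keys used to join alerts into a case. A per-rule `group_on` tuple stands in for the custom grouping settings mentioned above.

```python
"""Toy model of entity-based alert grouping with a blocklist.

Constructed example; it is not Chronicle SOAR's grouping implementation.
"""
from typing import Dict, List, Set, Tuple

# entity type -> values, e.g. {"ADDRESS": {"10.0.0.5"}}
Entities = Dict[str, Set[str]]
# hypothetical blocklist shape: (entity type, value) -> action
Blocklist = Dict[Tuple[str, str], str]

DONT_CREATE_ENTITY = "don't create entity"
DONT_GROUP = "don't group"


def apply_entity_creation_blocklist(entities: Entities, blocklist: Blocklist) -> Entities:
    """Drop values marked "don't create entity" before the alert is stored."""
    kept: Entities = {}
    for etype, values in entities.items():
        allowed = {v for v in values if blocklist.get((etype, v)) != DONT_CREATE_ENTITY}
        if allowed:
            kept[etype] = allowed
    return kept


def grouping_keys(entities: Entities, blocklist: Blocklist,
                  group_on: Tuple[str, ...]) -> Set[Tuple[str, str]]:
    """Entity keys eligible to join alerts into a case.

    Only the entity types listed in group_on count, and values marked
    "don't group" stay on the alert but are skipped here.
    """
    keys: Set[Tuple[str, str]] = set()
    for etype in group_on:
        for value in entities.get(etype, set()):
            if blocklist.get((etype, value)) != DONT_GROUP:
                keys.add((etype, value))
    return keys


def group_alerts(alerts: Dict[str, Entities], blocklist: Blocklist,
                 group_on: Tuple[str, ...] = ("ADDRESS",)) -> List[List[str]]:
    """Return cases as sorted lists of alert ids.

    Alerts that share any eligible grouping key end up in the same case
    (union-find over alert ids).
    """
    parent = {aid: aid for aid in alerts}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    def union(a: str, b: str) -> None:
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    first_seen: Dict[Tuple[str, str], str] = {}
    for aid, entities in alerts.items():
        stored = apply_entity_creation_blocklist(entities, blocklist)
        for key in grouping_keys(stored, blocklist, group_on):
            if key in first_seen:
                union(first_seen[key], aid)
            else:
                first_seen[key] = aid

    cases: Dict[str, List[str]] = {}
    for aid in alerts:
        cases.setdefault(find(aid), []).append(aid)
    return sorted(sorted(members) for members in cases.values())


# Constructed sample alerts: 0.0.0.0 appears as an ADDRESS entity on three of them.
SAMPLE_ALERTS: Dict[str, Entities] = {
    "A1": {"ADDRESS": {"0.0.0.0", "10.0.0.5"}, "HOSTNAME": {"web-01"}},
    "A2": {"ADDRESS": {"0.0.0.0"}, "HOSTNAME": {"db-01"}},
    "A3": {"ADDRESS": {"10.0.0.5"}, "HOSTNAME": {"web-02"}},
    "A4": {"ADDRESS": {"0.0.0.0"}, "HOSTNAME": {"web-01"}},
}


def demo() -> Dict[str, List[List[str]]]:
    """Show how each exclusion action changes the resulting cases."""
    no_blocklist: Blocklist = {}
    dont_group: Blocklist = {("ADDRESS", "0.0.0.0"): DONT_GROUP}
    dont_create: Blocklist = {("ADDRESS", "0.0.0.0"): DONT_CREATE_ENTITY}
    return {
        # 0.0.0.0 and 10.0.0.5 chain every alert into one case
        "no_blocklist": group_alerts(SAMPLE_ALERTS, no_blocklist),
        # 0.0.0.0 is ignored for grouping; only 10.0.0.5 joins A1 and A3
        "dont_group": group_alerts(SAMPLE_ALERTS, dont_group),
        # same cases, but 0.0.0.0 never becomes an entity at all
        "dont_create_entity": group_alerts(SAMPLE_ALERTS, dont_create),
        # custom grouping setting: group on HOSTNAME instead of ADDRESS
        "group_on_hostname": group_alerts(SAMPLE_ALERTS, dont_group, ("HOSTNAME",)),
    }


if __name__ == "__main__":
    for name, cases in demo().items():
        print(f"{name}: {cases}")
```

Either action stops 0.0.0.0 from pulling A2 and A4 into the case in this model; the difference is whether the entity is still visible on the alert afterwards. If a real system still groups on the value after both actions, the value is being attached somewhere the blocklist does not see (for example at the source or by the rule's mapping), which is the direction the rest of this thread takes.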


ORBR
  • Author
  • Bronze 5
  • November 23, 2024



This is a SIEM connector.

I can only choose one action for each entity value, so it's either "don't group" or "don't create entity"; neither of them seems to work with this 0.0.0.0 IP.

I do want to use the "ADDRESS" entity type for these alerts, but not for 0.0.0.0.


  • Bronze 1
  • November 23, 2024



Does the SIEM rule have anything in the match section for grouping?

Is the IP being mapped to the Address entity type in alerts?


ORBR
  • Author
  • Bronze 5
  • December 3, 2024



Actually no, there is no IP 0.0.0.0 in these alerts at all.


SoarAndy
Staff
  • Staff
  • December 6, 2024

Can you share screenshots please:
  • The entity in the Alert
  • The Alerts in the Case
  • The config of your 0.0.0.0 do-not-group-by entry

Thanks


ORBR
  • Author
  • Bronze 5
  • December 11, 2024



Hi @SoarAndy , sure.

I checked the ontology for each event, no IP is mapped, and no IP 0.0.0.0 was found in the raw data.

This is the rule:

Please help with this, we get a lot of grouping issues.


SoarAndy
Staff
  • Staff
  • December 11, 2024



Just to confirm, in your first image the 5 events are all part of 1 alert from that remote technology... I mean that no Alert Grouping happened in SOAR, is that right?


ORBR
  • Author
  • Bronze 5
  • December 12, 2024



All 5 events are part of 1 alert.

There are other alerts that were grouped because of this IP (which does not exist).


SoarAndy
Staff
  • Staff
  • Answer
  • December 12, 2024



Thanks for checking.
I can't see anything obvious from the pictures, so I'm sorry, but at this point I think someone needs to have a look through the config live, and for this the Support teams are best suited. Sorry I can't point you more in the right direction. Andy