Skip to main content

Hello! I'm trying to use source_grouping_identifier to drive alert grouping in SOAR. There's a relevant post here, and the SOAR documentation is here.

The field is showing on the SOAR UI, but SOAR is creating a separate case for each alert rather than grouping them into the same case.  Has anyone had any success using source_grouping_identifier to drive alert grouping? The config seems pretty simple, so I'm not sure what I'm doing wrong. A screenshot of my grouping config is attached. Thanks much!

Hi @willzj ! If source_grouping_identifier is showing in the UI but alerts are not being grouped, a few things to check:

  1. Ensure all incoming alerts have the same exact value in the source_grouping_identifier field — even small differences will prevent grouping.

  2. Verify the field is being mapped correctly from the alert source to the alert entity in SOAR. You can confirm this in the raw alert payload.

  3. Check the rule order – your rule using Source Grouping Identifier must be above the fallback rule if there are more specific matching rules.

  4. No conflicting rules – If other rules match the alerts earlier (by type, product, etc.), grouping by source_grouping_identifier may be skipped.

If all looks correct and it's still not grouping, try creating a test alert manually with the field to isolate the issue.

Terms & ConditionsCookie settingsAccessibility statement
Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

© 2025 Google. All rights reserved.