Hello Team, Can someone help me to find-out solution for below problem?
This single case has total number of alerts 3, 1 of alerts
is Truly malicious
however other 2 are False. But the alerts club in same case. Now the challenge is If we will execute playbook it will take action against all the attach alerts.
Is there any solution we can make these alerts separately club and our playbook action on a case don't create any issue? Also can tell me why this is happening?
Thanks in advance
True and false alerts in the same case
+1
+9
You can move the malicious alert to a new case. Then run the in against the new case.
Check you didn't create any unnecessary entities that may have led to the alerts being automatically connected.
+1
@recon_acook
thanks for the response, I checked the option to move the alert to a new case or create a new case, also to attach with new playbooks and execute accordingly however, I wanted to know what other criteria we can cover to differ the alerts following the entities and make the alerts separate if un-common entities are there.
just for the example - we have entities like our user, endpoint name and endpoint IP, few common windows file (Winlogon.exe, explorer.exe.........) executing a legitimate application those are business related and generating alerts as we are new to the SIEMPLIFY platform. Still there are few uncommon entities those are not business related and malicious clubbed to the same case because these uncommon entities also got executed with same common windows file (Winlogon.exe, explorer.exe.........).
I hope I am able to make the scenario clear.
+9
Ah, got it! You can do this through Blocklists (Settings→Environments→Blocklist). Select "Do not group alerts" and set one up for each entity that is causing issues.
View files in slack
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.