The Siemplify Alert Grouping mechanism groups alerts into the same case if they share at least one entity and are ingested within a configured time frame. For example, suppose an alert “C&C traffic” with destination host 10.1.1.13 is added at 10:00 AM to a case called “Malware Found”.
Another alert, “User account changed”, with the same destination host is seen at 11:00 AM. Siemplify identifies the entity common to both alerts, sees that the second alert falls within the configured time frame, and groups it into the “Malware Found” case.
Navigate to Settings > Advanced > Alerts Grouping to configure the settings.
Max alerts grouping into a case: Once a case holds this many alerts, any further alert ingested within the timeframe (the 21st alert and onwards, for example) is pushed into a new case instead.
Grouping type: Can be either entities or SourceGroupingIdentifier (an identifier defined elsewhere – usually at the source).
Timeframe for grouping alerts (in hours): If a new alert shares an entity (such as a source address, URL, hostname etc.) with an existing alert within the configured timeframe, the new alert is grouped into that existing case. After this timeframe has passed, alerts are ingested into a new case.
Match Entities by: Can choose between SourcesOnly, DestinationsOnly, or BothDirections.
The following example illustrates the importance of the Match Entities by field.
If there are three alerts A, B and C where A and B have one common entity, and one of A or B has another common entity with C, then all three alerts are grouped together. For example, let’s say 192.168.1.30 in alert A is a source address that interacts with google.com. In the meantime, another internal host, 192.168.1.31, connects to 192.168.1.30, which makes 192.168.1.30 a destination address in that second alert. Now, if Match Entities by is set to DestinationsOnly or SourcesOnly, these alerts won’t be grouped, because the shared address is a source in one alert and a destination in the other. However, if BothDirections has been selected, the alerts will be grouped.
Let’s take another example where the Match Entities by field is set to DestinationsOnly. Now, at 10:46 PM there is an alert called “Data Exfiltration” which is put into a case called DLP_Product. It currently only has one alert in this case.
This alert contains four entities. One of them is “10.0.0.28”, which is a destination address.
If an alert with the same destination address is ingested within configured time frame, it will be grouped with the earlier one.
The recently ingested alert has the following entities:
And is therefore grouped into the same case.
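As an added illustration (not Siemplify’s own code), the following Python sketch models the grouping rules described above: a shared entity, the Match Entities by setting, the grouping timeframe and the per-case alert limit. The alert names, entity values, timestamps and the defaults of 24 hours and 20 alerts are constructed assumptions, and demo() reproduces the 192.168.1.30 / 192.168.1.31 example under each Match Entities by setting.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Entity:
    value: str      # e.g. "192.168.1.30" or "google.com"
    direction: str  # "source" or "destination"

@dataclass(frozen=True)
class Alert:
    name: str
    time: datetime
    entities: frozenset  # frozenset[Entity]

def match_keys(alert, match_by):
    """Entity values an alert may be grouped on under the 'Match Entities by' setting."""
    if match_by == "SourcesOnly":
        return {e.value for e in alert.entities if e.direction == "source"}
    if match_by == "DestinationsOnly":
        return {e.value for e in alert.entities if e.direction == "destination"}
    if match_by == "BothDirections":
        return {e.value for e in alert.entities}
    raise ValueError(f"unknown Match Entities by value: {match_by}")

def group_alerts(alerts, match_by="BothDirections", timeframe_hours=24, max_alerts=20):
    """Assign alerts, in ingestion order, to cases (each case is a list of alerts): an alert
    joins the first case holding a matching entity inside the timeframe; full cases get none."""
    cases, window = [], timedelta(hours=timeframe_hours)
    for alert in sorted(alerts, key=lambda a: a.time):
        keys = match_keys(alert, match_by)
        target = next(
            (case for case in cases
             if len(case) < max_alerts
             and any(alert.time - earlier.time <= window and keys & match_keys(earlier, match_by)
                     for earlier in case)),
            None)
        if target is None:          # no eligible case: open a new one
            target = []
            cases.append(target)
        target.append(alert)
    return cases

def demo():
    """Constructed sample data (assumed values) reproducing the page's source/destination example."""
    t0 = datetime(2024, 1, 1, 10, 0)
    a = Alert("C&C traffic", t0, frozenset({Entity("192.168.1.30", "source"), Entity("google.com", "destination")}))
    b = Alert("User account changed", t0 + timedelta(hours=1),
              frozenset({Entity("192.168.1.31", "source"), Entity("192.168.1.30", "destination")}))
    return {m: len(group_alerts([a, b], match_by=m)) for m in ("SourcesOnly", "DestinationsOnly", "BothDirections")}
```

Under SourcesOnly and DestinationsOnly the two alerts land in two cases; under BothDirections they share one case because 192.168.1.30 appears in both, regardless of direction.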