Hi All,
In Chronicle SOAR,
3 different alerts from Falcon have been grouped into a single case.
Note: the grouping condition defined is that it should group only if all entities match.
But what happened is that alerts are being grouped together even when not all entities meet the specified grouping conditions, which require all entities to match.
Question:
Why are these alerts being grouped into a case when not all entities are matching?
Do you have the default grouping rule in place?
If so, technically the algorithm will take all entities into account. So the rule really reads "do any of the entities match".
All would indicate an or operator between the entities.
So why does it also group a new alert, with no configured entities at all, and different alert name, into an existing case?
I'm not understanding why it grouped different alerts into a case when no entities are common.
I would probably need to see the case in order to say for sure.
How it works though is that it will take the entities for each alert individually and identify if any of the alerts in any of the other alerts match. It doesn't have to be the same entity in all alerts. Does that make sense?
So is it like if any one entity matches between the alerts, it will group based on the default grouping rule?
Yes, this is because Alert Grouping also covers alerts across solutions, so if Initial Compromise and Lateral movement parts of the kill chain are found, and if they share just 1 entity (IP, process ID, etc) we group them.
If we only grouped if ALL entities matching this feature would really be alert deduplication only.
Andy
If it groups different alerts based on one or more entities in common, then logically the case name should also change, right?
But the case name will be based on the first alert.
Correct, Case name is based on the first alert. You can change this with an action in the playbook if you wanted to.
As for grouping yes, default rules will look at entities and group them together matching entities within the time frame set. You are able to change the rules for grouping per the source, product, and event type and by doing so it would change the behavior.
Thank you!!
Yes, default grouping is in place.
Are you trying to say that if any one entity matches, it is going to group?
But 3 different alerts are being grouped here.
Hello,
Create a blocklist to exclude entities from alerts.
SOAR will group identified entities together, which may include process IDs, processes, or other elements. To prevent certain items from being recognized as entities, use the Blocklist in SOAR Settings > Environments > Blocklist.
Thanks
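The grouping behaviour described in the replies above (an alert joins a case if it shares any one entity with an alert already in it, within the time frame, and the case keeps the first alert's name) together with the blocklist suggestion in the last reply, simulated in Python as an added example. This is not Chronicle SOAR code or its API; the alerts, entity strings and 24-hour window are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Alert:
    alert_id: str
    name: str
    created: datetime
    entities: frozenset  # constructed entity strings such as "IP:10.0.0.5", "PID:4242"


def group_alerts(alerts, window=timedelta(hours=24), blocklist=frozenset()):
    """Simulate the default rule as the thread describes it: an alert joins the first
    open case with which it shares at least ONE non-blocklisted entity, provided it
    falls inside the time window measured from that case's first alert. Matching is
    transitive through the case's accumulated entities, so A3 can join A1's case by
    sharing an entity only with A2. The case keeps the name of its first alert."""
    cases = []  # each case: name, alert_ids, entities seen so far, opened timestamp
    for alert in sorted(alerts, key=lambda a: a.created):
        ents = alert.entities - blocklist  # blocklisted values never count as entities
        target = None
        for case in cases:
            if ents & case["entities"] and alert.created - case["opened"] <= window:
                target = case
                break
        if target is None:  # no shared entity (or no entities at all): open a new case
            target = {"name": alert.name, "alert_ids": [], "entities": set(),
                      "opened": alert.created}
            cases.append(target)
        target["alert_ids"].append(alert.alert_id)
        target["entities"] |= ents
    return cases


# Constructed sample alerts (not real Falcon data). A1/A2 share only the IP and A2/A3
# share only the PID, so "all entities match" never holds, yet all three chain together.
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE_ALERTS = [
    Alert("A1", "Malware detected", T0, frozenset({"HOST:ws-01", "IP:10.0.0.5"})),
    Alert("A2", "Suspicious connection", T0 + timedelta(minutes=10), frozenset({"IP:10.0.0.5", "PID:4242"})),
    Alert("A3", "Credential access", T0 + timedelta(minutes=30), frozenset({"PID:4242", "USER:bob"})),
    Alert("A4", "Phishing reported", T0 + timedelta(hours=1), frozenset({"USER:alice"})),
]

if __name__ == "__main__":
    for label, bl in (("default rule", frozenset()), ("PID:4242 blocklisted", frozenset({"PID:4242"}))):
        print(label)
        for case in group_alerts(SAMPLE_ALERTS, blocklist=bl):
            print(f"  case '{case['name']}': {case['alert_ids']}")
```

Blocklisting the shared PID splits A3 off into its own case, which is the effect the last reply is pointing at.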