Hello team,
Some of our alerts are grouped into one case because of a similar IP Address (0.0.0.0).
When trying to exclude this specific IP on the Blocklist page (Don't group / Don't create entity), it keeps showing the IP and grouping by it.
What might be the reason for that?
Where does the alert come from (SIEM, EDR/FW/etc. SOAR Connector)? There could be grouping done closer to the source that is causing this.
Do you have both "don't group" and "don't create entity" created for this IP? The "don't create entity" might be the cause of issues for the "don't group" if that is the case.
You can also create specific alert grouping settings so that it groups on an entity you do want it to group by (host, user, rule, product, etc.).
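To make the grouping behaviour discussed in this thread concrete, here is an added example (not Chronicle SOAR's own code, and not anything posted by the participants) that models entity-based alert grouping: a hypothetical connector mapping, a hypothetical blocklist with the two actions named above ("don't group" / "don't create entity"), and a grouping key built from entity values. It shows the failure mode a placeholder value such as 0.0.0.0 causes when it reaches the grouping key (unrelated alerts collapse into one case) and two mitigations: honouring the blocklist action, and never grouping on unspecified/loopback addresses at all. The alerts and the `raw_ip` / `host` / `rule` field names are constructed for the example.

```python
"""Added example: model of entity-based alert grouping and why a placeholder IP
such as 0.0.0.0 collapses unrelated alerts into one case.  Not SOAR vendor code."""
from __future__ import annotations

import ipaddress
from collections import defaultdict

# Constructed sample alerts.  raw_ip is None when the source event had no IP field.
SAMPLE_ALERTS = [
    {"id": "A1", "rule": "Brute force", "host": "srv-01", "raw_ip": None},
    {"id": "A2", "rule": "Malware", "host": "wks-17", "raw_ip": None},
    {"id": "A3", "rule": "Brute force", "host": "srv-01", "raw_ip": "10.0.0.5"},
    {"id": "A4", "rule": "Port scan", "host": "fw-01", "raw_ip": "10.0.0.5"},
]

# Hypothetical blocklist: entity value -> action, mirroring the two options in the thread.
BLOCKLIST = {"0.0.0.0": "dont_group"}


def map_address(raw_ip: str | None, default_missing_to_zero: bool) -> str | None:
    """Hypothetical connector mapping.  Some integrations fill a missing IP with
    0.0.0.0; that is the assumed root of the symptom this example reproduces."""
    if raw_ip is None:
        return "0.0.0.0" if default_missing_to_zero else None
    return raw_ip


def is_placeholder(ip: str) -> bool:
    """True for values that must never drive grouping: unparseable strings,
    the unspecified address (0.0.0.0 / ::) and loopback."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return addr.is_unspecified or addr.is_loopback


def entities_for(alert: dict, default_missing_to_zero: bool, respect_blocklist: bool) -> dict:
    """Build the entity set for one alert; 'dont_create_entity' suppresses the entity."""
    ents = {"host": alert["host"], "rule": alert["rule"]}
    addr = map_address(alert["raw_ip"], default_missing_to_zero)
    if addr is None:
        return ents
    if respect_blocklist and BLOCKLIST.get(addr) == "dont_create_entity":
        return ents
    ents["address"] = addr
    return ents


def grouping_key(entities: dict, group_on: tuple, respect_blocklist: bool) -> tuple:
    """Key used to merge alerts into a case.  An empty key means 'do not group'."""
    parts = []
    for etype in group_on:
        val = entities.get(etype)
        if val is None:
            continue
        if respect_blocklist and BLOCKLIST.get(val) == "dont_group":
            continue
        if respect_blocklist and etype == "address" and is_placeholder(val):
            continue
        parts.append((etype, val))
    return tuple(parts)


def group_alerts(alerts: list, group_on: tuple = ("address",),
                 default_missing_to_zero: bool = True,
                 respect_blocklist: bool = True) -> list:
    """Return the cases as a sorted list of alert-id tuples."""
    cases = defaultdict(list)
    singles = []
    for alert in alerts:
        key = grouping_key(entities_for(alert, default_missing_to_zero, respect_blocklist),
                           group_on, respect_blocklist)
        if key:
            cases[key].append(alert["id"])
        else:
            singles.append((alert["id"],))
    return sorted([tuple(ids) for ids in cases.values()] + singles)


if __name__ == "__main__":
    # The symptom from the thread: A1 and A2 share nothing but a filled-in 0.0.0.0.
    print("naive   :", group_alerts(SAMPLE_ALERTS, respect_blocklist=False))
    # Mitigation 1: honour the blocklist / placeholder check in the grouping key.
    print("filtered:", group_alerts(SAMPLE_ALERTS))
    # Mitigation 2: fix the mapping so a missing IP stays missing.
    print("no-fill :", group_alerts(SAMPLE_ALERTS, default_missing_to_zero=False,
                                    respect_blocklist=False))
```

The `no-fill` run is the check worth doing first when a case groups on a value the raw events do not contain: if the connector or ontology mapping defaults an absent field to 0.0.0.0, every alert with a missing IP ends up with the same address entity, and a blocklist entry then only papers over the mapping problem.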
This is a SIEM connector.
I can only choose one action for each entity value, so it's either "don't group" or "don't create entity"; neither of them seems to work with this 0.0.0.0 IP.
I do want to use the "ADDRESS" entity type for these alerts, but not for 0.0.0.0
Does the SIEM rule have anything in the match section for grouping?
Is the IP being mapped to the Address entity type in alerts?
Actually no, there is no IP 0.0.0.0 in these alerts at all.
Can you share screenshots please:
The entity in the Alert
The Alerts in the Case
The config of your 0.0.0.0 do-not-group-by entry
Thanks
Hi @SoarAndy , sure.
I checked the ontology for each event, no IP is mapped, and no IP 0.0.0.0 was found in the raw data.
This is the rule:
Please help with this, we get a lot of grouping issues.
Just to confirm, in your first image the 5 events are all part of 1 alert from that remote technology... I mean that no Alert Grouping happened in SOAR, is that right?
All 5 events are part of 1 alert.
There are other alerts that were grouped because of this IP (which does not exist).
Thanks for checking.
I can't see anything obvious from the pictures, so I'm sorry at this point I think someone needs to have a look through the config live, and for this the Support teams are best suited. Sorry I can't point you more in the right direction. Andy