What is the source grouping identifier in the Alerts Grouping settings?
The source grouping identifier field is used when the alert source has its own built-in grouping mechanism and we want to match those groups in SecOps. The field may be populated by a connector based on the fields that particular source uses for grouping. Not all connectors include this mapping, but an example of one that does is QRadar, which uses offense.id to indicate grouping.
For an example of how that field is populated by a connector, use the IDE to check out the QRadar Offenses Connector, which is included with the QRadar integration from the marketplace, and search for 'alert_info.source_grouping_identifier'.
To see if that field is populated for a particular alert type you can use a manual action against an alert to run 'Get Original Alert Json' (included with the Tools powerup) and review the output to find the 'SourceGroupingIdentifier' field.
Thank you!!
Thanks for this post! source_grouping_identifier is perfect for my use case, but I can't seem to get it working while testing my connector.
I have only 1 grouping rule configured - it's for "All alerts" and group by "Source Grouping Identifier".
I'm hard coding a value for source_grouping_identifier in my connector and when I test via "run connector once" and ingest the results (instructions here: https://cloud.google.com/chronicle/docs/soar/respond/start-developing/testing-the-connector), I see SourceGroupingIdentifier populated with my hardcoded value in the SOAR UI.
I expect each of my ingested test alerts to be grouped into the same case, but they are becoming different cases. Is there some additional action I need to take somewhere for the grouping rule to take effect? Thanks!
@willzj It looks like you might be writing that SourceGroupingIdentifier into the event instead of the alert. Try moving it up to the parent alert in the connector. Should look something like this in the alert json.
Thanks for the reply Jeremy! It was actually configured correctly, but it seems that the grouping settings don't work while testing the connector. When I flipped the connector on so it was actually being scheduled, all the alerts were grouped as expected.
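An added example (not code from the thread, the QRadar connector, or the SecOps SDK) that puts the two points above side by side: a connector mapping the source's own grouping key (QRadar's offense.id in the accepted answer) onto the alert-level SourceGroupingIdentifier, and the effect of writing that key into the event instead of the parent alert, as in Jeremy's reply. The dict layout, field names and sample offense records are assumptions standing in for the SDK's AlertInfo object and real QRadar output; `group_into_cases` only simulates a single "All alerts" rule grouping by Source Grouping Identifier so the difference is visible offline.

```python
"""Added example: alert-level vs event-level SourceGroupingIdentifier.

ASSUMPTIONS: the dict shape below stands in for the SDK AlertInfo object
(a real connector sets alert_info.source_grouping_identifier); field names
and the offense records are constructed for this demo.
"""
from collections import OrderedDict

# Constructed sample input: three polled QRadar-style offense updates.
# Records 1 and 3 belong to the same offense (id 1001), so a rule grouping
# by Source Grouping Identifier should put those two alerts in one case.
SAMPLE_OFFENSES = [
    {"id": 1001, "description": "Excessive Firewall Denies",
     "last_updated_time": 1700000000000,
     "events": [{"qid": 48000, "sourceip": "10.0.0.5"}]},
    {"id": 1002, "description": "Brute Force Login",
     "last_updated_time": 1700000060000,
     "events": [{"qid": 48001, "sourceip": "10.0.0.9"}]},
    {"id": 1001, "description": "Excessive Firewall Denies",
     "last_updated_time": 1700000120000,
     "events": [{"qid": 48000, "sourceip": "10.0.0.7"}]},
]


def build_alert(offense, identifier_on_event=False):
    """Build an alert-shaped dict from one offense record.

    The correct mapping copies offense["id"] to the alert's own
    SourceGroupingIdentifier. With identifier_on_event=True the key is
    written only into the event, which is the mis-placement a grouping
    rule will not see.
    """
    alert = OrderedDict()
    alert["TicketId"] = f"{offense['id']}-{offense['last_updated_time']}"
    alert["Name"] = offense["description"]
    alert["DeviceProduct"] = "QRadar"  # assumed value
    alert["SourceGroupingIdentifier"] = None
    event = dict(offense["events"][0])
    if identifier_on_event:
        event["SourceGroupingIdentifier"] = str(offense["id"])
    else:
        alert["SourceGroupingIdentifier"] = str(offense["id"])
    alert["Events"] = [event]
    return alert


def find_grouping_identifier(alert):
    """The check done by eye on 'Get Original Alert Json' output: return the
    alert-level SourceGroupingIdentifier, or None if it is empty/missing."""
    value = alert.get("SourceGroupingIdentifier")
    return value if value else None


def misplaced_identifiers(alert):
    """Return any SourceGroupingIdentifier values found on events rather
    than on the alert, so a mis-placed mapping is easy to spot."""
    return [e["SourceGroupingIdentifier"] for e in alert.get("Events", [])
            if e.get("SourceGroupingIdentifier")]


def group_into_cases(alerts):
    """Simulate one 'All alerts' rule grouping by Source Grouping Identifier.

    Alerts sharing an alert-level identifier join the same case; an alert
    without one opens its own case keyed by its ticket id.
    """
    cases = OrderedDict()
    for alert in alerts:
        key = find_grouping_identifier(alert)
        case_key = f"group:{key}" if key else f"single:{alert['TicketId']}"
        cases.setdefault(case_key, []).append(alert["TicketId"])
    return cases


if __name__ == "__main__":
    correct = [build_alert(o) for o in SAMPLE_OFFENSES]
    wrong = [build_alert(o, identifier_on_event=True) for o in SAMPLE_OFFENSES]
    print("identifier on alert:", dict(group_into_cases(correct)))
    print("identifier on event:", dict(group_into_cases(wrong)))
    for a in wrong:
        print(a["TicketId"], "alert-level:", find_grouping_identifier(a),
              "event-level:", misplaced_identifiers(a))
```

Running it shows two cases when the identifier sits on the alert and three separate cases when it is only on the event, which is exactly what to look for in the 'Get Original Alert Json' output before blaming the grouping rule.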