This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Log in to ask a question

source_grouping_identifier not working for alert grouping

Posted Tuesday
willzj
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

Hello! I'm trying to use source_grouping_identifier to drive alert grouping in SOAR. There's a relevant post here, and the SOAR documentation is here.

The field is showing on the SOAR UI, but SOAR is creating a separate case for each alert rather than grouping them into the same case.  Has anyone had any success using source_grouping_identifier to drive alert grouping? The config seems pretty simple, so I'm not sure what I'm doing wrong. A screenshot of my grouping config is attached. Thanks much!

grouping.png

Solved Solved
1 1 45
Topic Labels
Jump to Solution
1 ACCEPTED SOLUTION

Posted on --/--/---- --:-- AM
a_aleinikov
Silver 4
Silver 4
Reply posted on --/--/---- --:-- AM

Hi @willzj ! If source_grouping_identifier is showing in the UI but alerts are not being grouped, a few things to check:

  1. Ensure all incoming alerts have the same exact value in the source_grouping_identifier field — even small differences will prevent grouping.

  2. Verify the field is being mapped correctly from the alert source to the alert entity in SOAR. You can confirm this in the raw alert payload.

  3. Check the rule order – your rule using Source Grouping Identifier must be above the fallback rule if there are more specific matching rules.

  4. No conflicting rules – If other rules match the alerts earlier (by type, product, etc.), grouping by source_grouping_identifier may be skipped.

If all looks correct and it's still not grouping, try creating a test alert manually with the field to isolate the issue.

View solution in original post

Jump to Solution
1 REPLY 1

Posted on --/--/---- --:-- AM
a_aleinikov
Silver 4
Silver 4
Reply posted on --/--/---- --:-- AM

Hi @willzj ! If source_grouping_identifier is showing in the UI but alerts are not being grouped, a few things to check:

  1. Ensure all incoming alerts have the same exact value in the source_grouping_identifier field — even small differences will prevent grouping.

  2. Verify the field is being mapped correctly from the alert source to the alert entity in SOAR. You can confirm this in the raw alert payload.

  3. Check the rule order – your rule using Source Grouping Identifier must be above the fallback rule if there are more specific matching rules.

  4. No conflicting rules – If other rules match the alerts earlier (by type, product, etc.), grouping by source_grouping_identifier may be skipped.

If all looks correct and it's still not grouping, try creating a test alert manually with the field to isolate the issue.

Jump to Solution
Top Solution Authors
View all