Forum Discussion

Copper Contributor

May 23, 2022

Solved

Alert grouping does not work

Hi team, We have an analytics rule that will run every hour. We have configured the alert grouping to "Grouping alerts into a single incident if all the entities match" for the 7-day time frame. ...

alerts

analytics

siem

GaryBushey
May 25, 2022
It will not work if the incidents are closed unless the switch to re-open a closed matched incident is enabled. I don't see any reason why it wouldn't have worked before you closed everything.

burasathi

Copper Contributor

Aug 08, 2023

Steven_Su
Hello Steven,

I have similar problem but in my case I don't have automation and sentinel is not grouping the alerts even though the entity is matching, so can you please let me know is the entity you are using in this rule client_ipaddress_s a list of IPs or single IP?