Grouping alert into incident

Question

@Clive_WatsonHello all&nbsp;I have a query regarding the alert grouping in sentinel . For one of the out of the box rules I deployed which runs every hour, I have added alert grouping into one incident for 24 hour if&nbsp;&nbsp;&nbsp;the defined entity matches but this is not working as expected. Even though the entity matched this rule is creating new incident every hour.&nbsp;I have used following fields for entity matching under alert enhancement sectionOperationNameList&nbsp;-&nbsp;This will have list of &nbsp;operations that triggered the alert.CallerObjectId -&nbsp;This is the &nbsp;account that performed the action&nbsp;CallerIPMax –&nbsp;This is most recent IP&nbsp;from which this operation was performed.&nbsp;Even operation list was also same and in same order. Operationlist field have set of values so Can this &nbsp;prevent it from being grouped into one incident? Does anyone know any reason for it to be not grouping the alert into one incident. Any suggestions would be appreciated.Thank you

raphaelcustodiosoares · Answer

Hello burasathiplease upload the rule here for analyse or an screenshot

burasathi · Answer

raphaelcustodiosoares&nbsp;Hello Raphael,&nbsp;Thank you for the reply. I cannot add the rule in full here because of some client information in the rule. but most of the part of the rule is from out of the box sentinel rule called&nbsp;Mass Secret Retrieval From Azure Key Vault. For entity mapping in sentinel we have used following fields&nbsp;OperationNameList&nbsp;-&nbsp;This will have list of &nbsp;operations that triggered the alert.CallerObjectId -&nbsp;This is the &nbsp;account that performed the action&nbsp;CallerIPMax –&nbsp;This is most recent IP&nbsp;from which this operation was performed.&nbsp;We have done following settings :Under incident settings we have done following settings:&nbsp;Even though all the entity are matching this rule is creating incident every hour and not grouping then into incident.&nbsp;&nbsp;&nbsp;

kubatom · Answer

burasathi&nbsp;&nbsp;As&nbsp;OperationNameList is a result of make_set operation, it's effectively an array, and its' elements are possibly out of order between the analytical rule's runs, which would cause an entity mismatch i.e.['a', 'b', 'c', 'd'] vs&nbsp;['a', 'c', 'b', 'd']&nbsp;Could this be the case? If so, try projecting this instead:| project-reorder ..., OperationNameList=array_sort_asc(OperationNameList), ...

raphaelcustodiosoares · Answer

burasathihelloyou are using to group when it matches account, id , process. As the ip and the process will always be different, then there will always be a non-grouped incident because it does not match the selected fields.Select last option and mark accountAbout the alerts it is generating too many and because you are evaluating every hour with 1 day data polling time, try to run every 1 hour with 1 hour polling time.if you liked it mark the answer with a like.if you thought this answer helped in any way please mark it as best answer

burasathi · Answer

KubaTom&nbsp;&nbsp;Hello,Yeah initially I thought so and checked the list and they were in same order. but I think using&nbsp;| project-reorder ..., OperationNameList=array_sort_asc(OperationNameList), ..is good I idea to make sure it is always in order.&nbsp;Thank you for the suggestion.

Forum Discussion

Grouping alert into incident

6 Replies

Resources