burasathi
Aug 07, 2023, Copper Contributor
Grouping alert into incident
@Clive_Watson Hello all, I have a query regarding the alert grouping in Sentinel. For one of the out-of-the-box rules I deployed, which runs every hour, I have added alert grouping into one incid...
raphaelcustodiosoares
Aug 08, 2023, Iron Contributor
burasathi
Hello,
You are grouping when it matches account, id, process. As the IP and the process will always be different, there will always be a non-grouped incident because it does not match the selected fields.
Select the last option and mark account.
About the alerts: it is generating too many because you are evaluating every hour with a 1 day data polling time; try to run every 1 hour with a 1 hour polling time.
If you liked it, mark the answer with a like.
If you thought this answer helped in any way, please mark it as best answer.
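As an added example, not code from the thread or from Microsoft, this is how the answer's two suggestions (group on Account only, 1 hour frequency with 1 hour lookback) look in the scheduled rule's own definition in Bicep; the workspace name, rule GUID, display name, query and column names are placeholders.

```bicep
// Added example: Sentinel scheduled rule with alert grouping on Account only.
// Assumptions: workspace name, rule GUID, query and column names are placeholders.
param workspaceName string = '<workspace-name>'
param ruleId string = '00000000-0000-0000-0000-000000000000' // placeholder GUID

resource workspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' existing = {
  name: workspaceName
}

resource rule 'Microsoft.SecurityInsights/alertRules@2023-02-01' = {
  name: ruleId
  scope: workspace
  kind: 'Scheduled'
  properties: {
    displayName: '<out-of-the-box rule name>' // placeholder
    enabled: true
    severity: 'Medium'
    query: '<rule KQL>' // placeholder
    // Thread: rule ran every hour over 1 day of data, so each run re-raised
    // alerts for the same 24 h window; the answer suggests 1 h / 1 h instead.
    queryFrequency: 'PT1H'
    queryPeriod: 'PT1H'
    triggerOperator: 'GreaterThan'
    triggerThreshold: 0
    suppressionEnabled: false
    suppressionDuration: 'PT5H'
    // Entity mappings referenced by the grouping settings below (column names assumed).
    entityMappings: [
      { entityType: 'Account', fieldMappings: [ { identifier: 'FullName', columnName: 'AccountName' } ] }
      { entityType: 'IP', fieldMappings: [ { identifier: 'Address', columnName: 'IpAddress' } ] }
      { entityType: 'Process', fieldMappings: [ { identifier: 'CommandLine', columnName: 'CommandLine' } ] }
    ]
    incidentConfiguration: {
      createIncident: true
      groupingConfiguration: {
        enabled: true
        reopenClosedIncident: false
        lookbackDuration: 'PT5H' // alerts older than this start a new incident
        // 'Selected' is the portal's last grouping option: group alerts whose
        // chosen entity types match.
        matchingMethod: 'Selected'
        // Original setting was Account, IP and Process; any differing IP or
        // process value then produces a separate incident, as the answer notes.
        groupByEntities: [ 'Account' ]
        groupByAlertDetails: []
        groupByCustomDetails: []
      }
    }
  }
}
```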
burasathi
Aug 10, 2023, Copper Contributor
Hello,
I have checked the IP and process; they were the same in each incident it generated every hour, but it was still not grouping. Thank you for the information. I will try reducing the polling time as well.