Forum Discussion

sammyredo
Copper Contributor
Oct 15, 2020

Ignore alerts if Entities Match previous within the last 24 hours

I have a Proofpoint TAP connected to Sentinel. When a user clicks on a malicious link in an email, one of our remediation steps is to have the user change their password. I have encountered a situation whereby Proofpoint generated one alert, but Sentinel generated two of the same alerts, an hour apart, and triggered a playbook twice, resetting the user's password on both occasions. As in the image


I am seeking to create a solution whereby, if a new alert is generated and has entities that match a previously created alert within 24 hours, the second would be ignored and would not trigger the playbook. If there is a dynamic way of preventing this duplication of alerts, that would be the preferred route.
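One way to get the 24-hour suppression described above is to have the scheduled analytics rule check its own earlier alerts before it raises a new one. The KQL below is an added example, not code from the post, from Microsoft or from Proofpoint. It assumes the Proofpoint TAP connector writes permitted clicks to the ProofPointTAPClicksPermitted_CL table with the recipient address in a column named recipient_s (a placeholder; check the column name in your workspace), that the rule is named "Proofpoint TAP - malicious URL clicked" (a placeholder), and that the rule's entity mapping maps the User column to the Account entity's FullName identifier, which is what lets the next run recognise the account in SecurityAlert.Entities.

```kql
// Added example (not from the original post). Scheduled-rule query that suppresses a
// new alert when this same rule already alerted on the account within the last 24 hours.
// Set the rule's "Lookup data from the last" to 1 day so the SecurityAlert lookback is
// actually covered, and "Run query every" to 5 minutes to match runFrequency below.
//
// Assumptions: clicks land in ProofPointTAPClicksPermitted_CL with the recipient in a
// column named recipient_s (placeholder), and the rule name below is a placeholder.
let ruleName = "Proofpoint TAP - malicious URL clicked";
let suppressWindow = 24h;      // ignore repeat clicks by the same account inside this window
let runFrequency = 5m;         // must match the rule's "Run query every" setting
// Accounts this rule has already alerted on inside the suppression window.
// SecurityAlert.Entities is a JSON string; Account entities carry Name and UPNSuffix.
let recentlyAlerted =
    SecurityAlert
    | where TimeGenerated > ago(suppressWindow)
    | where AlertName == ruleName
    | mv-expand entity = parse_json(Entities)
    | where tostring(entity.Type) == "account"
    | extend acctName = tostring(entity.Name), acctSuffix = tostring(entity.UPNSuffix)
    // Rebuild the UPN the rule originally mapped; fall back to the bare name if no suffix
    | extend AlertedUser = tolower(iff(isempty(acctSuffix), acctName, strcat(acctName, "@", acctSuffix)))
    | where isnotempty(AlertedUser)
    | distinct AlertedUser;
// Permitted clicks since the last run, minus accounts that already have a recent alert.
ProofPointTAPClicksPermitted_CL
| where TimeGenerated > ago(runFrequency)
| extend User = tolower(recipient_s)
| where isnotempty(User)
| join kind=leftanti recentlyAlerted on $left.User == $right.AlertedUser
| project TimeGenerated, User
```

Two caveats when using this pattern: the rule's lookup period, not the `ago()` inside the query, bounds how far back SecurityAlert can be read, so the period has to be at least as long as the suppression window; and an alert written by one run can take a few minutes to appear in SecurityAlert, so a click that arrives in the very next run may still slip past the check. A longer run interval, or alert grouping in the rule itself, narrows that gap.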


    • sammyredo
      Copper Contributor

      LodewykV  I have configured to group the alerts if the entities match. I have a question about that function though. So I have configured my query to run every 5 minutes. If I set it to limit the group to alerts created within 1 hour, and after the first alert is generated by the first query run, will the subsequent alerts be added to the first, and won't they trigger an automated playbook? I get that the alerts generated within the hour will be grouped. My question however is how will that affect the automation? The first query runs and generates an alert which triggers a playbook. The query runs again after 45 minutes and generates another alert with the same entities; will that trigger the playbook, or will it just be added to the first alert and not trigger the playbook?


      • Thijs Lecomte
        Bronze Contributor
        Currently there is only one automation possible, which runs every time an alert is created. So even when the same incident has multiple alerts, it will run multiple times.

        There is a new possibility in private preview, which will only trigger once per incident. This would be a solution for you, but it's not GA yet.
