cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Alert grouping does not work

Steven_Su
Copper Contributor

‎May 23 2022 12:40 AM

‎May 23 2022 12:40 AM

Alert grouping does not work

Hi team,

 

We have an analytics rule that will run every hour. We have configured the alert grouping to "Grouping alerts into a single incident if all the entities match" for the 7-day time frame. 

 

However, the incidents are keeping triggering every hour. May I know if there is any approach to troubleshoot the issue or how to check the config? Thanks

Steven_Su_0-1653291174403.png

Steven_Su_1-1653291192376.png

 

Labels:
1,191 Views
0 Likes
8 Replies
Reply
8 Replies
Gary Bushey

‎May 23 2022 04:14 AM

‎May 23 2022 04:14 AM

Re: Alert grouping does not work

@Steven_Su Have you verified that the incidents in each alert matches exactly (number and names) to the one another?

0 Likes
Reply
Steven_Su

‎May 23 2022 08:23 PM

‎May 23 2022 08:23 PM

Re: Alert grouping does not work

Hi @Gary Bushey 

Yes, for example, i search the IP entity and find all the incidents related to it. They only have 1 entity and it is the same, but the alerts were not aggregated into a single incident.

Steven_Su_0-1653362523098.png

 

0 Likes
Reply
Gary Bushey

‎May 24 2022 04:37 AM

‎May 24 2022 04:37 AM

Re: Alert grouping does not work

I see that these are all closed. Do you have your analytic rule grouping set to re-open an incident if a matching alert is to be added to it. It would be below the area your original screenshot shows.
0 Likes
Reply
Steven_Su

‎May 24 2022 06:51 PM

‎May 24 2022 06:51 PM

Re: Alert grouping does not work

Hi,
Because the alert grouping did not work, I manually add the automation to close the ticket if the entity matches the condition.
If the alert grouping still works, then the column "Alerts" in my last screenshot will increase whenever a same alert is fired. But in my screenshot, it is not. So it really make me confused.
0 Likes
Reply
best response confirmed by Steven_Su (Copper Contributor)
Gary Bushey

‎May 25 2022 03:41 AM

‎May 25 2022 03:41 AM

Solution

Re: Alert grouping does not work

It will not work if the incidents are closed unless the switch to re-open a closed matched incident is enabled. I don't see any reason why it wouldn't have worked before you closed everything.
0 Likes
Reply
Steven_Su

‎May 26 2022 02:05 AM

‎May 26 2022 02:05 AM

Re: Alert grouping does not work

Hi Gary,

Yes, you are correct. The function will not work if the ticket is already closed. We enable to re-opening to resolve the issue as recommended. Thanks.
0 Likes
Reply
burasathi

‎Aug 07 2023 10:15 AM

‎Aug 07 2023 10:15 AM

Re: Alert grouping does not work

Hello I have a same problem, the alerts are not grouped into incident even though there was matching entities .I don't have any automation to close the incidents. In my case one of the entities is the list of operation and the list also matches with order but still not grouping . If there is list in the entities can this prevent it from being grouped even though list is matching?
0 Likes
Reply
burasathi

‎Aug 08 2023 08:51 AM

‎Aug 08 2023 08:51 AM

Re: Alert grouping does not work

@Steven_Su 
Hello Steven,

I have similar problem but in my case I don't have automation and sentinel is not grouping the alerts even though the entity is matching, so can you please let me know is the entity you are using in this rule client_ipaddress_s a list of IPs or single IP?

0 Likes
Reply