Alert grouping does not work

Copper Contributor

Hi team,


We have an analytics rule that will run every hour. We have configured the alert grouping to "Grouping alerts into a single incident if all the entities match" for the 7-day time frame. 


However, the incidents are keeping triggering every hour. May I know if there is any approach to troubleshoot the issue or how to check the config? Thanks




8 Replies

@Steven_Su Have you verified that the incidents in each alert matches exactly (number and names) to the one another?

Hi @Gary Bushey 

Yes, for example, i search the IP entity and find all the incidents related to it. They only have 1 entity and it is the same, but the alerts were not aggregated into a single incident.



I see that these are all closed. Do you have your analytic rule grouping set to re-open an incident if a matching alert is to be added to it. It would be below the area your original screenshot shows.
Because the alert grouping did not work, I manually add the automation to close the ticket if the entity matches the condition.
If the alert grouping still works, then the column "Alerts" in my last screenshot will increase whenever a same alert is fired. But in my screenshot, it is not. So it really make me confused.
best response confirmed by Steven_Su (Copper Contributor)
It will not work if the incidents are closed unless the switch to re-open a closed matched incident is enabled. I don't see any reason why it wouldn't have worked before you closed everything.
Hi Gary,

Yes, you are correct. The function will not work if the ticket is already closed. We enable to re-opening to resolve the issue as recommended. Thanks.
Hello I have a same problem, the alerts are not grouped into incident even though there was matching entities .I don't have any automation to close the incidents. In my case one of the entities is the list of operation and the list also matches with order but still not grouping . If there is list in the entities can this prevent it from being grouped even though list is matching?

Hello Steven,

I have similar problem but in my case I don't have automation and sentinel is not grouping the alerts even though the entity is matching, so can you please let me know is the entity you are using in this rule client_ipaddress_s a list of IPs or single IP?