Aug 07 2023 08:52 AM - edited Aug 10 2023 07:01 AM
@Clive_Watson
Hello all
I have a query regarding the alert grouping in Sentinel. For one of the out-of-the-box rules I deployed, which runs every hour, I have added alert grouping into one incident for 24 hours if the defined entity matches, but this is not working as expected. Even though the entity matched, this rule is creating a new incident every hour.
I have used the following fields for entity matching under the alert enhancement section
Even the operation list was the same and in the same order. The OperationList field has a set of values, so can this prevent it from being grouped into one incident? Does anyone know any reason for it not grouping the alerts into one incident? Any suggestions would be appreciated.
Thank you
Aug 08 2023 08:07 AM
Aug 08 2023 09:18 AM - edited Aug 10 2023 07:06 AM
Hello Raphael,
Thank you for the reply. I cannot add the rule in full here because of some client information in the rule, but most of the rule is from the out-of-the-box Sentinel rule called Mass Secret Retrieval From Azure Key Vault. For entity mapping in Sentinel we have used the following fields
We have done the following settings:
Under incident settings we have done the following settings:
Even though all the entities are matching, this rule is creating an incident every hour and not grouping them into one incident.
Aug 08 2023 10:57 AM - edited Aug 08 2023 10:57 AM
As OperationNameList is the result of a make_set operation, it's effectively an array, and its elements are possibly out of order between the analytic rule's runs, which would cause an entity mismatch, i.e.
['a', 'b', 'c', 'd'] vs ['a', 'c', 'b', 'd']
Aug 08 2023 02:20 PM
Aug 10 2023 07:00 AM
Hello,
Yeah, initially I thought so and checked the list and they were in the same order, but I think using | project-reorder ..., OperationNameList=array_sort_asc(OperationNameList), ... is a good idea to make sure it is always in order.
Thank you for the suggestion.
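To make the ordering point from the two posts above concrete, here is an added KQL example; it is not the text of the built-in Mass Secret Retrieval From Azure Key Vault rule nor anything posted in this thread. The table, filters and column names (AzureDiagnostics, ResourceType, OperationName, CallerIPAddress) are assumptions chosen to resemble Key Vault diagnostic logs; the point it demonstrates is that a make_set() array is sorted before it is used as an entity value, so two runs that see the same operations produce byte-identical entity values and can be grouped into one incident.

```kusto
// Added example (not the built-in rule). Assumed table and columns for Key Vault diagnostics.
let lookback = 1h;            // assumed: matches an hourly rule schedule
let threshold = 10;           // assumed: minimum secret reads per caller to alert on
AzureDiagnostics
| where TimeGenerated > ago(lookback)
| where ResourceType == "VAULTS"                  // assumed Key Vault diagnostic rows
| where OperationName has "Secret"                // assumed: secret-related operations only
| summarize
    Count = count(),
    StartTime = min(TimeGenerated),
    EndTime = max(TimeGenerated),
    OperationNameList = make_set(OperationName)   // dynamic array; element order is not guaranteed
    by CallerIPAddress
| where Count >= threshold
// Sort the array so that the same set of operations always serializes the same way.
| extend OperationNameList = array_sort_asc(OperationNameList)
// Entity mapping works on scalar columns; a sorted, joined string is stable across runs.
| extend OperationNames = strcat_array(OperationNameList, ",")
| project-reorder StartTime, EndTime, CallerIPAddress, Count, OperationNames, OperationNameList
```

With this shape, map CallerIPAddress to the IP entity and, if you want the operations as a grouping key, use the sorted scalar OperationNames rather than the raw dynamic column; grouping by "matching entities" compares the serialized value, so an unsorted array that differs only in element order is treated as a different entity.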
Aug 10 2023 07:10 AM
Hello,
I have checked the IP and process; they were the same in each incident it generated every hour, but it was still not grouping. Thank you for the information. I will try reducing the polling time as well.