cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Grouping alert into incident

burasathi
Copper Contributor

‎Aug 07 2023 08:52 AM - edited ‎Aug 10 2023 07:01 AM

‎Aug 07 2023 08:52 AM - edited ‎Aug 10 2023 07:01 AM

Grouping alert into incident

@Clive_Watson
Hello all

 

I have a query regarding the alert grouping in sentinel . For one of the out of the box rules I deployed which runs every hour, I have added alert grouping into one incident for 24 hour if   the defined entity matches but this is not working as expected. Even though the entity matched this rule is creating new incident every hour. 

I have used following fields for entity matching under alert enhancement section

  • OperationNameList - This will have list of  operations that triggered the alert.
  • CallerObjectId - This is the  account that performed the action 
  • CallerIPMax – This is most recent IP from which this operation was performed. 

Even operation list was also same and in same order. Operationlist field have set of values so Can this  prevent it from being grouped into one incident? Does anyone know any reason for it to be not grouping the alert into one incident. Any suggestions would be appreciated.

Thank you

1,542 Views
0 Likes
6 Replies
Reply
6 Replies
raphaelcustodiosoares

‎Aug 08 2023 08:07 AM

‎Aug 08 2023 08:07 AM

Re: Grouping alert into incident

Hello @burasathi

please upload the rule here for analyse or an screenshot
0 Likes
Reply
burasathi

‎Aug 08 2023 09:18 AM - edited ‎Aug 10 2023 07:06 AM

‎Aug 08 2023 09:18 AM - edited ‎Aug 10 2023 07:06 AM

Re: Grouping alert into incident

@raphaelcustodiosoares 

Hello Raphael,

 

Thank you for the reply. I cannot add the rule in full here because of some client information in the rule. but most of the part of the rule is from out of the box sentinel rule called Mass Secret Retrieval From Azure Key Vault. For entity mapping in sentinel we have used following fields 

  • OperationNameList - This will have list of  operations that triggered the alert.
  • CallerObjectId - This is the  account that performed the action 
  • CallerIPMax – This is most recent IP from which this operation was performed. 

We have done following settings :

burasathi_1-1691510680391.png

Under incident settings we have done following settings:

burasathi_3-1691510758493.png

 

Even though all the entity are matching this rule is creating incident every hour and not grouping then into incident.

 

 

 

0 Likes
Reply
KubaTom

‎Aug 08 2023 10:57 AM - edited ‎Aug 08 2023 10:57 AM

‎Aug 08 2023 10:57 AM - edited ‎Aug 08 2023 10:57 AM

Re: Grouping alert into incident

@burasathi 

 

As OperationNameList is a result of make_set operation, it's effectively an array, and its' elements are possibly out of order between the analytical rule's runs, which would cause an entity mismatch i.e.

['a', 'b', 'c', 'd'] vs ['a', 'c', 'b', 'd']

 

Could this be the case? If so, try projecting this instead:
| project-reorder ..., OperationNameList=array_sort_asc(OperationNameList), ...
0 Likes
Reply
raphaelcustodiosoares

‎Aug 08 2023 02:20 PM

‎Aug 08 2023 02:20 PM

Re: Grouping alert into incident

@burasathi

hello
you are using to group when it matches account, id , process. As the ip and the process will always be different, then there will always be a non-grouped incident because it does not match the selected fields.

Select last option and mark account

About the alerts it is generating too many and because you are evaluating every hour with 1 day data polling time, try to run every 1 hour with 1 hour polling time.



if you liked it mark the answer with a like.
if you thought this answer helped in any way please mark it as best answer
0 Likes
Reply
burasathi

‎Aug 10 2023 07:00 AM

‎Aug 10 2023 07:00 AM

Re: Grouping alert into incident

@KubaTom 

 

Hello,

Yeah initially I thought so and checked the list and they were in same order. but I think using | project-reorder ..., OperationNameList=array_sort_asc(OperationNameList), ..is good I idea to make sure it is always in order. 

Thank you for the suggestion.

0 Likes
Reply
burasathi

‎Aug 10 2023 07:10 AM

‎Aug 10 2023 07:10 AM

Re: Grouping alert into incident

@raphaelcustodiosoares 

Hello, 

I have checked the ip and process they were same in each incident it generated every hour but was still not grouping. Thank you for the information. I will try reducing polling time as well.

0 Likes
Reply