Add grouping timeframe to alert grouping rules

Daniel Harvey, Siemplify Champion
edited December 2020 in Suggest New Ideas

The recently introduced grouping rules are greatly beneficial and acknowledge that some products require different grouping methodologies.

For example, QRadar specifically requires grouping based on the source group identifier if you want to properly group SIEM events into a case, based on the offense ID.

I think this should go one step further. In the specific example of QRadar, the alerts are always going to be grouped by the offense ID, so I'd like this grouping time to be as long as possible.

This way if it takes a few hours to get around to a lower priority offense/case, you won’t end up hunting down several cases, because a global 2 hour grouping window has elapsed a few times since, for example.

That being said, you wouldn’t want to set the grouping timeframe to something like 24 hours for all other products, because you'll likely end up grouping together events that don't actually relate to each other: it just so happened that more than one offense occurred in that 24 hour window with the same hash, username, IP, or hostname.

To address this issue, I'd like to suggest that a separately configurable grouping timeframe can be set in the rule table per product or grouping rule.

Please see the below images as an example.


When creating a new grouping rule, there should be an option to specify the timeframe:

This grouping timeframe would then be visible in the grouping rules table (above)

2 votes

Scheduled in Roadmap

Comments

  • Hi @Daniel Harvey, thanks for raising this request!

    So the timeframe is actually relevant to the “Group By=Entities” only.

    For rules where the user chose to group by Source Grouping Identifier, it will not check the timeframe at all (the logic behind this is that the user has configured smart grouping rules in the source product, such as QRadar, so most likely they want to use the rules from the source product without any additional limitations/logic).

    You can check out our grouping documentation in Siemplify Knowledge Center at https://www.manula.com/manuals/siemplify/how-to/5.5.3/en/topic/alert-grouping-in-depth - “Timeframe for grouping alerts (in hours): Choose the number of hours with which to group the alerts for the Case (0.5-24 hours with half hour intervals supported). Note that this does NOT apply to the rules below which are grouped by Source Grouping Identifier.”

    If you guys have some other use cases for different grouping time-frames for different grouping rules, I'd highly appreciate it if you could describe them so we can discuss it and see how/when to solve this, if needed.

  • Daniel Harvey, Siemplify Champion

    Hey @Or Suesskind,

    Ah, I see. I missed this part of the documentation. Thanks for pointing that out!

    With regards to different grouping time-frames, nothing else that I can think of, so we can probably dismiss this suggestion for now.

    Thanks again
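The behaviour described in the comment above (the timeframe applies only to "Group By=Entities"; rules grouped by Source Grouping Identifier ignore it) as a small constructed model in Python. This is an added illustration, not Siemplify's code; the rule/alert fields, the choice to measure the window from the newest alert already in the case, and the sample alerts are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed model of the grouping logic discussed in the thread; not Siemplify code.

@dataclass
class Rule:
    product: str
    group_by: str  # "entities" or "source_grouping_identifier" (assumed names)

@dataclass
class Alert:
    product: str
    received: datetime
    source_group_id: str = ""            # e.g. a QRadar offense ID
    entities: frozenset = frozenset()    # hashes, usernames, IPs, hostnames

@dataclass
class Case:
    alerts: list

def validate_timeframe(hours: float) -> float:
    """Global entity timeframe: 0.5-24 hours in half-hour steps, per the quoted docs."""
    if not 0.5 <= hours <= 24 or hours * 2 != int(hours * 2):
        raise ValueError(f"timeframe must be 0.5-24 hours in half-hour steps, got {hours}")
    return hours

def group_alerts(alerts, rules, timeframe_hours):
    window = timedelta(hours=validate_timeframe(timeframe_hours))
    cases = []
    for alert in sorted(alerts, key=lambda a: a.received):
        rule, target = rules[alert.product], None
        for case in cases:
            last = case.alerts[-1]  # assumption: window measured from newest alert in case
            if last.product != alert.product:
                continue
            if rule.group_by == "source_grouping_identifier":
                # Timeframe is NOT checked: the source product's own grouping decides.
                matched = last.source_group_id == alert.source_group_id
            else:
                matched = bool(last.entities & alert.entities) and \
                    alert.received - last.received <= window
            if matched:
                target = case
                break
        (target.alerts.append(alert) if target else cases.append(Case([alert])))
    return cases

def count_cases(timeframe_hours):
    """Constructed sample: one QRadar offense and one EDR host, each alerting twice 5h apart."""
    t0 = datetime(2020, 12, 1, 9, 0)
    rules = {"QRadar": Rule("QRadar", "source_grouping_identifier"),
             "EDR": Rule("EDR", "entities")}
    alerts = [Alert("QRadar", t0, source_group_id="offense-42"),
              Alert("QRadar", t0 + timedelta(hours=5), source_group_id="offense-42"),
              Alert("EDR", t0, entities=frozenset({"host-a"})),
              Alert("EDR", t0 + timedelta(hours=5), entities=frozenset({"host-a"}))]
    return len(group_alerts(alerts, rules, timeframe_hours))
```

With a 2-hour global window the QRadar offense still lands in one case while the EDR alerts split into two; raising the window to 24 hours merges the EDR alerts as well, which is the over-grouping risk the original post describes.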
