Add grouping timeframe to alert grouping rules
The recently introduced grouping rules are greatly beneficial and acknowledge that some products require different grouping methodologies.
For example, QRadar specifically requires grouping based on the source group identifier if you want to properly group SIEM events into a case, based on the offense ID.
I think this should go one step further. In the specific example of QRadar, the alerts are always going to be grouped by the offense ID, so I'd like this grouping time to be as long as possible.
This way, if it takes a few hours to get around to a lower-priority offense/case, you won't end up hunting down several cases because a global 2-hour grouping window has elapsed a few times since, for example.
That being said, you wouldn't want to set the grouping timeframe to something like 24 hours for all other products, because you'll likely end up grouping together events that don't actually relate to each other. It just so happened that more than one offense occurred in that 24-hour window with the same hash, username, IP, or hostname.
To address this issue, I'd like to suggest that a separately configurable grouping timeframe can be set in the rule table per product or grouping rule.
Please see the below images as an example.
When creating a new grouping rule, there should be an option to specify the timeframe:
This grouping timeframe would then be visible in the grouping rules table (above).
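To make the trade-off described in this request concrete, here is an added example (not code from the original post and not the product's own grouping implementation) that simulates alert-to-case grouping under three policies: a global 2-hour window, a global 24-hour window, and a per-rule window as requested. The rule table, the assumed semantics (an alert joins an open case with the same product and key when it arrives within the window measured from the time the case was opened), the field names `offense_id` and `hostname`, and the sample alerts are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class GroupingRule:
    """One row of a hypothetical grouping-rules table: the product it
    applies to, the alert field it groups on, and its own timeframe."""
    product: str
    key_field: str
    window: timedelta


@dataclass
class Case:
    product: str
    key: str
    opened: datetime
    alerts: list = field(default_factory=list)


def group_alerts(alerts, rules, global_window=None):
    """Group alerts into cases.

    Assumed semantics: an alert joins an existing case when it has the same
    product and grouping key and arrives within the window measured from the
    time that case was opened; otherwise a new case is opened. When
    global_window is given it overrides every rule's own window, modelling a
    single platform-wide timeframe instead of a per-rule one.
    """
    rules_by_product = {r.product: r for r in rules}
    cases = []
    for alert in sorted(alerts, key=lambda a: a["time"]):
        rule = rules_by_product.get(alert["product"])
        if rule is None:
            # No grouping rule for this product: every alert is its own case.
            cases.append(Case(alert["product"], "", alert["time"], [alert]))
            continue
        key = alert[rule.key_field]
        window = global_window if global_window is not None else rule.window
        for case in cases:
            if (case.product == rule.product and case.key == key
                    and alert["time"] - case.opened <= window):
                case.alerts.append(alert)
                break
        else:
            cases.append(Case(rule.product, key, alert["time"], [alert]))
    return cases


def cases_for(cases, product):
    return [c for c in cases if c.product == product]


# Constructed sample alerts (not real data). One QRadar offense keeps emitting
# alerts over five hours; two unrelated EDR detections hit the same host
# eleven hours apart.
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE_ALERTS = [
    {"product": "QRadar", "offense_id": "1234", "time": T0},
    {"product": "QRadar", "offense_id": "1234",
     "time": T0 + timedelta(hours=2, minutes=30)},
    {"product": "QRadar", "offense_id": "1234", "time": T0 + timedelta(hours=5)},
    {"product": "EDR", "hostname": "ws-042", "time": T0},
    {"product": "EDR", "hostname": "ws-042", "time": T0 + timedelta(hours=11)},
]

# Hypothetical rule table with the requested per-rule timeframe column:
# QRadar groups by offense ID for a week, the EDR rule keeps a short window.
RULES = [
    GroupingRule("QRadar", "offense_id", timedelta(days=7)),
    GroupingRule("EDR", "hostname", timedelta(hours=2)),
]


def summarize(global_hours=None):
    """Return {product: number of cases} for the sample alerts under either a
    global window of global_hours or, when None, each rule's own window."""
    global_window = None if global_hours is None else timedelta(hours=global_hours)
    cases = group_alerts(SAMPLE_ALERTS, RULES, global_window)
    return {p: len(cases_for(cases, p)) for p in ("QRadar", "EDR")}


if __name__ == "__main__":
    print("global 2h :", summarize(2))     # one QRadar offense split into 3 cases
    print("global 24h:", summarize(24))    # two unrelated EDR hits merged into 1 case
    print("per rule  :", summarize())      # 1 QRadar case, 2 EDR cases
```

With the global 2-hour window the single offense 1234 lands in three cases, which is the "hunting down several cases" problem; with a global 24-hour window the two unrelated EDR detections on ws-042 collapse into one case; only the per-rule windows give one case per offense and one case per distinct EDR incident.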