Alert Group Key


To reduce the volume of alerts, Taegis™ XDR detectors may use the alert group key to create one alert per key within a specified time window. These group keys are intended to deduplicate alerts that are essentially identical, differing only in timestamp and other non-consequential fields. A grouped alert carries a total occurrence count, a first seen timestamp, a last seen timestamp, and references to the first and last event.

The Alert Details Summary tab contains Occurrence Count and Group by (Group Key) fields. In addition, the JSON tab contains the object events_metadata which contains the first and last event associated with the alert.

Alert Details with Group Key

Occurrence count is available on the alert tables contained in the following pages:

Occurrence count available on Alert tables

FAQ

Why are there only two events available in the Events tab?

The alert will contain the first event and last event that occurred. All event occurrences are searchable, but the alert only maintains references to the first and last event.

What is the group key?

A group key is configured per watchlist and contains fields from the events contained in the alert. For example, a NIDS group key is made up of the following fields.

What alert types have this group key capability?

All alerts use group keys to aggregate repeated occurrences.

How does the seven-day group key work?

Alerts for rules configured with a seven-day group key are grouped to a single day from Monday to Friday. All alerts generated by the associated rule are deduplicated to the same day of the work week.

Example
  1. Rule one is set to deduplicate on Monday.
  2. This rule creates a new alert on Friday.
  3. Repeated occurrences on Saturday and Sunday are appended to the alert created on Friday.
  4. On Monday, repeated occurrences generate a new alert, and occurrences are appended until the next Monday.
  5. The next Monday, a new alert may be created.

What changed with the Alert schema?

The alert schema now contains a group_key array and an events_metadata object. The excerpt below shows both, taken from a grouped NIDS alert:

{
    "events_metadata": {
        "__typename": "AlertEventMetadata",
        "began_at": {
            "__typename": "Timestamp",
            "nanos": 0,
            "seconds": 1661119511
        },
        "ended_at": {
            "__typename": "Timestamp",
            "nanos": 774000000,
            "seconds": 1661286639
        },
        "first_event_id": "event://priv:scwx.nids:35959:1661272095206:146d8128-d2fb-5d06-ac20-8dd7bac30763",
        "last_event_id": "event://priv:scwx.nids:35959:1661286639774:146d8128-d2fb-5d06-ac20-8dd7bac30763",
        "total_events": 9,
        "updated_at": {
            "__typename": "Timestamp",
            "nanos": 391062,
            "seconds": 1661287835
        }
    },
    "group_key": [
        "35959:Cisco eStreamer:SERVER-WEBAPP GPON Router authentication bypass and command injection attempt:2.2.3.3:1.1.1.4:2022-08-21"
    ]
}
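As an added example (not Taegis code and not its event schema), the following Python reproduces the behaviour described in the seven-day FAQ and the events_metadata fields above: it builds a group key from the identifying fields of constructed NIDS events, buckets them either per day or per seven-day window anchored on a configured weekday, and folds repeats into one alert that tracks the count and the first and last event. The event shape, the field names tenant/sensor/signature/src_ip/dst_ip, and the week_bucket helper are assumptions for this example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample events (assumed shape, not the Taegis schema): one NIDS signature
# seen repeatedly between the same two hosts across ten days.
SAMPLE_EVENTS = [
    {"id": "evt-1", "ts": "2022-08-19T08:00:00+00:00"},  # Friday
    {"id": "evt-2", "ts": "2022-08-19T14:30:00+00:00"},  # Friday
    {"id": "evt-3", "ts": "2022-08-20T03:15:00+00:00"},  # Saturday
    {"id": "evt-4", "ts": "2022-08-21T22:45:00+00:00"},  # Sunday
    {"id": "evt-5", "ts": "2022-08-22T09:00:00+00:00"},  # Monday
    {"id": "evt-6", "ts": "2022-08-29T09:00:00+00:00"},  # the next Monday
]
for _e in SAMPLE_EVENTS:  # identifying fields; values taken from the group_key shown above
    _e.update(tenant="35959", sensor="Cisco eStreamer", src_ip="2.2.3.3", dst_ip="1.1.1.4",
              signature="SERVER-WEBAPP GPON Router authentication bypass and command injection attempt")

def week_bucket(ts: datetime, anchor_weekday: int) -> str:
    """Date of the most recent anchor weekday on or before ts (Monday == 0); every
    event from that day up to the next anchor day shares the bucket."""
    days_since = (ts.weekday() - anchor_weekday) % 7
    return (ts.date() - timedelta(days=days_since)).isoformat()

def group_key(event: dict, window: str = "day", anchor_weekday: int = 0) -> str:
    """Identifying fields plus a time bucket; the event timestamp itself and other
    non-consequential fields are deliberately left out so that repeats collide."""
    ts = datetime.fromisoformat(event["ts"]).astimezone(timezone.utc)
    bucket = ts.date().isoformat() if window == "day" else week_bucket(ts, anchor_weekday)
    return ":".join([event["tenant"], event["sensor"], event["signature"],
                     event["src_ip"], event["dst_ip"], bucket])

def aggregate(events: list, window: str = "day", anchor_weekday: int = 0) -> dict:
    """One alert per group key; a repeat only bumps the count and the 'last' fields."""
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):  # same ISO format, so string order is time order
        key = group_key(ev, window, anchor_weekday)
        meta = alerts.setdefault(key, {"group_key": [key], "events_metadata": {
            "began_at": ev["ts"], "first_event_id": ev["id"], "total_events": 0}})["events_metadata"]
        meta.update(ended_at=ev["ts"], last_event_id=ev["id"], total_events=meta["total_events"] + 1)
    return alerts

if __name__ == "__main__":
    for label, alerts in (("daily window", aggregate(SAMPLE_EVENTS)),
                          ("seven-day window, Monday anchor", aggregate(SAMPLE_EVENTS, "week", 0))):
        print(f"{label}: {len(alerts)} alert(s)")
        for key, alert in alerts.items():
            print(f"  {alert['events_metadata']['total_events']} event(s) in bucket {key[-10:]}")
```

With the Monday anchor, the Friday, Saturday and Sunday occurrences land in one alert and the Monday occurrence opens a new one, exactly as the FAQ example describes.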
