In every Chronicle SOAR platform there is a fallback rule. This rule is there to ensure that even if there are no defined rules – or even if the rules defined don’t apply to an alert, there will always be a basic grouping mechanism used.

The rules will be checked in the following hierarchical order:

  1. Alert Type. For example, Phishing Alert
  2. Product. For example, Cyberreason EDR
  3. Data Source. For example, a SIEM such as Chronicle SIEM or Arcsight
  4. And if none of the above are matched – then the fallback rule will be used.

Create a rule

  1. Navigate to Settings > Advanced > Alerts Grouping.
  2. In the Rules section, click on the Plus sign.
  3. In the Category section, choose between Alert Type, Data Source and Product.
    Note that the drop-down in each of the following fields will only be populated by alerts that have been ingested into the system already.
  4. In the Sub-category (or Alert Type) section, select the required options. Note that you can choose several options (multiple select).
  5. In the Group by section, select either Entities or Source Grouping Identifier. Note that if you group by Source Grouping Identifier (for use with Qradar for example) then there is no need to define grouping entities direction as it’s not meaningful.
  6. If you choose to use entities, then you will need to select a direction as well.

Edit the fallback Rule

The fallback rule can not be deleted but it can have two of its fields edited:

  • Group by (Choose between Entities or SourceGroupingIdentifier (relevant for alerts coming from QRadar Connector – identifier called “offense”.)
  • Grouping Entities (by directions) – relevant for entities only.   

For more information on Alert Grouping Rules, click here.