This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Alert is not Grouping Properly as Incident

socuser
Occasional Contributor
Occasional Contributor

‎2022-01-06 03:57 AM

Hi Team,

Alerts are not grouping into a Single Incident, In Incident Rule we are grouping Alerts based on the Source IP within in one hour.

In that case of 1 hours , all the alerts relates to the source IP should be grouped under one Incident but it is not happening.

PFA of Incident Screenshot & Incident Rule Screenshot,

please help us on this issue.

 

Regards,

SOC TEAM

 

 

 

Labels:
Preview file
34 KB
Preview file
36 KB
0 Likes
1 REPLY 1

sravan.koneti
Frequent Contributor Frequent Contributor
Frequent Contributor

‎2022-03-06 04:36 AM

Hi @socuser ,

This grouping works as expected as each incident has 1000 alerts.

rsa.respond.alertrule.batch-size=1000 value decides how many alerts are part of each incident.

https://community.netwitness.com/t5/netwitness-platform-online/respond-server-configuration/ta-p/668983#AlertRuleProperties

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.