24.3 Configuring Alert Creation

You can create alerts in Sentinel in either of the following ways:

  • Associate the Create alerts action to a correlation rule. Sentinel generates an alert when the correlation rule fires.

  • Create alerts by using the REST API. For more information, see the Alert Create Method section in Help > API Documentation.

Sentinel automatically rolls up identical and/or duplicate instances of an alert as follows:

  1. When a new alert is created, Sentinel initializes the Occurrences field value in the alert to 1.

  2. Subsequent instances of the same alert are rolled up into the existing alert until the existing alert is closed. After the existing alert is closed, if a new instance of the same alert is detected, a new alert is created.

    When rolling up alerts, Sentinel performs the following activities:

    • Increments the value of the Occurrences field by one.

    • Associates trigger events of the new alert instance to the existing alert.

    Sentinel determines the sameness of alerts by comparing the existing alert fields with the fields of the new alert instance. When comparing the alerts, Sentinel considers all fields except unique and date/time fields.

  3. Multiple open alerts with identical fields can exist if one or more alerts are re-opened from the closed state. In this case, Sentinel chooses the most recently created alert for roll up.

Rolling up alerts reduces the number of open and duplicate alerts in Sentinel.

When the alert is created by a correlation rule, the fields of the correlated event are copied to the alert. The Create alerts action also sets the following properties on the alert: Owner, Priority, and State. Therefore, you can control the alert output by customizing the correlated event. To customize the correlated event, see Customizing Correlated Event in the Sentinel User Guide.

HINT: If there are too many distinct alerts, you can reduce the number of unique fields in the correlated event output to create a more generalized alert, so that the subsequent alert instances are rolled up. Similarly, if the alerts are too generic, you can increase the number of unique fields in the correlated event output to create distinct alerts.

For example, consider a correlation rule that generates a correlated event with severity 5 whenever User A logs in to the system and the Create Alerts action is associated to the correlation rule. When the correlation rule fires, Sentinel creates an alert with severity 5. Subsequent alert instances triggered by this correlation rule are identical to the existing alert. Therefore, Sentinel rolls up the alert instances into the existing alert. If the severity field value of the correlated event is customized to 3, Sentinel generates a new alert with severity 3 instead of rolling up the alert instance to the existing alert.
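The roll-up rules above (sameness ignores unique and date/time fields, open alerts absorb new instances, a closed alert forces a new one, and among several open matches the most recently created wins) as an added illustrative model in Python. This is not Sentinel code; the field names and the set of ignored fields are assumptions made for the example.

```python
# Added example, not Sentinel's implementation: a small model of alert roll-up.
from dataclasses import dataclass, field

# Assumption: these are the "unique" and "date/time" fields excluded from comparison.
IGNORED_FIELDS = {"AlertId", "EventId", "EventTime", "CreatedTime"}


@dataclass
class Alert:
    fields: dict
    occurrences: int = 1            # initialized to 1 on creation
    state: str = "New"              # New / Investigating / Closed
    trigger_events: list = field(default_factory=list)
    created_seq: int = 0            # stand-in for the creation timestamp


def rollup_key(fields):
    """Comparable view of an alert: every field except the ignored ones."""
    return tuple(sorted((k, v) for k, v in fields.items() if k not in IGNORED_FIELDS))


class AlertStore:
    def __init__(self):
        self.alerts = []
        self._seq = 0

    def create_alert(self, fields, trigger_event):
        """Return the alert the instance lands in: an existing open match or a new one."""
        key = rollup_key(fields)
        # Closed alerts are never roll-up targets; a closed alert that is
        # re-opened can produce several open alerts with identical fields.
        candidates = [a for a in self.alerts
                      if a.state != "Closed" and rollup_key(a.fields) == key]
        if candidates:
            target = max(candidates, key=lambda a: a.created_seq)  # most recent
            target.occurrences += 1                                # roll up
            target.trigger_events.append(trigger_event)            # associate event
            return target
        self._seq += 1
        alert = Alert(fields=dict(fields), trigger_events=[trigger_event],
                      created_seq=self._seq)
        self.alerts.append(alert)
        return alert
```

Changing only the Severity of the correlated event (as in the example above) yields a different key and therefore a new alert rather than a roll-up.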

To associate the Create alert action to a Correlation rule:

  1. In the Correlation panel, select the correlation rule to which you want to associate the Create Alerts action, and click the Edit icon.

  2. In the correlation rule builder, in the Actions section, select Create alert.

  3. To configure the alert, click Configure.

  4. Specify the following details in the Configure Alert window:

    • Owner: You can specify a user or a role as the owner of the alert. If you specify a role as the owner of the alert, all the users in that role are owners of the alert. One of the users in that role can acknowledge the alert to notify that they have taken ownership of the alert and are investigating the issue.

      NOTE: When assigning an alert to a user or a role, ensure that the role or the user has the Manage Alerts permission.

    • Priority: Priority indicates the importance of the alert.

    • State: State indicates the status of the alert in the alert resolution cycle.

      • New: This is the default state of the newly created alerts.

      • Investigating: Indicates that the alert has been triaged and the investigation for the alert is in progress.

      • Closed: Indicates that there will be no further activity on the alert and that, based on the alert retention policy, the alert will be deleted.

  5. Click Save.

  6. Click Save Rule.