
Alert Group Key

To reduce the volume of alerts, Secureworks® Taegis™ XDR detectors may use the alert group key to create one alert per key within a specified time window. These group keys are intended to deduplicate alerts which are primarily identical, except for timestamp and other non-consequential fields. Grouped alerts contain a total occurrence count, first seen timestamp, last seen timestamp, first event, and last event.

The Alert Details Summary tab contains the Occurrence Count and Group by (Group Key) fields. In addition, the JSON tab contains the events_metadata object, which holds the first and last event associated with the alert.

Alert Details with Group Key

Occurrence count is available on the alert tables contained in the following pages:

  • Alerts
  • Alert Search
  • Investigation → Evidence → Alerts

Occurrence count available on Alert tables

FAQ

Why are there only two events available in the alert JSON?

The JSON view of the alert will contain the first event ID and last event ID that occurred. All event occurrences are searchable and appear in the alert Events tab.

What is the group key?

A group key is configured per watchlist and is built from fields of the events contained in the alert. For example, a NIDS group key is made up of the following fields:

  • Tenant ID
  • Sensor Type
  • Alert Title
  • Source IP
  • Destination IP
  • Date (24 hour window)

What alert types have this group key capability?

All alerts use group keys to aggregate repeated occurrences.

How does the seven-day group key work?

Alerts for rules configured with a seven-day group key are grouped on a single configured day of the work week (Monday to Friday). All alerts generated by the associated rule are deduplicated to that same weekday, so a new alert is opened only when that day comes around again.

Example
  1. Rule one is set to deduplicate on Monday.
  2. This rule creates a new alert on Friday.
  3. Repeated occurrences on Saturday and Sunday are appended to the alert created on Friday.
  4. On Monday, repeated occurrences generate a new alert, and occurrences are appended until the next Monday.
  5. The next Monday, a new alert may be created.
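As an added illustration (not Taegis code or output), the following builds the NIDS group key from the field list above and aggregates sample events into one alert per key, once with the 24-hour date window and once with the seven-day window from the example; the Event field names and the sample events are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class Event:
    """One NIDS event; field names are hypothetical stand-ins for the group-key fields listed above."""
    tenant_id: str
    sensor_type: str
    title: str
    source_ip: str
    destination_ip: str
    ts: datetime   # event time, UTC
    event_id: str

def nids_group_key(ev):
    """24-hour window key: tenant, sensor type, alert title, src, dst and the event's UTC date."""
    return f"{ev.tenant_id}:{ev.sensor_type}:{ev.title}:{ev.source_ip}:{ev.destination_ip}:{ev.ts:%Y-%m-%d}"

def seven_day_group_key(ev, anchor_weekday=0):
    """Seven-day key: the date part is the most recent anchor weekday (0 = Monday) on or before the
    event, so Friday/Saturday/Sunday occurrences share one alert and Monday opens a new one."""
    window_start = ev.ts.date() - timedelta(days=(ev.ts.weekday() - anchor_weekday) % 7)
    return f"{ev.tenant_id}:{ev.sensor_type}:{ev.title}:{ev.source_ip}:{ev.destination_ip}:{window_start:%Y-%m-%d}"

def group_alerts(events, key_fn=nids_group_key):
    """Collapse events into one alert per key, tracking the fields the page's events_metadata shows:
    began_at/ended_at, first/last event id and total_events."""
    alerts = {}
    for ev in sorted(events, key=lambda e: e.ts):
        k = key_fn(ev)
        if k not in alerts:
            alerts[k] = {"group_key": [k], "began_at": ev.ts, "ended_at": ev.ts,
                         "first_event_id": ev.event_id, "last_event_id": ev.event_id, "total_events": 1}
        else:
            alerts[k].update(ended_at=ev.ts, last_event_id=ev.event_id,
                             total_events=alerts[k]["total_events"] + 1)
    return alerts

def sample_events():
    """Constructed sample events (not real Taegis data); values follow the page's group_key example."""
    base = dict(tenant_id="35959", sensor_type="Cisco eStreamer", source_ip="2.2.3.3", destination_ip="1.1.1.4",
                title="SERVER-WEBAPP GPON Router authentication bypass and command injection attempt")
    times = ["2022-08-19T10:00:00", "2022-08-19T11:30:00", "2022-08-20T09:15:00",  # Fri, Fri, Sat
             "2022-08-21T22:05:11", "2022-08-22T08:00:00"]                         # Sun, Mon
    return [Event(**base, ts=datetime.fromisoformat(t).replace(tzinfo=timezone.utc), event_id=f"evt-{i}")
            for i, t in enumerate(times, 1)]

if __name__ == "__main__":
    print({k.rsplit(":", 1)[1]: a["total_events"] for k, a in group_alerts(sample_events(), seven_day_group_key).items()})
```

With the 24-hour key the five sample events become four alerts; with the Monday-anchored seven-day key the Friday, Saturday and Sunday events collapse into one alert and the Monday event opens a new one, matching the numbered example.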

What changed with the Alert schema?

The alert schema now contains group_key and an events_metadata object.

    {
        "events_metadata":{
            "__typename":"AlertEventMetadata",
            "began_at":{
                "__typename":"Timestamp",
                "nanos":0,
                "seconds":1661119511
            },
            "ended_at":{
                "__typename":"Timestamp",
                "nanos":774000000,
                "seconds":1661286639
            },
            "first_event_id":"event://priv:scwx.nids:35959:1661272095206:146d8128-d2fb-5d06-ac20-8dd7bac30763",
            "last_event_id":"event://priv:scwx.nids:35959:1661286639774:146d8128-d2fb-5d06-ac20-8dd7bac30763",
            "total_events":9,
            "updated_at":{
                "__typename":"Timestamp",
                "nanos":391062,
                "seconds":1661287835
            }
        },
        "group_key":[
            "35959:Cisco eStreamer:SERVER-WEBAPP GPON Router authentication bypass and command injection attempt:2.2.3.3:1.1.1.4:2022-08-21"
        ]
    }