Alerts Linking
Written by Muhammad Omar Khan
Updated over 4 months ago

Alert Linking enables security analysts to connect related alerts to a single incident. This feature streamlines the investigation process by eliminating the need to separately analyze similar alerts, saving time and effort. This is accomplished by consolidating the information, including artifacts and automation actions, from each alert into one incident. As a result, users benefit from a unified view of multiple related alerts within the same incident, making analysis more efficient and effective.

Alerts can be linked either manually or automatically by defining rules that are checked every time a new alert is ingested.

Manual Alert Linking

Analysts can select multiple alerts and link them to an existing Incident or to a new incident.

When the alerts are linked, all the artifacts and output of executed automation actions from the selected alerts are copied over into the incident with which the alerts are linked.

All linked alerts are automatically marked as Closed. From then on they can only be viewed; they cannot be reopened, updated, deleted or unlinked. Any further investigation and actions are done on the parent disposition (investigation or incident) with which those alerts are linked. Additionally, bulk actions cannot be performed on the parent disposition.

To link alerts manually, navigate to the Main Menu, select the Alerts tab within Incident Management, and then click Bulk Actions.

Within the Bulk Actions of the Incident Management alerts list, there are two options:

Link and Create Incident

Use this option if you wish to link the alerts to a new Incident.

  • Select alerts from the list, then click Link and Create Incident.

  • The Incident form is prepopulated with the data of the last alert in the list of selected alerts.

  • The 'Alerts' dropdown contains a list of all selected alerts with an option to search and select more alerts.

  • During the creation of a new Incident, you can add new artifacts.

  • Once an incident is created, the artifacts from the linked alerts are also copied over to the Incident (not displayed in the form).

Link to an Existing Incident

If you wish to link alerts to an existing Incident, select alerts from the list and click Link to Incident from the Bulk Actions menu.

A popup will appear with a dropdown that lets you search for an incident. Type in the search string and press Enter or Space.

Link Alert from Incident

You can also link alerts with an Incident in the Incident Edit form.

Note: Once linked, the alert cannot be unlinked.

Also, every time you link a new alert while editing, the playbooks associated with the incident are triggered to run their actions against the artifacts of the linked alert.

Manual Alert Linking Permission

To use the manual alert linking feature, you need to have the "Alert Linking" permission enabled.

Automated Alert Linking

Automated Alert Linking allows you to define Pre Ingestion Rules that automatically link incoming alerts to incidents. This eliminates the need to manually select alerts for linking. With this feature, users can define rules that determine which alerts should be linked to a matching existing incident. If no existing incident meets the conditions, a new incident is created and the alerts are linked to it.

Pre Ingestion Rules

These rules define conditions that are checked against every alert before it is ingested into SIRP.

To create a new Pre Ingestion Rule, go to Main Menu > Administration > Automation > Pre-Ingestion Rules.

Steps to Create a Pre-Ingestion Rule

  • Name: Specify the rule's name.

  • Status: Choose between enabling or disabling the rule.

  • Rule Order: This determines the sequence in which rules are applied. Only one rule triggers against each alert.

Section 1: Conditions for Incoming Alerts

This section defines the conditions to be checked against incoming alerts.

  • Subject: Defines the field of the incoming alert to be matched. Currently only the Subject/Title of the alert can be matched.

  • Operator: Defines the matching condition.

  • Value: Defines the Subject/Title value of the alert to match.

Use the + icon to define multiple AND- and OR-based conditions to check.

Section 2: Actions

This section specifies the actions to perform on the ingested alerts.

Currently, the only available action is Link and Update, i.e. the incoming alert is linked and updated.

Section 3: Link to

This section defines the conditions for selecting the Incident with which alerts are linked.

  • Link to: Choose whether the latest or the oldest incident is selected when multiple Incidents match the defined conditions.

  • Created within: Narrows down the search for incidents based on their creation time.

  • Search Closed Incidents: Select this if the engine should also search Closed incidents.

Example:

The following condition searches for incidents created within the last 2 days and selects the oldest one if multiple Incidents match the condition.

Execution Flow:

  • When alerts are ingested, the defined rules are triggered automatically and their conditions are matched against each alert.

  • If a rule matches the incoming alert, the alert is picked for linking. Incidents are then searched based on the defined "Link to" conditions.

  • If a matching Incident is found then the alert is linked.

  • If no matching Incident is found, then a new incident is created with all the data from the alert, and then the alert is linked with the new Incident.

  • After linking, the alert's status is changed to Closed so that no further changes can be made to the Alert.
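The following is an added illustrative model of the rule evaluation described in Sections 1 to 3 and the execution flow above; it is not SIRP's own code. The operator names, the AND/OR grouping of conditions, and the field names on alerts and incidents are assumptions, and the sample data in demo() is constructed.

```python
from datetime import datetime, timedelta

# Assumed operator set for Section 1's "Operator" field; the page does not list them.
OPERATORS = {"equals": lambda s, v: s == v, "contains": lambda s, v: v in s,
             "starts with": lambda s, v: s.startswith(v)}

def rule_matches(rule, alert):
    """Section 1: OR-ed groups of AND-ed Subject/Title conditions (grouping assumed)."""
    return any(all(OPERATORS[c["op"]](alert["subject"], c["value"]) for c in group)
               for group in rule["conditions"])

def find_incident(rule, incidents, now):
    """Section 3: oldest/latest incident in the window; Closed ones only if searched."""
    since = now - timedelta(days=rule["created_within_days"])
    candidates = [i for i in incidents if i["created_at"] >= since
                  and (rule["search_closed"] or i["status"] != "Closed")]
    pick = max if rule["link_to"] == "latest" else min
    return pick(candidates, key=lambda i: i["created_at"]) if candidates else None

def ingest(alert, rules, incidents, now):
    """Execution flow: rules run in Rule Order; only the first enabled match fires.
    Returns (rule name, incident id), or (None, None) when no rule matched."""
    for rule in sorted(rules, key=lambda r: r["order"]):
        if rule["status"] != "enabled" or not rule_matches(rule, alert):
            continue
        incident = find_incident(rule, incidents, now)
        if incident is None:  # no matching incident: create one from the alert's data
            incident = {"id": f"INC-{len(incidents) + 1}", "subject": alert["subject"],
                        "created_at": now, "status": "Open", "artifacts": [], "alerts": []}
            incidents.append(incident)
        incident["artifacts"].extend(alert["artifacts"])  # artifacts are copied over
        incident["alerts"].append(alert["id"])
        alert["status"] = "Closed"  # a linked alert becomes view-only
        alert["linked_to"] = incident["id"]
        return rule["name"], incident["id"]
    return None, None

def demo():
    """Constructed data for the page's example: incidents from the last 2 days, oldest wins."""
    now = datetime(2024, 1, 10, 12, 0)
    mk = lambda i, age, st: {"id": i, "subject": "Phishing", "created_at": now - age,
                             "status": st, "artifacts": [], "alerts": []}
    incidents = [mk("INC-1", timedelta(days=5), "Open"), mk("INC-2", timedelta(days=1), "Open"),
                 mk("INC-3", timedelta(hours=6), "Closed")]  # INC-1 too old, INC-3 closed
    rules = [{"name": "Phishing linker", "status": "enabled", "order": 1, "link_to": "oldest",
              "conditions": [[{"op": "contains", "value": "Phishing"}]],
              "created_within_days": 2, "search_closed": False}]
    a1 = {"id": "ALT-1", "subject": "Phishing email reported", "status": "New", "artifacts": ["sender@example.test"]}
    a2 = {"id": "ALT-2", "subject": "Failed logins", "status": "New", "artifacts": []}
    return ingest(a1, rules, incidents, now), ingest(a2, rules, incidents, now), a1, incidents
```

Running demo() links ALT-1 to INC-2 (the only incident inside the 2-day window that is not Closed) and leaves ALT-2 untouched because no rule matched it.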

Logs

Logs are generated and retained at every step of rule execution.

Activity Logs:

Provides logs for:

  • Alerts ingested in a buffer before pre-ingestion rules are applied

  • Alerts created and linked

  • Incident created or updated with linked alerts

Pre Ingestion Logs

Administration > Logs > Pre-Ingestion Logs

These logs are generated for each incoming alert, displaying information about:

  • The rule that was triggered

  • The conditions under which the incoming alert was matched

  • The action that was performed

  • The incidents for which the conditions were matched

  • If no matches occur, information about the newly created incident is provided.

View any log entry to see its details.

Automated Alert Linking Permissions

The following privileges must be enabled to use Automated Alert Linking:

  • Pre Ingestion Rule List

  • Add Pre Ingestion Rule

  • Update Pre Ingestion Rule

  • Delete Pre Ingestion Rule

  • Pre Ingestion Rule Log List

Linked Alerts Visibility

For every linked alert, there is a link icon next to the subject that signifies that the alert is linked with an Incident. Clicking on the icon will redirect to the parent Incident.

If an alert is already linked, both options, Link and Create Incident and Link to Incident, are disabled. One alert cannot be linked with multiple Incidents.

A filter is available that allows you to filter Linked and Unlinked alerts.

Incident View

A new tab called Linked Alerts has been added to Incidents; it displays the list of all alerts linked to the incident.

Playbook Rule for Linked Alerts

A field called "Linked" in the Playbook rules allows you to define a condition specifying whether or not the playbook should execute against a linked alert.
