26.3 Configuring Alert Creation

You can create alerts in Sentinel in either of the following ways:

  • Associate the Create alerts action to a correlation rule. Sentinel generates an alert when the correlation rule fires.

  • Create alerts by using the REST API. For more information, see the API documentation, which you can reach in either of the following ways:

    • Click Help > APIs > API reference > Alert Create Method.

    • Go to <Sentinel Server IP address>/SentinelRESTServices/apidoc/en/api-ref/Alerts/alert-create.html

Sentinel automatically rolls up identical and/or duplicate instances of an alert as follows:

  1. When a new alert is created, Sentinel initializes the Occurrences field value in the alert to 1.

  2. Subsequent instances of the same alert are rolled up into the existing alert until the existing alert is closed. After the existing alert is closed, if a new instance of the same alert is detected, a new alert is created.

    When rolling up alerts, Sentinel performs the following activities:

    • Increments the value of the Occurrences field by one.

    • Associates trigger events of the new alert instance to the existing alert.

    Sentinel determines the sameness of alerts by comparing the existing alert fields with the fields of the new alert instance. When comparing the alerts, Sentinel considers all fields except unique and date/time fields.

  3. Multiple open alerts with identical fields can exist if one or more alerts are re-opened from the closed state. In this case, Sentinel chooses the most recently created alert for roll up.

Rolling up alerts reduces the number of open and duplicate alerts in Sentinel.

When the alert is created by a correlation rule, the fields of the correlated event are copied to the alert. The Create alerts action also sets the following properties on the alert: Owner, Priority, and State. Therefore, you can control the alert output by customizing the correlated event. To customize the correlated event, see Customizing Correlated Event in the Sentinel User Guide.

HINT: If there are too many distinct alerts, you can reduce the number of unique fields in the correlated event output to create a more generalized alert, so that the subsequent alert instances are rolled up. Similarly, if the alerts are too generic, you can increase the number of unique fields in the correlated event output to create distinct alerts.

For example, consider a correlation rule that generates a correlated event with severity 5 whenever User A logs in to the system and the Create Alerts action is associated to the correlation rule. When the correlation rule fires, Sentinel creates an alert with severity 5. Subsequent alert instances triggered by this correlation rule are identical to the existing alert. Therefore, Sentinel rolls up the alert instances into the existing alert. If the severity field value of the correlated event is customized to 3, Sentinel generates a new alert with severity 3 instead of rolling up the alert instance to the existing alert.
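The roll-up rules above and the severity 5 / severity 3 example, as an added Python model (not Sentinel's own code). It assumes constructed correlated-event field names (EventName, User, Severity, EventTime), treats AlertId and EventTime as the unique and date/time fields that are excluded from the sameness comparison, and uses the stt values from Table 26-1.

```python
from dataclasses import dataclass, field
from itertools import count

NEW = 0                 # stt value of the New state (Table 26-1)
CLOSED = 50             # stt value of the Closed state (Table 26-1)
UNIQUE_FIELDS = {"AlertId"}        # assumed unique field name
DATETIME_FIELDS = {"EventTime"}    # assumed date/time field name


@dataclass
class Alert:
    alert_id: int
    fields: dict                  # fields copied from the correlated event
    state: int = NEW
    occurrences: int = 1          # Sentinel initializes Occurrences to 1
    trigger_events: list = field(default_factory=list)


def comparable(fields):
    """Fields used for the sameness check: all except unique and date/time fields."""
    return {k: v for k, v in fields.items()
            if k not in UNIQUE_FIELDS and k not in DATETIME_FIELDS}


class AlertStore:
    def __init__(self):
        self.alerts = []
        self._ids = count(1)

    def create_alert(self, event):
        """Create an alert for a correlated event, or roll it up into an open identical alert."""
        key = comparable(event)
        open_matches = [a for a in self.alerts
                        if a.state != CLOSED and comparable(a.fields) == key]
        if open_matches:
            # Re-opened alerts can leave several open identical alerts;
            # Sentinel rolls up into the most recently created one.
            target = max(open_matches, key=lambda a: a.alert_id)
            target.occurrences += 1
            target.trigger_events.append(event)   # associate the trigger event
            return target
        alert = Alert(next(self._ids), dict(event), NEW, 1, [event])
        self.alerts.append(alert)
        return alert

    def set_state(self, alert_id, stt):
        """Move an alert to another state, e.g. CLOSED, or back to NEW when re-opened."""
        next(a for a in self.alerts if a.alert_id == alert_id).state = stt
```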

To associate the create alert action to a correlation rule:

  1. In the Correlation panel, select the correlation rule to which you want to associate the Create Alerts action, and click the Edit icon.

  2. In the correlation rule builder, in the Actions section, select Create alert.

  3. To configure the alert, click Configure.

  4. Specify the following details in the Configure Alert window:

    • Owner: You can specify a user or a role as the owner of the alert. If you specify a role as the owner of the alert, all the users in that role are owners for the alert. One of the users in that role can acknowledge the alert to notify that they have taken the ownership of the alert and are investigating the issue. This field is mandatory.

      NOTE: When assigning an alert to a user or a role, ensure that the role or the user has the Manage Alerts permission.

    • Priority: Priority indicates the importance of the alert.

    • State: State indicates the status of the alert in the alert resolution cycle.

      Table 26-1 Alert states in Sentinel

      State           Field: Value    Description
      New             stt: 0          New alerts that have just arrived and are not acknowledged yet.
      Pending         stt: 10         Acknowledged (moved from the New state), but pending assignment to an owner who will work on it.
      Assigned        stt: 20         Triaged, acknowledged, and assigned to an owner. NOTE: The Owner field cannot be left blank.
      Investigating   stt: 25         The owner has started working on it. NOTE: The Owner field cannot be left blank.
      Resolved        stt: 30         The owner has found a solution and wants to wait for a few days to test and make sure the issue does not recur.
      Closed          stt: 50         Marked as closed after proper testing and any other actions that might be needed to prevent such a situation in the future.

  5. Click Save.

  6. Click Save Rule.