Alert Correlation Rules and Grouping Mechanism to Reduce Noise
HTML-код
- Опубликовано: 8 сен 2024
- I have created a community article on the same named as Event Management : Leverage Alert Correlation and Grouping for Noise Reduction : community.serv...
Your content is much much better than the nowlearning on-demand course! Keep doing this, Thanks!!
Glad you think so!
Hello, do you have any other documentation on alert management?
Best explanation, Thanks
This is very useful!
Same amount of noises do exist in security detections alerts. Grouping alerts not only reduce noise but also provide valuable context for security analysts to quickly identify true positives and false positives. In our product we have designed a module called pattern discovery. It automatically pulls all detections using the detections API so our Pattern Discovery Engine can automatically cross-correlate all the detections into a much smaller number of Cases. Since cross-correlating could be time consuming when done manually, we've automated that step in our product…
Anyways, Good demo, Ashutosh!
Thanks for your inputs @DTonomy
Awesome tutorial man. Thank you!
Glad it was helpful!
Thank you for explaining the Alert correlation & grouping using Rule and OOTB methods so well. I would also be interested in how Learned Patterns are created and managed. If you could add a video on this, that would be greatly appreciated.
Great suggestion!
nice video..Very Helpfull.
Many many thanks
Nice Video ..Bro
Thanks
👍👍👍
Can we disable auto alert grouping for some type of alerts???
Thank you Ashutosh for this nice video. I want to replicate similar incident/ parent child incident mechanism in program. please can you help, what rule need to be consider while doing ML
Sure. When you say parent child incident means you want to create incident for all secondary alerts as well and make them child of primary alert incident?
Yes, Primary incident( lets say Diskspace issue) and child are rest of jobs failed due to primary issue. Can you guide on some ML algorithms that can be use outside serviceNow.
@@TaleleMilind You can make use of patterns here. You can create rule based correlation as well. How you know they are child? Based on CI relationship? If yes then they are automatically handled by ServiceNow if you have proper relationship in cmdb.
@@AshutoshMunot Not on CI relation. I need to create some relation. Does any ML will tell me that they are related?
@@TaleleMilind we can have Manual correlation and that correlation will be recorded and next time automatically ServiceNow will use it when new alert is created
Hello Ashutosh l,
I created four events with the same source with the same CI and different message keys. Even they are grouping automatically. Could you confirm me on this . How the automatic rule works.
Hello does this require to purchase any separate module from service now?
EVENT MANAGEMENT MODULE
if we do manual grouping, you mentioned that next time alert aggregation runs, then servicenow will automatically does the grouping next time right. In that case, will it show the grouping as 'Automated'?
Yes
@@AshutoshMunot thanks for replying. is there a way to revert that. (in case when the person wrongly does the manual grouping)