Alert Correlation Rules and Grouping Mechanism to Reduce Noise

Рет қаралды 6,327

Ashutosh Munot

Күн бұрын

Пікірлер: 30

@NghiNguyen-ug8ur Жыл бұрын

Your content is much much better than the nowlearning on-demand course! Keep doing this, Thanks!!

@AshutoshMunot Жыл бұрын

Glad you think so!

@rupalirasal6846 4 ай бұрын

Hello, do you have any other documentation on alert management?

@dtonomy8635 3 жыл бұрын

This is very useful! Same amount of noises do exist in security detections alerts. Grouping alerts not only reduce noise but also provide valuable context for security analysts to quickly identify true positives and false positives. In our product we have designed a module called pattern discovery. It automatically pulls all detections using the detections API so our Pattern Discovery Engine can automatically cross-correlate all the detections into a much smaller number of Cases. Since cross-correlating could be time consuming when done manually, we've automated that step in our product… Anyways, Good demo, Ashutosh!

@AshutoshMunot 3 жыл бұрын

Thanks for your inputs @DTonomy

@amysrisai 3 жыл бұрын

Thank you for explaining the Alert correlation & grouping using Rule and OOTB methods so well. I would also be interested in how Learned Patterns are created and managed. If you could add a video on this, that would be greatly appreciated.

@AshutoshMunot 3 жыл бұрын

Great suggestion!

@ravigaur583 3 ай бұрын

Best explanation, Thanks

@oswaldoperalta 2 жыл бұрын

Awesome tutorial man. Thank you!

@AshutoshMunot 2 жыл бұрын

Glad it was helpful!

@Avdacademy 2 жыл бұрын

Hello Ashutosh l, I created four events with the same source with the same CI and different message keys. Even they are grouping automatically. Could you confirm me on this . How the automatic rule works.

@aakuSBhan 4 жыл бұрын

nice video..Very Helpfull.

@AshutoshMunot 4 жыл бұрын

Many many thanks

@sharathkumar7938 Жыл бұрын

Can we disable auto alert grouping for some type of alerts???

@vaasant10 3 жыл бұрын

Nice Video ..Bro

@AshutoshMunot 3 жыл бұрын

Thanks

@TaleleMilind 4 жыл бұрын

Thank you Ashutosh for this nice video. I want to replicate similar incident/ parent child incident mechanism in program. please can you help, what rule need to be consider while doing ML

@AshutoshMunot 4 жыл бұрын

Sure. When you say parent child incident means you want to create incident for all secondary alerts as well and make them child of primary alert incident?

@TaleleMilind 4 жыл бұрын

Yes, Primary incident( lets say Diskspace issue) and child are rest of jobs failed due to primary issue. Can you guide on some ML algorithms that can be use outside serviceNow.

@AshutoshMunot 4 жыл бұрын

@@TaleleMilind You can make use of patterns here. You can create rule based correlation as well. How you know they are child? Based on CI relationship? If yes then they are automatically handled by ServiceNow if you have proper relationship in cmdb.

@TaleleMilind 4 жыл бұрын

@@AshutoshMunot Not on CI relation. I need to create some relation. Does any ML will tell me that they are related?

@AshutoshMunot 4 жыл бұрын

@@TaleleMilind we can have Manual correlation and that correlation will be recorded and next time automatically ServiceNow will use it when new alert is created

@SudiptaGoswami2 3 жыл бұрын

👍👍👍

@evaa_121 4 жыл бұрын

if we do manual grouping, you mentioned that next time alert aggregation runs, then servicenow will automatically does the grouping next time right. In that case, will it show the grouping as 'Automated'?

@AshutoshMunot 4 жыл бұрын

Yes

@evaa_121 4 жыл бұрын

@@AshutoshMunot thanks for replying. is there a way to revert that. (in case when the person wrongly does the manual grouping)