Automatic alert grouping in Incident Response
Lightstep Incident Response automatically groups alerts during import. Grouping lets you focus on the primary alerts in your queue. You can also create rules to customize how alerts are grouped.
The system performs automated alert grouping by analyzing incoming alerts.
- If more than 10 minutes go by between alerts, a new group is created.
- If more than 30 minutes have passed since the first alert in a group, a new group is created for any new alerts.
Example 1: If A and B are opened 5 minutes apart, and C is opened 5 minutes later, all 3 are grouped together.
Example 2: If alerts A and B are opened 5 minutes apart, and alert C is opened 15 minutes after that, only A and B are grouped together. Alert D is in a new group because it is more than 30 minutes since the first alert.
Example 3 (expands on Example 2): The following alerts have the same service, so they could potentially all be in the same group.
Alert1: created 1:00
Alert2: created 1:11
Alert3: created 1:13
Alert4: created 1:16
Alert5: created 1:25
Alert6: created 1:34
- Alert1 and Alert2 are not grouped, since the time difference between them is more than 10 minutes.
- Alert2 and Alert3 create a group at 1:13, and the 10-minute sliding window starts. Alert4 is added to the group at 1:16, and the 10-minute sliding window restarts. Alert5 is added to the group because its creation time is less than 10 minutes after 1:16, and the sliding window restarts again.
- Alert6 is added to the group since it arrived less than 10 minutes after Alert5.
- Alert7 came in 9 minutes after Alert6 but is not added to the group because the 30-minute limit on the group as a whole has passed (1:13 + 30 minutes = 1:43).
The oldest of the highest severity alerts becomes the primary alert. The rest become related alerts.
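The grouping rules and the primary-alert selection above, worked through as an added example. This is not Lightstep Incident Response code; it is a small model of the two windows (10-minute gap between consecutive alerts, 30-minute lifetime from the group's first alert) and of the "oldest of the highest severity" rule, run over the alerts from Example 3. The service name, the severity values, and the timestamp of Alert7 (which the page describes as 9 minutes after Alert6, so 1:43) are assumptions, not values from the page.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Thresholds as stated on the page.
SLIDING_WINDOW = timedelta(minutes=10)  # max gap between consecutive grouped alerts
GROUP_LIFETIME = timedelta(minutes=30)  # measured from the group's first alert


@dataclass
class Alert:
    name: str
    created: datetime
    service: str = "checkout"  # constructed: only same-service alerts are grouping candidates
    severity: int = 1          # constructed scale: a higher number means more severe


@dataclass
class AlertGroup:
    alerts: list = field(default_factory=list)

    def accepts(self, alert: Alert) -> bool:
        """True if the alert falls inside both windows of this group.

        The 10-minute window restarts from the most recently added alert.
        The 30-minute limit is counted from the first alert in the group;
        the page's Example 3 counts it from 1:13 when the group formed, and
        for the page's data both readings put Alert7 in a new group.
        """
        since_last = alert.created - self.alerts[-1].created
        since_first = alert.created - self.alerts[0].created
        return since_last <= SLIDING_WINDOW and since_first <= GROUP_LIFETIME

    def primary(self) -> Alert:
        """Oldest of the highest-severity alerts; the rest are related alerts."""
        top = max(a.severity for a in self.alerts)
        return min((a for a in self.alerts if a.severity == top),
                   key=lambda a: a.created)

    def related(self) -> list:
        primary = self.primary()
        return [a for a in self.alerts if a is not primary]


def group_alerts(alerts: list) -> list:
    """Group alerts in creation order, keeping one open group per service."""
    groups: list = []
    open_group: dict = {}  # service -> most recent group for that service
    for alert in sorted(alerts, key=lambda a: a.created):
        current = open_group.get(alert.service)
        if current is not None and current.accepts(alert):
            current.alerts.append(alert)
        else:
            current = AlertGroup([alert])
            groups.append(current)
            open_group[alert.service] = current
    return groups


def group_names(groups: list) -> list:
    return [[a.name for a in g.alerts] for g in groups]


def at(hh: int, mm: int) -> datetime:
    # Constructed date; only the clock time matters for the examples.
    return datetime(2024, 1, 1, hh, mm)


def example3() -> list:
    """Alerts from the page's Example 3. Severities are constructed so that
    primary selection has something to decide; Alert7 at 1:43 is assumed
    from "9 minutes after Alert6"."""
    return [
        Alert("Alert1", at(1, 0)),
        Alert("Alert2", at(1, 11)),
        Alert("Alert3", at(1, 13), severity=3),
        Alert("Alert4", at(1, 16), severity=3),
        Alert("Alert5", at(1, 25)),
        Alert("Alert6", at(1, 34)),
        Alert("Alert7", at(1, 43)),
    ]


if __name__ == "__main__":
    for group in group_alerts(example3()):
        names = [a.name for a in group.alerts]
        print(names, "primary:", group.primary().name)
```

Running the block prints three groups: Alert1 alone, Alert2 through Alert6 together, and Alert7 alone; in the middle group Alert3 is primary because it is the older of the two severity-3 alerts.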
Automatic alert grouping takes place before any response rules run.