Automatic alert grouping in Incident Response

Lightstep Incident Response automatically groups alerts during import. Grouping lets you focus on the primary alerts in your queue. You can also create rules to customize how alerts are grouped.

The system performs automated alert grouping by analyzing incoming alerts.

If an alert comes in against the same service as an existing open alert, or the system detects a pattern between alerts that come in against the same service and metric name, the alerts are grouped as follows:
  • An alert that arrives within 10 minutes of the previous alert is added to the group. The 10-minute window is a sliding window: it restarts each time an alert is added.
  • If more than 10 minutes go by after the last grouped alert, the group stops accepting alerts, and the next alert starts a new group.
  • A group accepts alerts for at most 30 minutes after it was created. After that, a new group is created for any new alerts, even if they arrive within 10 minutes of the last grouped alert.
Example 1: If alerts A, B, and C come in with the same service:
  • If A and B are opened 5 minutes apart, and C is opened 5 minutes after B, all 3 are grouped together.
  • If A and B are opened 5 minutes apart, and C is opened 15 minutes after B, only A and B are grouped together.
Example 2: If alerts A, B, and C open 10 minutes apart, and alert D is opened more than 30 minutes after alert A:
  • Alert D is placed in a new group because the 30-minute limit on the group as a whole has passed.

Example 3 (expands on Example 2): The following alerts have the same service, so they could potentially all be in the same group.

Alert1: created 1:00
Alert2: created 1:11
Alert3: created 1:13
Alert4: created 1:16
Alert5: created 1:25
Alert6: created 1:34
Alert7: created 1:44
  • Alert1 and Alert2 are not grouped, since the time difference between them (11 minutes) is more than 10 minutes.
  • Alert2 and Alert3 create a group at 1:13, and the 10-minute sliding window starts. Alert4 is added to the group at 1:16 and the sliding window restarts. Alert5 is added to the group because its creation time (1:25) is less than 10 minutes after 1:16, and the sliding window restarts again.
  • Alert6 is added to the group because it arrived less than 10 minutes after Alert5.
  • Alert7 is not added to the group, regardless of its distance from Alert6, because the 30-minute limit on the group as a whole has passed: the group was created at 1:13, so it stopped accepting alerts at 1:43, and Alert7 was created at 1:44.

The oldest of the highest severity alerts becomes the primary alert. The rest become related alerts.
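The rules above (the 10-minute sliding window, the 30-minute limit on the group, and the primary-alert rule) as a small Python model, added here as an illustration. This is not Lightstep's code and says nothing about its internal implementation. It assumes a single grouping key (the service name), that alerts are ingested in creation order, a constructed severity scale, and constructed severities for the Example 3 alerts, which the page does not give. Following the page's arithmetic in Example 3, the 30-minute limit is counted from the moment the group is formed (1:13), that is, from the arrival of the second member; the service name and timestamps are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Thresholds stated on the page: a sliding 10-minute window between
# consecutive alerts, and a 30-minute limit on the group as a whole.
SLIDING_WINDOW = timedelta(minutes=10)
MAX_GROUP_SPAN = timedelta(minutes=30)

# Assumed severity scale (the page does not define one); higher is more severe.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(eq=False)
class Alert:
    name: str
    service: str
    severity: str
    created: datetime
    group: Optional["Group"] = None  # set once the alert joins a group


@dataclass(eq=False)
class Group:
    created: datetime  # when the group was formed, i.e. when its second member arrived
    members: List[Alert] = field(default_factory=list)

    def primary(self) -> Alert:
        """The oldest of the highest-severity members is the primary alert."""
        return min(self.members, key=lambda a: (-SEVERITY_RANK[a.severity], a.created))

    def related(self) -> List[Alert]:
        """Every other member is a related alert."""
        p = self.primary()
        return [a for a in self.members if a is not p]


class Grouper:
    """Groups alerts per service; alerts must be ingested in creation order."""

    def __init__(self) -> None:
        self._last: Dict[str, Alert] = {}  # most recent alert seen per service
        self.alerts: List[Alert] = []
        self.groups: List[Group] = []

    def ingest(self, alert: Alert) -> Optional[Group]:
        """Return the group the alert landed in, or None if it stays ungrouped."""
        self.alerts.append(alert)
        prev = self._last.get(alert.service)
        self._last[alert.service] = alert
        if prev is None or alert.created - prev.created > SLIDING_WINDOW:
            return None  # more than 10 minutes since the previous alert: not grouped
        if prev.group is None:
            # Two alerts within the window form a new group; the 30-minute
            # clock starts now (the page counts from 1:13 in Example 3).
            group = Group(created=alert.created, members=[prev, alert])
            prev.group = alert.group = group
            self.groups.append(group)
            return group
        group = prev.group
        if alert.created - group.created > MAX_GROUP_SPAN:
            return None  # the 30-minute limit on the group as a whole has passed
        group.members.append(alert)
        alert.group = group
        return group

    def ungrouped(self) -> List[Alert]:
        return [a for a in self.alerts if a.group is None]


def run_example_1(c_minutes_after_b: int) -> Grouper:
    """Example 1: A and B 5 minutes apart, C `c_minutes_after_b` minutes after B."""
    grouper = Grouper()
    base = datetime(2024, 1, 1, 2, 0)  # constructed timestamp
    for name, minutes in [("A", 0), ("B", 5), ("C", 5 + c_minutes_after_b)]:
        grouper.ingest(Alert(name, "checkout-api", "high", base + timedelta(minutes=minutes)))
    return grouper


def run_example_3() -> Grouper:
    """Replays the page's Example 3 timestamps. Severities are constructed
    here to exercise the primary-alert rule; the page does not give them."""
    grouper = Grouper()
    sample = [  # (name, severity, hour, minute); all against one constructed service
        ("Alert1", "high", 1, 0), ("Alert2", "medium", 1, 11),
        ("Alert3", "medium", 1, 13), ("Alert4", "critical", 1, 16),
        ("Alert5", "critical", 1, 25), ("Alert6", "low", 1, 34),
        ("Alert7", "high", 1, 44),
    ]
    for name, sev, h, m in sample:
        grouper.ingest(Alert(name, "checkout-api", sev, datetime(2024, 1, 1, h, m)))
    return grouper


if __name__ == "__main__":
    g = run_example_3()
    for grp in g.groups:
        print("primary:", grp.primary().name, "related:", [a.name for a in grp.related()])
    print("ungrouped:", [a.name for a in g.ungrouped()])
```

Running the Example 3 replay yields one group containing Alert2 through Alert6, with Alert4 as the primary alert (the oldest of the two critical members) and Alert1 and Alert7 left ungrouped, matching the walkthrough above. Note that an alert rejected by the 30-minute limit becomes the "previous alert" for its service, so a further alert arriving within 10 minutes of it starts a fresh group.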

In the alert list view, grouped alerts are displayed under a single entry that uses the primary alert's data. A grouped, related alert contains a Grouped by field that indicates how the related alert was grouped. For more information, see Alert workspace.
Note: Automatic alert grouping takes place before any response rules run.