Create a grouping rule

Create an alert grouping rule to automatically group alerts according to selected criteria.

Before you begin

New rules run only on alerts ingested after the rule is created. Open alerts that have already been evaluated are not seen by new rules or by changes to existing rules.

If you change an existing rule, an existing alert that the changed rule would have captured is not captured by it. The changed criteria or actions are not applied unless the existing alert is closed and reopened; then the changed rule actions take effect.

The order in which alert grouping rules run matters, because lower-order rules run first. This can affect whether the conditions of higher-order rules are met, or whether those rules process at all. Lower-order rules can adjust field values or even stop processing.
Note: Set the order for your rule using the Rules Order icon in the Grouping rules list view. See Incident Response Automation for more information on grouping rule order.

When creating grouping rules, determine the criteria you would use to manually group alerts. Field matching is useful for general criteria. The system rule groups all alerts with the same service and metric name. This rule could result in a large group that contains alerts from many different teams, priorities, states, and so on. If you disable the system rule, you can refine the fields to be more specific.

Condition matching creates even more specific rules. For instance, you may want to group only the P1 alerts with the same service, source, and team. Watch for criteria that overlap, and make sure that what you want to happen actually happens.

There is a lot of flexibility in creating grouping rules, but they require careful thought and planning.

Role required: Manager, Administrator, or Responder

Procedure

  1. Log in to Incident Response.
  2. In the left navigation pane, click Automation.
  3. Click Create new rule.
  4. In the form, fill in the fields.

    The administrator view of this form contains an All teams and services choice in the list menu, which is not available to managers or responders.
    Global group rule selection

    Teams or Services are not required for the admin.

    Grouping rule form
    Table 1. Grouping rule setup form
    Field | Description
    Rule name | Name of the rule.
    Description | Text description of the rule.
    This rule applies to | Select your team or service. (Only visible to Administrators.) Select all teams and services. Sets the rule to run for all teams and all services. This field is useful for rules that make team assignments or that should run for all teams or services.
    Teams or Services this rule applies to | You can select multiple teams or services.
    Run time limit | How long, in minutes, this rule continues to run and group alerts after an initiating alert. The default is 30.
  5. Click Next.
  6. On the Set grouping methods form, select an action. You can choose one or both actions.
    Grouping rule methods
    Note: Choose one or both of the following actions:

    Option | Description
    Field Match | Choose the fields, operators, and values you want to group when an alert is captured by this rule. You can choose multiple fields from the list.
    Grouping rule field match
    Condition Match | Choose the fields, operators, and values you want to group when an alert is captured by this rule. You can choose as many conditions as you like from the list.
    Grouping rule condition match

    Note: For some examples of different types of methods, see Grouping rules examples.

  7. Click Save.
    You are returned to the Grouping rules tab on the Automation landing page.

    The rule takes effect for any alerts that arrive after it is created. It does not reevaluate existing alerts unless they are closed and reopened.

    Note:

    The more fields or conditions you choose, the narrower the results are.

    As you add rules, remember that the order that they are listed in is the order they are processed. Order can change the outcome. So, be sure to test them out as you create new rules.
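To make the grouping semantics concrete, the following is an added Python model (not the product's own code) of how a field-match rule, an optional condition match, and the run time limit interact: an alert that matches no open group initiates one, later alerts with the same field values join it only while they arrive within the run time limit of the initiating alert, and a condition (here, priority equals P1) filters which alerts the rule captures at all. The alerts, field names and times are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed sample alerts in arrival order (not product data).
ALERTS = [
    {"id": 1, "service": "web", "metric": "cpu", "priority": "P1", "time": "10:00"},
    {"id": 2, "service": "web", "metric": "cpu", "priority": "P2", "time": "10:10"},
    {"id": 3, "service": "db",  "metric": "cpu", "priority": "P1", "time": "10:12"},
    {"id": 4, "service": "web", "metric": "cpu", "priority": "P1", "time": "10:25"},
    {"id": 5, "service": "web", "metric": "cpu", "priority": "P1", "time": "10:45"},
]


def _at(clock):
    """Parse an HH:MM arrival time; only the difference between times matters."""
    return datetime.strptime(clock, "%H:%M")


def group_alerts(alerts, fields, condition=None, run_time_limit=30):
    """Return lists of alert ids grouped by identical values in `fields`.

    `condition` is an optional predicate an alert must satisfy to be captured
    by the rule (condition match). `run_time_limit` is in minutes, measured
    from the group's initiating alert, as on the grouping rule form.
    """
    groups = []  # each: {"key": field values, "started": time, "members": ids}
    for alert in alerts:
        if condition is not None and not condition(alert):
            continue  # not captured by this rule
        key = tuple(alert[f] for f in fields)
        when = _at(alert["time"])
        open_group = next(
            (g for g in groups
             if g["key"] == key
             and when - g["started"] <= timedelta(minutes=run_time_limit)),
            None,
        )
        if open_group is None:
            # No group for this key is still within its window: initiate one.
            groups.append({"key": key, "started": when, "members": [alert["id"]]})
        else:
            open_group["members"].append(alert["id"])
    return [g["members"] for g in groups]


if __name__ == "__main__":
    # System-rule style: same service and metric name, 30-minute window.
    print(group_alerts(ALERTS, ("service", "metric")))
    # Same fields, but only P1 alerts are captured (condition match).
    print(group_alerts(ALERTS, ("service", "metric"),
                       condition=lambda a: a["priority"] == "P1"))
```

Alert 5 lands in a new group even though it matches alert 1's fields, because it arrives 45 minutes after the initiating alert and the default run time limit is 30.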