Why are my alerts not getting aggregated?

This article applies to:

• SIEM OE 5.7
• SIEM OE 5.9
• SIEM OE 5.9.1

Question:

• Why are my alerts not getting aggregated?

Information:

In any of the alert views on the SOC (Security Operations Center) server, SIEM will aggregate the alerts and increase the event count to keep the alert views from being too busy or verbose to look at.

On the TE (Threat Evaluator) server, SIEM tracks alerts "in state" (within the running application), and will increment the count for any alerts currently being held in state. To determine whether an alert should be aggregated, SIEM uses a compound key that is made up of the following two fields:

[composite_key] = [alert_registration_id]-[alert_id_key]

The alert_id_key is also a composite key created in an earlier rule (te:/system/te/output/validate/) :

[alert_id_key] = [generator_column]-[source_column]-[target_column]-[user_id]-[malware_id]-[event_id]

An alert will aggregate if all of the following keys are the same as an alert being held in state:

[alert_registration_id]
[generator_column] (g_hostname)
[source_column]  (source_hostname)
[target_column]  (target_hostname)
[user_id]
[malware_id]
[event_id]

Occasionally a correlation will produce alerts that are too unique and will not aggregate on the SOC, making your alert views too busy. 

To resolve this issue, you can construct a custom rule in te:/local/te/output/ .  Filter for alerts from a certain correlation or escalation (alert_registration_id) and reconstruct the alert_id_key before it is sent to the SOC tier. For each correlation that requires an adjustment to summarization you can create a separate custom rule.